Skip to main content
ShieldOps
Back to blog
Platform

ShieldOps achieves 97% MITRE ATT&CK coverage — here's how we measure it

James Okafor·Director of Detection EngineeringFeb 14, 202511 min read

Coverage claims in the security industry are notoriously unreliable. Vendors quote numbers without defining the denominator, conflate detection with prevention, or count a single telemetry source as covering an entire tactic. We're opening our methodology entirely — including the gaps.

How we define coverage

We use MITRE ATT&CK v15 as our baseline: 14 tactics, 196 techniques, and 411 sub-techniques. A technique is 'covered' if and only if: (1) we have at least one detection rule mapped to it, (2) that rule has fired at least once in production in the last 90 days on our red team infrastructure, and (3) the alert is enriched with enough context for an analyst to triage without additional investigation.

What we don't count

Techniques where we only have telemetry (visibility) but no alert logic do not count toward coverage. Neither do rules that exist in our library but have never been validated against real-world activity.

The 3% gap

At 97% coverage, our current gaps are concentrated in two areas: (1) Techniques requiring physical access to endpoints — these are out of scope for a cloud-delivered platform by design. (2) Three sub-techniques under T1657 (Financial Theft) that emerged in ATT&CK v15 and for which we are building detection rules now.

  • T1200 (Hardware Additions) — requires physical access, out of scope
  • T1657.001/.002/.003 (Financial Theft sub-techniques) — ATT&CK v15 additions, detection rules in development
  • T1606.002 (SAML token forgery in on-prem AD FS) — limited telemetry available from on-prem deployments

Our testing methodology

Every quarter our red team runs Atomic Red Team tests against dedicated detection validation infrastructure. Results feed directly into our coverage dashboard, which maps each test outcome to the relevant technique and updates our published numbers. We commit to updating this dashboard within 30 days of each ATT&CK version release.

bash
# Example: validating T1003.001 (LSASS Memory Dump)
Invoke-AtomicTest T1003.001 -TestNumbers 1,2,3 \
  --timeout 60 \
  --output-path ./results/T1003.001.json

# ShieldOps validates alert fired within SLA
shieldops coverage-check \
  --technique T1003.001 \
  --expected-alert "credential_access.lsass_dump" \
  --sla-seconds 30

Why this matters for your security programme

Coverage metrics help you answer one question for your board: if an attacker uses technique X, do we detect it? The answer should never be 'we think so'. Build a validation programme, define coverage rigorously, and publish the gaps. Transparency on gaps is more valuable than inflated claims — it tells your team exactly where to invest next.

Ready to see ShieldOps in action?

Join 2,000+ security teams protecting their infrastructure.

Get a free demo