Compliance self-assessment
Pick the control families you already have · see your threat coverage and which other frameworks you satisfy
Tell the engine which control families you have implemented in a framework. It computes two things: the ATT&CK techniques those controls defend against (and how many of those have public detection content), and, through the published crosswalks, how many controls in other frameworks you are effectively already satisfying. Counts are honest: only real detections and real crosswalk links are counted, never inferred.
How an analyst uses self-assessment. You tell the engine which control families you have actually implemented (AC, IA, SC…). It then shows two things grounded only in real data: the ATT&CK techniques those controls defend against and how many have public detection content, and - through published crosswalks - how many controls in other frameworks you are already satisfying.
Why it matters (certify once, answer many). If you are audited against NIST 800-53 and a client asks for ISO 27001 or SOC 2, the crosswalk turns “start a new certification” into “here is the gap list” - the controls you do not already satisfy. That is one of the biggest time-savers in GRC.
Honest caveat: “detectable” means a public rule exists for the technique, not that your SIEM runs it. Policy families (PM, PL, PS, PA) will not show techniques - that is expected, not a gap. Select technical families (AC, IA, SC, SI, AU) to see technique coverage.
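The computation described above, sketched as an added example (not the engine's own code). All mapping rows, the detection index and the ISO scope list are constructed sample data, and the function names are hypothetical; a real run would load the published control-to-ATT&CK mappings and crosswalks.

```python
# Constructed sample data for illustration only (not the published datasets).
CONTROL_TECHNIQUES = {          # 800-53 control -> ATT&CK techniques it defends against
    "AC-2": {"T1078", "T1136"},
    "IA-2": {"T1078", "T1110"},
    "SC-7": {"T1190", "T1071"},
    "PM-9": set(),              # policy control: no technique mapping, expected
}
PUBLIC_DETECTIONS = {"T1078", "T1110", "T1190"}   # techniques with a public rule
CROSSWALK = {                   # 800-53 control -> ISO 27001 controls, explicit links only
    "AC-2": {"A.5.16", "A.5.18"},
    "IA-2": {"A.8.5"},
    "SC-7": {"A.8.20"},
    "PM-9": {"A.5.1"},
}
ISO_SCOPE = {"A.5.1", "A.5.16", "A.5.18", "A.8.5", "A.8.15", "A.8.20"}


def family(control_id):
    """'AC-2' -> 'AC'."""
    return control_id.split("-")[0]


def assess(selected_families):
    """Return technique coverage and crosswalk gap for the implemented families."""
    selected = {f.upper() for f in selected_families}
    controls = [c for c in CONTROL_TECHNIQUES if family(c) in selected]
    # Union of mapped techniques; nothing is inferred for unmapped controls.
    techniques = set().union(*(CONTROL_TECHNIQUES[c] for c in controls))
    # "Detectable" = a public rule exists, not that a SIEM is running it.
    detectable = techniques & PUBLIC_DETECTIONS
    satisfied = set().union(*(CROSSWALK.get(c, set()) for c in controls))
    return {
        "techniques": sorted(techniques),
        "detectable": sorted(detectable),
        "satisfied": sorted(satisfied),
        "gap": sorted(ISO_SCOPE - satisfied),   # what is still left to satisfy
    }


if __name__ == "__main__":
    for picked in (["AC", "IA"], ["PM"]):
        print(picked, assess(picked))
```

Selecting only a policy family such as PM returns an empty technique list while still contributing crosswalk links, which matches the caveat above.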