Telemetry coverage ceiling
Which ATT&CK techniques you can never detect with the logs you collect - the hard ceiling a better rule can’t lift.
“Coverage” means three different things - this page is the hard floor
The word “coverage” hides three very different questions, and a SOC that conflates them over-reports what it can actually see. The coverage workbench, the Coverage Check, and this ceiling each answer a different one:
1. Does a detection exist anywhere? The public catalogue - a green result means someone wrote a rule for that technique. It says nothing about your environment. That is the layer the default heatmap and /compliance report.
2. Do you actually run it? Your deployed coverage - true only when a rule is loaded in your SIEM and firing. The Coverage Check reads the ATT&CK tags your real rules declare and reports that honestly.
3. Could you ever detect it? This page. Even a perfect rule is blind without the log it queries. Computed from each technique’s ATT&CK data-source requirements against the telemetry you tick, it shows what stays invisible no matter how good your detections get.
You are at layer 3 - the hard floor. A better rule can lift a missing-rule gap; it can never lift a missing-telemetry gap. Start here: there is no point authoring a detection for a technique whose data source you don’t collect. Fix the ceiling by adding telemetry, then write rules where the floor allows it.
A missing detection rule can be written; a missing log source can’t be queried. Tick the telemetry your environment actually collects and this shows the techniques that stay invisible no matter how good your detections get - computed from each technique’s ATT&CK data-source requirements (652 of 858 techniques carry data-source guidance).
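The ceiling computation described above, as an added example that is not the page's own code: the technique-to-data-source mapping is constructed and abbreviated (real ATT&CK IDs, trimmed lists, plus one placeholder ID with no guidance), and it assumes a technique is observable as soon as one of its required sources is collected.

```python
"""Telemetry coverage ceiling: separate the three coverage layers for a set of techniques."""
# Constructed, abbreviated mapping of ATT&CK technique ID -> data sources its detections need.
# The IDs are real ATT&CK techniques, but the lists are trimmed for this example; a real tool
# loads them from the ATT&CK STIX bundle.
TECHNIQUE_DATA_SOURCES = {
    "T1059": {"Command Execution", "Process Creation", "Script Execution"},
    "T1003": {"Process Access", "OS API Execution", "Command Execution"},
    "T1071": {"Network Traffic Content", "Network Traffic Flow"},
    "T1547": {"Windows Registry Key Modification", "Process Creation"},
    "T9999": set(),  # placeholder ID, not a real technique: no data-source guidance
}


def compute_ceiling(mapping, collected):
    """Layer 3: a technique is above the ceiling when none of its data sources is collected.
    Assumption: one collected source is enough to make a technique observable, since a rule
    only needs the log it actually queries. Techniques without guidance are reported apart.
    """
    ceiling, observable, unknown = set(), set(), set()
    for tid, sources in mapping.items():
        if not sources:
            unknown.add(tid)
        elif sources & collected:
            observable.add(tid)
        else:
            ceiling.add(tid)
    return ceiling, observable, unknown


def layered_report(mapping, collected, catalogue_rules, deployed_rules):
    """Layers 1-3 together. Rules for techniques above the ceiling are flagged as blind:
    they exist (layer 1) or run (layer 2) but have no telemetry to query."""
    ceiling, observable, unknown = compute_ceiling(mapping, collected)
    return {
        "ceiling": ceiling,
        "no_guidance": unknown,
        "missing_rule": observable - catalogue_rules,                  # nobody wrote a rule
        "undeployed": (observable & catalogue_rules) - deployed_rules,  # rule exists, not loaded
        "detected": observable & deployed_rules,                       # the only true coverage
        "blind_rules": (catalogue_rules | deployed_rules) & ceiling,
    }


if __name__ == "__main__":
    collected = {"Process Creation", "Command Execution"}  # constructed telemetry selection
    report = layered_report(TECHNIQUE_DATA_SOURCES, collected,
                            catalogue_rules={"T1059", "T1003", "T1071"}, deployed_rules={"T1059"})
    for layer, techniques in report.items():
        print(f"{layer:13} {sorted(techniques)}")
```

With only process and command telemetry ticked, T1071 lands on the ceiling and the catalogue rule tagged for it is reported as blind, while T1547 is observable but has no rule at all.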
Select your telemetry above
Tick the log and telemetry sources your environment collects, then compute the ceiling to see which techniques stay permanently invisible.