Detection Coverage Workspace

See what you can detect, where you are blind, and what to add next. Coverage is measured across three things: the telemetry you collect, the detection rules you run, and the techniques you are actually exposed to.

Covered

You collect the telemetry and a rule maps to the technique.

Blind, fixable

You have the telemetry but no rule yet. We point at public rules and atomic tests that close it.

Ceiling gap

No telemetry for it, so no rule can ever fire. Onboard the log source first.

Undetermined

No data-source mapping exists for the technique, so we will not guess.

One unified table that folds all three steps into a single prioritized view, ranked by your real exposure, is on the way. For now each step opens its own tool.

Free

Check whether your software, operating systems, and packages are exposed, and read the public detection heatmap. Start from Am I affected.

Pro

Score your own telemetry and rules against your real exposure, track coverage over time, and export a client-ready report. See pricing.

threatengine.sh