Guide · Detection engineering

Cloud detection coverage 101

A practical primer on measuring and improving detection coverage across AWS, Azure and GCP using MITRE ATT&CK as the framework.

What detection coverage means

Detection coverage is the proportion of adversary behaviours that matter to your business that you can reliably detect with the tooling you have today. The number that matters is not 'how many rules do we have'; it's 'which TTPs would slip past us'.

MITRE ATT&CK gives us a shared vocabulary for this. If you can map every detection you ship to one or more ATT&CK techniques, you can compute coverage as a heatmap over the matrix and report on the gaps.

Name your sources

Every detection lives in one of three places: a managed cloud service (GuardDuty, Security Hub, Defender, SCC), a SIEM (Splunk, Sentinel, SecOps, Elastic, OpenSearch), or an EDR.

  • Pull the full list of GuardDuty finding types your environment can produce.
  • Pull the Security Hub controls and their compliance frameworks.
  • Export every published detection rule from your SIEM by name.
  • List every EDR rule pack you have enabled.

Compute coverage as code

Don't paint a PowerPoint heatmap. Compute coverage from the same mappings every quarter and check the result into git, so the trend is diffable. DCV does this for you across AWS, Azure and GCP, but the underlying technique is portable.

Pseudocode: coverage_pct(tactic), in Python:

def coverage_pct(tactic, mappings, matrix):
    # mappings: technique ID -> the detections that cover it
    techniques = matrix.tactics[tactic].techniques
    if not techniques:
        return 0.0  # a tactic with no techniques would otherwise divide by zero
    covered = sum(1 for t in techniques if mappings.get(t.id))
    return 100.0 * covered / len(techniques)

Use the gaps

Coverage is a means, not a goal. Once you know your gaps, prioritise them by adversary prevalence (which techniques are actually used against your sector) and by the cost to you if the technique succeeds. CloudSigma turns those prioritised gaps into ready-to-deploy Sigma rules.
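The coverage-as-code idea from the previous section and the gap prioritisation described here, carried through end to end as an added example (not DCV's or CloudSigma's code): the matrix subset, the detection names and the prevalence scores are constructed sample data, though the technique IDs are real ATT&CK IDs.

```python
"""Coverage-as-code (added example, not DCV's or CloudSigma's code): ATT&CK coverage
per tactic. Matrix subset, detection names and prevalence scores are constructed."""
from collections import defaultdict

# Constructed subset of the ATT&CK matrix: tactic -> technique IDs.
MATRIX = {
    "initial-access": ["T1078", "T1190"],
    "persistence": ["T1078", "T1098", "T1136"],
    "defense-evasion": ["T1562", "T1070"],
}
# Constructed mappings: detection name -> (source, technique IDs it covers).
MAPPINGS = {
    "guardduty:iam-user-malicious-ip": ("guardduty", ["T1078"]),
    "sigma:cloudtrail-logging-disabled": ("siem", ["T1562"]),
    "sigma:iam-access-key-added-to-user": ("siem", ["T1098"]),
}
# Constructed adversary-prevalence scores (higher = seen more often in your sector).
PREVALENCE = {"T1190": 9, "T1078": 8, "T1070": 5, "T1136": 3}

def technique_index(mappings):
    """Invert detection -> techniques into technique -> set of detection names."""
    idx = defaultdict(set)
    for name, (_source, techs) in mappings.items():
        for t in techs:
            idx[t].add(name)
    return idx

def coverage_report(matrix, mappings):
    """Per tactic: coverage percentage plus covered and uncovered technique IDs."""
    idx = technique_index(mappings)
    report = {}
    for tactic, techs in matrix.items():
        covered = [t for t in techs if idx.get(t)]
        gaps = [t for t in techs if not idx.get(t)]
        pct = 100.0 * len(covered) / len(techs) if techs else 0.0  # empty-tactic guard
        report[tactic] = {"pct": round(pct, 1), "covered": covered, "gaps": gaps}
    return report

def prioritised_gaps(report, prevalence):
    """Uncovered techniques across all tactics, most prevalent first."""
    gaps = {t for r in report.values() for t in r["gaps"]}
    return sorted(gaps, key=lambda t: (-prevalence.get(t, 0), t))

if __name__ == "__main__":
    rep = coverage_report(MATRIX, MAPPINGS)
    for tactic, r in rep.items():  # diff-friendly text, suitable for checking into git
        print(f"{tactic:16} {r['pct']:5.1f}%  gaps={r['gaps']}")
    print("close first:", prioritised_gaps(rep, PREVALENCE))
```

Swap in your real ATT&CK export and your SIEM rule list (the sources named above) and the same functions produce the quarterly heatmap and the ordered gap list.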

Sources
  • MITRE ATT&CK, https://attack.mitre.org/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings.
  • Sigma project, https://github.com/SigmaHQ/sigma
Last verified: 2026-04-24