A practical primer on measuring and improving detection coverage across AWS, Azure and GCP using MITRE ATT&CK as the framework.
Detection coverage is the share of adversary behaviours that matter to your business that your current tooling reliably detects. The number that matters is not 'how many rules do we have' but 'which TTPs would get past us'.
MITRE ATT&CK gives us a shared vocabulary for this. If you can map every detection you ship to one or more ATT&CK techniques, you can compute coverage as a heatmap over the matrix and report on the gaps. Map at the sub-technique level where the rule is that specific (T1078.004, not just T1078): in cloud estates the cloud-specific sub-techniques are usually where the real gaps sit.
In a cloud estate a detection typically lives in one of three places: a managed cloud detection service (GuardDuty, Security Hub, Defender, SCC), a SIEM (Splunk, Sentinel, SecOps, Elastic, OpenSearch), or an EDR. Wherever it lives, record its ATT&CK mapping next to the rule itself (Sigma's attack.tNNNN tags are the common convention) so the mapping travels with the detection instead of living in a spreadsheet nobody updates.
Don't paint a PowerPoint heatmap by hand. Compute coverage from the same mappings every quarter and check the result into git so the trend is diffable. DCV does this for you across AWS, Azure and GCP, but the underlying technique is portable.
def coverage_pct(tactic, mappings, matrix):
    # mappings: technique ID -> the detections mapped to it; missing or empty means a gap.
    techniques = matrix.tactics[tactic].techniques
    covered = sum(1 for t in techniques if mappings.get(t.id))
    return 100.0 * covered / len(techniques)
Coverage is a means, not a goal. Once you know your gaps, prioritise them by adversary prevalence (which techniques are actually used against your sector) and by the impact of that technique succeeding in your environment. A gap in a technique nobody uses against you ranks below one that every intrusion report in your sector mentions. CloudSigma turns those prioritised gaps into ready-to-deploy Sigma rules.
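The full loop described above, from Sigma-style rule tags to a per-tactic heatmap and a ranked gap list, as an added example. This is not DCV's or CloudSigma's code. The matrix is a small constructed subset of ATT&CK Enterprise using real technique IDs; the rules, the prevalence scores and the impact weights are constructed for illustration and stand in for your own rule repository, threat intel and risk register.

```python
"""Compute ATT&CK coverage from detection mappings and rank the gaps.

Added example, not DCV's or CloudSigma's code. MATRIX is a constructed subset
of ATT&CK Enterprise (real IDs); RULES, PREVALENCE and IMPACT are constructed.
"""
import json
import re
from collections import defaultdict

# Constructed subset of ATT&CK: tactic -> {parent technique ID: name}.
MATRIX = {
    "initial-access": {"T1078": "Valid Accounts", "T1190": "Exploit Public-Facing Application"},
    "persistence": {"T1098": "Account Manipulation", "T1136": "Create Account"},
    "credential-access": {"T1552": "Unsecured Credentials", "T1110": "Brute Force"},
    "defense-evasion": {"T1562": "Impair Defenses", "T1070": "Indicator Removal"},
    "exfiltration": {"T1537": "Transfer Data to Cloud Account", "T1567": "Exfiltration Over Web Service"},
}

# Constructed detections using Sigma's tag convention (attack.tNNNN or attack.tNNNN.NNN).
RULES = [
    {"title": "GuardDuty: credentials exfiltrated via instance metadata", "source": "guardduty",
     "tags": ["attack.credential_access", "attack.t1552.005"]},
    {"title": "Entra ID: sign-in from anonymised IP", "source": "sentinel",
     "tags": ["attack.initial_access", "attack.t1078.004"]},
    {"title": "GCP: logging sink deleted", "source": "scc",
     "tags": ["attack.defense_evasion", "attack.t1562.008"]},
    {"title": "AWS: new IAM user created", "source": "siem",
     "tags": ["attack.persistence", "attack.t1136.003"]},
    {"title": "AWS: bucket policy permits cross-account copy", "source": "siem",
     "tags": ["attack.exfiltration", "attack.t1537"]},
]

# Constructed: fraction of sector intrusions using the technique, and business impact 1-5.
PREVALENCE = {"T1190": 0.6, "T1098": 0.5, "T1110": 0.4, "T1070": 0.3, "T1567": 0.2}
IMPACT = {"T1190": 5, "T1098": 4, "T1110": 2, "T1070": 2, "T1567": 4}

_TECH_TAG = re.compile(r"attack\.t(\d{4})(?:\.\d{3})?$")


def parent_technique(tag):
    """Return the parent technique ID for a Sigma technique tag, or None for tactic tags."""
    m = _TECH_TAG.match(tag)
    return f"T{m.group(1)}" if m else None  # attack.t1552.005 -> T1552


def build_mappings(rules):
    """technique ID -> titles of rules mapped to it, folding sub-techniques into their parent."""
    mappings = defaultdict(list)
    for rule in rules:
        for tag in rule["tags"]:
            tid = parent_technique(tag)
            if tid:
                mappings[tid].append(rule["title"])
    return dict(mappings)


def coverage_pct(tactic, mappings, matrix):
    """Share of a tactic's techniques with at least one mapped detection."""
    techniques = matrix[tactic]
    covered = sum(1 for tid in techniques if mappings.get(tid))
    return 100.0 * covered / len(techniques)


def heatmap(mappings, matrix):
    """Per-tactic coverage and uncovered technique IDs, ordered deterministically for git diffs."""
    report = {}
    for tactic in sorted(matrix):
        gaps = sorted(tid for tid in matrix[tactic] if not mappings.get(tid))
        report[tactic] = {"coverage_pct": round(coverage_pct(tactic, mappings, matrix), 1), "gaps": gaps}
    return report


def prioritise_gaps(report, prevalence, impact):
    """Rank uncovered techniques by prevalence x impact; unknown prevalence scores zero."""
    gaps = [tid for entry in report.values() for tid in entry["gaps"]]
    scored = [(tid, prevalence.get(tid, 0.0) * impact.get(tid, 1)) for tid in gaps]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def render(report):
    """Stable JSON so the quarterly report diffs cleanly in version control."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    report = heatmap(build_mappings(RULES), MATRIX)
    print(render(report))
    for tid, score in prioritise_gaps(report, PREVALENCE, IMPACT):
        print(f"gap {tid} priority={score:.1f}")
```

Two design points carry over to a real estate. Sub-techniques are folded into their parent only for the coverage count; keep the raw tags so you can also report which cloud sub-techniques a parent's single rule actually addresses, because one GuardDuty finding on T1552.005 does not make T1552 covered. Unknown prevalence deliberately scores zero rather than a guessed default, so a gap only climbs the list once someone has put a number on it.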