Compliance coverage tells you which controls are expected. Detection coverage tells you which attacker behaviours your team can see in the logs.
Compliance coverage asks whether a control is present, configured and assessed against a standard. Detection coverage asks whether a specific attacker action would leave evidence that the SOC can query, alert on and investigate.
Those questions overlap, but they are not interchangeable. A Security Hub control that checks whether CloudTrail is enabled supports detection readiness. It does not prove that the team can detect a compromised access key being used from a new location.
Compliance data is still useful. It tells you whether the raw material for detection exists: logging is enabled, identity policies are reviewed, storage buckets are not public by default and critical services emit audit trails.
Use compliance findings as prerequisites in the coverage matrix. If a tenant fails the logging control, every technique that depends on that log should be marked as unproven, even if the Sigma rule exists on paper.
Compliance dashboards are usually asset-centred. ATT&CK coverage is behaviour-centred. Passing a control about encryption, backup or public access may reduce risk, but it does not automatically cover Initial Access, Credential Access or Defence Evasion.
The common mistake is to colour a technique as covered because a related control passes. Keep the evidence label visible. A posture control can be context; an alert or query over event data is detection evidence.
Executives need both views. Compliance coverage says whether the environment meets the promised baseline. Detection coverage says whether the SOC can see the moves an attacker is likely to make next.
DCV keeps those labels separate so a coverage report can say, plainly, which gaps need a configuration fix, which need a log source and which need a new rule. That is more useful than one large percentage that hides the work.
posture-control: improves readiness but does not alert
log-source: provides telemetry but needs rule logic
detection-rule: alerts on attacker behaviour
correlation-context: raises priority when paired with another signal
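As an added example (not code from the page or from DCV itself), the prerequisite logic above, written as a small Python coverage matrix: each technique carries evidence entries tagged with one of the four labels, and a detection-rule only counts as covered when the log source it queries is flowing and the compliance control behind that log source passes; otherwise the report names the gap as a configuration fix, a log source or a new rule. The control ids, log-source names and technique ids are constructed placeholders.

```python
from dataclasses import dataclass

# Evidence labels from the page. Only a detection-rule is detection evidence;
# posture-control is context, log-source and the control behind it are prerequisites.
DETECTION = "detection-rule"

@dataclass(frozen=True)
class Evidence:
    label: str              # posture-control | log-source | detection-rule | correlation-context
    name: str
    needs_logs: tuple = ()  # log sources a rule queries (empty for non-rules)

@dataclass
class Tenant:
    enabled_logs: set       # log sources confirmed to be flowing into the SIEM
    passing_controls: set   # compliance controls currently passing for this tenant

# Constructed mapping: the compliance control that is the prerequisite for each log source.
LOG_PREREQ = {"cloudtrail": "ctrl-cloudtrail-enabled", "vpcflow": "ctrl-flowlogs-enabled"}

def assess(evidence, tenant):
    """Return (status, gap) for one technique; gap names the work needed, or None."""
    rules = [e for e in evidence if e.label == DETECTION]
    if not rules:
        has_logs = any(e.label == "log-source" for e in evidence)
        return ("unproven", "new rule" if has_logs else "log source")
    for rule in rules:
        for log in rule.needs_logs:
            ctrl = LOG_PREREQ.get(log)
            if ctrl and ctrl not in tenant.passing_controls:
                return ("unproven", "configuration fix")  # rule exists on paper only
            if log not in tenant.enabled_logs:
                return ("unproven", "log source")
    return ("covered", None)

def coverage_report(matrix, tenant):
    return {tid: assess(ev, tenant) for tid, ev in matrix.items()}

# Constructed sample matrix (technique id -> evidence list); ids are placeholders.
MATRIX = {
    "T-credential-access": [Evidence("posture-control", "mfa-enforced"),
                            Evidence("log-source", "cloudtrail"),
                            Evidence(DETECTION, "key-used-from-new-location", ("cloudtrail",))],
    "T-defence-evasion": [Evidence("log-source", "cloudtrail"),
                          Evidence(DETECTION, "trail-stopped", ("cloudtrail",))],
    "T-discovery": [Evidence("log-source", "vpcflow")],
    "T-initial-access": [Evidence("posture-control", "s3-not-public")],
}

if __name__ == "__main__":
    tenant = Tenant({"cloudtrail", "vpcflow"}, {"ctrl-flowlogs-enabled"})
    for tid, (status, gap) in coverage_report(MATRIX, tenant).items():
        print(f"{tid}: {status}" + (f" (needs {gap})" if gap else ""))
```

In the sample tenant, CloudTrail events are flowing but the logging control fails, so both CloudTrail-based rules are reported as unproven with a configuration fix rather than counted as covered.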