MITRE ATT&CK Coverage
Defend maps every detection rule to the MITRE ATT&CK Enterprise framework, giving you a standardized view of which adversary techniques your endpoints are protected against. Current coverage stands at 73% across 12 tactics, with 88+ distinct techniques detected. Because a single ATT&CK technique can belong to more than one tactic (Valid Accounts, T1078, sits under Initial Access, Persistence, Privilege Escalation and Defense Evasion), the per-tactic counts in the table below add up to more than that distinct total.
Coverage by Tactic
| Tactic | Techniques Detected | Coverage |
|---|---|---|
| Initial Access | 9 | ██████░░ |
| Execution | 13 | ████████░ |
| Persistence | 13 | ████████░ |
| Privilege Escalation | 6 | ██████░░ |
| Defense Evasion | 16 | █████████░ |
| Credential Access | 11 | ████████░ |
| Discovery | 13 | █████░░░ 57% |
| Lateral Movement | 10 | ████████░ |
| Collection | 9 | ███████░ |
| Command and Control | 10 | ████████░ |
| Exfiltration | 10 | ████████░ |
| Impact | 10 | ██████████ 100% |
Not covered by design: Reconnaissance and Resource Development, the two remaining tactics of the 14 in ATT&CK Enterprise, are pre-compromise tactics. They take place before the adversary touches a managed endpoint (scanning, buying infrastructure, staging phishing kits), so endpoint telemetry has nothing to observe and EDR has no visibility into these phases.
ATT&CK Heatmap
The Defend console includes an interactive MITRE ATT&CK heatmap that shows:
- Green cells — Techniques with active detection rules
- Yellow cells — Techniques with partial coverage (some sub-techniques detected)
- Gray cells — Techniques not yet covered
- Red cells — Techniques detected in your environment in the last 30 days
Click any cell to see the specific detection rules mapped to that technique and recent detections.
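The coverage arithmetic behind the table and the heatmap legend, as an added worked example that is not Defend's own code: it takes a rule-to-technique mapping and a small constructed subset of the ATT&CK catalogue, computes per-tactic coverage and the distinct-technique count (showing why the two differ when a technique spans several tactics), assigns the green/yellow/gray/red cell colours, and emits an ATT&CK Navigator layer you can load to reproduce the heatmap outside the console. The catalogue, rule names and recent-detection set are all constructed; the Navigator layer field names are given as I recall them and should be checked against the Navigator's layer specification.

```python
"""Per-tactic ATT&CK coverage, heatmap colours and a Navigator layer from a rule map.

Added illustration, not Defend's code. CATALOGUE is a constructed subset of
Enterprise ATT&CK; a real run would load it from the ATT&CK STIX bundle.
"""
import json
from collections import defaultdict

# Constructed catalogue: technique ID -> (name, tactics it belongs to). A technique
# can sit under several tactics (T1078, T1053), so per-tactic counts sum to more than
# the number of distinct techniques. Sub-techniques use the "Txxxx.yyy" form.
CATALOGUE = {
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1059.001": ("PowerShell", ["execution"]),
    "T1053": ("Scheduled Task/Job", ["execution", "persistence", "privilege-escalation"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1003.001": ("LSASS Memory", ["credential-access"]),
    "T1003.002": ("Security Account Manager", ["credential-access"]),
    "T1087": ("Account Discovery", ["discovery"]),
    "T1087.001": ("Local Account", ["discovery"]),
    "T1082": ("System Information Discovery", ["discovery"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1485": ("Data Destruction", ["impact"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
    "T1490": ("Inhibit System Recovery", ["impact"]),
}

# Constructed rule set: rule name -> technique IDs the rule is mapped to.
RULES = {
    "Encoded PowerShell command line": ["T1059.001"],
    "LSASS handle opened by untrusted process": ["T1003.001"],
    "Mass file rename with new extension": ["T1486"],
    "vssadmin delete shadows": ["T1490"],
    "net user enumeration burst": ["T1087.001"],
    "Valid account logon from unseen workstation": ["T1078"],
}

# Constructed: technique IDs that fired in this environment in the last 30 days.
RECENT = {"T1059.001"}


def mapped_techniques(rules):
    """Every technique or sub-technique ID that at least one rule maps to."""
    return {t for ids in rules.values() for t in ids}


def cell_colour(tid, mapped, recent, catalogue=CATALOGUE):
    """Heatmap colour per the legend above. Red wins over green: a detection in the
    last 30 days implies a rule exists. Yellow = no rule on the technique itself but
    at least one of its sub-techniques is mapped (partial coverage)."""
    if tid in recent:
        return "red"
    if tid in mapped:
        return "green"
    if any(s in mapped for s in catalogue if s.startswith(tid + ".")):
        return "yellow"
    return "gray"


def coverage_by_tactic(catalogue=CATALOGUE, rules=RULES):
    """(detected, total, percent) per tactic, counted at technique level; a sub-technique
    rule rolls up to its parent as partial coverage and still counts as detected."""
    mapped = mapped_techniques(rules)
    total, detected = defaultdict(int), defaultdict(int)
    for tid, (_, tactics) in catalogue.items():
        if "." in tid:
            continue
        hit = cell_colour(tid, mapped, set(), catalogue) != "gray"
        for tactic in tactics:
            total[tactic] += 1
            detected[tactic] += hit
    return {t: (detected[t], total[t], round(100 * detected[t] / total[t])) for t in total}


def distinct_detected(catalogue=CATALOGUE, rules=RULES):
    """Number of distinct top-level techniques with full or partial coverage. Smaller
    than the sum of per-tactic counts whenever a covered technique spans tactics."""
    mapped = mapped_techniques(rules)
    return sum(1 for tid in catalogue if "." not in tid
               and cell_colour(tid, mapped, set(), catalogue) != "gray")


def navigator_layer(name, catalogue=CATALOGUE, rules=RULES, recent=RECENT):
    """Build an ATT&CK Navigator layer dict (field names per the Navigator layer format
    as I recall it; adjust 'versions' to your Navigator instance). Gray cells are left
    unpainted so the layer only carries covered or recently seen techniques."""
    fill = {"green": "#6bd25b", "yellow": "#ffd966", "red": "#e53935"}
    mapped = mapped_techniques(rules)
    cells = []
    for tid, (_, tactics) in catalogue.items():
        colour = cell_colour(tid, mapped, recent, catalogue)
        if colour == "gray":
            continue
        rule_names = [r for r, ids in rules.items() if tid in ids]
        for tactic in tactics:
            cells.append({"techniqueID": tid, "tactic": tactic, "color": fill[colour],
                          "comment": "; ".join(rule_names)})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5"}, "techniques": cells}


if __name__ == "__main__":
    for tactic, (hit, total, pct) in sorted(coverage_by_tactic().items()):
        print(f"{tactic:22} {hit}/{total} {pct:3d}%")
    print("distinct techniques covered:", distinct_detected())
    print(json.dumps(navigator_layer("Defend coverage (example)"), indent=1)[:300])
```

With the constructed data the per-tactic detected counts sum to 9 while only 6 distinct techniques are covered, which is the same effect that makes the table above total more than 88. Counting at technique level with sub-technique roll-up is one convention; if you count sub-techniques individually the percentages change, so state the convention next to any coverage figure you publish.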
Technique Annotations on Detections
Every detection in Defend includes the MITRE ATT&CK technique ID and name. For example:
- T1059.001 — Command and Scripting Interpreter: PowerShell — Suspicious PowerShell execution with encoded command
- T1486 — Data Encrypted for Impact — Mass file encryption detected (ransomware indicator)
- T1003.001 — OS Credential Dumping: LSASS Memory — Process accessed LSASS memory
These annotations help your analysts understand the adversary's position in the attack chain and predict likely next steps.
Key Detection Highlights
Impact (100% Coverage)
All 10 impact techniques are detected, including ransomware-style encryption (T1486, Data Encrypted for Impact), data destruction (T1485), shadow copy deletion (T1490, Inhibit System Recovery) and service stop (T1489). Impact detections are raised at critical severity and can auto-isolate the device, since by the time these techniques run the adversary is already acting on objectives and every minute of delay costs data.
Discovery (57% — Improvement Target)
Discovery techniques (enumeration of systems, users and permissions) are the hardest to distinguish from legitimate admin activity: the same whoami, net, nltest and ipconfig commands appear in everyday helpdesk sessions. Defend detects 13 discovery techniques but relies on behavioral AI to reduce false positives for common admin workflows.
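Why a single discovery command cannot be alerted on, shown with a small burst detector as an added example (not Defend's behavioral AI, which this does not attempt to reproduce): it classifies process-creation command lines into discovery (sub-)techniques, then alerts only when one parent process on one host produces several distinct discovery techniques inside a short window, with severity raised when the parent is something that should never be running recon (Office, rundll32, script hosts). The events, hostnames, usernames, suspicious-parent list and pattern table are constructed; the technique IDs are real ATT&CK IDs.

```python
"""Discovery burst detection over constructed process-creation events.

Added illustration, not Defend's detection logic. A lone 'whoami' from an admin is
noise; six different enumeration commands from one process in twelve seconds is recon.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line pattern -> ATT&CK discovery (sub-)technique. Constructed table of common
# living-off-the-land usage; first match wins, so the more specific patterns come first.
DISCOVERY_PATTERNS = [
    (r"^whoami\b", "T1033", "System Owner/User Discovery"),
    (r"^net1?\s+user\b.*\s/domain", "T1087.002", "Account Discovery: Domain Account"),
    (r"^net1?\s+user\b", "T1087.001", "Account Discovery: Local Account"),
    (r"^net1?\s+group\b", "T1069", "Permission Groups Discovery"),
    (r"^net1?\s+view\b", "T1135", "Network Share Discovery"),
    (r"^nltest\b.*/domain_trusts", "T1482", "Domain Trust Discovery"),
    (r"^nltest\b", "T1018", "Remote System Discovery"),
    (r"^ipconfig\b", "T1016", "System Network Configuration Discovery"),
    (r"^systeminfo\b", "T1082", "System Information Discovery"),
    (r"^tasklist\b", "T1057", "Process Discovery"),
    (r"^netstat\b", "T1049", "System Network Connections Discovery"),
]

# Parents that have no business spawning enumeration commands (constructed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "rundll32.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}

# Constructed process-creation events: (timestamp, host, user, parent image, command line).
EVENTS = [
    # alice on the helpdesk, typing commands by hand over twenty minutes
    ("2024-05-01T09:00:05", "WS-042", "alice", "cmd.exe", "ipconfig /all"),
    ("2024-05-01T09:08:40", "WS-042", "alice", "cmd.exe", "whoami"),
    ("2024-05-01T09:19:12", "WS-042", "alice", "cmd.exe", "net user bob /domain"),
    ("2024-05-01T09:19:30", "WS-042", "alice", "cmd.exe", "notepad.exe ticket.txt"),
    # scripted recon on WS-117 from a rundll32-hosted payload, twelve seconds end to end
    ("2024-05-01T10:15:01", "WS-117", "carol", "rundll32.exe", "whoami /all"),
    ("2024-05-01T10:15:02", "WS-117", "carol", "rundll32.exe", "ipconfig /all"),
    ("2024-05-01T10:15:04", "WS-117", "carol", "rundll32.exe", "systeminfo"),
    ("2024-05-01T10:15:06", "WS-117", "carol", "rundll32.exe", 'net group "domain admins" /domain'),
    ("2024-05-01T10:15:09", "WS-117", "carol", "rundll32.exe", "nltest /domain_trusts"),
    ("2024-05-01T10:15:13", "WS-117", "carol", "rundll32.exe", "tasklist /v"),
]


def classify(cmdline):
    """Return (technique ID, name) for a discovery command line, or None."""
    for pattern, tid, name in DISCOVERY_PATTERNS:
        if re.match(pattern, cmdline.strip(), re.IGNORECASE):
            return tid, name
    return None


def discovery_bursts(events=EVENTS, window=timedelta(seconds=120), threshold=4):
    """Alert per (host, parent) when the largest set of distinct discovery techniques seen
    inside any `window` reaches `threshold`. Counting distinct techniques rather than
    commands keeps a retried 'net user' from inflating the score."""
    groups = defaultdict(list)
    for ts, host, user, parent, cmd in events:
        hit = classify(cmd)
        if hit:
            groups[(host, parent.lower())].append((datetime.fromisoformat(ts), user, hit))

    alerts = []
    for (host, parent), rows in groups.items():
        rows.sort(key=lambda r: r[0])
        best, span, start = {}, None, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window forward
                start += 1
            seen = {tid: name for _, _, (tid, name) in rows[start:end + 1]}
            if len(seen) > len(best):
                best, span = seen, (rows[start][0], rows[end][0])
        if len(best) >= threshold:
            alerts.append({
                "host": host, "user": rows[0][1], "parent": parent,
                "techniques": sorted(best),
                "seconds": (span[1] - span[0]).total_seconds(),
                "severity": "high" if parent in SUSPICIOUS_PARENTS else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in discovery_bursts():
        print(alert)
```

Run as-is it raises one alert, for WS-117, listing six discovery techniques inside twelve seconds from a rundll32.exe parent, and nothing for alice, whose three commands are spread over twenty minutes. The window and threshold are the tuning knobs: tighten them and helpdesk scripts start to fire, loosen them and slow, patient operators slip through, which is the trade-off a behavioral model is there to make per environment.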
Lateral Movement (10 Techniques)
Detects RDP (T1021.001), PsExec and other SMB/admin-share use (T1021.002), DCOM (T1021.003), SSH (T1021.004) and WinRM (T1021.006) lateral movement. The investigation workspace includes a lateral movement graph that visualizes cross-device connections, so you can follow an intrusion outward from the first compromised host.
Requesting New Coverage
If you need detection for a specific MITRE technique not currently covered:
- Open a support ticket referencing the technique ID
- The Defend threat intelligence team evaluates feasibility based on available telemetry
- New rules are deployed to all Defend customers automatically
Next Steps
- Detection Rules — How rules work and how to create custom rules
- Threat Investigation — Investigating detections with ATT&CK context
- Cross-MSP Intelligence — How community detections improve coverage