This directory contains coverage-tracking artifacts used to measure, visualize, and prioritize detection engineering progress.
Coverage tracking helps the program understand:
- which attacker behaviors are represented in current content
- where meaningful detection gaps remain
- which tactics or techniques need additional engineering focus
- how detection engineering maturity is progressing over time
Coverage is intended to support both engineering decision-making and leadership reporting.
Used for:
- ATT&CK coverage matrices
- coverage summaries
- documented gaps
- gap closure tracking
Used for:
- CKC-aligned coverage views
- supporting summaries
- visual or matrix-based reporting where applicable
Examples of artifacts in this directory may include:
- coverage matrix CSV files
- coverage summary markdown files
- gap tracking documents
- supporting charts or exported visuals
- tactic and technique mapping support files
Coverage artifacts should help answer questions such as:
- which ATT&CK tactics have the strongest current support?
- which tactics or techniques are underrepresented?
- which gaps are blocked by telemetry rather than engineering effort?
- which areas should be prioritized in the roadmap?
- how is coverage changing over time?
Coverage tracking should follow these principles:
- Coverage tracking should support decision-making, not just exist as a count of mapped rules.
- Artifacts should be maintained in predictable folders and formats.
- Coverage should not overstate maturity or depth simply because a tactic has one starter rule.
- Coverage should connect back to roadmap priorities, telemetry reality, and program maturity.
- Artifacts should be usable in quarterly reviews, annual reviews, and executive updates.
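As an added illustration (not one of this directory's artifacts or scripts), the sketch below summarizes a coverage matrix CSV per tactic, reports a tactic with a single starter rule as "thin" rather than covered, and separates telemetry-blocked gaps from engineering gaps. The column names, the `gap_reason` values, the `thin_threshold` default, and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample matrix. Column names and gap_reason values are assumptions
# made for this example, not a schema defined by this directory.
SAMPLE_CSV = """tactic,technique_id,rule_count,gap_reason
Initial Access,T1566,3,
Initial Access,T1190,0,engineering
Execution,T1059,1,
Execution,T1204,0,telemetry
Persistence,T1053,0,telemetry
Persistence,T1547,0,engineering
Exfiltration,T1041,0,telemetry
"""


def summarize(csv_text, thin_threshold=2):
    """Summarize per-tactic coverage without overstating thin coverage."""
    tactics = defaultdict(lambda: {
        "techniques": 0, "covered": 0, "rules": 0,
        "telemetry_blocked": [], "engineering_gaps": [],
    })
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = tactics[row["tactic"]]
        rules = int(row["rule_count"])
        entry["techniques"] += 1
        entry["rules"] += rules
        if rules > 0:
            entry["covered"] += 1
        elif row["gap_reason"].strip().lower() == "telemetry":
            entry["telemetry_blocked"].append(row["technique_id"])
        else:
            entry["engineering_gaps"].append(row["technique_id"])
    for entry in tactics.values():
        if entry["rules"] == 0:
            entry["status"] = "none"
        elif entry["rules"] < thin_threshold:
            entry["status"] = "thin"  # a single starter rule is not "covered"
        else:
            entry["status"] = "covered"
    return dict(tactics)


if __name__ == "__main__":
    for tactic, e in summarize(SAMPLE_CSV).items():
        print(f"{tactic}: {e['status']}, {e['covered']}/{e['techniques']} techniques, "
              f"telemetry-blocked={e['telemetry_blocked']}, "
              f"engineering={e['engineering_gaps']}")
```
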
Coverage artifacts should be reviewed:
- periodically during content expansion
- during quarterly reporting cycles
- during annual roadmap review
- whenever significant new detections are added
- whenever major telemetry changes affect use case feasibility
The goal of this directory is to make detection coverage visible, actionable, and measurable so the program can mature deliberately rather than grow without direction.