MITRE ATT&CK Coverage

AlphaSOC provides comprehensive detection coverage across the MITRE ATT&CK Enterprise framework through managed detections and support for custom Sigma rules. The coverage map below shows the adversarial techniques detected by the AlphaSOC engine in its default state with our in-built managed detections.

Using the ATT&CK Navigator

You can download the coverage data as an ATT&CK Navigator layer file for detailed analysis and integration with your security workflows:

  1. Download the layer file using the button in the coverage map below
  2. Open the ATT&CK Navigator
  3. Click "Open Existing Layer" → "Upload from local"
  4. Select the downloaded JSON file

The Navigator layer includes color-coded coverage based on detection count, allowing you to visualize detection depth across the framework.
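The procedure above consumes a layer file that AlphaSOC generates for you. As an added example (not AlphaSOC's code and not the format of its download, which I have not inspected), the Python below builds a Navigator layer in the same spirit, with the technique score set to the number of detections so the Navigator's gradient shades by detection depth, then validates it before upload, summarizes it per tactic the way the coverage map reports "N/M Covered", and folds in custom Sigma rules by their standard `attack.tNNNN` tags so they land on the same map. The sample rows are a constructed subset copied from the coverage map on this page; the `versions` block, gradient colours and file name are assumptions you should adjust to your own Navigator build.

```python
"""Build, validate, summarize and extend an ATT&CK Navigator layer.

Added example, not AlphaSOC's own code. The layer fields used here
(techniqueID, tactic, score, enabled, comment, gradient) are the ones the
Navigator documents for its layer format; the versions block is assumed.
"""
import json
import re
from collections import defaultdict

# Constructed subset of the coverage map on this page:
# (technique ID, Navigator tactic short name, in-built managed detections).
SAMPLE_COVERAGE = [
    ("T1078", "initial-access", 79),
    ("T1133", "initial-access", 2),
    ("T1189", "initial-access", 6),
    ("T1098", "persistence", 107),
    ("T1071", "command-and-control", 45),
    ("T1048", "exfiltration", 30),
    ("T1589", "reconnaissance", 0),
]

# Assumed: set these to match the Navigator build you upload to.
LAYER_VERSIONS = {"attack": "16", "navigator": "5.1.0", "layer": "4.5"}
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
# Sigma convention: tags like attack.t1078 or attack.t1566.001 name a technique;
# attack.initial_access names a tactic and carries no technique.
SIGMA_ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def build_layer(coverage, name="Managed detection coverage", max_score=None):
    """Turn (technique, tactic, count) rows into a Navigator layer dict.

    Score = detection count, so the gradient shades techniques by how many
    detections map to them rather than by a binary covered/uncovered flag.
    """
    max_score = max_score or max((n for _, _, n in coverage), default=1) or 1
    return {
        "name": name,
        "versions": LAYER_VERSIONS,
        "domain": "enterprise-attack",
        "description": "Score = number of detections mapped to the technique",
        "techniques": [
            {"techniqueID": tid, "tactic": tactic, "score": count,
             "enabled": True, "comment": f"{count} detection(s)"}
            for tid, tactic, count in coverage
        ],
        "gradient": {"colors": ["#ffffff", "#66b1ff", "#0044aa"],
                     "minValue": 0, "maxValue": max_score},
        "legendItems": [],
    }


def validate_layer(layer):
    """Return problems that would make the Navigator reject or mis-shade the layer."""
    problems = []
    lo, hi = layer["gradient"]["minValue"], layer["gradient"]["maxValue"]
    for t in layer["techniques"]:
        if not TECHNIQUE_ID.match(t["techniqueID"]):
            problems.append(f"bad technique ID {t['techniqueID']!r}")
        if not isinstance(t["score"], int) or not lo <= t["score"] <= hi:
            problems.append(f"{t['techniqueID']}: score {t['score']} outside [{lo}, {hi}]")
    return problems


def summarize_layer(layer):
    """Per tactic: (techniques with score > 0, techniques listed), like 'N/M Covered'."""
    covered, listed = defaultdict(int), defaultdict(int)
    for t in layer["techniques"]:
        tactic = t.get("tactic", "(any)")  # no tactic: Navigator shows it under every tactic
        listed[tactic] += 1
        if t["score"] > 0:
            covered[tactic] += 1
    return {tactic: (covered[tactic], listed[tactic]) for tactic in listed}


def merge_sigma_tags(layer, tags):
    """Add one point per Sigma technique tag so custom rules appear on the same map."""
    by_id = {t["techniqueID"]: t for t in layer["techniques"]}
    for tag in tags:
        m = SIGMA_ATTACK_TAG.match(tag)
        if not m:
            continue  # tactic tags and unrelated tags are skipped
        tid = m.group(1).upper()
        if tid not in by_id:
            by_id[tid] = {"techniqueID": tid, "score": 0, "enabled": True, "comment": ""}
            layer["techniques"].append(by_id[tid])
        by_id[tid]["score"] += 1
        by_id[tid]["comment"] = f"{by_id[tid]['score']} detection(s)"
    layer["gradient"]["maxValue"] = max(layer["gradient"]["maxValue"],
                                        max(t["score"] for t in by_id.values()))
    return layer


if __name__ == "__main__":
    layer = build_layer(SAMPLE_COVERAGE)
    merge_sigma_tags(layer, ["attack.t1589", "attack.initial_access", "attack.t1566.001"])
    assert not validate_layer(layer)
    print(json.dumps(summarize_layer(layer), indent=2))
    with open("coverage-layer.json", "w") as fh:  # then "Open Existing Layer" -> "Upload from local"
        json.dump(layer, fh, indent=2)
```

Scores are kept per technique-and-tactic pair, which matters because a technique such as T1078 Valid Accounts appears under several tactics with different detection counts; a rule tagged only with a technique and no tactic is appended without a `tactic` field, which the Navigator renders under every tactic that technique belongs to.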

MITRE ATT&CK Coverage Map

AlphaSOC Detection Coverage

In-built managed detection alignment with the MITRE ATT&CK Enterprise framework.

Download ATT&CK Navigator Layer
Tactics covered: 14 of 15 (93%)
Each tactic lists five techniques. The number after a technique is the count of in-built managed detections mapped to it; a dash means the technique has no default detection. A technique that belongs to several tactics is listed under each with its own count (for example T1078 Valid Accounts).

Reconnaissance: 0/12 covered
  T1589  Gather Victim Identity Information            -
  T1590  Gather Victim Network Information             -
  T1591  Gather Victim Org Information                 -
  T1592  Gather Victim Host Information                -
  T1593  Search Open Websites/Domains                  -

Resource Development: 4/9 covered
  T1583  Acquire Infrastructure                        6
  T1584  Compromise Infrastructure                     2
  T1586  Compromise Accounts                           2
  T1608  Stage Capabilities                            1
  T1585  Establish Accounts                            -

Initial Access: 6/9 covered
  T1078  Valid Accounts                                79
  T1133  External Remote Services                      2
  T1189  Drive-by Compromise                           6
  T1190  Exploit Public-Facing Application             6
  T1199  Trusted Relationship                          3

Execution: 5/10 covered
  T1059  Command and Scripting Interpreter             10
  T1204  User Execution                                4
  T1610  Deploy Container                              6
  T1648  Serverless Execution                          1
  T1651  Cloud Administration Command                  6

Persistence: 9/12 covered
  T1078  Valid Accounts                                14
  T1098  Account Manipulation                          107
  T1133  External Remote Services                      6
  T1136  Create Account                                15
  T1505  Server Software Component                     2

Privilege Escalation: 6/9 covered
  T1037  Boot or Logon Initialization Scripts          5
  T1078  Valid Accounts                                30
  T1098  Account Manipulation                          47
  T1484  Domain or Tenant Policy Modification          18
  T1543  Create or Modify System Process               1

Stealth: 2/9 covered
  T1070  Indicator Removal                             4
  T1535  Unused/Unsupported Cloud Regions              1
  T1078  Valid Accounts                                -
  T1205  Traffic Signaling                             -
  T1211  Exploitation for Stealth                      -

Defense Impairment: 1/9 covered
  T1484  Domain or Tenant Policy Modification          2
  T1222  File and Directory Permissions Modification   -
  T1556  Modify Authentication Process                 -
  T1578  Modify Cloud Compute Infrastructure           -
  T1599  Network Boundary Bridging                     -

Credential Access: 9/14 covered
  T1040  Network Sniffing                              2
  T1110  Brute Force                                   17
  T1187  Forced Authentication                         1
  T1528  Steal Application Access Token                6
  T1539  Steal Web Session Cookie                      1

Discovery: 8/16 covered
  T1046  Network Service Discovery                     2
  T1069  Permission Groups Discovery                   4
  T1087  Account Discovery                             8
  T1526  Cloud Service Discovery                       16
  T1580  Cloud Infrastructure Discovery                31

Lateral Movement: 3/8 covered
  T1021  Remote Services                               6
  T1550  Use Alternate Authentication Material         1
  T1570  Lateral Tool Transfer                         1
  T1072  Software Deployment Tools                     -
  T1080  Taint Shared Content                          -

Collection: 3/5 covered
  T1114  Email Collection                              2
  T1213  Data from Information Repositories            6
  T1530  Data from Cloud Storage                       12
  T1119  Automated Collection                          -
  T1557  Adversary-in-the-Middle                       -

Command and Control: 13/17 covered
  T1001  Data Obfuscation                              3
  T1008  Fallback Channels                             1
  T1071  Application Layer Protocol                    45
  T1090  Proxy                                         2
  T1095  Non-Application Layer Protocol                1

Exfiltration: 4/8 covered
  T1041  Exfiltration Over C2 Channel                  2
  T1048  Exfiltration Over Alternative Protocol        30
  T1537  Transfer Data to Cloud Account                35
  T1567  Exfiltration Over Web Service                 27
  T1011  Exfiltration Over Other Network Medium        -

Impact: 8/12 covered
  T1485  Data Destruction                              50
  T1486  Data Encrypted for Impact                     3
  T1489  Service Stop                                  5
  T1490  Inhibit System Recovery                       18
  T1496  Resource Hijacking                            20