Coverage is weighted toward the techniques the adversaries targeting you actually use, and toward choke points and high-tempo tactics. Toggle the data sources you have below — the numbers move with you.
ATT&CK Tactic Coverage
Where you have eyes — and where you're blind.
Each cell is one ATT&CK tactic, from initial intrusion to impact. Color shows threat-weighted visibility into that phase. ◆ Choke marks tactics attackers can't avoid — a blind choke point is your highest-value fix. ▲ Tempo marks the fast, evasion-heavy phases. Click any cell for the techniques and the exact telemetry behind it.
Strong visibility · Partial — gaps remain · Blind spot · ◆ Choke: convergence point · ▲ Tempo: fast / evasion-heavy
Quick wins
What to turn on first.
Every source you don't yet have, ranked by how much threat-weighted coverage it would add right now. This is your roadmap — start at the top.
Every recommended source is enabled. Toggle some off below to see what you'd lose.
Your data sources
The visibility plan.
The crown-jewel telemetry for your profile, each with the specific fields that make it useful and the retention it warrants. Toggle to model your current state — coverage, the strip, and the roadmap all recalculate live.
Who's coming for you
Adversaries, in priority order.
Drawn from your sector, region, and recent activity. Attribution is directional, not certain — treat this as where to look first.
Beyond the endpoint
Other priorities.
Risks that visibility alone won't close — but that your collection strategy should account for.
Retention
How long to keep it.
The regulations that likely shape your retention. Speed of modern attacks raises the value of centralized, off-host collection — and defense-evasion log clearing means logs must leave the host before they can be wiped.