Mission Built

A skill from the Loadout

Floodlight.

Live

You can't defend what you can't see. Floodlight maps where you can.

Inputs: 3
Tactics: 12
Techniques: 70+
Source: GitHub

Builds your visibility plan.

Floodlight takes three pieces of input and produces an initial security-visibility posture — an ATT&CK Tactic Coverage map that reads, tactic by tactic, where you can see an attacker and where you are blind. It is not a CISO in a box, and it does not pretend to be. It is the first honest read for a team that knows it should be doing more and is not sure where to start.

The thesis is simple: the first step to security is visibility. You cannot detect, investigate, or respond to an attacker you have no telemetry on. So before anyone talks tools or budget, Floodlight builds the plan for what you should be able to see — and shows you, in plain language, the gap between that and what you have today.


Coverage, tactic by tactic.

The headline is one strip — the twelve ATT&CK tactics an attacker moves through, from first foothold to impact. Each cell is weighted by how often the techniques inside it actually get used, then colored by whether you can see them. Green where you can. Red where you can't. The middle state is the one most teams miss.

Covered — you can see and hunt it
Partial — a source exists, but the quality or retention isn't enough
Blind — no usable telemetry
Choke point — a move attackers can rarely avoid

Partial is the trap. A source that exists but rolls off in three days, or never captured the right field, is blind when you need it — not "almost covered." Floodlight calls that out instead of crediting it. And a cell that is both blind and a choke point is your number one move: the place an attacker can't route around, that you currently can't watch.


Three inputs. Nothing else.

Every extra question is a reason to abandon the form, so there are only three. The questions set context — what you should have. The toggles inside the report capture current state — what you actually have. Keeping those separate is what makes the gap honest.

Input 01

Company name

One field. Floodlight researches your sector, region, the adversaries that target you, and the regulations that apply — live, and cited.

Sets: Who comes for you

Input 02

Industry & region

Pre-filled from your name. One tap to correct. This anchors the threat model and the retention rules you are held to.

Sets: What you are held to

Input 03

Environment shape

Cloud-first, hybrid, or on-prem — plus two switches: run OT/ICS (adds ATT&CK for ICS) and build or deploy AI/ML (adds MITRE ATLAS).

Sets: What you should have


A plan, not a vanity score.

A quick-wins roadmap

Ranked by marginal coverage gain — the next source that buys you the most visibility per unit of effort, not an alphabetical checklist.

A threat-weighted KPI

One number that weights coverage by how often techniques are actually used. Not a single percent you can game by logging noise.

Per-source quality flags

Each log source carries its data-quality and retention read — so you know the difference between having a source and being able to use it.

Click into any cell

A tactic opens to its techniques, each mapped to the exact log source, the specific fields, and the retention you need to actually detect it.
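
The scoring idea described above, as an added example (not Floodlight's own code): a threat-weighted KPI that gives partial sources no credit, plus a quick-wins ranking by coverage gain per unit of effort. The technique IDs are real ATT&CK IDs; the weights, choke-point flags, retention needs, effort figures and source names are constructed for illustration.

```python
# Added example: weights, choke flags, retention needs, efforts and source names are constructed.
# technique -> (prevalence weight, choke point?, required log source, retention days needed)
CATALOG = {
    "T1566": (30, False, "email_gateway", 30),
    "T1059": (25, True, "process_creation", 30),
    "T1078": (25, True, "auth_logs", 90),
    "T1021": (20, False, "auth_logs", 90),
}
CURRENT = {"email_gateway": 30, "auth_logs": 3}  # source -> days retained today
EFFORT = {"email_gateway": 1, "process_creation": 2, "auth_logs": 4}  # relative effort


def state(tech, sources):
    """Covered, partial (source exists but retention too short) or blind."""
    _, _, src, need = CATALOG[tech]
    if src not in sources:
        return "blind"
    return "covered" if sources[src] >= need else "partial"


def kpi(sources, credit_partial=False):
    """Percent of prevalence weight you can see; partial earns nothing by default."""
    ok = {"covered", "partial"} if credit_partial else {"covered"}
    total = sum(w for w, *_ in CATALOG.values())
    seen = sum(CATALOG[t][0] for t in CATALOG if state(t, sources) in ok)
    return round(100 * seen / total, 1)


def blind_choke_points(sources):
    """Techniques flagged as choke points that have no telemetry at all."""
    return [t for t, (_, choke, *_) in CATALOG.items()
            if choke and state(t, sources) == "blind"]


def quick_wins(sources):
    """Rank source fixes (onboard or extend retention) by KPI gain per unit effort."""
    base, wins = kpi(sources), []
    for src, effort in EFFORT.items():
        need = max(n for _, _, s, n in CATALOG.values() if s == src)
        if sources.get(src, 0) >= need:
            continue  # source already usable, nothing to gain
        gain = kpi({**sources, src: need}) - base
        wins.append((src, gain, round(gain / effort, 2)))
    return sorted(wins, key=lambda w: w[2], reverse=True)


if __name__ == "__main__":
    print("KPI:", kpi(CURRENT), "if partial were credited:", kpi(CURRENT, credit_partial=True))
    print("blind choke points:", blind_choke_points(CURRENT))
    print("quick wins:", quick_wins(CURRENT))
```

Crediting the three-day auth log as coverage would report 75 instead of 30, which is the gap between having a source and being able to use it.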


Standing on trusted ground.

Floodlight does not invent a framework. The mapping layer — tactics, choke points, log source to field to retention — is a curated, version-stamped catalog built on published work, so it never hallucinates an event ID. The company-specific layer — your adversaries, verified breaches, the regs that apply — is researched live at runtime and cited. Sources first, always.

DeTT&CT

Rabobank CDC

Scores visibility and detection coverage, and grades the data quality behind each — because a log you keep for three days is not the same as one you can hunt across.

CTID Top ATT&CK Techniques

Center for Threat-Informed Defense

Ranks techniques by real-world prevalence and flags the choke points — the moves an attacker can rarely avoid. Floodlight weights coverage by what actually gets used.

MITRE ATT&CK v18

MITRE

The backbone tactic and technique model. Built on the October 2025 release — Detection Strategies and Log Sources, not the deprecated data-source model.

NIST CSF

NIST

Frames the work in language a board already speaks. Identify and Detect first — you cannot respond to what you never saw.


Who it's for.

Teams without a SOC

No security operations center, no clear first move. Floodlight gives you a ranked starting plan instead of a blank page.

New security leaders

Walking into a role and a stack you did not build. Get a defensible read on where the blind spots are, with the receipts.

MSPs and consultants

A fast, citable first-pass posture for a new client. Standalone and offline, so their data never leaves their hands.

Founders and operators

Regulated, growing, and unsure where the floor is. See the gaps before an auditor or an attacker does.


Download the standalone.

Floodlight runs fully self-contained — no MCP server, no account, nothing leaving your machine. Drop the folder into any AI tool's skills directory (Cowork, Claude Code, or upload it as a user skill on Claude.ai), then say "run floodlight for [company]."

Standalone by design

No MCP server, no connection, no data leaving your machine. A security posture is exactly the kind of thing you should be able to run disconnected — so you can.

Built to travel

Exports to a self-contained HTML file and to PDF. The posture goes in the board deck, the audit binder, or the team channel — no login to read it.


Open source.

Floodlight ships under MIT, like the rest of the kit. Use it commercially, adapt it for your clients, embed it in your own tooling. Source lives in github.com/missionbuilt/loadout. The framework catalog is versioned and citable, so you can see exactly what the coverage map is built on.

Visibility first. Everything else follows.