Enterprise SIEMs miss 79% of known MITRE ATT&CK techniques

Using the MITRE ATT&CK framework as a baseline, organizations are generally improving year-over-year in understanding security information and event management (SIEM) detection coverage and quality, but plenty of room for improvement remains, according to CardinalOps.


MITRE ATT&CK enhances SOC visibility

Founded in 2013, the framework’s underlying goal remains unchanged: to help defenders align their defenses and prepare to detect and prevent a wide range of tactics, techniques, and procedures (TTPs) observed in real-life attack scenarios.

Mapping SIEM detections to the MITRE ATT&CK framework gives SOC teams a structured, adversary-centric lens that enhances the identification and contextualization of attack techniques, enabling more precise detection and response.

Despite a 2% increase in coverage from 2024, enterprise SIEMs on average have detection coverage for just 21% of the adversary techniques defined in the MITRE ATT&CK framework, leaving 79% of techniques uncovered and organizations vulnerable to attack. This year’s minor increase is better than no progress at all, but organizations still have a long way to go in expanding coverage to fill the gaps.

When narrowed down to the techniques most frequently used in actual observed attacks, organizations still only have coverage for 4 of the top 10 techniques.

Broken rules are a serious risk

A significant portion of existing detection rules, 13% on average, are non-functional and will never trigger due to issues like misconfigured data sources and missing log fields. While the data represents a 5% decrease from 2024, the persistence of broken rules in SIEM environments poses a huge risk where active threats can go unnoticed.
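The two measurements above, ATT&CK coverage and the share of rules that can never fire, depend on each other: a rule whose data source is not ingested or whose referenced fields never arrive still counts as "coverage" on paper. The following is an added example, not code from the article or from CardinalOps, of a minimal health check that cross-references each rule's data source and field names against the fields actually observed in ingested events, then computes technique coverage with and without the broken rules. The rule set, data sources, observed fields and the ten-technique list standing in for the "top 10" are all constructed for illustration; the technique IDs are real ATT&CK identifiers but the rules are hypothetical.

```python
"""Added example: detection-rule health check plus ATT&CK coverage.

Assumptions (constructed for illustration, not from the report):
- Each rule declares the data source it queries, the log fields its logic
  references, and the ATT&CK technique IDs it claims to cover.
- A schema sample per data source lists which fields actually arrive in the
  SIEM. A rule is 'broken' if its source is absent or any field is missing.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    source: str        # data source / index the rule queries
    fields: set        # log fields the rule's logic references
    techniques: set    # ATT&CK technique IDs the rule claims to cover


# Constructed sample of fields seen in ingested events, keyed by data source.
# Note the "proxy" source referenced by a rule below is not ingested at all.
OBSERVED_FIELDS = {
    "windows-security": {"EventID", "SubjectUserName", "TargetUserName", "LogonType"},
    "sysmon": {"EventID", "Image", "CommandLine", "ParentImage"},
}

# Constructed rule set; names and field choices are hypothetical.
RULES = [
    Rule("Brute force logons", "windows-security", {"EventID", "TargetUserName"}, {"T1110"}),
    Rule("Encoded PowerShell", "sysmon", {"CommandLine", "Image"}, {"T1059.001", "T1027"}),
    Rule("LSASS access", "sysmon", {"TargetImage", "GrantedAccess"}, {"T1003.001"}),
    Rule("C2 over web proxy", "proxy", {"url", "user_agent"}, {"T1071.001"}),
]

# Constructed stand-in for a "top 10 techniques" list (real ATT&CK IDs).
TOP_TECHNIQUES = {
    "T1110", "T1059.001", "T1027", "T1003.001", "T1071.001",
    "T1566", "T1078", "T1053", "T1547", "T1021",
}


def check_rule(rule, observed=OBSERVED_FIELDS):
    """Return a list of reasons the rule can never fire; empty means healthy."""
    problems = []
    if rule.source not in observed:
        problems.append(f"data source '{rule.source}' is not ingested")
        return problems
    missing = sorted(rule.fields - observed[rule.source])
    if missing:
        problems.append(f"fields never seen in '{rule.source}': {missing}")
    return problems


def broken_rules(rules=RULES, observed=OBSERVED_FIELDS):
    """Map rule name -> problems for every rule that cannot trigger."""
    result = {}
    for rule in rules:
        problems = check_rule(rule, observed)
        if problems:
            result[rule.name] = problems
    return result


def coverage(rules, universe, observed=OBSERVED_FIELDS):
    """Return (claimed, effective) fractions of `universe` covered.

    `claimed` counts every rule; `effective` counts only rules that pass
    check_rule, so the gap between the two is the cost of broken rules.
    """
    claimed = set().union(*(r.techniques for r in rules))
    working = set().union(
        *(r.techniques for r in rules if not check_rule(r, observed))
    )
    return (len(claimed & universe) / len(universe),
            len(working & universe) / len(universe))


if __name__ == "__main__":
    for name, problems in broken_rules().items():
        print(f"BROKEN: {name}: {'; '.join(problems)}")
    claimed, effective = coverage(RULES, TOP_TECHNIQUES)
    print(f"claimed coverage {claimed:.0%}, effective coverage {effective:.0%}")
```

Run as a script it lists the two rules that can never trigger and shows claimed coverage of the constructed top-10 list at 50% against effective coverage of 30%. In a real deployment the observed-field table would be built from a recent sample of events per index rather than hard-coded, and the check would run on a schedule so that a log-source outage or a field rename surfaces as a broken rule rather than as silence.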

SIEMs now process an average of 259 log types and nearly 24,000 unique log sources, providing more than enough telemetry to detect over 90% of MITRE ATT&CK techniques (an increase of 3% from 2024) – but manual, error-prone detection engineering practices continue to limit actual coverage.

However, the absence of a commensurate increase in coverage scores indicates that organizations are not getting significant returns on their investments in expanding SIEM data ingestion.

Despite the scale of available data and detection infrastructure, organizations still struggle to keep pace with evolving threats due to resource constraints and a lack of automation in rule development and validation.

“Five years’ worth of data tells a stark story: organizations are sitting on a mountain of data but still lack the visibility needed to detect the threats that matter most,” said Michael Mumcuoglu, CEO at CardinalOps. “What’s clear is that the traditional approach to detection engineering is broken. Without being able to leverage AI, automation, and continuous assessment of detection health, enterprises will remain dangerously exposed – even with modern SIEM platforms and sophisticated telemetry.”