What Does MITRE ATT&CK Coverage Really Mean?

What would you think if a vendor claimed 100% ATT&CK coverage?

MITRE ATT&CK coverage is frequently used to compare security products, but coverage claims are often vague, inconsistent, and not comparable across tools or services. 

In this Ask Me Anything (AMA) session, Jon Baker, a 20-year MITRE veteran, and William Booth, former MITRE CALDERA Lead and General Manager of MITRE ATT&CK Evaluations, unpack common misconceptions around MITRE ATT&CK coverage and discuss how the framework should be used to support smarter buying and validation decisions.

How ATT&CK’s tactic, technique, and procedure model affects what can realistically be tested 
Why coverage differs across defense, offense, and threat intelligence use cases 
How depth of testing changes the meaning of a “covered” technique 
What responsible coverage exclusions look like and why they exist 
How to assess vendor coverage claims without relying on percentages 

This AMA is driven by audience questions and real ATT&CK examples, with the goal of enabling smarter buying, validation, and program decisions. Attendees may earn up to 1 CPE credit through ISC2 for attending this session.

Jon Baker, VP, Threat-Informed Defense

Jon brings over 20 years of experience leading cybersecurity innovation, with a focus on making security more efficient and effective at scale. He is the former Director and Co-Founder of MITRE’s Center for Threat-Informed Defense (CTID), where he united sophisticated security teams to advance the state of the art and the practice in threat-informed defense globally. Prior to launching the CTID, Jon led MITRE’s Cyber Threat Intelligence and Adversary Emulation Department, where he advanced those critical capabilities across MITRE and managed the CALDERA and MITRE ATT&CK® teams. Jon led teams developing open standards, including STIX and TAXII for threat intelligence sharing, and co-created OVAL while managing MITRE’s security automation program.  

William Booth, Sr. Dir., Product Management

William Booth is Senior Director of Product Management at AttackIQ, where he leads cybersecurity product strategy focused on helping organizations operationalize Continuous Threat Exposure Management (CTEM). Prior to AttackIQ, he served as General Manager of MITRE ATT&CK® Evaluations and previously led MITRE Caldera™. William has hands-on experience defining how ATT&CK coverage is measured, evaluated, and communicated across the industry.
