Detection vs Scenario Coverage¶

Auto-generated by scripts/detection_vs_scenario_coverage.py. Do not hand-edit -- regenerate with --report.

Methodology disclosure

Methodology disclosure: This report is a technique-ID overlap check, NOT a 'queries actually fire on synthetic log artifacts' check. A detection is considered to 'cover' a scenario if at least one ATT&CK technique ID appears in both the detection's surrounding context (heading, comment, rule metadata) and the scenario's narrative. Real coverage validation requires a log-data-stream simulator plus KQL/SPL/Sigma/YARA parsers; that is a separate, larger task (1.9 in the Revolutionary Plan, full form). Detections without any extractable technique ID in their context are listed as techniques_referenced: [] and counted as uncatalogued rather than fabricated -- the same applies to scenarios with no extractable techniques. Read-only analysis: nothing in docs/ is modified to make the numbers look better.

Summary¶

Metric	Value
Detections (total)	300
Detections catalogued (with technique ID)	160
Detections uncatalogued (no technique ID)	140
Scenarios (total)	108
Scenarios catalogued	108
Scenarios uncatalogued	0
Scenarios fully covered	1
Scenarios partially covered	103
Scenarios uncovered	4
Coverage % (of catalogued scenarios)	96.3%
Unique techniques across detections	187
Unique techniques across scenarios	262

Top 10 techniques with most detections¶

Detection volume per technique. High count is not always good -- it can mean genuine defence-in-depth, or it can mean the same technique is being repeated across multiple chapters. See the over-covered section below for an honest read.

Rank	Technique	Detection count
1	`T1486`	7
2	`T1105`	5
3	`T1489`	5
4	`T1490`	4
5	`T1059`	4
6	`T1053.005`	4
7	`T1021`	4
8	`T1021.002`	4
9	`T1082`	3
10	`T1219`	3

Top 20 scenarios with the largest detection gap¶

Scenarios are ranked by the count of techniques referenced in the scenario for which no detection in the corpus claims coverage. Uncatalogued scenarios (no extractable techniques) are excluded from this list because there is nothing to gap-check.

Scenario	Title	Gap count	Missing techniques (first 8)
`SC-061`	SC-061: Satellite Communication Hijacking	12	`T1005`, `T1018`, `T1020`, `T1040`, `T1046`, `T1048.003`, `T1498`, `T1498.001`, ... (+4)
`SC-018`	SC-018: Mobile Device Compromise	11	`T1078.004`, `T1407`, `T1417`, `T1430`, `T1437`, `T1444`, `T1474.001`, `T1521`, ... (+3)
`SC-068`	SC-068: Election Infrastructure Manipulation -- Voter Registration Systems	11	`T1005`, `T1036.005`, `T1070.004`, `T1078.002`, `T1491.002`, `T1498.001`, `T1505.003`, `T1530`, ... (+3)
`SC-103`	SC-103: Healthcare IoMT Data Breach -- Operation VITAL SIGNS	10	`T1018`, `T1030`, `T1040`, `T1046`, `T1048.001`, `T1053.003`, `T1074.001`, `T1078.001`, ... (+2)
`SC-013`	SC-013: AI Model Poisoning → Fraud Detection Bypass	9	`T0018`, `T0020`, `T0024`, `T0040`, `T0043`, `T1078.004`, `T1195.001`, `T1552.004`, ... (+1)
`SC-065`	SC-065: Quantum Computing -- Harvest Now, Decrypt Later	9	`T1018`, `T1040`, `T1046`, `T1074.002`, `T1114`, `T1530`, `T1552`, `T1552.004`, ... (+1)
`SC-072`	SC-072: Smart Grid and Power Infrastructure Attack	9	`T0826`, `T0831`, `T0836`, `T0855`, `T0857`, `T0882`, `T1040`, `T1078.003`, ... (+1)
`SC-022`	SC-022: Enterprise LLM Jailbreak & Data Exfiltration	8	`T0043`, `T0048.002`, `T0051`, `T0054`, `T1078.001`, `T1111`, `T1114.002`, `T1530`
`SC-023`	SC-023: RAG Poisoning & Knowledge Base Compromise	8	`T0020`, `T0043`, `T0054`, `T1070.006`, `T1136.001`, `T1213`, `T1491.001`, `T1565.001`
`SC-035`	SC-035: BGP Hijacking -- Operation Route Phantom	8	`T1040`, `T1114.002`, `T1557`, `T1557.002`, `T1565.002`, `T1584.001`, `T1590.004`, `T1590.005`
`SC-069`	SC-069: Firmware Supply Chain Compromise	8	`T1027.009`, `T1036.005`, `T1071`, `T1072`, `T1074.001`, `T1542`, `T1542.001`, `T1553.006`
`SC-071`	SC-071: Connected and Autonomous Vehicle Attack	8	`T1036.005`, `T1040`, `T1091`, `T1213`, `T1498`, `T1557`, `T1565`, `T1565.001`
`SC-106`	SC-106: Industrial Control System Attack on Water Treatment -- Operation TOXIC C	8	`T0816`, `T0831`, `T0836`, `T0846`, `T0855`, `T0878`, `T0888`, `T1046`
`SC-009`	SC-009: Cloud Account Takeover → Data Exfiltration	7	`T1070.003`, `T1090`, `T1114`, `T1114.003`, `T1530`, `T1537`, `T1552.005`
`SC-014`	SC-014: OT Ransomware Attack -- Municipal Water Treatment Plant	7	`T0829`, `T0831`, `T0836`, `T0840`, `T0855`, `T0880`, `T0886`
`SC-017`	SC-017: Insider Threat -- Data Exfiltration	7	`T1048.002`, `T1052.001`, `T1070.004`, `T1074.001`, `T1213`, `T1530`, `T1537`
`SC-055`	SC-055: Election Infrastructure Attack	7	`T1046`, `T1498`, `T1498.001`, `T1505.003`, `T1552.001`, `T1565.001`, `T1598.003`
`SC-058`	SC-058: Quantum Cryptographic Harvest	7	`T1005`, `T1040`, `T1048.001`, `T1114`, `T1530`, `T1542.004`, `T1601.001`
`SC-064`	SC-064: Cryptocurrency Bridge Exploit	7	`T1005`, `T1537`, `T1565.001`, `T1584`, `T1587.001`, `T1593`, `T1657`
`SC-066`	SC-066: UEFI Firmware Rootkit Persistence	7	`T1005`, `T1072`, `T1106`, `T1542`, `T1542.001`, `T1553.006`, `T1573.002`

Techniques with more than 5 detections (potential over-coverage)¶

These are techniques where the corpus has many detections. Often legitimate (high-priority technique with many real-world variants) but worth a periodic review for duplicates that do not add detection diversity.

Technique	Detection count
`T1486`	7

Uncatalogued items (no extractable technique IDs)¶

These items did not surface a T#### ATT&CK technique ID in their context window. They are NOT assumed to be invalid -- many are perfectly good detections / scenarios that just do not spell out the technique. They are listed here so a human can decide whether to add the missing tag.

Uncatalogued detections (140)¶

ID	Lang	Source	Line	Context hint
`DQ-001`	kql	`docs/tools/detection-query-library.md`	23	"KQL"
`DQ-002`	spl	`docs/tools/detection-query-library.md`	43	"SPL"
`DQ-003`	kql	`docs/tools/detection-query-library.md`	66	"KQL"
`DQ-004`	spl	`docs/tools/detection-query-library.md`	87	"SPL"
`DQ-005`	kql	`docs/tools/detection-query-library.md`	109	"KQL"
`DQ-006`	spl	`docs/tools/detection-query-library.md`	131	"SPL"
`DQ-007`	kql	`docs/tools/detection-query-library.md`	156	"KQL"
`DQ-008`	spl	`docs/tools/detection-query-library.md`	172	"SPL"
`DQ-009`	kql	`docs/tools/detection-query-library.md`	194	"KQL"
`DQ-010`	spl	`docs/tools/detection-query-library.md`	211	"SPL"
`DQ-011`	kql	`docs/tools/detection-query-library.md`	233	"KQL"
`DQ-012`	spl	`docs/tools/detection-query-library.md`	250	"SPL"
`DQ-013`	kql	`docs/tools/detection-query-library.md`	274	"KQL"
`DQ-014`	spl	`docs/tools/detection-query-library.md`	288	"SPL"
`DQ-015`	kql	`docs/tools/detection-query-library.md`	311	"KQL"
`DQ-016`	spl	`docs/tools/detection-query-library.md`	331	"SPL"
`DQ-017`	kql	`docs/tools/detection-query-library.md`	353	"KQL"
`DQ-018`	spl	`docs/tools/detection-query-library.md`	371	"SPL"
`DQ-019`	kql	`docs/tools/detection-query-library.md`	393	"KQL"
`DQ-020`	spl	`docs/tools/detection-query-library.md`	410	"SPL"
`DQ-021`	kql	`docs/tools/detection-query-library.md`	434	"KQL"
`DQ-022`	spl	`docs/tools/detection-query-library.md`	452	"SPL"
`DQ-023`	kql	`docs/tools/detection-query-library.md`	469	"KQL"
`DQ-024`	spl	`docs/tools/detection-query-library.md`	484	"SPL"
`DQ-025`	kql	`docs/tools/detection-query-library.md`	505	"KQL"
`DQ-026`	spl	`docs/tools/detection-query-library.md`	524	"SPL"
`DQ-027`	kql	`docs/tools/detection-query-library.md`	548	"KQL"
`DQ-028`	spl	`docs/tools/detection-query-library.md`	565	"SPL"
`DQ-029`	kql	`docs/tools/detection-query-library.md`	584	"KQL"
`DQ-030`	spl	`docs/tools/detection-query-library.md`	600	"SPL"
`DQ-031`	kql	`docs/tools/detection-query-library.md`	620	"KQL"
`DQ-032`	spl	`docs/tools/detection-query-library.md`	645	"SPL"
`DQ-033`	kql	`docs/tools/detection-query-library.md`	669	"KQL"
`DQ-034`	spl	`docs/tools/detection-query-library.md`	687	"SPL"
`DQ-035`	kql	`docs/tools/detection-query-library.md`	708	"KQL"
`DQ-036`	spl	`docs/tools/detection-query-library.md`	727	"SPL"
`DQ-037`	kql	`docs/tools/detection-query-library.md`	752	"KQL"
`DQ-038`	spl	`docs/tools/detection-query-library.md`	772	"SPL"
`DQ-039`	kql	`docs/tools/detection-query-library.md`	797	"KQL"
`DQ-040`	spl	`docs/tools/detection-query-library.md`	814	"SPL"
`DQ-041`	kql	`docs/tools/detection-query-library.md`	834	"KQL"
`DQ-042`	spl	`docs/tools/detection-query-library.md`	857	"SPL"
`DQ-043`	kql	`docs/tools/detection-query-library.md`	880	"KQL"
`DQ-044`	spl	`docs/tools/detection-query-library.md`	901	"SPL"
`DQ-045`	kql	`docs/tools/detection-query-library.md`	926	"KQL"
`DQ-046`	spl	`docs/tools/detection-query-library.md`	945	"SPL"
`DQ-047`	kql	`docs/tools/detection-query-library.md`	967	"KQL"
`DQ-048`	spl	`docs/tools/detection-query-library.md`	983	"SPL"
`DQ-049`	kql	`docs/tools/detection-query-library.md`	1004	"KQL"
`DQ-050`	spl	`docs/tools/detection-query-library.md`	1025	"SPL"

... 90 more uncatalogued detections suppressed for brevity.

Uncatalogued scenarios (0)¶

(none -- every scenario has at least one technique tag)

Methodology (repeated)¶

Methodology disclosure: This report is a technique-ID overlap check, NOT a 'queries actually fire on synthetic log artifacts' check. A detection is considered to 'cover' a scenario if at least one ATT&CK technique ID appears in both the detection's surrounding context (heading, comment, rule metadata) and the scenario's narrative. Real coverage validation requires a log-data-stream simulator plus KQL/SPL/Sigma/YARA parsers; that is a separate, larger task (1.9 in the Revolutionary Plan, full form). Detections without any extractable technique ID in their context are listed as techniques_referenced: [] and counted as uncatalogued rather than fabricated -- the same applies to scenarios with no extractable techniques. Read-only analysis: nothing in docs/ is modified to make the numbers look better.

Reproduce locally:

python scripts/detection_vs_scenario_coverage.py --report
python scripts/detection_vs_scenario_coverage.py --text
python scripts/detection_vs_scenario_coverage.py --scenario SC-009
python scripts/detection_vs_scenario_coverage.py --detection DQ-001
python scripts/detection_vs_scenario_coverage.py --export-json detection-coverage.json