Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

MITRE ATT&CK coverage gaps: what does your identity stack miss?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10158
Topic starter  

TL;DR: MITRE ATT&CK grids are useful for research, but they do not answer the questions defenders actually ask about identity risk, exposed attack paths, or which accounts an attacker would target first, according to Abnormal AI. The real issue is that coverage language often hides practical attack exposure instead of measuring it.

NHIMG editorial — based on content published by Abnormal AI: Identity security has rallied around visibility, insights, and actions

Questions worth separating out

Q: How should security teams measure identity coverage against real attacks?

A: Measure coverage by campaign survivability, not by technique counts.

Q: Why do ATT&CK-style grids fail to answer practical identity risk questions?

A: They describe technique mapping, not whether a real campaign would succeed.

Q: What do IAM and PAM teams get wrong about coverage reporting?

A: They often report visibility as if it were protection.

Practitioner guidance

  • Reframe coverage reporting around attack paths Replace technique-only summaries with statements that describe the real campaigns your environment can stop, the identities they would target, and the likely business impact if they succeed.
  • Inventory identities by attacker value List the users, support roles, finance accounts, and privileged identities most likely to be targeted first, then test coverage against those paths rather than against a generic matrix.
  • Test help-desk and reset workflows as attack entry points Validate whether phishing, social engineering, or account-recovery abuse could move from entry to control of an account with material privileges before detection or approval breaks the chain.

What's in the full article

Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:

  • How the vendor translates ATT&CK coverage into attack-path language for security teams that need decision-ready reporting.
  • Examples of the specific identity campaigns the vendor believes matter most for enterprise defenders.
  • The practical distinctions between visibility, detection coverage, and real-world attack resilience.
  • The vendor's own framing for which users and accounts attackers would target first.

👉 Read Abnormal AI's analysis of why ATT&CK coverage is not the same as identity risk →

MITRE ATT&CK coverage gaps: what does your identity stack miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Technique coverage is not identity risk coverage. A shaded ATT&CK matrix can tell a team what a control might detect, but it does not tell them whether a real-world campaign would succeed against their users, privileges, or support workflows. The practical problem is the gap between observable technique mapping and actual attack path survivability. Security teams should treat matrix coverage as research input, not as a measure of resilience.

A few things that frame the scale:

A question worth separating out:

Q: What should defenders do when a coverage matrix looks complete?

A: Ask which real campaigns still work, which identities would be hit first, and which business processes could be abused to move from entry to privilege. That check reveals whether the matrix reflects actual resilience or only detection alignment.

👉 Read our full editorial: MITRE ATT&CK coverage is not the same as attack risk



   
ReplyQuote
Share: