--- title: "ATT&CK Security Coverage | ThreatConnect" slug: "attack-security-coverage" description: "This article describes how Organization Administrators can use the ThreatConnect ATT&CK Visualizer to assign security coverage to techniques and sub-techniques for their Organization. It also describes the Security Coverage overlay for ATT&CK views." tags: ["Administrator"] updated: 2025-10-02T20:16:56Z published: 2025-10-02T20:16:56Z --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # ATT&CK Security Coverage ## Overview Organization Administrators can use the ThreatConnect® ATT&CK® Visualizer to assign security coverage to MITRE ATT&CK® [Enterprise](https://attack.mitre.org/matrices/enterprise/) [techniques and sub-techniques](https://attack.mitre.org/techniques/enterprise/) for their Organization. This information can help you evaluate the strengths and weaknesses of your security posture for specific techniques, identify gaps in security coverage, and enhance defense strategies with precision. After an Organization Administrator has assigned security coverage in the ATT&CK Visualizer, users in the Organization can use the **Security Coverage**overlay for [standard](https://knowledge.threatconnect.com/docs/standard-attack-views) and [imported](https://knowledge.threatconnect.com/docs/imported-attack-views) ATT&CK views to identify which techniques have coverage and which ones may require attention. WarningSecurity coverage assigned in the ATT&CK Visualizer applies to the entire Organization. Before making changes to security coverage, coordinate with other Organization Administrators in your Organization, as any changes you make will overwrite the existing security coverage. ## Before You Start ### User Roles - To assign security coverage for an Organization in the ATT&CK Visualizer, your user account must have an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Organization Administrator. - To use the **Security Coverage** overlay for standard and imported ATT&CK views, your user account can have any Organization role. ## Assigning Security Coverage for Your Organization Follow these steps to assign security coverage to techniques and sub-techniques in the ATT&CK Visualizer: 1. From the **Tools**dropdown on the top navigation bar, select **ATT&CK**. 2. Click **Settings ![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)**at the upper right of the **ATT&CK**screen. 3. On the **ATT&CK Settings**drawer, click **Assign Coverage**to open the security coverage assignment view in the ATT&CK Visualizer (Figure 1). ![Figure%201_ATT&CK%20Security%20Coverage_7.4.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_ATT&CK%20Security%20Coverage_7.10.0.png) 4. [Select the techniques and sub-techniques](/docs/attack-security-coverage#selecting-techniques-and-subtechniques)that you want to assign security coverage to.NoteIf the [**Selection Details**drawer](https://knowledge.threatconnect.com/docs/visualizing-attack-tactics-techniques-and-sub-techniques) is open, close it before proceeding to Step 5. 5. Click the **Selection Actions**dropdown at the upper right and select **Assign Coverage**. Then select one of the following options: - **No Coverage**: Your organization’s security defenses do not address or detect the techniques. - **Weak Coverage**: Your organization is equipped to provide only limited coverage for the techniques. - **Moderate Coverage**: Your organization has a reasonable amount of coverage for the techniques. - **Strong Coverage**: Your organization’s security defenses are well equipped to detect, mitigate, and respond effectively to the techniques. - **Clear Coverage**: Remove the assigned coverage from the techniques. 6. To assign security coverage to additional techniques and sub-techniques, click **Clear Selections**at the upper right, and then repeat Steps 4–5. 7. After all security coverage is assigned, click **Save Coverage**at the upper right. Figure 2 shows security coverage assigned to techniques and sub-techniques for the Organization named **Demo Organization**. ![Figure%202_ATT&CK%20Security%20Coverage_7.4.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_ATT&CK%20Security%20Coverage_7.10.2.png) ImportantYour Organization’s saved security coverage is factored into the [ATT&CK RQ Financial Impact](https://knowledge.threatconnect.com/docs/attack-rq-financial-impact) calculation. After you update your security coverage, there will be a brief recalculation period during which the ATT&CK RQ Financial Impact configuration and data are unavailable. It is recommended that you keep your Organization’s security coverage up to date to allow for the highest level of accuracy in the ATT&CK RQ Financial Impact calculation. ## Selecting Techniques and Sub-techniques When assigning security coverage in the ATT&CK Visualizer, you can use the following methods to select techniques and sub-techniques: - **Select items individually**: Click a technique or sub-technique to select it. When a technique or sub-technique is selected, click it again to deselect it. - **Select all visible items under a tactic**: Click a tactic to select all visible (i.e., not collapsed)**techniques and sub-techniques in the tactic’s column, including items that are scrolled off to the bottom. If a technique has sub-techniques, but the technique is not expanded when you click the tactic, none of the technique’s sub-techniques will be selected. If all visible techniques and sub-techniques in a tactic column are selected, clicking the tactic again will deselect those items. - **Select all visible items**: Select **Select All Visible**from the **Selection Actions**dropdown at the upper right to select all techniques and sub-techniques that are visible (i.e., not collapsed) on the screen, including items that are scrolled off to the side, top, or bottom. If a technique has sub-techniques, but the technique is not expanded when you select the **Select All Visible**option, none of its sub-techniques will be selected. - **Deselect all visible items**: Select **Deselect All Visible**from the **Selection Actions**dropdown at the upper right to deselect all techniques and sub-techniques that are visible on the screen, including items that are scrolled off to the side, top, or bottom. - **Deselect all items**: - Select **Deselect All**from the **Selection Actions**dropdown at the upper right to deselect all techniques and sub-techniques, regardless of whether they are visible on the screen. - Click **Clear Selections**at the upper right to deselect all techniques and sub-techniques, regardless of whether they are visible on the screen. As you select techniques and sub-techniques, the **Selection Actions** dropdown displays the current number of selected items. NoteYou can continue selecting techniques and sub-techniques while the **[](https://knowledge.threatconnect.com/docs/visualizing-attack-tactics-techniques-and-sub-techniques)** [](https://knowledge.threatconnect.com/docs/visualizing-attack-tactics-techniques-and-sub-techniques)[**Selection Details**drawer](https://knowledge.threatconnect.com/docs/visualizing-attack-tactics-techniques-and-sub-techniques) [](https://knowledge.threatconnect.com/docs/visualizing-attack-tactics-techniques-and-sub-techniques)**[](https://knowledge.threatconnect.com/docs/visualizing-attack-tactics-techniques-and-sub-techniques)** is open. Also, you can deselect techniques and sub-techniques from the [**Selections**card on the **Selection Details**drawer](https://knowledge.threatconnect.com/docs/visualizing-attack-tactics-techniques-and-sub-techniques#multiple-techniques-or-subtechniques) when multiple items are selected. ### Viewing Technique and Sub-technique Details Selecting techniques and sub-techniques in the ATT&CK Visualizer opens the [**Selection Details**drawer](https://knowledge.threatconnect.com/docs/visualizing-attack-tactics-techniques-and-sub-techniques). When only one technique or sub-technique is selected, the **Selection Details**drawer displays details about the selected item. When multiple techniques or sub-techniques are selected, the **Selection Details**drawer displays the current selections in a tabular format. To view more details about a specific technique or sub-technique, click its table row. When you select an individual technique or sub-technique, the **Selection Details**drawer opens automatically. You can also open the **Selection Details**drawer manually by clicking **View selection details![View%20selection%20details](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/View%20selection%20details.png)**at the upper right or by selecting **View Selection Details**from the **Selection Actions**dropdown at the upper right. ## Assign Coverage View Options Use the **⋯**menu at the upper right to do the following while assigning security coverage in the ATT&CK Visualizer: - Export the security coverage assignment as a JSON or PNG file.NoteUsing the ATT&CK Visualizer’s **Export as PNG…** feature in Firefox® is not recommended at this time. - Remove all assigned security coverage for your Organization.WarningRemoving all assigned security coverage for your Organization cannot be undone. ## Security Coverage Overlay in ATT&CK Views When a standard or imported ATT&CK view is open in the ATT&CK Visualizer, users in your Organization can select the **Security Coverage**overlay to display the security coverage assigned to techniques and sub-techniques in the ATT&CK view. ### Security Coverage for Standard ATT&CK Views The **Security Coverage**overlay for [standard ATT&CK views](https://knowledge.threatconnect.com/docs/standard-attack-views) displays your Organization’s security coverage for each technique and sub-technique used by the Groups added to a standard ATT&CK view (Figure 3). ![Figure 3_ATT&CK Security Coverage_7.10.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_ATT&CK%20Security%20Coverage_7.10.2.png) When using the **Security Coverage**overlay for standard ATT&CK views, the ATT&CK Visualizer displays tactics, techniques, and sub-techniques in the following ways: - Each tactic displays the number of its techniques used by the Groups out of the total number of its techniques. - Techniques and sub-techniques that have security coverage and are used by the Groups are outlined in a color corresponding to the assigned security coverage level (**None**, **Weak**, **Moderate**, and **Strong**) and display a label with the assigned security coverage level and the number of Groups using the technique or sub-technique (e.g., **◼ Weak - 2 Groups**). Expand the label to view the Groups. - Techniques and sub-techniques that do not have security coverage and are used by the Groups are outlined in light gray and display a label with the number of Groups using the technique or sub-technique (e.g., **2 Groups**). Expand the label to view the Groups. - Each technique displays the number of its sub-techniques used by the Groups out of the total number of its sub-techniques. If a technique has sub-techniques, but the Groups use only the technique, the technique will display **0 of *<#>***, where ***<#>***is the total number of the technique’s sub-techniques. ### Security Coverage for Imported ATT&CK Views The **Security Coverage**overlay for [imported ATT&CK views](https://knowledge.threatconnect.com/docs/imported-attack-views) displays your Organization’s security coverage for techniques and sub-techniques that were annotated in the MITRE ATT&CK® Navigator (Figure 4). ![Figure 4_ATT&CK Security Coverage_7.10.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_ATT&CK%20Security%20Coverage_7.10.0.png) When using the **Security Coverage**overlay for imported ATT&CK views, the ATT&CK Visualizer displays tactics, techniques, and sub-techniques in the following ways: - Each tactic displays the number of its techniques that are annotated out of the total number of its techniques. - Annotated techniques and sub-techniques with security coverage are outlined in a color corresponding to the assigned security coverage level (**None**, **Weak**, **Moderate**, and **Strong**) and display a label with the assigned security coverage level. - Annotated techniques and sub-techniques without security coverage are outlined in light gray. - Each annotated technique displays the number of its sub-techniques that are annotated out of the total number of its sub-techniques. If a technique has sub-techniques, but only the technique is annotated, the technique will display **0 of *<#>***, where ***<#>***is the total number of the technique’s sub-techniques. --- *ThreatConnect® is a registered trademark of ThreatConnect, Inc.* *MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.* *Firefox® is a registered trademark of The Mozilla Foundation.* 20151-07 v.02.A