Review One Coverage Gap
Draft
Level: Intermediate
Goal: Compare a threat layer to existing coverage.
Real-Life Scenario
A SOC lead imports current detection coverage and wants to know which high-priority actor TTPs are still not covered.
When To Use This
Use this workflow when you need a repeatable, structured analysis process and want every output item to remain traceable to the evidence that produced it.
Steps
- Load threat TTPs into Navigator.
- Import or load current coverage layer.
- Identify uncovered high-priority tactics/techniques.
- Open TTP detail panels for detection guidance.
- Create backlog items for feasible detections.
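As an added example (not part of this workflow page or of the Navigator project), the gap check described in the steps above, run over two constructed Navigator-style layer files: a technique is a gap when the threat layer scores it at or above the chosen priority and the coverage layer either omits it or scores it 0, and the threat layer's evidence comment stays attached to each gap.

```python
import json

# Constructed sample layers in ATT&CK Navigator layer JSON shape.
# Technique IDs and comments are illustrative, not from a real actor profile.
THREAT_LAYER = json.dumps({
    "name": "actor-ttps (constructed)", "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 3,
         "comment": "source: intel report A"},
        {"techniqueID": "T1547.001", "tactic": "persistence", "score": 2,
         "comment": "source: intel report A"},
        {"techniqueID": "T1021.001", "tactic": "lateral-movement", "score": 3,
         "comment": "source: incident IR-2023-07"},
        {"techniqueID": "T1566.001", "tactic": "initial-access", "score": 1,
         "comment": "source: vendor blog"},
    ],
})
COVERAGE_LAYER = json.dumps({
    "name": "soc-coverage (constructed)", "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 1,
         "comment": "rule: ps-encoded-cmd"},
        # Score 0 means "known but not deployed": still a gap.
        {"techniqueID": "T1021.001", "tactic": "lateral-movement", "score": 0,
         "comment": "rule drafted, not deployed"},
        {"techniqueID": "T1566.001", "tactic": "initial-access", "score": 1,
         "comment": "rule: mail-gw-attachment"},
    ],
})

def covered_techniques(layer_json):
    """Technique IDs with a positive score in a coverage layer."""
    layer = json.loads(layer_json)
    return {t["techniqueID"] for t in layer.get("techniques", [])
            if t.get("score", 0) > 0}

def coverage_gaps(threat_json, coverage_json, min_priority=1):
    """Threat techniques scored >= min_priority with no positive coverage,
    highest priority first, each keeping its threat-layer evidence comment."""
    threat, coverage = json.loads(threat_json), json.loads(coverage_json)
    # Comparing layers from different ATT&CK domains would be meaningless.
    if threat.get("domain") != coverage.get("domain"):
        raise ValueError("layers are for different ATT&CK domains")
    covered = covered_techniques(coverage_json)
    gaps = [{"techniqueID": t["techniqueID"], "tactic": t.get("tactic"),
             "priority": t.get("score", 0), "evidence": t.get("comment", "")}
            for t in threat.get("techniques", [])
            if t.get("score", 0) >= min_priority
            and t["techniqueID"] not in covered]
    return sorted(gaps, key=lambda g: (-g["priority"], g["techniqueID"]))
```

The returned list is the input for the backlog step; raising `min_priority` narrows it to the highest-scored actor TTPs first.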
Expected Result
A focused coverage-gap list, prioritised and with evidence attached, ready for detection engineering.
Review Notes
- Keep source labels and evidence attached to every accepted result.
- Treat actor matches, enrichment hits, and matrix overlap as analytical signals until corroborated.
- Export only reviewed findings for customer, SOC, detection engineering, or executive use.