CardinalOps

5 STATS · 1 REPORT

All Statistics

On average, enterprise SIEMs only have detection coverage for 21% of adversary techniques defined in the MITRE ATT&CK framework. This is a 2% increase in coverage from the 2024 report.

CardinalOps · 2025 State of SIEM Report · Jun 5, 2025
SIEM · MITRE ATT&CK

79% of MITRE ATT&CK Techniques used by adversaries are missed by enterprise SIEMs.

CardinalOps · 2025 State of SIEM Report · Jun 5, 2025
SIEM · MITRE ATT&CK

A significant portion of existing SIEM detection rules, 13% on average, are broken. These rules are non-functional and will never trigger. This is a 5% decrease from the 2024 report.

CardinalOps · 2025 State of SIEM Report · Jun 5, 2025
SIEM

SIEMs now process an average of 259 log types and nearly 24,000 unique log sources, providing more than enough telemetry to detect over 90% of MITRE ATT&CK techniques (an increase of three percent from 2024) – but manual, error-prone detection engineering practices continue to limit actual coverage.

CardinalOps · 2025 State of SIEM Report · Jun 5, 2025
SIEM

79% of MITRE ATT&CK Techniques used by adversaries are missed by enterprise SIEMs.

CardinalOps · 2025 State of SIEM Report · Jun 5, 2025
SIEM · MITRE ATT&CK