Detection coverage in today's blue team world
2025-10-21, Europe

This lightning talk argues that 'detection coverage' is a utopia in both corporate and governmental entities: almost no one has the tooling to produce any quantitative data on what they can and cannot detect.

Vendors and unserious CISOs/blue teams try to use the otherwise excellent MITRE ATT&CK framework to establish detection coverage, but the most that a mapping to this framework can do is point out potential blank spots, i.e. techniques with no detection mapped to them at all. A rule mapped to a technique is not evidence that the technique is actually detected.

The proof of the pudding for detection coverage is this: ask ANY blue teamer who isn't using OpenTide what their detection coverage is, and at best you will get a feeling-based, qualitative answer such as 'I think so', 'I feel that we are', or 'I believe that we are able to detect what we need to', because no one has the data to prove it. Before OpenTide, no framework existed to provide any sort of data-driven answer.

So, ultimately, NO ONE actually knows whether they can detect what they need to detect. Many try to mature this through red or purple teaming, or by buying vendor detections to supplement their coverage, but unless you can map threats at the granularity that Atomic Red Team works at (individual test procedures, not whole techniques), you never really know.

Infosec Librarian.