Numbers Don’t Equal Coverage

Security vendors often promote “100% MITRE ATT&CK coverage.” The reality is most of those claims reflect endpoint-centric testing, not the attack surfaces organizations rely on most today: Cloud, SaaS, AI, and Identity.

That gap is where attackers thrive. And that’s where Mitiga stands apart.

The Cloud Gap

MITRE’s Enterprise matrix now spans more than 200 techniques, including dedicated matrices for Cloud platforms, SaaS, Identity Providers, and Office Suites. Yet very few detection and response vendors publish clear coverage numbers for those categories.

Independent research suggests that traditional SIEMs detect only about 21% of ATT&CK techniques on average. That leaves massive blind spots when attackers target SaaS accounts, cloud control planes, AI infrastructure, or identity systems.

Some of the most damaging breaches today, including malicious OAuth grants, API exfiltration, and compromised collaboration tools, play out entirely outside the endpoint.

Mitiga’s 80%

We measure ourselves against the techniques that matter for modern operations, not just the ones that are easy to catch. So, at Mitiga, our platform currently delivers:

  • 66 Cloud/SaaS/Identity techniques covered out of the box
  • More than 80% of MITRE’s defined scope across Cloud, SaaS, and Identity

That means that when an attacker abuses a third-party integration in Salesforce, spins up shadow resources in AWS, or pivots from a compromised Okta account into GitHub, our detection framework is built to see it. Immediately.

What Leaders Should Ask

When you’re evaluating detection coverage, don’t stop at the headline percentage. Push for scope and evidence.

  • Ask for the scope. Does the number include Cloud/SaaS techniques, or is it just endpoints?
  • Look for technique-level mapping. Marketing numbers mean little without MITRE IDs.
  • Demand transparency. Vendors should publish their ATT&CK version, included matrices, and definitions of “coverage,” including whether it could include telemetry, analytics, and response.

Without that clarity, you’re comparing apples to oranges. By leading with a scoped, documented percentage, we’re giving security teams something the market rarely provides: a verifiable view of their detection posture for the attack surfaces most at risk.

The Bottom Line

Cloud and SaaS attacks don’t look like endpoint attacks, and most tools still don’t cover them well. If your coverage claims don’t explicitly address these domains, you’re not measuring what matters.

At Mitiga, we’ll keep pushing our 80% higher, and we’ll keep publishing it. Because security teams deserve to know exactly what’s visible. And what isn’t.

See how your own coverage stacks up. Request a personalized demo and map your detections against the MITRE ATT&CK cloud and SaaS techniques that matter most.

Last updated: August 21, 2025
