MITRE ATT&CK v19.0 · NIS2 · DORA · ISO 27001

Stop mapping
ATT&CK by hand.

Generate SIEM-ready detection use cases in minutes — aligned to your sector, your threat landscape, and your compliance obligations.

14 ATT&CK tactics: all enterprise tactics covered · v19.0
4 SIEM platforms: Sentinel KQL · Splunk SPL · Elastic EQL · Sigma
11 sectors covered: from Financial Services to OT / ICS / SCADA
<3 min time to use case: intake to deployable detection rule
How it works

Five steps.
One deployable use case.

Built around the workflow of a working SOC analyst — not a product manager's idea of one.

01. Define your environment
Select your sector, infrastructure stack, and crown jewels. No freeform text — structured intake that produces structured output.
02. Receive matched threat intelligence
Recent breaches and threat models matched to your sector. Real incidents — Black Basta, APT28, LockBit 3.0 — with source attribution from NCSC, ENISA, CISA.
03. Confirm your detection scope
Review and adjust before committing. Every selection is visible in a structured summary. Edit any dimension without starting over.
04. Generate detection use cases
ATT&CK-aligned, sector-enriched detection logic. Sigma rules, KQL, SPL, and EQL — ready to copy into your SIEM.
Product walkthrough (screenshot mockup of coveragehq.nl):

Step 1 of 5 — Intake: Tell us about your environment. Sector: Healthcare, Financial, Government, Energy, OT / ICS, Other. Environments: On-premises, Cloud, Windows / AD.
Step 2 of 5 — Intelligence · 4 matches: 7 relevant threats found.
  • Black Basta — Dutch Healthcare Provider (Black Basta ransomware, 2024-03, NCSC-NL)
  • LockBit 3.0 — Belgian Financial Institution (LockBit ransomware, 2024-01, ENISA)
  • APT28 — Education Credential Theft (APT28 espionage, 2024-03, NCSC-NL)
Step 3 of 5 — Confirm: Review your detection scope. Sector: Healthcare. Threats: 6 of 7 selected. Output: 2 use cases · Free.
Step 5 of 5 — Results: 2 detection use cases generated.
  • Exploitation of Public-Facing Application — Citrix / FortiGate / Pulse (T1190 · HIGH)
  • Ransomware Mass File Encryption — OT/IT Systems (T1486 · CRITICAL)
Sigma preview:
title: Perimeter Exploitation — Citrix
tags:
  - attack.t1190
  - attack.initial_access
Sample output

What a use case looks like.

Every use case ships with detection logic for four SIEM platforms, enumerated log sources, and a curated false positive register.

Exploitation of Public-Facing Application on Energy Sector Perimeter Devices (Citrix / FortiGate / Pulse)
T1190 INITIAL ACCESS HIGH
Signed PDF — Pro+
Description

Detects exploitation attempts against internet-exposed perimeter appliances commonly targeted in energy sector ransomware campaigns, including Citrix NetScaler, Fortinet FortiGate, and Ivanti Pulse Secure. Threat actors including LockBit 3.0 have leveraged CVE-2023-4966, CVE-2023-27997, and CVE-2024-21887 to gain initial access.

Log sources
  • Fortinet FortiGate
  • Citrix NetScaler / ADC
  • Ivanti Pulse Secure VPN
  • IIS / Apache Web Server
  • WAF Logs (F5, Imperva)
  • Syslog (OT/IT DMZ)
Sigma (also available as Sentinel KQL, Splunk SPL, and Elastic EQL):

title: Perimeter Device Exploitation — Citrix/FortiGate/Pulse
status: experimental
author: CoverageHQ
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2023.4966
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem|contains:
      - '/vpns/portal/scripts/'
      - '/dana-na/'
      - '/+CSCOE+/'
  condition: selection
# references: cisa.gov/known-exploited-vulnerabilities-catalog
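To show what the rule's single selection actually matches, here is an added example (not CoverageHQ's own code) that applies the cs-uri-stem|contains logic to a few constructed IIS W3C-format log lines; the field layout and the sample entries are assumptions.

```python
# Added example (not CoverageHQ code): evaluate the Sigma selection above
# (cs-uri-stem|contains) against constructed IIS W3C-format log lines.
from dataclasses import dataclass
# Values copied from the rule's selection block; Sigma string matching is
# case-insensitive, and a list under |contains is an OR across the values.
SELECTION_CONTAINS = ("/vpns/portal/scripts/", "/dana-na/", "/+CSCOE+/")
# Assumed #Fields layout for the web server log (W3C extended format).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Constructed sample log: two benign requests and three that hit the selection.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-03-12 08:01:02 203.0.113.10 GET /index.html - 200
2024-03-12 08:01:07 203.0.113.10 GET /vpns/portal/scripts/newbm.pl - 404
2024-03-12 08:02:15 198.51.100.7 GET /dana-na/auth/url_default/welcome.cgi - 200
2024-03-12 08:03:40 192.0.2.44 POST /+CSCOE+/logon.html - 302
2024-03-12 08:04:01 192.0.2.44 GET /static/app.js - 200
"""

@dataclass
class Hit:
    row_no: int      # 1-based index among parsed (non-directive) rows
    src_ip: str
    uri_stem: str
    matched: str     # which selection value fired

def parse_w3c(text: str) -> list[dict]:
    # Parse W3C lines into dicts keyed by field name; "#" directives are skipped.
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # malformed row: drop it rather than crash the pipeline
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def evaluate_selection(rows: list[dict]) -> list[Hit]:
    # The rule's condition is just "selection", so one selection hit is an alert.
    hits = []
    for n, row in enumerate(rows, start=1):
        stem = row["cs-uri-stem"].lower()   # match on the logged field as-is
        for needle in SELECTION_CONTAINS:
            if needle.lower() in stem:
                hits.append(Hit(n, row["c-ip"], row["cs-uri-stem"], needle))
                break
    return hits

def run(text: str = SAMPLE_LOG) -> list[Hit]:
    return evaluate_selection(parse_w3c(text))
```

Each Hit carries the source IP and the selection value that fired, which is the minimum a false positive register needs to record when an entry is triaged as benign.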
Frameworks & coverage

Built on the standards
your auditors expect.

MITRE ATT&CK v19.0
All 14 enterprise tactics. Technique IDs embedded in every generated rule and visible throughout the workflow.
NIS2 Directive
Annex I obligations mapped across all supported sectors. Use cases tagged to relevant NIS2 control areas.
DORA
Digital Operational Resilience Act requirements for financial sector entities, including Article 10 detection obligations.
ISO 27001 / BIO2
Detection controls cross-referenced to ISO 27001 Annex A and BIO2 baseline for Dutch government entities.
Sigma · Microsoft Sentinel KQL · Splunk SPL · Elastic EQL · QRadar AQL · NCSC-NL · ENISA · CISA · Caldera v5.1.0
Pricing

Start free.
Scale when it matters.

No feature walls on the core workflow. Upgrade when you need volume, PDF export, or Caldera validation.

Free
0
always free
  • 5 use cases per month
  • All 14 ATT&CK tactics
  • KQL · SPL · EQL · Sigma
  • PDF export with watermark
  • Caldera emulation
  • Priority support
Get started
Team
199
per month · excl. VAT
  • Unlimited use cases
  • All 14 ATT&CK tactics
  • KQL · SPL · EQL · Sigma
  • Signed PDF — no watermark
  • Caldera emulation
  • Team management
Upgrade to Team
Enterprise
MSSP & white-label
Unlimited generation · white-label branding · dedicated support · SLA available · volume pricing
Contact us

"I built this because every engagement started the same way — pulling up ATT&CK, searching for relevant techniques, manually writing detection logic for a SIEM that wasn't the same as last week's client.

CoverageHQ is the tool I needed in those sessions. Sector-aware. Threat-informed. SIEM-agnostic. Built by someone who has sat in the SOC, not someone who has read about it."