
CoverageIQ

Full-stack security platform concept that predicts likely next attacker moves from MITRE ATT&CK campaign data, then checks Sigma detection coverage for each predicted technique.

Tags: Threat Intelligence, MITRE ATT&CK, Sigma, Python, FastAPI, SOC

Overview

What it does

Every SOC has the same gap: an alert fires on a phishing technique, and you're left guessing what comes next. Your SIEM caught the entry point — but if the attacker pivots to credential dumping or lateral movement, do you have rules for that? Most teams find out the answer after the breach.

CoverageIQ answers two questions on every alert:

  1. What technique is likely coming next? (based on 600+ real MITRE ATT&CK campaigns, not guesswork)
  2. Do I actually have Sigma detection coverage for it?

Alert fires → T1566 (Phishing detected)
   ↓
Predict next moves:
   → T1055 Process Injection    72%  ⚠️  NO DETECTION RULE
   → T1078 Valid Accounts        61%  ✅  2 Sigma rules
   → T1003 Credential Dumping   44%  ⚠️  NO DETECTION RULE
   ↓
"You are blind to 2 of 3 most likely next moves"

Key features

Attack Chain Predictor — When an alert fires, the detail page shows the 3 most likely follow-on techniques with probability scores derived from historical ATT&CK campaign sequences.

Detection Coverage Heatmap — Interactive ATT&CK matrix showing every technique colored by your Sigma rule coverage. Click any cell to see which rules cover it, which actors use it, and whether Atomic Red Team tests exist.

Threat Actor Coverage Scoring — Pick any APT group and instantly see how well your current rule set would detect their full TTP profile.

PDF Threat Intel Ingestion — Upload CISA advisories or APT reports. The platform extracts ATT&CK technique IDs (T#### pattern), matches them against your Sigma library, and returns a gap report in seconds.

Alert Simulator — Built-in simulator generates realistic alerts every 30 minutes for demo and testing without needing live log sources.

Architecture

The full stack runs in Docker Compose — six services, no external paid dependencies:

  • FastAPI backend — prediction engine, coverage calculation, PDF ingestion
  • PostgreSQL — techniques, campaigns, coverage scores, alerts
  • Redis — task queue and caching
  • Celery worker + Beat — async data sync and scheduled coverage recalculation
  • Next.js frontend — ATT&CK heatmap, alert queue, actor coverage dashboard

All data sources are free: MITRE ATT&CK STIX via taxii.mitre.org, SigmaHQ rules from GitHub, Atomic Red Team from GitHub.

What I learned

Building this exposed how large the gap is between detection rule libraries and real attacker behavior. Teams have thousands of Sigma rules but no systematic way to check whether those rules cover what attackers actually do next. The prediction model built on real campaign data is a more honest signal than any heuristic playbook.

Objectives

  • Predict attacker next moves from real MITRE ATT&CK campaign sequence data
  • Map predicted techniques against live Sigma rule library to surface detection blind spots
  • Ingest CISA advisories and APT reports via PDF upload for instant coverage analysis
  • Score threat actor coverage — 'how well would you detect APT29 right now?'
  • Build a deployable full-stack security platform with realistic data flows and analyst-facing workflows

Tools Used

Python 3.11, FastAPI, PostgreSQL, Redis, Celery, Next.js 14, Docker Compose, MITRE ATT&CK STIX, SigmaHQ, Atomic Red Team

Methodology

  1. Ingested MITRE ATT&CK STIX bundle (600+ campaigns, 130+ threat actors) via taxii.mitre.org
  2. Built technique chain model from campaign sequence data to power next-move prediction
  3. Loaded and indexed 3,000+ SigmaHQ rules by ATT&CK technique tag
  4. Built PDF ingestion pipeline using regex T#### pattern extraction for CISA advisories
  5. Deployed full stack via Docker Compose: Postgres, Redis, Celery worker, Celery Beat, FastAPI, Next.js
  6. Implemented an alert simulator for demo and testing workflows
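As an added illustration of methodology steps 2 to 4 (example code, not the CoverageIQ project's own), the following Python builds the technique chain model from campaign sequences, indexes Sigma rules by their ATT&CK tag, extracts T#### IDs from advisory text, and joins the two into a next-move gap report. The campaigns and rules are constructed samples; the `attack.t1078` tag form is how SigmaHQ rules label techniques.

```python
import re
from collections import Counter, defaultdict
# Constructed sample campaigns (not the project's dataset): ordered technique IDs per campaign.
CAMPAIGNS = [
    ["T1566", "T1055", "T1003"],
    ["T1566", "T1078", "T1021"],
    ["T1566", "T1055", "T1078"],
    ["T1566", "T1003"],
]
# Constructed Sigma-style rules; SigmaHQ rules tag techniques as 'attack.t1078'.
SIGMA_RULES = [
    {"title": "Logon with valid account from new host", "tags": ["attack.t1078", "attack.persistence"]},
    {"title": "Web shell dropped", "tags": ["attack.t1505.003"]},
]
# ATT&CK technique ID with optional sub-technique suffix, e.g. T1055.001.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

def build_chain_model(campaigns):
    """Count technique -> next-technique transitions within each campaign."""
    transitions = defaultdict(Counter)
    for seq in campaigns:
        for cur, nxt in zip(seq, seq[1:]):
            transitions[cur][nxt] += 1
    return transitions

def predict_next(model, technique, top_n=3):
    """Most frequent follow-ons as [(technique, probability)]; [] if unseen."""
    counts = model.get(technique)
    if not counts:
        return []
    total = sum(counts.values())
    return [(t, c / total) for t, c in counts.most_common(top_n)]

def index_sigma_by_technique(rules):
    """Map 'T1078' -> rule titles; a sub-technique tag also covers its parent."""
    index = defaultdict(list)
    for rule in rules:
        for tag in rule["tags"]:
            if m := TECHNIQUE_RE.search(tag.upper()):
                index[m.group(0)].append(rule["title"])
                if "." in m.group(0):
                    index[m.group(0).split(".")[0]].append(rule["title"])
    return index

def extract_techniques(text):
    """T#### extraction from advisory text, de-duplicated and sorted."""
    return sorted(set(TECHNIQUE_RE.findall(text)))

def gap_report(model, index, fired):
    """Predicted next moves after a fired technique, with the rules covering each."""
    return [{"technique": t, "probability": round(p, 2), "rules": index.get(t, [])}
            for t, p in predict_next(model, fired)]
```

With the sample data, a fired T1566 yields T1055 at 0.5 with no covering rule, T1078 at 0.25 with one rule, and T1003 at 0.25 with none, which is the "blind to 2 of 3" situation described above.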

MITRE ATT&CK Mapping

| Technique | Tactic | Description |
|---|---|---|
| T1566 - Phishing | Initial Access | Example trigger technique — platform predicts T1055, T1078, T1003 as next moves |
| T1055 - Process Injection | Defense Evasion, Privilege Escalation | Predicted as 72% probable follow-on to phishing; coverage gaps surfaced |
| T1003 - OS Credential Dumping | Credential Access | Predicted as 44% probable follow-on; Sigma rule gaps flagged |
| T1078 - Valid Accounts | Defense Evasion, Persistence | Predicted as 61% probable; existing Sigma rules validated |

Key Findings

  • Alert triage gap: most SOC teams respond to the fired technique but have no coverage model for follow-on moves
  • Real MITRE ATT&CK campaign data gives statistically grounded next-move predictions, not heuristic guesses
  • PDF ingestion (CISA advisories, APT reports) enables rapid coverage analysis without manual TTP extraction
  • Sigma rule coverage across SigmaHQ rules averages 40-60% for commonly predicted follow-on techniques