ATT&CK technique mapping methodology
Mapping cyber threat intelligence sources to MITRE ATT&CK® is not a single decision; it is a methodology with edge cases. This page documents how Intel Fusion handles those edge cases so coverage numbers are defensible under scrutiny.
Claimed coverage vs. observed coverage
Vendors claim coverage. Intel Fusion treats those claims as evidence, not ground truth. When a feed claims coverage of T1059 Command and Scripting Interpreter, the claim is weighted by the actual indicator and reporting density observed against that technique over the last 90 days. A claim with thin observed support is reported as partial coverage rather than full coverage.
This protects the portfolio coverage mapping from being inflated by aspirational vendor mappings, and produces a coverage number that survives the question "show me the evidence."
Sub-technique granularity
ATT&CK sub-techniques (T1566.001, T1566.002, T1566.003, etc.) are where rationalization decisions get sharp. Intel Fusion maps to sub-technique level when source content supports it and to technique level when it does not, with a clear fidelity flag on the resulting score. Two feeds that look identical at technique level often diverge at sub-technique level — and the rationalization recommendation changes accordingly.
Partial coverage
A feed rarely fully covers a technique; usually it covers some of the variants, some of the platforms, some of the time windows. Intel Fusion does not collapse partial coverage to a binary "covered/not covered." Each (source, technique) cell carries a score in [0, 1] representing the share of the technique surface the source addresses. This makes the union calculation more honest: P = 1 − ∏(1 − cᵢ) over partial cᵢ values, not over binary flags.
Risk weighting
Not every technique matters equally to your environment. Intel Fusion supports weighting techniques by sector exposure, adversary group relevance, and incident history. The weighted coverage score is what shows up in executive reporting; the raw coverage score is preserved for audit. For specialized profiles — for example the NNSA Cyber Threat Profile — the weights are derived from the profile itself.
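An added example (not Intel Fusion code) of the union formula from the Partial coverage section, run once over partial scores and once over binary flags, followed by a risk-weighted roll-up. The feed names, scores, and weights are constructed, and the weighted mean sum(w·P)/sum(w) is an assumed aggregation that the page does not specify.

```python
from math import prod

# Constructed (source, technique) cells: share of the technique surface in [0, 1].
CELLS = {
    "T1059":     {"feed_a": 0.6, "feed_b": 0.5},
    "T1566.001": {"feed_a": 0.3, "feed_b": 0.3, "feed_c": 0.2},
    "T1566.002": {"feed_c": 0.1},
}
# Constructed risk weights per technique (hypothetical values).
WEIGHTS = {"T1059": 3.0, "T1566.001": 2.0, "T1566.002": 1.0}


def union_coverage(scores):
    """P = 1 - prod(1 - c_i); an empty list of sources yields 0.0.

    The product form treats each source's covered share as independent.
    """
    scores = list(scores)
    bad = [c for c in scores if not 0.0 <= c <= 1.0]
    if bad:
        raise ValueError(f"scores must lie in [0, 1]: {bad}")
    return 1.0 - prod(1.0 - c for c in scores)


def binary_union(scores):
    """The same formula over covered/not-covered flags, for comparison."""
    return union_coverage(1.0 if c > 0 else 0.0 for c in scores)


def portfolio(cells, weights, union=union_coverage):
    """Return (raw mean, weighted mean) of per-technique union coverage.

    Assumption: the weighted score is sum(w_t * P_t) / sum(w_t).
    """
    per_tech = {t: union(by_source.values()) for t, by_source in cells.items()}
    raw = sum(per_tech.values()) / len(per_tech)
    total_w = sum(weights[t] for t in per_tech)
    weighted = sum(weights[t] * p for t, p in per_tech.items()) / total_w
    return raw, weighted


if __name__ == "__main__":
    for tech, by_source in CELLS.items():
        print(tech, round(union_coverage(by_source.values()), 3),
              "binary:", binary_union(by_source.values()))
    print("partial raw/weighted:", portfolio(CELLS, WEIGHTS))
    print("binary  raw/weighted:", portfolio(CELLS, WEIGHTS, binary_union))
```

With these constructed inputs the binary-flag version reports every technique as fully covered, while the partial scores leave T1566.002 at 0.1.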
Matrix drift
ATT&CK is a living framework. Techniques get added, retired, restructured. Intel Fusion versions the matrix and tracks per-source mappings against the version they were established against. When the matrix updates, mappings are reviewed and either confirmed, remapped, or flagged for analyst review. Coverage scores produced before and after a matrix change are explicitly versioned so historical reporting stays comparable.
Limitations
Coverage scores reflect the source as Intel Fusion has measured it; they are not an official MITRE assessment. Source content evolves, vendor mappings change, and new adversary tradecraft can appear faster than any framework can absorb it. The methodology is designed to be transparent about these limits — the methodology documentation, source metadata, and per-cell evidence are all surfaced in the platform.