Your ATT&CK Heatmap Is Counting Rules, Not Coverage

A recent study found that many detection vendors' ATT&CK heatmaps are misleading, as they count rules rather than actual coverage. This means that a green cell on the heatmap doesn't necessarily mean reliable detection, but rather that at least one rule references the technique tag. To get accurate coverage, engineers should count the actual rules and aggregate by technique and tactic, rather than relying on the vendor's heatmap.
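The aggregation described above, as an added example that is not part of the original article or the study: it counts distinct rules per technique, per tactic, and per heatmap cell. The rule ids and data are constructed, and the Sigma-style tag format (`attack.<tactic>`, `attack.t<id>`) is an assumption about how the rules are tagged.

```python
import re
from collections import defaultdict

# Constructed sample rule metadata (not from any vendor or from the study).
# Tag format is an assumption: Sigma-style attack.<tactic> / attack.t<id>[.<sub>].
RULES = [
    {"id": "rule-001", "tags": ["attack.execution", "attack.t1059.001"]},
    {"id": "rule-002", "tags": ["attack.execution", "attack.t1059.001"]},
    {"id": "rule-003", "tags": ["attack.execution", "attack.t1059.003"]},
    {"id": "rule-004", "tags": ["attack.persistence", "attack.t1053.005"]},
    {"id": "rule-005", "tags": ["attack.persistence", "attack.execution", "attack.t1053.005"]},
    {"id": "rule-006", "tags": ["attack.credential-access", "attack.t1003.001"]},
    {"id": "rule-007", "tags": ["attack.defense-evasion", "attack.g0016"]},  # no technique tag
]

TECHNIQUE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.I)
TACTIC = re.compile(r"^attack\.([a-z]+(?:[-_][a-z]+)*)$", re.I)

def split_tags(tags):
    """Return (techniques, tactics) found in one rule's tag list."""
    techniques, tactics = set(), set()
    for tag in tags:
        if m := TECHNIQUE.match(tag):
            techniques.add(m.group(1).upper())
        elif m := TACTIC.match(tag):
            tactics.add(m.group(1).lower().replace("_", "-"))
    return techniques, tactics

def rule_counts(rules):
    """Count distinct rule ids per technique, per tactic, and per heatmap cell."""
    per_technique, per_tactic, per_cell = (defaultdict(set) for _ in range(3))
    for rule in rules:
        techniques, tactics = split_tags(rule["tags"])
        for tech in techniques:
            per_technique[tech].add(rule["id"])
        for tactic in tactics:
            per_tactic[tactic].add(rule["id"])
            for tech in techniques:
                per_cell[(tactic, tech)].add(rule["id"])
    return tuple({k: len(v) for k, v in d.items()} for d in (per_technique, per_tactic, per_cell))

if __name__ == "__main__":
    per_technique, per_tactic, per_cell = rule_counts(RULES)
    for (tactic, tech), n in sorted(per_cell.items()):
        # A binary heatmap paints every one of these cells green; n shows what is behind it.
        print(f"{tactic:18} {tech:10} green=yes rules={n}")
    print("rules per tactic:", dict(sorted(per_tactic.items())))
```

A rule tagged with a tactic but no technique (rule-007 here) raises the tactic total without filling any technique cell, so the two views need to be read together.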
