Skip to main content

Jul 7, 2026

The Three Questions Your Identity Tool Won't Answer

Identity products report coverage in MITRE technique IDs, when defenders just want to know which attacks they're actually exposed to

Identity security has rallied around the same three words for years: Visibility, Insights, and Actions. But ask a sharper question in a threat context — how much of the identity attack landscape a given product actually covers — and the visibility you were promised goes missing.

The coverage story you get instead is a MITRE ATT&CK matrix.

What Defenders Actually Ask

Three questions come up in every identity risk conversation. Which real-world identity attacks am I exposed to? Which campaigns hitting companies like mine would work against me? Which of my users would an attacker hit first? A grid of shaded technique cells answers none of them. It shows what a tool can theoretically detect. Where you stand against the attacks actually being run is a separate question, and the one that decides your risk.

Coverage Measured in Attacks

ATT&CK is a useful common language for researchers. It makes a poor unit of account for risk. T1566 won't tell a CISO whether a Scattered Spider-style help-desk reset would land in their environment, or which finance accounts sit in its path.

Start from the attack instead: what the real campaign looks like, who fits its target profile, what would shift the odds. That framing turns coverage into something everyone on the security team can evaluate — not just the analyst who can read the matrix.

Coverage should be legible. Name the real attacks your stack can withstand, and the ones it cannot, in plain language.

See the latest from Abnormal's product and engineering teams.

Protect Against Evolving Email Threats

See how behavioral AI detects attacks that legacy defenses miss.