Identity security has rallied around the same three words for years: Visibility, Insights, and Actions. But ask a sharper question in a threat context — how much of the identity attack landscape a given product actually covers — and the visibility you were promised goes missing.
The coverage story you get instead is a MITRE ATT&CK matrix.
What Defenders Actually Ask
Three questions come up in every identity risk conversation. Which real-world identity attacks am I exposed to? Which campaigns hitting companies like mine would work against me? Which of my users would an attacker hit first? A grid of shaded technique cells answers none of them. It shows what a tool can theoretically detect. Where you stand against the attacks actually being run is a separate question, and the one that decides your risk.
Coverage Measured in Attacks
ATT&CK is a useful common language for researchers. It makes a poor unit of account for risk. T1566 won't tell a CISO whether a Scattered Spider-style help-desk reset would land in their environment, or which finance accounts sit in its path.
Start from the attack instead: what the real campaign looks like, who fits its target profile, what would shift the odds. That framing turns coverage into something everyone on the security team can evaluate — not just the analyst who can read the matrix.
Coverage should be legible. Name the real attacks your stack can withstand, and the ones it cannot, in plain language.
See the latest from Abnormal's product and engineering teams.
