Now You See Me

Enterprise SIEMs cover 21% of MITRE ATT&CK techniques. Five years, no progression. 90% false positives, 62% of alerts ignored, 74% of breaches had generated alerts that were ignored. The closer you look, the less you see.
Now You See Me (Louis Leterrier, 2013)

"The closer you look, the less you see." — The more you study the matrix, the less you see the threat.


In June 2025, CardinalOps published its fifth annual report on the state of enterprise SIEMs. The sample is the largest ever measured: 2.5 million log sources, 13,000 detection rules, hundreds of production SIEMs. The headline figure: enterprise SIEMs cover 21% of MITRE ATT&CK techniques¹.

In 2023, it was 24%. In 2024, 19%. Five years of measurement, and the rate oscillates between 19% and 24% with no progression.

CardinalOps also measures that organizations ingest the data needed to cover 90% of techniques. The problem is not a lack of data. The data is there. Functional detection rules are not keeping pace. And 13% of existing rules are broken, unable to fire due to misconfigured sources or missing fields¹.

Five years, billions invested, and an average SIEM detects one-fifth of what the world's reference framework defines as the threat landscape. The rate plateaus regardless of team maturity or budget spent.

The planes that came back

In 1943, statistician Abraham Wald examined bullet impacts on bombers returning from missions over Germany. The US military wanted to reinforce the most damaged areas. Wald recommended the opposite: armor the areas without impacts. The planes riddled in those areas never made it back to show them.

MITRE ATT&CK works like the military's survey before Wald intervened. It documents the visible impacts, techniques observed, reported, catalogued by organizations that survived the attack or detected it. MITRE openly acknowledges this on its own "ATT&CK Sightings" page. Several explicitly documented biases²:

The novelty bias: new or spectacular techniques are reported; routine techniques repeated thousands of times are not. The visibility bias: an incident responder fighting a fire in progress does not see the same things as one sifting through the ashes afterward.

The producer bias: a few organizations publish far more than others, and their client base is not representative of the real world. The victim bias: certain victims are more likely to report, or to be the subject of reports.

MITRE concludes that these biases mean using the matrix as raw data to understand technique prevalence "might give deceiving answers." Their words, not mine.

Translation: the matrix maps the planes that came back. The techniques it contains are those that someone saw, because the organization survived to report them, or because a security vendor had a sensor in the right place.

Attacks never detected, state-sponsored implants dormant for years, silent supply chain compromises: by design, the matrix does not contain them.

In 2024, Malwarebytes documented five Chrome extensions that had remained dormant for seven years, with "Featured" and "Verified" status in the stores. Upon activation, 4.3 million devices compromised²⁶. During the dormant phase, no malicious behavior to observe, no technique to catalogue. The plane had not come back because it had not yet taken off.

What the data shows

The actual distribution of ATT&CK techniques confirms this survivorship bias. The Cyentia Institute analyzed technique prevalence across multiple independent sources³. Results: one-third of ATT&CK techniques have never been reported by any source. Only 23% are reported by five or more sources. For sub-techniques, 85% have never been reported by any source. 1% appears in five or more sources.

A co-occurrence study by Rahman and Williams (2022) quantifies the concentration⁴: 19 techniques out of 594 (3.2%) account for 37% of documented occurrences. T1059 (Command and Scripting Interpreter) appears in 62% of analyzed incidents. A power-law distribution: a few nodes capture nearly everything, the vast majority capture almost nothing.

Picus Labs (Red Report 2025) confirms on its own dataset of over one million samples: 93% of malicious actions use the same ten techniques⁵.

The framework creates the illusion of exhaustive coverage (216 techniques, 475 sub-techniques) but real-world activity concentrates in a tiny fraction. Most of the matrix is a historical inventory: techniques observed once, documented, rarely or never seen again. The matrix is vast. The active threat is concentrated. Defensive effort disperses while the attack concentrates.

Rarity in ATT&CK does not mean rarity in reality. It means rarity in detection and reporting. The most dangerous techniques—firmware tampering, supply chain compromise, dormant implants—are rare in the statistics because they are surgical and because few sensors sit where they operate: their rarity reflects the absence of sensors, not the absence of attacks. The most "prevalent" techniques are also the crudest.

The granularity problem

T1059, the most prevalent technique (62% support in co-occurrence studies, 26% of Picus samples), is titled "Command and Scripting Interpreter." It covers thirteen sub-techniques. Saying an attacker "uses T1059" is equivalent to saying they use a scripting language or a command line. It is almost tautological. T1055 (Process Injection), second in the ranking (31%), has the same problem: MITRE acknowledges that legitimate API usage is "common and difficult to distinguish from malicious behavior"⁶.

Compare with T1542.001: UEFI/BIOS firmware modification. Surgical, rare, operationally significant when it appears. The abstraction gap between "the attacker uses a command interpreter" and "the attacker modifies UEFI firmware" is enormous. Yet both count as one technique.

MITRE acknowledges the problem. ATT&CK's "Design and Philosophy" document describes the goal of sub-techniques: "make the abstraction level of techniques similar across the knowledge base"⁷. The implicit admission: the abstraction level was not uniform. It still is not.

The consequence is mechanical. When Picus reports that 93% of actions use the Top 10, and the Top 10 includes catch-all categories like T1059 and T1055, the figure is inflated by heterogeneous granularity. When a single node captures 62% of everything, its co-occurrence with anything else is mechanically high. Measured prevalence is an artifact of definition breadth, not an indicator of danger.

The dormant extensions mentioned earlier, once activated, use T1059 (scripts), T1071 (standard HTTPS), T1547 (boot persistence): the same catch-all categories as any legitimate administration script.

The data reveals a framework whose resolution is inversely proportional to danger: the most common behaviors (the least individually dangerous) are finely mapped, the rarest (potentially the most devastating) are absent, buried in catch-all categories, or documented once as a forensic curiosity.

From dictionary to dysfunction

In practice, ATT&CK serves four functions. The first holds. The other three collapse.

The vocabulary that works

When a SOC in Paris and a CERT in Berlin say "T1055," they mean the same thing. Before ATT&CK, a red teamer would say "keylogger" and a blue teamer would see "suspicious input capture"; today both write T1056.001. Standardization has real value. ATT&CK largely supplanted Lockheed Martin's Cyber Kill Chain, which was linear and simplistic. That is undeniable progress. But it is a dictionary, not a defense system. The problem begins when the industry treats the dictionary as if it were the system.

The heatmap mirage

Organizations overlay their SIEM/EDR rules on the matrix to identify "gaps." The result: a color-coded heatmap shown to the CISO and the board to say "we cover X% of the matrix." The actual result is the opening figure of this article: 21%, five years of plateau, 13% of rules broken. The data is there. Turning it into functional detections hits a ceiling.
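To make the gap between a heatmap's claimed coverage and the coverage a SIEM can actually deliver concrete, here is an added example in Python. It is not code from this article or from CardinalOps; the index names, rule names, field names and the toy query syntax are assumptions made for the illustration. It scores a constructed rule catalogue two ways: the way a heatmap does (a technique cell is "covered" if any rule maps to it) and the way the SIEM behaves at runtime (a rule counts only if its log source is actually ingested and every field its query reads is populated by the parser). The second number is the one the broken-rule figure earlier in the article is about.

```python
"""Claimed vs functional ATT&CK coverage for a constructed SIEM rule catalogue.

Added illustration (not the article's or CardinalOps' code). Index names, rule
names, field names and the toy query syntax are assumptions made for the example.
"""
import re

# What the SIEM really ingests: index -> fields present in the parsed events.
# The "dns" index that one rule below references is absent: configured, never fed.
INGESTED_FIELDS = {
    "windows_security": {"EventID", "SubjectUserName", "TargetUserName",
                         "LogonType", "IpAddress"},
    "sysmon": {"EventID", "Image", "CommandLine", "ParentImage", "User"},
}

# Constructed detection rules mapped to ATT&CK, as a heatmap tool would see them.
RULES = [
    {"name": "encoded_powershell", "technique": "T1059.001", "index": "sysmon",
     "query": "Image ENDSWITH 'powershell.exe' AND CommandLine CONTAINS '-enc'"},
    {"name": "remote_thread_into_lsass", "technique": "T1055", "index": "sysmon",
     "query": "EventID = 8 AND TargetImage ENDSWITH 'lsass.exe'"},
    {"name": "dns_oversized_txt", "technique": "T1071.004", "index": "dns",
     "query": "query_type = 'TXT' AND answer_len > 200"},
    {"name": "logon_type9_negotiate", "technique": "T1550.002", "index": "windows_security",
     "query": "EventID = 4624 AND LogonType = 9 AND AuthenticationPackageName = 'Negotiate'"},
    {"name": "service_installed", "technique": "T1543.003", "index": "windows_security",
     "query": "EventID = 4697"},
]

# A field reference is an identifier immediately followed by a comparison operator.
FIELD_RE = re.compile(r"\b([A-Za-z_]\w*)\s*(?:=|>|<|ENDSWITH|CONTAINS)")


def referenced_fields(query: str) -> set[str]:
    """Names the query reads, i.e. the left-hand side of every comparison."""
    return set(FIELD_RE.findall(query))


def rule_status(rule: dict, ingested: dict) -> tuple[str, set[str]]:
    """'ok', 'no_source' (index never ingested) or 'missing_fields' (query reads
    a field the parser never populates). In the last two cases the rule cannot fire."""
    fields = ingested.get(rule["index"])
    if fields is None:
        return "no_source", referenced_fields(rule["query"])
    missing = referenced_fields(rule["query"]) - fields
    return ("missing_fields", missing) if missing else ("ok", set())


def parent_technique(technique_id: str) -> str:
    """Heatmaps colour the technique cell; a sub-technique rule counts for its parent."""
    return technique_id.split(".")[0]


def coverage(rules: list, ingested: dict) -> dict:
    """Claimed coverage (any mapped rule) versus functional coverage (rules that can fire)."""
    claimed, functional, broken = set(), set(), {}
    for rule in rules:
        claimed.add(parent_technique(rule["technique"]))
        status, missing = rule_status(rule, ingested)
        if status == "ok":
            functional.add(parent_technique(rule["technique"]))
        else:
            broken[rule["name"]] = (status, sorted(missing))
    return {
        "claimed": sorted(claimed),
        "functional": sorted(functional),
        "broken": broken,
        "broken_rule_share": len(broken) / len(rules),
    }


if __name__ == "__main__":
    result = coverage(RULES, INGESTED_FIELDS)
    print(f"heatmap says     : {len(result['claimed'])} techniques {result['claimed']}")
    print(f"can actually fire: {len(result['functional'])} techniques {result['functional']}")
    for name, (why, fields) in result["broken"].items():
        print(f"  broken: {name:26s} {why} {fields}")
    print(f"broken rules: {result['broken_rule_share']:.0%}")
```

On a real SIEM, INGESTED_FIELDS should come from a query over recent events per index (which fields are actually non-null), not from the parser's documented schema; the distance between those two is where silent rules hide, and it is the check a heatmap never performs.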

When the observable does not exist

In May 2025, the MITRE Center for Threat-Informed Defense launched the "Ambiguous Techniques" project⁸. The official definition: an ambiguous technique is "an ATT&CK technique whose observable characteristics are insufficient to determine intent." Translation: techniques in their own framework whose observables cannot distinguish legitimate from malicious.

Concrete cases abound. T1016 (System Network Configuration Discovery): ipconfig or ifconfig, executed by every network administrator, every provisioning script, every reconnaissance malware. Identical observable. T1082 (System Information Discovery): systeminfo or uname -a, same problem.

T1078 (Valid Accounts): the attacker uses stolen credentials. The authentication is, by definition, identical to that of a legitimate user. The observable is a successful login. T1071 (Application Layer Protocol): the C2 uses HTTPS, DNS, or another standard application protocol. The traffic is indistinguishable from normal traffic.
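The T1016/T1082 case above, as an added example in Python that is not code from this article or from MITRE: constructed Sysmon-style process-creation records for a scheduled inventory script and for a macro-spawned shell, run through three rules. The per-event T1016 rule and a "discovery burst" rule fire on both hosts, because the discovery observable is identical on both. The only thing that separates them is process ancestry (an Office application spawning a shell), which is an observable belonging to a different technique, not to T1016; an intrusion whose shell arrives through a path that looks like administration leaves that third rule silent as well. Hostnames, users, PIDs and command lines are constructed.

```python
"""Why a T1016/T1082 observable alone cannot separate administration from intrusion.

Added illustration (not the article's or MITRE's code). Hosts, users, PIDs and
command lines are constructed Sysmon-style process-creation records.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int            # seconds, constructed clock
    host: str
    user: str
    pid: int
    parent_pid: int
    parent_image: str
    image: str
    cmdline: str


DISCOVERY_BINARIES = {"ipconfig.exe", "systeminfo.exe", "whoami.exe", "net.exe", "nltest.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}

EVENTS = [
    # Legitimate: a scheduled inventory script run by a service account.
    ProcEvent(90, "WS-ADMIN", "svc_provision", 4100, 700, "svchost.exe", "powershell.exe",
              "powershell.exe -File C:\\ops\\inventory.ps1"),
    ProcEvent(100, "WS-ADMIN", "svc_provision", 4110, 4100, "powershell.exe", "ipconfig.exe", "ipconfig /all"),
    ProcEvent(101, "WS-ADMIN", "svc_provision", 4111, 4100, "powershell.exe", "systeminfo.exe", "systeminfo"),
    ProcEvent(102, "WS-ADMIN", "svc_provision", 4112, 4100, "powershell.exe", "whoami.exe", "whoami /groups"),
    # Intrusion: a macro-laden document spawns a shell that runs the same commands.
    ProcEvent(495, "WS-HR", "alice", 7100, 900, "explorer.exe", "winword.exe", "WINWORD.EXE /n invoice.docm"),
    ProcEvent(499, "WS-HR", "alice", 7300, 7100, "winword.exe", "cmd.exe", "cmd.exe"),
    ProcEvent(500, "WS-HR", "alice", 7310, 7300, "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    ProcEvent(501, "WS-HR", "alice", 7311, 7300, "cmd.exe", "systeminfo.exe", "systeminfo"),
    ProcEvent(502, "WS-HR", "alice", 7312, 7300, "cmd.exe", "whoami.exe", "whoami /groups"),
    ProcEvent(503, "WS-HR", "alice", 7313, 7300, "cmd.exe", "net.exe", 'net group "domain admins" /domain'),
]


def single_event_rule(events):
    """Textbook T1016 rule: every ipconfig execution. Identical on both hosts."""
    return [e for e in events if e.image == "ipconfig.exe"]


def discovery_burst_rule(events, window=60, min_distinct=3):
    """One parent running >= min_distinct discovery binaries within `window` seconds.
    Returns (host, parent_pid) keys. Still fires on both: the script bursts too."""
    by_parent = defaultdict(list)
    for e in events:
        if e.image in DISCOVERY_BINARIES:
            by_parent[(e.host, e.parent_pid)].append(e)
    hits = []
    for key, evs in by_parent.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            in_window = {e.image for e in evs[i:] if e.ts - first.ts <= window}
            if len(in_window) >= min_distinct:
                hits.append(key)
                break
    return hits


def ancestry(events, host, pid):
    """Image names from `pid` upward, following parent links through the creation
    events we hold; the last hop uses parent_image when the parent predates our telemetry."""
    by_pid = {(e.host, e.pid): e for e in events}
    chain, seen = [], set()
    while (host, pid) in by_pid and pid not in seen:
        e = by_pid[(host, pid)]
        chain.append(e.image)
        seen.add(pid)
        pid = e.parent_pid
        if (host, pid) not in by_pid:
            chain.append(e.parent_image)
    return chain


def lineage_rule(events, window=60, min_distinct=3):
    """Burst plus context the T1016 observable does not carry: the shell was spawned
    by an Office application. Separates the two cases here, and only here."""
    return [(host, pid) for host, pid in discovery_burst_rule(events, window, min_distinct)
            if any(img in OFFICE_APPS for img in ancestry(events, host, pid))]


if __name__ == "__main__":
    print("single-event T1016 hits :", sorted({e.host for e in single_event_rule(EVENTS)}))
    print("discovery-burst hits    :", sorted(discovery_burst_rule(EVENTS)))
    print("burst + office ancestry :", lineage_rule(EVENTS))
```

The third rule is really keyed on the Office-spawns-shell pattern, not on discovery at all: replace the macro with a valid account logging in and opening a shell the way an administrator would, and all three rules produce the same verdict for the intruder as for the inventory script.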

Jordan Camba (SnapAttack/Cisco) sums it up: "Most techniques within Recon and Resource Development tactics are fundamentally un-detectable through internal logs and telemetry."⁹

Some malware pushes the logic further. LummaC2 analyzes mouse movements to detect a sandbox environment and, if detected, chooses inaction²⁷. Beyond the ambiguity that MITRE acknowledges in its own techniques, the observable itself disappears.

The finding extends beyond reconnaissance. 84% of high-severity breaches exploit legitimate system tools (Vectra 2024)¹⁰. PowerShell appears in 71% of Living Off The Land cases. The LOLBAS project documents over 200 Windows binaries, scripts and libraries that can be abused this way¹¹.

Volt Typhoon maintained undetected access to US critical infrastructure for at least five years, living off the land with the systems' own native tools¹². The observables themselves do not exist: the problem lies upstream from rule tuning.

The noise factory

At the end of this chain: 960 daily alerts per organization on average (AI SOC Market Landscape 2025)¹³. Up to 90% false positives in some environments (Cyber Sierra)¹⁴. 62% of alerts ignored¹⁴. 25% of analyst time wasted on false positives (Ponemon)¹⁵. 74% of breaches had generated alerts that were ignored (Verizon DBIR 2024)¹⁶.

Detection works mechanically. It generates alerts. It does not protect.

The human cost is documented. 70% of SOC analysts with five years of experience or less leave the role within three years (SANS 2025)¹⁷. 85% describe SOC work as "painful" or "very painful" (Ponemon)¹⁵. Average cost of an enterprise SOC: $5.3 million per year, up 20% year-over-year¹⁵.

Anton Chuvakin, former Gartner analyst and current lead at the Google Cloud CISO office, summarizes: alert fatigue has been documented since 2002. The industry tried the SIEM, then the EDR (which recreated the same problem), then the XDR (which recreated the SIEM), and now promises that AI will solve the problem. The same promise as UEBA in 2014¹⁸.

The Target case (2013) encapsulates twelve years of non-progress: the tools worked exactly as designed. The flood of alerts led analysts to ignore the ones that mattered¹⁹.

These dysfunctions stack, and the data documents each layer, before even considering that adversaries actively optimize for mimicry: 79% of intrusions are malware-free (CrowdStrike 2025)²⁰, and 80% of the Top 10 ATT&CK techniques are stealth-oriented (Red Report 2025)⁵. Before considering AI acceleration. The empirical data alone is sufficient to ask the following question.

The removal test

In April 2025, the DHS/CISA contract for MITRE's CVE program nearly expired²¹. Over $28 million in MITRE contracts were cancelled and 442 employees laid off²². The last-minute rescue came through incremental CISA funding, for eleven months.

ATT&CK depends on the same federal tap. Let us ask the question nobody asks: if that funding stops, what changes in the global defensive posture?

Not the vocabulary. The identifiers T1059, T1055, T1078 are embedded in every SIEM, every EDR, every threat intelligence report, every SANS training. The taxonomy is self-sustaining: it would survive MITRE the way the OSI model survives without anyone consulting the original ISO documents.

Not detection capability, which plateaus at 21%. Not the operational signal, drowned in 90% false positives. Not the analysts, who are already leaving.

What disappears: the color-coded heatmap presented to the CISO and the board to state "we cover X% of the matrix." The compliance ritual. The right to say "ATT&CK-aligned" in NIS2 audits. The updating of new techniques, the only function that requires MITRE on an ongoing basis.

The argument is reversible. If removal does not degrade the actual defensive posture, then its presence was not improving it. The CardinalOps, Verizon DBIR, SANS, and Ponemon data converge: the actual defensive posture is catastrophic with the framework, and it would be difficult to do worse without it.

The geostrategic framing is more alarming than the removal scenario. The United States is not cutting defensive tools through negligence. It is reallocating. Federal investment is pivoting toward offensive capabilities: AI applied to vulnerability discovery, DoD cyber arsenals, zero-day stockpiling documented in previous articles in this series²⁵.

The defensive tools Washington provided to the world—CVE, NVD, ATT&CK—are becoming a budget adjustment variable. Europe built its defensive grammar on a framework whose country of origin is losing interest—through reallocation of priorities toward offense.

European dependency

MITRE Corporation is an FFRDC—Federally Funded Research and Development Center. Created in 1958, a spin-off of the MIT Lincoln Laboratory (military radar research). It operates six FFRDCs for the US government, including the National Security Engineering Center for the DoD and the National Cybersecurity FFRDC since 2014²³. The $5 billion NIST contract was renewed in October 2024 through 2029²⁴.

ATT&CK is presented as a global standard, "available to any person or organization for use at no charge." But its governance, funding, development priorities, and observation biases are anchored in the American security apparatus. The April 2025 crisis demonstrated this: when Washington re-arbitrates its budgets, the entire world trembles²¹.

In February 2026, MITRE formalized this dependency by creating the ATT&CK Advisory Council, an advisory body tasked with guiding the program's long-term strategy, roadmap, and quality standards²⁸. The composition is telling: CISA, CrowdStrike, Recorded Future, Tidal Cyber, Purdue/CERIAS. The entire American security ecosystem. Neither ANSSI, nor ENISA, nor any European CERT appears among the members. The timing is not coincidental: after the 2025 budget crisis, the council formalizes a community governance structure that reduces dependency on federal funding alone. The initiative secures the institution. It does not alter the composition of power: the organizations most dependent on the framework have no seat at the table where its direction is decided.

Europe structured its cyber defense (NIS2, national CERTs, certified SOCs, ENISA requirements) on this American framework. The dependency extends beyond the vulnerability catalog (CVE/NVD, documented in previous articles in this series²⁵). It extends to the very grammar with which Europe conceives its defense.

A framework that does not detect what it claims to detect, that could disappear at the next Washington budget arbitration, and whose removal would change nothing about the operational reality.

What I don't know

I don't know whether the continuous updating of ATT&CK—the addition of new techniques and documentation of emerging groups—is indispensable or marginal. The existing taxonomy covers the majority of measured activity (93% in the Picus Top 10). The annual delta of new techniques could be absorbed by other sources: vendor reports, community threat intelligence. But I have no data on how quickly the framework would become obsolete without updates.

I also don't know whether the 21% ceiling (CardinalOps) is a measurement artifact or a constant. If five years of data show the same oscillation between 19% and 24%, the hypothesis of an intrinsic limit of the detect-and-respond model applied to ATT&CK deserves consideration. But I have no formal proof that this ceiling is insurmountable. Only five years of measurement showing no progression.

I don't know whether MITRE is aware of the gap between the framework's actual usage (compliance scorecard, vendor marketing) and its original intent (adversary tradecraft knowledge base). The "Ambiguous Techniques" project of May 2025 suggests growing lucidity⁸. The outcome remains uncertain.

I don't know whether the American budgetary reallocation toward offense directly threatens ATT&CK or only the CVE/CWE programs. The April 2025 crisis hit the CVE program. The contracts funding ATT&CK flow through different channels, but all transit through the US federal budget. The creation of the Advisory Council in February 2026 suggests MITRE takes this hypothesis seriously enough to formalize an institutional resilience mechanism²⁸. But an advisory council does not generate revenue, and the question of operational funding remains open.

The question that follows

The question this article asks is simple: if ATT&CK, the most refined expression of the detect-and-respond model, produces the documented results (21% coverage, 90% false positives, 62% of alerts ignored, 74% of breaches with alerts ignored, 70% analyst turnover), is the problem in the framework or in the model?

MITRE has an answer to this question. It is called D3FEND—Detection, Denial, and Disruption Framework Empowering Network Defense. The mirror framework: for every offensive ATT&CK technique, a defensive countermeasure. The hypothesis of perfect symmetry between attack and defense.

The next article will examine that hypothesis.


Thirteenth article in a series on the structural flaws of Western cybersecurity (articles 1-5 in French):


¹ CardinalOps, "5th Annual Report on the State of SIEM Detection Risk" (June 2025) — 2.5 million sources, 13,000 rules, 21% coverage, 13% broken rules, 90%+ potential coverage with ingested data https://cardinalops.com/wp-content/uploads/2025/06/25-CardinalOps-2025-State-of-SIEM-Report.pdf

² MITRE ATT&CK Sightings — documentation of five biases (novelty, visibility, producer, victim, availability) https://attack.mitre.org/resources/sightings/

³ Cyentia Institute, "Multi-Source Analysis of Top MITRE ATT&CK Techniques" — 1/3 of techniques never reported, 85% of sub-techniques never reported https://www.cyentia.com/multi-source-analysis-of-top-mitre-attck-techniques/

⁴ Rahman, M.R. & Williams, L.A., "Investigating co-occurrences of MITRE ATT&CK Techniques" (2022) — 19/594 techniques = 37% of occurrences, T1059 at 0.62 support https://arxiv.org/abs/2211.06495

⁵ Picus Labs, "Red Report 2025" — 1M+ malware samples, 14 million malicious actions, 93% in Top 10, T1055 at 31% https://www.picussecurity.com/resource/the-top-ten-mitre-attck-techniques

⁶ MITRE ATT&CK, T1055 documentation (Process Injection) — detection guidance https://attack.mitre.org/techniques/T1055/

⁷ MITRE ATT&CK, "Design and Philosophy" — sub-technique objectives https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf

⁸ MITRE Center for Threat-Informed Defense, "Ambiguous Techniques" (May 2025) — techniques whose observable characteristics are insufficient to determine intent https://ctid.mitre.org/projects/ambiguous-techniques/

⁹ Jordan Camba (SnapAttack/Cisco), cited in the Ambiguous Techniques project documentation https://ctid.mitre.org/projects/ambiguous-techniques/

¹⁰ Vectra AI (2024) — 84% of high-severity breaches exploit legitimate system tools https://www.vectra.ai/topics/living-off-the-land

¹¹ LOLBAS Project — Living Off The Land Binaries, Scripts and Libraries, 200+ documented Windows binaries https://lolbas-project.github.io/

¹² CISA Advisory AA24-038A — Volt Typhoon, 5+ years of undetected access to critical infrastructure via native tools https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

¹³ Software Analyst Cyber Research (SACR), "AI SOC Market Landscape 2025" — 282 organizations, 960 average daily alerts per organization https://softwareanalyst.substack.com/p/sacr-ai-soc-market-landscape-for

¹⁴ Cyber Sierra — up to 90% false positives, 62% of alerts ignored https://cybersierra.co/blog/alert-fatigue-in-soc/

¹⁵ Ponemon Institute, "Second Annual Study on the Economics of Security Operations Centers" (2021, sponsored by FireEye) — 25% of analyst time on false positives, 85% describe SOC work as "painful" or "very painful", average SOC cost $5.3M/year (+20% YoY) https://www.businesswire.com/news/home/20210112005211/en/NEW-PONEMON-RESEARCH-Growing-Security-Operation-Center-Challenges-Increasing-Complexity-and-Rising-Costs-Drive-Investments-in-XDR-and-Security-Automation

¹⁶ Verizon, "Data Breach Investigations Report 2024" — 74% of breaches had generated alerts that were ignored https://www.verizon.com/business/resources/reports/dbir.html

¹⁷ SANS Institute, "2025 SOC Survey" (Christopher Crowley, July 2025) — median tenure 3-5 years, 62% of organizations not doing enough to retain staff https://www.sans.org/white-papers/sans-2025-soc-survey

¹⁸ Chuvakin, A. (ex-Gartner, Google Cloud CISO office) — alert fatigue history since 2002, SIEM → EDR → XDR → AI cycle https://medium.com/anton-on-security/antons-alert-fatigue-the-study-0ac0e6f5621c

¹⁹ Target Corporation breach (2013) — functional FireEye alerts, ignored by the SOC https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883

²⁰ CrowdStrike, "Global Threat Report 2025" — 79% of intrusions malware-free https://www.crowdstrike.com/en-us/global-threat-report/

²¹ See article 1 in this series; Nextgov/FCW (April 2025) — DHS/CISA contract for the CVE program expired April 16, 2025, rescued by incremental CISA funding for 11 months https://www.nextgov.com/cybersecurity/2025/04/mitre-warns-cve-program-will-lose-us-government-funding/404585/

²² Virginia Business (April 2025) — over $28 million in MITRE contracts cancelled, 442 layoffs https://www.scworld.com/news/mitre-support-expires-for-pillar-of-cybersecurity-industry-cve-program

²³ MITRE Corporation — operates 6 FFRDCs for the US government, including the National Security Engineering Center (DoD) and the Homeland Security Systems Engineering and Development Institute https://www.mitre.org/our-impact/rd-centers

²⁴ NIST, National Cybersecurity FFRDC contract — $5 billion, renewed October 2024 through 2029 https://www.mitre.org/news-insights/news-release/nist-renews-five-year-contract-mitre-operate-national-cybersecurity

²⁵ See articles 1, 2, 5, 7, and 12 in this series — documentation of European dependency on American CVE/NVD/KEV infrastructure

²⁶ Malwarebytes Labs (2024) — "Sleeper extensions: five Chrome extensions dormant for seven years activated as spyware" — 4.3 million devices compromised, "Featured"/"Verified" status, extensions later expanded to Firefox https://www.malwarebytes.com/blog/news/2024/sleeper-extensions

²⁷ Outpost24 / KrakenLabs, "Analyzing LummaC2 stealer's novel Anti-Sandbox technique" (2023) — mouse movement analysis via trigonometry for sandbox detection, inaction as evasion technique; confirmed by Picus Labs, Red Report 2026 (February 2026) as major finding https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/

²⁸ MITRE, "MITRE Announces Formation of the ATT&CK Advisory Council" (February 25, 2026) — strategic advisory body comprising CISA, CrowdStrike, Recorded Future, Tidal Cyber, Purdue/CERIAS. Launched simultaneously with ATT&CK v18 (Kubernetes, CI/CD, cloud databases, 3 new ICS Asset types). No European representative among its members https://www.mitre.org/news-insights/news-release/mitre-forms-attack-advisory-council-strengthens-long-term-stewardship