Post-Incident

Coming in a later phase

Turn a resolved incident into a coverage lesson — map what happened onto ATT&CK, find what we were blind to, and close the gap. Not yet implemented.

What's coming

  • Map a resolved incident onto the sequence of ATT&CK tactics and techniques that actually occurred, in order
  • Surface which techniques were detected, which were blind, and why
  • Propose detections for the gaps the incident exposed
  • Capture the analyst's correction as a validated golden example

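What the first three items amount to, shown as an added example rather than anything this feature ships: take the ATT&CK techniques an analyst recorded for a resolved incident, compare them against the detection rules that exist and whether those rules fired, and classify each step as detected, silent (a rule covers it but produced no alert, so the problem is logging or tuning) or blind (no rule at all, so a new detection is needed). The helper names, the rule inventory and the incident timeline below are all constructed for illustration; the technique IDs, Event ID 4104 and logon type 10 are real, the rest is assumed.

```python
"""Coverage-gap analysis for a resolved incident (added example, not the product's code).

Given the ATT&CK techniques observed during an incident and the detection rules
in the environment, classify each technique as detected, silent (a rule covers
it but did not fire) or blind (no rule covers it), find the earliest blind step
in the chain, and propose a detection for every blind step. Sample data below is
constructed; only the technique IDs and Windows event references are real.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One technique seen in the incident timeline, listed in the order it occurred."""
    technique: str   # ATT&CK technique ID, e.g. "T1059.001"
    tactic: str      # ATT&CK tactic the technique served in this incident
    evidence: str    # where the analyst found it (log source or artifact)


@dataclass(frozen=True)
class Rule:
    """A detection rule and the techniques it claims to cover."""
    name: str
    techniques: frozenset[str]
    fired: bool      # did the rule alert during the incident window?


def parent_technique(tid: str) -> str:
    """'T1059.001' -> 'T1059'. A rule that covers the parent also covers its sub-techniques."""
    return tid.split(".")[0]


def covering_rules(tid: str, rules: list[Rule]) -> list[Rule]:
    """Rules that cover the technique directly or via its parent."""
    return [r for r in rules if tid in r.techniques or parent_technique(tid) in r.techniques]


def classify(observations: list[Observation], rules: list[Rule]) -> dict[str, tuple[str, str]]:
    """Map each observed technique to (status, reason); status is detected, silent or blind."""
    result: dict[str, tuple[str, str]] = {}
    for obs in observations:
        covering = covering_rules(obs.technique, rules)
        if not covering:
            result[obs.technique] = ("blind", f"no rule covers {obs.technique}; evidence was in {obs.evidence}")
        elif any(r.fired for r in covering):
            names = ", ".join(r.name for r in covering if r.fired)
            result[obs.technique] = ("detected", f"alerted by {names}")
        else:
            names = ", ".join(r.name for r in covering)
            result[obs.technique] = ("silent", f"covered by {names} but no alert; check log collection and thresholds")
    return result


def first_blind_step(observations: list[Observation], classification: dict[str, tuple[str, str]]):
    """Earliest step in the chain with no visibility at all; that is the gap to close first."""
    for obs in observations:
        if classification[obs.technique][0] == "blind":
            return obs
    return None


def propose_detections(observations: list[Observation], classification: dict[str, tuple[str, str]]) -> list[dict]:
    """One proposal per blind technique, tied to the evidence source that revealed it after the fact."""
    return [
        {"technique": obs.technique, "tactic": obs.tactic,
         "proposal": f"write a rule over {obs.evidence} for {obs.technique}"}
        for obs in observations
        if classification[obs.technique][0] == "blind"
    ]


# Constructed incident timeline (phish -> PowerShell -> LSASS dump -> RDP -> encryption).
INCIDENT = [
    Observation("T1566.001", "Initial Access", "mail gateway logs"),
    Observation("T1059.001", "Execution", "PowerShell script block logs (Event ID 4104)"),
    Observation("T1003.001", "Credential Access", "Sysmon process access events for lsass.exe"),
    Observation("T1021.001", "Lateral Movement", "Windows logon events with logon type 10"),
    Observation("T1486", "Impact", "file server audit logs"),
]

# Constructed rule inventory: one rule covers the parent T1003 but never fired.
RULES = [
    Rule("suspicious_powershell_encoded", frozenset({"T1059.001"}), fired=True),
    Rule("lsass_handle_access", frozenset({"T1003"}), fired=False),
    Rule("ransomware_mass_rename", frozenset({"T1486"}), fired=True),
]


if __name__ == "__main__":
    verdicts = classify(INCIDENT, RULES)
    for obs in INCIDENT:
        status, reason = verdicts[obs.technique]
        print(f"{obs.technique:<10} {obs.tactic:<18} {status:<9} {reason}")
    gap = first_blind_step(INCIDENT, verdicts)
    print("first blind step:", gap.technique if gap else "none")
    for p in propose_detections(INCIDENT, verdicts):
        print("proposal:", p["proposal"])
```

The three-way split is the point: a silent technique is a tuning or log-collection task against an existing rule, while a blind technique needs a new detection, and the earliest blind step in the chain is the one whose closure would have shortened the incident most.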
In the meantime, you can: