Map your Sigma detection rules onto the MITRE ATT&CK matrix and find coverage gaps.
Project description
attack-mapper ๐ฏ
Map your Sigma detection rules onto the MITRE ATT&CK matrix and find your coverage gaps โ fast, offline, and CI-friendly.
Part of a detection-engineering toolkit that pairs perfectly with a Detection-as-Code pipeline (Sigma โ CI โ SIEM). It answers the question every blue team eventually asks: "Which ATT&CK techniques do my rules actually cover, and where are the blind spots?"
Features
- ๐ Extracts ATT&CK technique IDs from Sigma rules via:
- canonical
attack.<id>tags, - raw
T1059tags, attack.mitre.org/techniques/...URLs inreferences:.
- canonical
- ๐ Per-tactic coverage bars + overall coverage ratio in the terminal.
- ๐จ Four HTML styles to show off your coverage:
matrix(default) โ tactic cards with technique chips,rowsโ compact tactic progress bars,heatโ dense heatmap of every technique,reportโ print-ready dossier with canonical vertical ATT&CK columns and sub-techniques nested under their parents (PDF it for audits/portfolio).
- ๐ข Covered techniques (incl. parent techniques of covered sub-techniques) render green; gaps render red; explicitly ignored ones render grey.
- ๐ Scope filters โ
--includeand--ignorenarrow the analysis to the techniques/tactics you care about (or exclude the ones you don't). The active scope is shown in the report so readers know what was filtered. - ๐
Portfolio badge (
--badge) โ a shields.io-style SVG coverage badge. - ๐งพ JSON summary (
--json) โ machine-readable output for dashboards/CI. - ๐งญ ATT&CK Navigator export โ every HTML report embeds an "Export layer" button that downloads a ready-to-import Navigator layer.
- ๐งฑ Uses the real MITRE ATT&CK enterprise dataset (v19 structure: Stealth + Defense Impairment). Revoked/deprecated techniques are filtered out so the coverage denominator matches the official matrix (15 tactics, 222 techniques, 475 sub-techniques). Shipped as a compact JSON, no network needed at runtime.
- โ
Pure Python stdlib +
pyyaml; tiny dependency footprint. - ๐ค Non-zero exit when nothing maps โ use it as a CI gate in your detection repo.
Screenshots
report (print-ready dossier) |
matrix (cards) |
|---|---|
Install
pip install attack-mapper
For development:
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest
Usage
# Map a folder of Sigma rules, print the terminal report, emit HTML (matrix)
attack-mapper rules/ --html sample/coverage_matrix.html
# Try the other HTML styles
attack-mapper rules/ --html sample/coverage_rows.html --style rows
attack-mapper rules/ --html sample/coverage_heat.html --style heat
attack-mapper rules/ --html sample/coverage_report.html --style report
# Scope the analysis: only Execution + T1053, ignore Reconnaissance
attack-mapper rules/ --include T1059 TA0002 --ignore Reconnaissance
# Portfolio artifacts: badge + JSON
attack-mapper rules/ --badge sample/coverage_badge.svg --json sample/coverage.json
Run against the bundled sample rules:
attack-mapper rules/ --html sample/coverage_matrix.html --badge sample/coverage_badge.svg
Why not sigma2attack or DeTT&CT?
Both are excellent and you should know they exist. sigma2attack (from the Sigma tooling) converts Sigma rules into an ATT&CK Navigator heatmap layer โ if all you need is a layer file, it does the job. DeTT&CT is the heavyweight: it scores data-source visibility as well as detection coverage, and is the right tool for a mature SOC doing formal capability assessments.
attack-mapper sits in between, optimized for Detection-as-Code pipelines: it runs offline with a bundled dataset, produces self-contained HTML reports you can email or print (plus the Navigator layer, a badge, and JSON), gates CI with its exit code, and supports scope filters for counting only the techniques relevant to your environment. It is also ATT&CK v19-native (Stealth + Defense Impairment) with a scheduled workflow that flags future MITRE updates automatically.
How it works
Sigma rules โโโถ sigma_parser โโโถ technique IDs
โ
ATT&CK DB โโโถ attack_loader โ
โผ
coverage.build_report (with --include/--ignore) โโโถ CoverageReport
โ
renderers (terminal / HTML matrix|rows|heat)
plugins (badge SVG / JSON)
Scope filters
--include and --ignore accept technique IDs (e.g. T1059), sub-technique
prefixes (e.g. T1059 also covers T1059.001), tactic shortnames
(e.g. execution) or tactic IDs (e.g. TA0002). A covered technique is always
recorded as covered even if it falls outside an --include scope, but only
in-scope covered techniques count toward the coverage ratio (both numerator
and denominator are scoped).
Updating the ATT&CK dataset
The shipped attack_mapper/data/attack_db.json is a snapshot (regenerated
automatically by a monthly GitHub Action that fails when MITRE ships an update). To regenerate from the latest
official STIX bundle:
curl -L -o enterprise-attack.json \
https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
ATTACK_MAPPER_STIX=enterprise-attack.json python -m attack_mapper.build_db
You can also run directly off the STIX bundle at runtime by setting
ATTACK_MAPPER_STIX.
Project layout
attack-mapper/
โโโ attack_mapper/
โ โโโ cli.py # argparse entry point
โ โโโ sigma_parser.py # Sigma โ ATT&CK technique IDs
โ โโโ attack_loader.py # ATT&CK DB (compact JSON / STIX)
โ โโโ coverage.py # coverage + gaps + scope filters
โ โโโ renderers.py # terminal table + 4 HTML styles
โ โโโ plugins.py # badge SVG + JSON summary
โ โโโ build_db.py # regenerate the compact ATT&CK DB
โ โโโ data/attack_db.json # real ATT&CK (compact, ships with the package)
โโโ rules/ # sample Sigma rules
โโโ sample/ # generated HTML / badge / JSON examples
โโโ tests/ # pytest suite
โโโ pyproject.toml
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file attack_mapper-0.4.0.tar.gz.
File metadata
- Download URL: attack_mapper-0.4.0.tar.gz
- Upload date:
- Size: 47.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a9c1f0d098e7a987a48b5654fe4dcb63531089a79b8c3b5036db02246ebbae66
|
|
| MD5 |
c386efe154d99bed2aaabcdcb8b2acf8
|
|
| BLAKE2b-256 |
32d0f0f4c5fbe796d38f01e40de486e4e9e9a43181609961571bbb23aff1ef93
|
File details
Details for the file attack_mapper-0.4.0-py3-none-any.whl.
File metadata
- Download URL: attack_mapper-0.4.0-py3-none-any.whl
- Upload date:
- Size: 42.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
48a7790ca5d50213abcc178649b22eb13b0f1fb2c3faedd414103af5bb66faa9
|
|
| MD5 |
cbbc188bb53ab9fb77e6132c2cbb9ab1
|
|
| BLAKE2b-256 |
23db9c86e2cbc7de41d6b977f1d890185ca91baaa6ec1339f4744e635adf61bc
|