Detection Surface

Detection Coverage — 210 detection rules + 10 IR playbooks across 10 MITRE tactics

Each detection is repo-counted, mapped to MITRE ATT&CK technique IDs, and routed into SignalFoundry’s triage and evidence pipeline.

103 Sigma · 28 Wazuh · 79 Splunk (lab) · 10 IR Playbooks
MITRE ATT&CK Coverage

Detection density by tactic

Sigma rule distribution across ATT&CK tactics (103 rules shown below). Wazuh, Splunk, and IR playbooks add cross-platform depth that is not reflected in this chart. Counts are based on the actual repo file count.

MITRE ATT&CK Tactic Coverage

Source: content/detection-rules/sigma/ · 103 YAML files across tactic folders · Bar color: red = highest density, green = above average, blue = baseline

Pipeline Integration
Detection Fires → Wazuh Alert → SignalFoundry Ingest → Policy Triage → Redaction → Evidence Pack → Escalation

324,074 cases triaged, ~88% auto-closed, 8,574 escalated with evidence.

High-Signal Detections

Critical-severity rules

DCSync Attack Detection · Sigma · Critical · T1003
LSASS Memory Dump via Comsvcs.dll · Sigma · Critical · T1003
NTDS.dit Credential Extraction · Sigma · Critical · T1003
AMSI Bypass Attempt · Sigma · Critical · T1562
Masquerading as Windows Process · Sigma · Critical · T1036
Ransomware File Encryption · Sigma · Critical · T1486
Potential Rootkit Behavior · Sigma · Critical · T1014
Firmware Corruption Attempt · Sigma · Critical · T1495

Verification

Reproduce these counts

Source of Truth: PROOF_PACK/VERIFIED_COUNTS.md
Verification Command: pwsh -NoProfile -File .\scripts\verify\verify-counts.ps1
Last Verified: 04-07-2026
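An independent way to reproduce the per-tactic and per-technique counts from the folder layout described above (added example, not the project's verify-counts.ps1). It assumes one sub-folder per tactic under content/detection-rules/sigma/ and standard Sigma `attack.*` tags, uses a minimal line parser rather than a full YAML library, and builds a constructed sample tree so it runs offline:

```python
"""Tally Sigma rules per ATT&CK tactic folder and per technique ID, flagging untagged rules."""
import os
import re
import tempfile
from collections import Counter

# Matches Sigma technique tags such as "- attack.t1003" or "- attack.t1003.006" (minimal parser, not full YAML).
TECH_RE = re.compile(r"^\s*-\s*attack\.(t\d{4}(?:\.\d{3})?)\s*$", re.IGNORECASE)

def parse_techniques(text):
    """Return upper-cased technique IDs found in a rule's tags block."""
    return [m.group(1).upper() for line in text.splitlines() if (m := TECH_RE.match(line))]

def count_rules(root):
    """Walk <root>/<tactic>/*.yml; return (rules per tactic, rules per technique, rules with no technique tag)."""
    per_tactic, per_technique, untagged = Counter(), Counter(), []
    for tactic in sorted(os.listdir(root)):
        folder = os.path.join(root, tactic)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            if not name.endswith((".yml", ".yaml")):
                continue
            per_tactic[tactic] += 1  # folder name is the tactic, as on the dashboard
            with open(os.path.join(folder, name), encoding="utf-8") as fh:
                techs = parse_techniques(fh.read())
            if not techs:
                untagged.append(f"{tactic}/{name}")  # counted, but unmapped to a technique
            for tech in techs:
                per_technique[tech] += 1
    return per_tactic, per_technique, untagged

# Constructed sample repo (hypothetical rules): two tagged credential-access rules, one untagged rule.
SAMPLE = {
    "credential_access/dcsync.yml": "title: DCSync\ntags:\n  - attack.credential_access\n  - attack.t1003.006\n",
    "credential_access/lsass_comsvcs.yml": "title: LSASS via comsvcs\ntags:\n  - attack.credential_access\n  - attack.t1003.001\n",
    "defense_evasion/amsi_bypass.yml": "title: AMSI bypass\ntags:\n  - attack.defense_evasion\n",
}

def build_sample_repo():
    """Write the constructed sample tree to a temp directory and return its root."""
    root = tempfile.mkdtemp()
    for rel, body in SAMPLE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    tactics, techniques, untagged = count_rules(build_sample_repo())
    print(sum(tactics.values()), dict(tactics), dict(techniques), untagged)
```

Pointing `count_rules` at the real content/detection-rules/sigma/ folder gives the tactic totals behind the chart; any file listed in `untagged` is counted on the dashboard but carries no technique mapping.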