Next-Generation Technologies & Secure Development
,
Security Information & Event Management (SIEM)
,
Security Operations
Startup Maps Detections Against MITRE ATT&CK and Recommends Missing Protections

Cribl purchased an agentic detection engineering startup founded by an ex-Palo Alto Networks engineering leader to give organizations greater visibility into their security posture.
See Also: Cloud NGFW for Azure
The San Francisco-based telemetry platform said its acquisition of Boston-based CardinalOps will result in more comprehensive MITRE ATT&CK coverage and customized protections based on each customer’s environment, said Nicole Beckwith, senior director of security engineering and operations. Both companies share a vendor-agnostic philosophy, enabling clients to continue using their preferred SIEM.
“Now with CardinalOps, we’re able to take the detections that we have, plug it into the system and push out those detections per TTP that we don’t have covered,” Beckwith told ISMG. “That’s what excites me about it.”
CardinalOps, founded in 2020, employs 35 people and has raised $24 million, having last completed a $17.5 million Series A funding round in March 2022 led by Viola Ventures. The company has been led since inception by Michael Mumcuoglu, who co-founded behavioral analytics firm LightCyber, sold it to Palo Alto Networks for $103.1 million in February 2017 and spent three years as Palo’s engineering VP (see: Breaking Security Data Silos Before AI Threats Strike).
Mapping Existing Detections Against the MITRE Framework
CISOs are routinely asked by boards, CIOs and executive leadership whether their organizations are adequately protected, yet many existing dashboards provide only high-level indicators without demonstrating the depth of coverage. CardinalOps continuously evaluates detections against adversary techniques, allowing organizations to assign measurable percentages to their detection coverage.
“Coverage being a number you can trend, not just an assertion, means that because of CardinalOps, we’re able to map security controls against the adversary behavior, and we can continuously assess the detection coverage in an environment,” Beckwith said.
CardinalOps continuously maps existing detections against the MITRE ATT&CK framework to identify exactly where coverage gaps exist. Rather than relying on manual assessments, organizations receive ongoing evaluations of which tactics, techniques and procedures are currently covered and which remain unprotected. Security teams can then prioritize engineering efforts based on those gaps.
“With CardinalOps, it doesn’t just tell you you’re covered,” Beckwith said. “It tells you the depth of that coverage, right? You’re not guessing that you’re covered. You can trend that over time.”
Security teams can select adversaries they actively monitor, such as Scattered Spider, and CardinalOps automatically compares that group’s known TTPs against the organization’s current detections. The platform identifies which techniques are already covered and generates recommendations for those that are missing. Those detections can then be deployed directly into the organization’s environment.
“If I want to cover for Scattered Spider, it automatically maps it against the detections that you have in your environment, and it tells you, ‘Hey, you’re covered on six of the 17 TTPs. You need to put detections in place for these to be able to be fully covered,'” Beckwith said. “And so you’re able to automatically grab those detections and plug them directly into your SIEM platform or into Cribl.”
From IOC-Based Detections to TTP-Based Detections
Advances in artificial intelligence have changed how defenders need to detect attacks, with indicator-of-compromise-based detections becoming less effective because those indicators change constantly. Organizations instead need to focus on behavioral detection based on attacker tactics and techniques because those behaviors remain more consistent than technical indicators that attackers can quickly alter, she said.
“AI is pushing us up the pyramid of pain,” she said. “We are no longer focused on IOC-based detections. We’re focused on the TTP-based detections, and that’s where CardinalOps comes in because it can tell you whether you’re covered or not. And so, if you have coverage for all of the TTPs or a good majority of them, then you’re more likely to protect against those adversaries based on those TTPs.”
CardinalOps automatically generates detections using each SIEM’s native query language, whether customers use Splunk, Google SecOps or another platform. This reduces operational overhead while preserving organizations’ flexibility to migrate between security platforms in the future. Beckwith said maintaining customer choice and avoiding vendor lock-in remains one of Cribl’s core values.
“It’s really important to us as a company to remain vendor agnostic,” Beckwith said. “It’s one of the things that we’ve been so successful at to date is really allowing you to have that choice, control and flexibility with your data. It doesn’t matter what your data looks like when you bring it to us. It doesn’t matter where you’re pushing the data, whether it’s to our data lake or somebody else’s data lake.”
The acquisition helps CardinalOps operate directly within Cribl’s telemetry pipeline rather than functioning solely through external integrations, Beckwith said. Previously, detections were generated and ultimately executed after data reached the SIEM. With tighter integration, detections can now be pushed much closer to incoming telemetry, allowing organizations to identify suspicious activity sooner.
“We’re not just buying a company’s source code,” Beckwith said. “We’re buying the team itself, the value that they bring. They have a phenomenal team of engineers, and we’re really looking to partner and gain that experience that we don’t have internally on these particular issues.”
