read-only · no agents no simulations your logs never leave live in days SIEM-agnostic

Continuous detection assurance

Know which of your detections actually work.

The residual risk your board tracks is only covered if your detections actually fire. Dectyl proves they do.

Believed coverage vs. verified coverage

You think you're covered. Dectyl tells you if you really are.

Most of your defenses are configured, not verified. Dectyl proves what would actually fire against the threats aimed at you, from your own telemetry, and shows you exactly how to close it.

When your board asks if you're covered

Your board asks if you're ready for Scattered Spider. Now you can answer with a number.

Dectyl models the threats actually targeting you and gives you a verified readiness score for each, plus the three fixes that move it most, in days not a quarter.

01Verify what actually fires: proven from your telemetry's health, not your logs, not a simulation.
02Get the few fixes that move risk most this week, ranked by lift per hour of effort.
03Prove each fix landed, and turn coverage into board-ready evidence.

Dectyl is the detection-engineering team you can't hire. It verifies the detections you already own can fire, not just that they're configured, hands your team the few fixes that move risk most, and proves each one landed. Read-only. No simulations. No rip-and-replace.

readiness enginedemo tenant
Readiness Engine
48% confidence
Scattered Spider87% · 72% confBlackCat Ransomware54% · 48% confInsider Exfiltration18% · 41% conf
54%readiness
BlackCat Ransomware22 techniques · 7 critical
→ 71% with recommended detections
Coverage61%
Telemetry52%
Validation38%
Reliability64%
Why this score
3 of 7 critical techniques have no recent validation
Reliability degraded by 2 flapping rules

Per-threat readiness from four pillars: coverage · telemetry · validation · reliability. Representative demo tenant.

Value in days

You'll have answers in days, not next quarter.

Connected read-only in days. The few fixes that matter in week one. Board-ready proof in a month. Sharper every month it runs.

Days 1-3

First verified read

Connect read-only. No agents, no simulations. See which of your detections can actually fire. A real number, not a config audit.

Week one

The fixes that matter

A ranked, owned action list, not a backlog of everything. AI drafts each fix with a runbook; your team approves. You fix the few things that move risk most.

Month one

Board-ready proof

Every fix re-tested, every lift verified. A readiness report your CISO puts on a board slide, in language the audit committee reads.

Every month after

Precision that compounds

Accurate from day one, and it compounds. Every validated mapping sharpens its scoring and prioritization. Drift caught the day it happens.

01Readiness Engine

One number that tells you how ready you actually are.

Not "is this rule configured?" but "can it actually fire against the threats that matter?" One number per threat, scored the same way every day.

  • Verifies detections actually fire: can-fire validation, not a configured-rule count.
  • Scores coverage, telemetry, validation and reliability into one readiness number per threat.
  • Every number traceable.
  • Prioritizes what matters: weighted by asset criticality and KEV activity.
readiness / scattered-spider
Scattered Spider
14 techniques · 4 critical · asset crit 90%
87%
Biggest blind spot
MFA fatigue / push bombing T1621, readiness 34%
Capability breakdown
Initial Access92%
Credential Access · 2 critical38%
Persistence · no detections41%
02Coverage

Know what you actually detect, in a day, not a quarter.

A technique isn't covered or uncovered. It has many procedures, and a rule only covers some. Dectyl shows how many of each technique's procedures a detection can actually fire on.

  • Maps detections to MITRE ATT&CK and shows what's covered, partial, or blind.
  • Tells you honestly what it can't assess, never marks an unassessable procedure as covered.
  • Surfaces what's actively exploited (CISA KEV) first, so effort goes to the highest-leverage fixes.
  • Tracks progress over time as you close gaps and ship detections.
coverage / att&ck matrix
Procedures covered
312
Blind
147
Not assessable
88
Credential Access
Brute Force
T1110
4 / 6
OS Credential Dumping
T1003
3 / 9
Defense Evasion
Indicator Removal
T1070
5 / 7
System Binary Proxy Exec
T1218
3 / 7
Lateral Movement
Remote Services
T1021
6 / 7
Alt. Auth Material
T1550
2 / 5
Impact
Data Encrypted
T1486
1 / 7
Inhibit Recovery
T1490
0 / 5
CoveredPartialBlindNot assessable
03Action Queue

The few things to fix this week: ranked, owned, verified.

We don't hand you a coverage score. We hand your team the few fixes that move risk most this week, ordered by lift per unit of effort, and prove each one landed. Managed execution, not another posture report.

  • Every gap becomes an action, ranked by business impact, not technical severity.
  • AI recommends the fix with a numbered runbook; a human approves it.
  • Dectyl re-tests after you ship and confirms the lift actually landed.
  • Readiness updates automatically: the loop is managed end to end.
action queue · ranked by lift / effort
1
DetectionRecommended
Add push-bombing detection for MFA fatigue (T1621)
detection engineer↑ 19 pts predicted lift~hours
2
DetectionChokepoint
Cover shadow-copy deletion before encryption (T1490)
detection engineer↑ 17 pts predicted lift~hours
3
TelemetryIn progress
Onboard EDR process-creation logs for 3 hosts
platform engineer↑ 14 pts predicted lift~days
4
ValidationVerified
Confirmed valid-accounts rule fires on token replay
predicted 8 → realized 10 pts~mins
04AI threat readiness

See AI-native attacks the same way you see everything else.

The AI attack surface (prompt injection, tool abuse, agent lateral movement) deserves the same can-fire verification as the rest of your stack. Dectyl extends the same readiness engine to it, scored against MITRE ATLAS. One loop across SIEM and AI, not a separate product to buy.

Prompt Injection

Adversarial instructions smuggled through user input or retrieved content that hijack an agent's behavior.

ATLAS · AML.T0051

Tool Abuse

An agent coerced into invoking its own tools (code exec, file, or API calls) for the attacker's ends.

ATLAS · AML.T0053

Agent Lateral Movement

One compromised agent pivoting across connected agents, tools, and identities inside the org.

ATLAS · AML.T0048

Model Supply Chain

Backdoored weights, poisoned fine-tunes, or tampered model artifacts entering production.

ATLAS · AML.T0010

AI Exfiltration

Sensitive data drained through model outputs, context windows, or agent tool channels.

ATLAS · AML.T0024
ai readiness / atlas coverageone loop · SIEM + AI surface
Prompt Injection AML.T00512 of 9 procedures22%
Tool Abuse AML.T00535 of 11 procedures48%
Agent Lateral Movement AML.T00481 of 8 procedures14%
Model Supply Chain AML.T00106 of 7 procedures81%
AI Exfiltration AML.T00244 of 10 procedures43%

AI readiness scored on the same can-fire basis as the rest of your stack, not a separate product.

05Threat Canvas

Ask the question your board asks, and get a straight coverage answer.

Ask the question a board actually asks, "what's our coverage against a worm that moves laterally?" and the AI decomposes it into the kill-chain it would have to traverse.

  • Business scenarios, not technique IDs: describe the threat in plain language.
  • AI decomposition maps it to ATT&CK stages of alternative techniques (AND / OR).
  • Marks chokepoints: the steps where one detection defends the whole path.
  • Continuous learning: the model sharpens with every validated mapping.
threat canvas / decomposition
askWhat's my coverage against a worm that moves laterally?
Initial Access
Exploit public-facing app
T1190
chokepoint · covered
Lateral Movement
Remote services
T1021
partial
or
Admin shares
T1021.002
AI-drafted
Cred Access
OS credential dumping
T1003
blind
Impact
Data encrypted
T1486
covered

Every step scored on detections that actually fire, so the gap that gets you surfaces first. Illustrative.

06Coverage Drift

Catch coverage changes the day they happen, and know exactly why.

Detections drift: a log source changes format, a rule starts flapping, telemetry stops. Dectyl watches continuously and attributes every change to a cause, so nothing slips by unnoticed.

  • What changed since the last snapshot: wins and erosion, side by side.
  • Why readiness moved: attributed to the exact pillar that changed.
  • Which rule broke, which telemetry disappeared, which validation failed.
  • The continuous-monitoring story: posture is measured, never assumed.
coverage drift / last 30 days
Overall readiness
67%▲ 6 pts
Wins · realized lift
+17 pts
5 detections verified
Erosion · caught & attributed
−11 pts
2 rules · 1 telemetry source
Rule broke brute-force / T1110log format changed
Telemetry lost EDR proc-create3 hosts stopped shipping
Validation failed T1562.001replay no longer fires
07Incident Review

Learn from every incident, and predict the next.

Import a resolved incident and Dectyl reconstructs the attack path, shows where your detections would fire against it today, and turns any gaps into tracked, verified fixes.

  • Import an incident and reconstruct the attack path step by step.
  • See exactly where your detections would fire against it today.
  • Turn any gaps into ranked, owned fixes, mapped to the steps that matter.
  • Predict whether it would be caught today against your current stack.
incident review / reconstructed path
Phishing: spearphishing voice T1566.004
✓ caught, vishing rule fired
MFA fatigue / push bombing T1621
✗ missed, no detection existed
OS credential dumping T1003
✗ missed, telemetry not onboarded
Data encrypted for impact T1486
✓ caught, too late in the chain
Would it be caught today? Partially. The two shipped fixes (T1621, T1003) now close the chain at credential access. The breach would be contained before impact. 2 of 4 steps newly covered.
08AI across the platform

AI powers the platform. It isn't another product.

The same engine reasons across every surface. Deterministic where you need trust (your rules are parsed, not guessed) and AI everywhere it amplifies your team's judgment.

01Rule generationProposes Sigma/KQL detections for open gaps, with FP risk and the technique covered.
02Threat decompositionBreaks a business scenario into the ATT&CK kill-chain it would traverse.
03Threat Canvas generationDrafts the decomposition graph: stages, alternatives, and chokepoints.
04Root-cause analysisReconstructs incidents and attributes each readiness delta to a cause.
05PrioritizationRanks every gap by readiness lift per unit of effort and business impact.
06Executive reportingWrites board-ready posture summaries in language a non-technical committee reads.
Trust by design
Read-only, no simulationsNever writes to your stack, never runs attacks. Proven, not simulated. Checks your telemetry's health, not your logs.
No agents, no ingestionNothing deployed to endpoints. No log pipeline to feed.
Human approval requiredNo detection auto-deploys. Your team reviews, edits, approves.
Fully auditableEvery change versioned and traceable. SIEM-agnostic, no lock-in.

See the full data-flow architecture: what crosses the boundary and what never does →

09Reports

Readiness your CISO can put on a board slide.

Posture, deltas, KEV exposure and recommended actions, written for the audit committee, not the SOC. CISOs buy reporting; Dectyl ships it monthly.

Executive readiness reportPDF
Monthly readiness reportauto
Board reportPDF
AI readiness reportATLAS
KEV exposure reportweekly
Monthly readiness report
Security posture, May 2026
Overall readiness
67% ▲ 6
KEV exposure
0 open · 9 closed
Detections verified
142
Gaps closed (30d)
11
Executive summary

Readiness improved 6 points this month, led by ransomware-impact coverage. All nine KEV-listed techniques are now closed and verified; remaining gaps are queued by lift per effort for this sprint.

Why Dectyl

A different model for detection assurance.

The status quo measures coverage once and assumes it holds. Dectyl measures readiness continuously and proves it.

Current approach
  • Thousands of detections, unknown coverage
  • Annual point-in-time assessments
  • Manual, severity-based prioritization
  • No view of the AI attack surface
  • Static reporting, no incident learning
Dectyl
  • Continuous readiness, measured every day
  • Verified detections: can-fire, not configured
  • AI prioritization by lift per effort
  • AI readiness across SIEM and ATLAS
  • Incident learning + continuous validation
Pilot program

Free 30-day verified-coverage assessment.

We connect to your SIEM read-only (no agents, no simulations), verify what your detections can actually fire against, hand your team the few fixes that matter most, and prove the lift. No commitment. Your data never leaves your environment.