What it does

When you click on a technique (or select a row that contains multiple techniques), Insights automatically extracts the technique IDs and builds a detailed technical profile for each TTP. This includes operational details (how it is typically performed), defensive guidance (how it can be detected and mitigated), and Merlino-specific metrics that quantify how the technique is represented across your datasets.

Supported selections

• Single technique: click a cell containing one TTP to open its complete profile.
• Multiple techniques in one cell: select a cell containing multiple TTP references; Insights expands each technique and aggregates results.
• Row or record-level selection: select a row from coverage or catalogue tables to calculate technique metrics in that exact context.
• Cross-table context: Insights can correlate information across Techniques, Tests, Detections, Data Sources, and other Merlino tables.

Technique intelligence (per TTP)

For every identified technique/sub-technique, Insights surfaces structured intelligence aligned to MITRE ATT&CK:

• Procedures: practical examples of how the technique is executed (the “how it happens” layer).
• Detections: defensive guidance on detection opportunities and expected telemetry signals.
• Mitigations: recommended mitigation approaches and hardening guidance.
• References: quick links to authoritative technique details for further investigation.

Merlino statistics (calculated from your data)

Insights goes beyond reference intelligence by computing technique statistics directly from the content of your workbook. These metrics help you quantify coverage, validation, and quality in context, rather than relying on generic assumptions.

Coverage metrics

• Technique Coverage: how much the technique is covered based on your current mapping and configuration.
• Sub-technique Coverage: coverage breakdown across the technique’s sub-techniques (where applicable).
• Test Coverage: how many validation tests are linked to the technique and whether they are represented in your test catalogue.
• Data Source Coverage: whether the required telemetry sources are present and mapped for detection feasibility.
• Detections by Technique: number of detections mapped to the technique in your environment model.

Quality and consistency signals

• Consistency indicators: highlights mismatches (e.g., technique mapped to detections but missing data sources, or tests without technique mapping).
• Completeness checks: identifies missing fields, incomplete mappings, or partially defined coverage paths.
• CrossPick / correlation score: a compact signal that reflects how strongly the technique is connected across Merlino datasets.

Aggregation for multi-TTP selections

When a selection contains multiple TTPs, Insights automatically expands all techniques and returns both: (1) per-technique detail (procedures, detections, mitigations, metrics) and (2) an aggregated view that summarizes coverage and validation status across the entire set. This is useful when a single record represents a complex scenario (for example a campaign, a threat group profile, or a test plan) that naturally includes multiple techniques.

Why it matters

Insights reduces time lost switching between references, portals, and spreadsheets. It keeps threat understanding, detection engineering, and validation planning aligned inside the same operational workspace. The result is faster analysis, clearer prioritization, and reporting that is defensible because it is grounded in both external technique knowledge and the measurable reality of your Merlino data.

Typical uses

• Rapid technique review: understand a technique’s procedures and defensive guidance in seconds.
• Coverage validation: verify whether a technique is truly supported by detections, telemetry, and tests.
• Gap discovery: identify missing data sources, missing detections, or incomplete test mapping for critical techniques.
• Evidence-driven reporting: produce technique-level summaries backed by measurable workbook statistics.

Note: Insights is designed to work with both single-TTP and multi-TTP selections. The richer your Merlino mappings (tests, detections, data sources, assets), the more precise and actionable the resulting technique statistics become.