Security Monitoring Coverage Calculator

Estimate the percentage of your IT environment covered by security monitoring tools, weighted by asset criticality and monitoring depth.

Asset Inventory

Total Endpoints (workstations, laptops, desktops) Endpoints with EDR / AV Monitoring Total Servers (physical + virtual) Servers with SIEM / Log Monitoring Total Network Devices (routers, switches, firewalls) Network Devices with Flow / IDS Monitoring Total Cloud Workloads / Instances Cloud Workloads with CSPM / CloudTrail Monitoring

Criticality Weights (must sum to 100)

Endpoint Weight (%) Server Weight (%) Network Device Weight (%) Cloud Workload Weight (%)

Monitoring Depth Scores (1–5 per category)

1 = basic alerting only | 3 = log collection + correlation | 5 = full behavioral analytics + response

Endpoint Monitoring Depth Server Monitoring Depth Network Monitoring Depth Cloud Monitoring Depth

Fill in the fields above and click Calculate.

Formula

Step 1 — Raw Coverage per Category:
RawCov_i = Monitored Assets_i / Total Assets_i

Step 2 — Depth-Adjusted Effective Coverage per Category:
DepthNorm_i = (DepthScore_i − 1) / 4 (normalises 1–5 scale to 0–1)
EffCov_i = RawCov_i × (0.5 + 0.5 × DepthNorm_i)
A depth score of 1 caps effective coverage at 50% even if all assets are monitored; a depth score of 5 allows full 100% effective coverage.

Step 3 — Weighted Overall Coverage:
Coverage_overall = Σ (Weight_i / 100 × EffCov_i)
where weights reflect the relative business criticality of each asset category and must sum to 100.

Assumptions & References

Asset categories covered: endpoints, servers, network devices, and cloud workloads. OT/ICS and IoT devices should be added as custom categories if applicable.
The depth multiplier (0.5 + 0.5 × DepthNorm) is based on the principle that passive alerting alone (depth 1) provides at most 50% of the security value of full behavioral analytics (depth 5) — consistent with MITRE ATT&CK detection coverage guidance.
Criticality weights should reflect your organisation's risk register; the defaults (25/35/20/20) are illustrative only.
A score ≥ 85% is considered strong per CIS Control 13 (Network Monitoring and Defense) benchmarks.
NIST SP 800-137 (Continuous Monitoring) recommends 100% coverage of high-value assets; servers are weighted highest by default for this reason.
Cloud coverage assumes CSPM tools (e.g., AWS Security Hub, Azure Defender) or equivalent CloudTrail / audit log ingestion into a SIEM.
This calculator measures breadth × depth of monitoring, not detection efficacy. Validate with purple-team exercises and MITRE ATT&CK evaluations.
References: NIST SP 800-137, CIS Controls v8 (Controls 1, 2, 13), MITRE ATT&CK Detection Coverage methodology.

Security Monitoring Coverage Calculator

Asset Inventory

Criticality Weights (must sum to 100)

Monitoring Depth Scores (1–5 per category)

Formula

Assumptions & References

More Calculators

In the network

Network