Use case maturity
What is MaGMa?
MaGMa is a use case maturity framework designed to help organisations manage, assess, and improve their detection capabilities over time.
It provides structure for how detection logic should be defined, governed, and evolved — but it does not provide a system for measuring or operationalising that lifecycle on its own.
What is the MaGMa framework?
MaGMa, short for Management, Growth, Metrics & Assessment, was developed within the FI-ISAC (financial sector ISAC) community as a framework for managing security monitoring use cases.
Its name spells out its three concerns:
- Management — how detection use cases are organised and governed
- Growth — how they evolve over time
- Metrics & Assessment — how maturity is evaluated
It introduces a structured way to think about detection as a lifecycle rather than a one-time activity.
Why MaGMa exists
Traditional detection engineering often lacks structure:
- Rules are created ad hoc
- Ownership is unclear
- Performance is not measured
- Improvements are reactive
MaGMa addresses this by introducing:
- Defined use case structure
- Lifecycle stages
- Maturity considerations
- Traceability to threat and business context
How MaGMa works
MaGMa frames detection use cases across three layers:
Business layer
Why the detection exists → risk, impact, and organisational priorities.
Threat layer
What behaviour is being detected → based on adversary activity (e.g. MITRE ATT&CK).
Operational layer
How detection is implemented → rules, telemetry, and tooling.
This creates traceability from:
Business risk → Threat → Detection logic
The limitation: MaGMa is a framework, not a system
MaGMa defines how detections should be structured and matured.
But it does not provide:
- Continuous measurement of detection effectiveness
- Visibility into real-world performance
- Automated validation against threats
- A persistent system of record
In practice, many organisations still rely on:
- Spreadsheets
- Static documentation
- Periodic reviews
This limits MaGMa’s impact.
From framework to operational model
To realise the value of MaGMa, organisations need to make it:
- Persistent — always up to date
- Measurable — based on real performance
- Connected — linked to threats, incidents, and validation
- Actionable — driving improvement decisions
Detections as assets
SecuMap operationalises MaGMa through a key concept:
Detections are treated as living assets
Each detection is:
- Mapped to threats (ATT&CK techniques)
- Measured for effectiveness (does it work?)
- Assessed for quality (noise, gaps, failures)
- Tracked over time
This turns detection from a set of static rules into managed assets, each with a lifecycle, an owner, and measured performance.
How SecuMap operationalises MaGMa
SecuMap acts as a Detection System of Record, bringing MaGMa to life by:
- Linking use cases to actual detection rules
- Measuring rule and technology effectiveness continuously
- Integrating validation results (e.g. BAS / purple team)
- Tracking improvement over time
This creates a closed loop:
Threat → Detection → Incident → Validation → Improvement
as described in the threat-to-detection operating loop on the Detection System of Record hub and in the SecuMap methodology.
From lifecycle to measurement
MaGMa defines the lifecycle.
SecuMap makes it:
- Measurable
- Continuous
- Operational
Instead of asking:
“Do we have this use case?”
You can answer:
- Is it working?
- How well is it working?
- Has it improved?
- Where should we invest next?
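The questions above only have answers if use cases, their ATT&CK mappings, their rules, and validation results live in one queryable record. The following is an added illustration of such a record, not SecuMap code: a use case carries the three MaGMa layers (business risk and priority, ATT&CK techniques, rule IDs), and constructed validation runs (the kind a BAS tool or purple team produces) feed four functions that answer "is it working", "how well", "has it improved" and "where next". All names, rule IDs, dates and results are made up for the example.

```python
"""Added example: a minimal detection system-of-record model.
Use cases carry MaGMa's business / threat / operational layers; validation
results drive the measurements. Not SecuMap's code; all data is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class UseCase:
    name: str
    business_risk: str    # business layer: why the detection exists
    priority: int         # assumed business ranking, 1 = highest
    techniques: tuple     # threat layer: ATT&CK technique IDs
    rules: tuple          # operational layer: rule IDs implementing it


@dataclass(frozen=True)
class ValidationResult:
    rule: str             # rule under test (hypothetical IDs below)
    technique: str        # technique the test emulated
    run_on: date
    detected: bool        # did the rule fire on the emulation?


# Constructed sample data. One use case has no rule at all (a known gap).
USE_CASES = [
    UseCase("Credential dumping", "Domain compromise", 1,
            ("T1003",), ("R-LSASS-ACCESS",)),
    UseCase("Phishing foothold", "Ransomware entry", 1,
            ("T1566", "T1204"), ("R-MACRO-SPAWN",)),
    UseCase("Lateral movement via RDP", "Ransomware spread", 2,
            ("T1021.001",), ()),
]

VALIDATIONS = [
    ValidationResult("R-LSASS-ACCESS", "T1003", date(2024, 1, 10), False),
    ValidationResult("R-LSASS-ACCESS", "T1003", date(2024, 1, 10), True),
    ValidationResult("R-LSASS-ACCESS", "T1003", date(2024, 4, 15), True),
    ValidationResult("R-LSASS-ACCESS", "T1003", date(2024, 4, 15), True),
    ValidationResult("R-MACRO-SPAWN", "T1204", date(2024, 4, 15), True),
    ValidationResult("R-MACRO-SPAWN", "T1204", date(2024, 4, 15), False),
]

CUTOFF = date(2024, 3, 1)   # boundary between "before" and "after" windows


def rule_effectiveness(validations, rule, since=None, until=None):
    """'Is it working / how well': fraction of validation runs for `rule`
    (optionally within a date window) that produced a detection.
    Returns None when the rule has never been validated, which is itself
    a finding: a rule that exists but has no evidence it works."""
    runs = [v for v in validations if v.rule == rule
            and (since is None or v.run_on >= since)
            and (until is None or v.run_on <= until)]
    if not runs:
        return None
    return sum(v.detected for v in runs) / len(runs)


def technique_coverage(use_cases, validations):
    """Per technique: 'validated' (some rule proved it fires on an
    emulation), 'claimed' (a rule is mapped but never proved), or 'none'.
    This is the difference between a heatmap and real coverage."""
    validated = {v.technique for v in validations if v.detected}
    mapped = {t for uc in use_cases if uc.rules for t in uc.techniques}
    return {t: ("validated" if t in validated
                else "claimed" if t in mapped else "none")
            for uc in use_cases for t in uc.techniques}


def improvement(validations, rule, cutoff):
    """'Has it improved': effectiveness before vs. after a cutoff date."""
    return (rule_effectiveness(validations, rule, until=cutoff),
            rule_effectiveness(validations, rule, since=cutoff))


def investment_candidates(use_cases, validations):
    """'Where next': use cases, highest business priority first, that still
    have techniques without validated detection."""
    cov = technique_coverage(use_cases, validations)
    out = []
    for uc in sorted(use_cases, key=lambda u: u.priority):
        gaps = [t for t in uc.techniques if cov[t] != "validated"]
        if gaps:
            out.append((uc.name, gaps))
    return out


if __name__ == "__main__":
    for rule in ("R-LSASS-ACCESS", "R-MACRO-SPAWN"):
        print(rule, rule_effectiveness(VALIDATIONS, rule))
    print(technique_coverage(USE_CASES, VALIDATIONS))
    print(improvement(VALIDATIONS, "R-LSASS-ACCESS", CUTOFF))
    print(investment_candidates(USE_CASES, VALIDATIONS))
```

Two design points matter here. A technique mapped to a rule but never validated is reported as "claimed", not covered; that distinction is what keeps ATT&CK from degrading into a static heatmap. And the "where next" list is ordered by business priority, so the business layer drives the decision rather than the technique list alone.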
Connecting MaGMa and MITRE ATT&CK
Together:
- MITRE ATT&CK defines what to detect (see the ATT&CK explainer)
- MaGMa defines how detections should be managed
- SecuMap (DSoR) makes both operational and measurable (see: what is a DSoR?)
Why this matters
Without operationalisation:
- ATT&CK becomes static heatmaps
- MaGMa becomes documentation
With SecuMap:
- Detection becomes measurable
- Coverage becomes validated rather than assumed
- Improvement becomes continuous
Next steps
Platform overview and detection engineering platform show how this connects to day-to-day workflows.