agentic-threat-hunting-framework 0.3.1__py3-none-any.whl → 0.5.0__py3-none-any.whl

{agentic_threat_hunting_framework-0.3.1.dist-info → agentic_threat_hunting_framework-0.5.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentic-threat-hunting-framework
-Version: 0.3.1
+Version: 0.5.0
 Summary: Agentic Threat Hunting Framework - Memory and AI for threat hunters
 Author-email: Sydney Marrone <athf@nebulock.io>
 Maintainer-email: Sydney Marrone <athf@nebulock.io>
@@ -33,6 +33,7 @@ Requires-Dist: click>=8.0.0
 Requires-Dist: pyyaml>=6.0
 Requires-Dist: rich>=10.0.0
 Requires-Dist: jinja2>=3.0.0
+Requires-Dist: python-dotenv>=0.19.0
 Requires-Dist: importlib_resources>=5.0.0; python_version < "3.9"
 Provides-Extra: dev
 Requires-Dist: pytest>=7.0.0; extra == "dev"
@@ -49,6 +50,8 @@ Requires-Dist: mkdocs>=1.5.0; extra == "docs"
 Requires-Dist: mkdocs-material>=9.0.0; extra == "docs"
 Provides-Extra: similarity
 Requires-Dist: scikit-learn>=1.0.0; extra == "similarity"
+Provides-Extra: splunk
+Requires-Dist: requests>=2.25.0; extra == "splunk"
 Dynamic: license-file
 
 # Agentic Threat Hunting Framework (ATHF)

{agentic_threat_hunting_framework-0.3.1.dist-info → agentic_threat_hunting_framework-0.5.0.dist-info}/RECORD

@@ -1,39 +1,49 @@
-agentic_threat_hunting_framework-0.3.1.dist-info/licenses/LICENSE,sha256=_KObErRfiKoolznt-DF0nJnr3U9Rdh7Z4Ba7G5qqckk,1071
+agentic_threat_hunting_framework-0.5.0.dist-info/licenses/LICENSE,sha256=_KObErRfiKoolznt-DF0nJnr3U9Rdh7Z4Ba7G5qqckk,1071
 athf/__init__.py,sha256=OrjZe8P97_BTEkscapnwSsqKSjwXNP9d8-HtGr19Ni0,241
-athf/__version__.py,sha256=BCXUHJGbpcGJIqpp7wAIo-a46Xl8TlClrdkqx9_kTW8,59
-athf/cli.py,sha256=rkg_Nx9Yy_UqTXBOh-pwaiD-lXO0_IXQMA1SQpDj7g0,4639
+athf/__version__.py,sha256=wCIQoU9b7qKcSNQiIOgHaD2buzBC-dlQYtvg8X5WS4A,59
+athf/cli.py,sha256=108PnDRlaytJj9KzjzcTLljB3DeerMIXZOeAQJrmtPU,5052
+athf/plugin_system.py,sha256=c_9-oUiR6tuYpWpEmeVRayU8-TXlkjvZC3EUxuYWW4M,1515
 athf/agents/__init__.py,sha256=iaSJpvnXm9rz4QS7gBrsaLEjm49uvsMs4BLPOJeyp78,346
 athf/agents/base.py,sha256=lnVDIOQUOyP-Apa9UM2E1mRXUPnNJ4hVqQXOwVw2u4c,4286
 athf/agents/llm/__init__.py,sha256=qSGA-NaInjsDkMpGQwnTz3S1OgCVlzetpMcDS_to1co,671
 athf/agents/llm/hunt_researcher.py,sha256=dIyD2Izh3zdf62kCHug1DwXFgmWhOMQUTim7qM3UAIs,27071
 athf/agents/llm/hypothesis_generator.py,sha256=XkbJz8IS4zwQjEy-ZD0zy2XW5uRnAy87Lii-5XTY0WU,8564
-athf/commands/__init__.py,sha256=KbpUcLPjmltq5a_m1MjhrIe4sk3DvqsnAw1wCAZfZNo,85
-athf/commands/agent.py,sha256=k-NWiLppt2oWbiJ-hx1inkK51jhfsAYiFhixbzzQmQI,16565
+athf/commands/__init__.py,sha256=-ZOfg6uV1eSh7RDW7dKzdufuYvQTT0KGMF4JB6waHsY,635
+athf/commands/agent.py,sha256=c7ZeZa3OArXyXTgVjmUB2JXa3m9IpLFJ_FEVDhaDLE8,19000
 athf/commands/context.py,sha256=V-at81-OgKcLY-In48-AccTnHfTgdofmnjE8S5kypoI,12678
 athf/commands/env.py,sha256=JPKRsv48cgsIAjSFaGJ1-Nu0nQKGSVg4AbiFxb9jVX4,11887
-athf/commands/hunt.py,sha256=PcYz0Zj9qqB10s9mkbfHk-hl2IbcfJekeB6cA2exXPo,22991
+athf/commands/hunt.py,sha256=aQdgNddqy_VrxZOkxhuPxIr4KLZtX5a2ZLb9079vLlw,25169
 athf/commands/init.py,sha256=Qn0iETNyuQvM-ySqCeoDz-pPemeuzROX_karQF5yN_o,12685
 athf/commands/investigate.py,sha256=mK_id5vjfN_ukqB_-fyia0FNa0pBmtn0Xv6CKHQI1Qo,24663
 athf/commands/research.py,sha256=FrLph4agaGQ_rIxMh0OQwh1MIGDFtj40zJ3E1ZFwaAw,18112
 athf/commands/similar.py,sha256=FTTVr4zzP9bdJrirscp6pOxdQbE8zot6pa20-_TYiuo,11804
+athf/commands/splunk.py,sha256=7n7Jl1ExqZCNxUhG0kAKgAvZMqbIoGSgx2Moq7vAu-Y,11622
 athf/core/__init__.py,sha256=yG7C8ljx3UW4QZoYvDjUxsWHlbS8M-GLGB7Je7rRfqo,31
 athf/core/attack_matrix.py,sha256=QZKKmxckQ6-U7lqVdGUJoj2jEAhP3Juvr3sqaNx2oTw,3238
+athf/core/clickhouse_connection.py,sha256=8thmJvd2pUeeRZmDE7K491NgbC0myNZsdA29ooJRfVM,13561
 athf/core/hunt_manager.py,sha256=PFsg8Ecg94NCpuFZpApo82lyORkgK5IfOIih-7-XsmM,11580
 athf/core/hunt_parser.py,sha256=FUj0yyBIcZnaS9aItMImeBDhegQwpkewIwUMNXW_ZWU,5122
 athf/core/investigation_parser.py,sha256=wbfjnq4gFgIc0a4bHIAnidVNPhbHDpIXWY1SGLk0Xls,6804
+athf/core/metrics_tracker.py,sha256=VYEiO5QVteTtR4ddyHkL61KrO4QVNUDdNaDOVFcHy4Q,18873
+athf/core/query_executor.py,sha256=OtzUkxoOdDC4ZErVIbf0Qov82uHRJ8dJ965r4pLbiVA,6271
+athf/core/query_parser.py,sha256=Uz3ZMpd4YWKLPoge16uKZLlcMQrg49Z0NLXSceg893w,6722
+athf/core/query_suggester.py,sha256=i3P624tXb9uRKGxTpcSZx4ZVbOwnCiJqLnkxQD_UqyA,7736
+athf/core/query_validator.py,sha256=mfwdtLcPZS6ON4AlR-4d8YbQ12cqpnIq6526obdPDx8,9101
 athf/core/research_manager.py,sha256=i4fUjuZJcAik8I4pwbLkQlu6cuxkWDlqaIRQrzAfB0s,14512
-athf/core/template_engine.py,sha256=vNTVhlxIXZpxU7VmQyrqCSt6ORS0IVjAV54TOmUDMTE,5636
+athf/core/session_manager.py,sha256=8Mz082ex87VXPiSFYRFNAb9e3ED6luCy0Q6zilyaz9A,25108
+athf/core/splunk_client.py,sha256=Xib2zVwV2l8eChzqUahI3PZ7Z2XS2wz01sPbF1E0Q18,11611
+athf/core/template_engine.py,sha256=Awp0n9E5Q1dYA35XDKKAd5VJLdpaDl2N967hackUVa8,6010
 athf/core/web_search.py,sha256=B9IhmwH7gy2RVA6WSN3L7yGp3Q4L8OsiiwcEvnnZejU,10320
 athf/data/__init__.py,sha256=QtgONloCaS3E9Ow995FMxyy6BbszpfmYeWpySQ2b9Mc,502
-athf/data/docs/CHANGELOG.md,sha256=2omJArkID-VADL0gNDfBSS0_E9GnP9OfZLn9ls-l5eA,7074
-athf/data/docs/CLI_REFERENCE.md,sha256=zqUp-tu8OAcqzpOwx3XvzEq7UV6woDraUOcWasZI0a8,43748
+athf/data/docs/CHANGELOG.md,sha256=JKkzzs1n5jSERHFi6fDt6sYEe52MSaY127dfzthkUA8,8655
+athf/data/docs/CLI_REFERENCE.md,sha256=pb76UqkY_WHJMBEXwEmK0TJR8kcGzoBPlJ0WdGMKDQM,54875
 athf/data/docs/INSTALL.md,sha256=JOWxk6q2-rdpgCnWdSPb3-Cp8rX1y4nQm7ObKz2G0uM,13117
 athf/data/docs/README.md,sha256=rp-XQZeqteXJz7M2qKX3sl6o0AVfhGmz8GcNNKAt8pM,1061
 athf/data/docs/environment.md,sha256=K88NBWZM2bI1Jztd0ORa6AYaMgPVjVB-K2fJl8S5-g8,8306
-athf/data/docs/getting-started.md,sha256=j4SAXe-Rm1RhYBDvWaNpV8XS0rc_mZ2Ew0yPCxE4_wQ,14156
-athf/data/docs/level4-agentic-workflows.md,sha256=DX54qu8LbJysjDfQLGSEPSO_Q6BUACLpa-XCsR6xUp4,13439
+athf/data/docs/getting-started.md,sha256=dUCpXHzucRLfUYzDylvnCtdqv9VCukfQCtGg7hTGmrI,15316
+athf/data/docs/level4-agentic-workflows.md,sha256=68crKsDaLyrgxVG37nPIuJyO9NobLi09Obv7D1AnpYs,14123
 athf/data/docs/lock-pattern.md,sha256=eICjNh5SAgIhkOYBDhHg1tgw4A29xgnRDWC9vH1wLEQ,4863
-athf/data/docs/maturity-model.md,sha256=S2m8JSQDe9R5ROBWS4Gy0-sRF5I7mo-CI3cUnmNpxmk,16347
+athf/data/docs/maturity-model.md,sha256=O1FDIKPkO9twNdZmA0w-TUwPvLP331tul2fPpUnCXD4,18181
 athf/data/docs/why-athf.md,sha256=rIoUb7iqdZKbuWNyRlGxhZrRkLx7gWAGS-kurEZDt04,2148
 athf/data/hunts/FORMAT_GUIDELINES.md,sha256=lMyBekmOzhtO1olO1P-M0Gi_n5oY60k7qkRZE63sTgw,15010
 athf/data/hunts/H-0001.md,sha256=rdUIpQ_uN8bx7XS1ED85rW5aRKxFOpMg0X7PANY7eCY,23220
@@ -49,8 +59,8 @@ athf/data/prompts/ai-workflow.md,sha256=rZtOcGuAEi35qx7182TwHJEORdz1-RxkZMBVkg61
 athf/data/prompts/basic-prompts.md,sha256=2bunpO35RoBdJWYthXVi40RNl2UWrfwOaFthBLHF5sU,8463
 athf/data/templates/HUNT_LOCK.md,sha256=zXxHaKMWbRDLewLTegYJMbXRM72s9gFFvjdwFfGNeJE,7386
 athf/utils/__init__.py,sha256=aEAPI1xnAsowOtc036cCb9ZOek5nrrfevu8PElhbNgk,30
-agentic_threat_hunting_framework-0.3.1.dist-info/METADATA,sha256=KgED__EriZvPR42CCSDQHf7md832CFyd7RyRTbdtQbU,15838
-agentic_threat_hunting_framework-0.3.1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-agentic_threat_hunting_framework-0.3.1.dist-info/entry_points.txt,sha256=GopR2iTiBs-yNMWiUZ2DaFIFglXxWJx1XPjTa3ePtfE,39
-agentic_threat_hunting_framework-0.3.1.dist-info/top_level.txt,sha256=Cxxg6SMLfawDJWBITsciRzq27XV8fiaAor23o9Byoes,5
-agentic_threat_hunting_framework-0.3.1.dist-info/RECORD,,
+agentic_threat_hunting_framework-0.5.0.dist-info/METADATA,sha256=mM_lQGR-f8k7s905FXJ5xucVAoc6hp5yrq8cQmKJ-T0,15949
+agentic_threat_hunting_framework-0.5.0.dist-info/WHEEL,sha256=qELbo2s1Yzl39ZmrAibXA2jjPLUYfnVhUNTlyF1rq0Y,92
+agentic_threat_hunting_framework-0.5.0.dist-info/entry_points.txt,sha256=GopR2iTiBs-yNMWiUZ2DaFIFglXxWJx1XPjTa3ePtfE,39
+agentic_threat_hunting_framework-0.5.0.dist-info/top_level.txt,sha256=Cxxg6SMLfawDJWBITsciRzq27XV8fiaAor23o9Byoes,5
+agentic_threat_hunting_framework-0.5.0.dist-info/RECORD,,

{agentic_threat_hunting_framework-0.3.1.dist-info → agentic_threat_hunting_framework-0.5.0.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (80.9.0)
+Generator: setuptools (80.10.1)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

athf/__version__.py

@@ -1,3 +1,3 @@
 """Version information for ATHF."""
 
-__version__ = "0.3.1"
+__version__ = "0.4.0"

athf/cli.py

@@ -3,11 +3,15 @@
 import random
 
 import click
+from dotenv import load_dotenv
 from rich.console import Console
 
-from athf.__version__ import __version__
-from athf.commands import context, env, hunt, init, investigate, research, similar
-from athf.commands.agent import agent
+# Load .env file from current directory (if it exists)
+load_dotenv()
+
+from athf.__version__ import __version__  # noqa: E402
+from athf.commands import context, env, hunt, init, investigate, research, similar, splunk  # noqa: E402
+from athf.commands.agent import agent  # noqa: E402
 
 console = Console()
 
@@ -78,19 +82,30 @@ def cli() -> None:
 
 
 # Register command groups
-cli.add_command(init.init)
-cli.add_command(hunt.hunt)
-cli.add_command(investigate.investigate)
-cli.add_command(research.research)
+cli.add_command(init)
+cli.add_command(hunt)
+cli.add_command(investigate)
+cli.add_command(research)
 
 # Phase 1 commands (env, context, similar)
-cli.add_command(env.env)
-cli.add_command(context.context)
-cli.add_command(similar.similar)
+cli.add_command(env)
+cli.add_command(context)
+cli.add_command(similar)
 
 # Agent commands
 cli.add_command(agent)
 
+# Integration commands (optional, requires additional dependencies)
+if splunk is not None:
+    cli.add_command(splunk)
+
+# Load and register plugins
+from athf.plugin_system import PluginRegistry
+
+PluginRegistry.load_plugins()
+for name, cmd in PluginRegistry._commands.items():
+    cli.add_command(cmd, name=name)
+
 
 @cli.command(hidden=True)
 def wisdom() -> None:

athf/commands/__init__.py

@@ -1,5 +1,26 @@
-"""ATHF CLI commands."""
+"""ATHF CLI commands (base commands only)."""
 
-from athf.commands.agent import agent
+from athf.commands.context import context
+from athf.commands.env import env
+from athf.commands.hunt import hunt
+from athf.commands.init import init
+from athf.commands.investigate import investigate
+from athf.commands.research import research
+from athf.commands.similar import similar
 
-__all__ = ["agent"]
+# Optional: Splunk integration (requires requests package)
+try:
+    from athf.commands.splunk import splunk
+except ImportError:
+    splunk = None  # type: ignore[assignment]
+
+__all__ = [
+    "init",
+    "hunt",
+    "investigate",
+    "research",
+    "context",
+    "similar",
+    "env",
+    "splunk",
+]

athf/commands/agent.py

@@ -125,6 +125,7 @@ def info(agent_name: str) -> None:
 
         console.print("\n[bold]Usage:[/bold]")
         console.print('  athf agent run hypothesis-generator --threat-intel "APT29 targeting SaaS"')
+        console.print('  athf agent run hypothesis-generator --threat-intel "..." --research R-0001')
         console.print()
 
     elif agent_name == "hunt-researcher":
@@ -170,6 +171,7 @@ def info(agent_name: str) -> None:
 @agent.command()
 @click.argument("agent_name")
 @click.option("--threat-intel", help="Threat intelligence context (for hypothesis-generator)")
+@click.option("--research", help="Research document ID (e.g., R-0001) to load context from")
 @click.option("--topic", help="Research topic (for hunt-researcher)")
 @click.option("--technique", help="MITRE ATT&CK technique (for hunt-researcher)")
 @click.option(
@@ -191,6 +193,7 @@ def info(agent_name: str) -> None:
 def run(  # noqa: C901
     agent_name: str,
     threat_intel: Optional[str],
+    research: Optional[str],
     topic: Optional[str],
     technique: Optional[str],
     depth: str,
@@ -208,6 +211,7 @@ def run(  # noqa: C901
       # Hypothesis Generator
       athf agent run hypothesis-generator --threat-intel "APT29 targeting SaaS applications"
       athf agent run hypothesis-generator --threat-intel "Insider threat data exfiltration" --tactic collection
+      athf agent run hypothesis-generator --threat-intel "Credential dumping" --research R-0001
 
       # Hunt Researcher
       athf agent run hunt-researcher --topic "LSASS dumping"
@@ -232,6 +236,32 @@ def run(  # noqa: C901
             # Try to load past hunts and environment data if available
             past_hunts: List[dict[str, Any]] = []
             environment = {}
+            research_context = None
+
+            # Load research document if provided
+            if research:
+                try:
+                    from pathlib import Path
+
+                    from athf.core.research_manager import ResearchManager
+
+                    research_mgr = ResearchManager(Path.cwd())
+                    research_doc = research_mgr.get_research(research)
+
+                    if research_doc:
+                        # Extract relevant research context
+                        research_context = {
+                            "research_id": research_doc.get("metadata", {}).get("research_id"),
+                            "topic": research_doc.get("metadata", {}).get("topic"),
+                            "recommended_hypothesis": research_doc.get("synthesis", {}).get("recommended_hypothesis"),
+                            "gaps": research_doc.get("synthesis", {}).get("gaps_identified", []),
+                            "key_findings": research_doc.get("synthesis", {}).get("key_findings", []),
+                        }
+                        console.print(f"[green]✓ Loaded research context from {research}[/green]\n")
+                    else:
+                        console.print(f"[yellow]⚠ Research document {research} not found[/yellow]\n")
+                except Exception as e:
+                    console.print(f"[yellow]⚠ Could not load research document: {e}[/yellow]\n")
 
             # Try to load environment.md if it exists
             try:
@@ -252,10 +282,22 @@ def run(  # noqa: C901
                     "platforms": ["Windows", "macOS", "Linux"],
                 }
 
+            # If research context is provided, append it to threat intel
+            threat_intel_with_research = threat_intel
+            if research_context:
+                threat_intel_with_research = (
+                    f"{threat_intel}\n\n"
+                    f"Research Context from {research_context['research_id']}:\n"
+                    f"- Topic: {research_context['topic']}\n"
+                    f"- Recommended Hypothesis: {research_context.get('recommended_hypothesis', 'N/A')}\n"
+                )
+                if research_context.get("gaps"):
+                    threat_intel_with_research += f"- Gaps: {', '.join(research_context['gaps'][:3])}\n"
+
             # Execute agent
             hypothesis_result = hypothesis_agent.execute(
                 HypothesisGenerationInput(
-                    threat_intel=threat_intel,
+                    threat_intel=threat_intel_with_research,
                     past_hunts=past_hunts,
                     environment=environment,
                 )

athf/commands/hunt.py

@@ -40,6 +40,9 @@ Examples:
   # Non-interactive with all options
   athf hunt new --technique T1003.001 --title "LSASS Dumping" --non-interactive
 
+  # Link research document to hunt
+  athf hunt new --research R-0001 --title "Hunt Title" --non-interactive
+
   # List hunts with filters
   athf hunt list --status completed --tactic credential-access
 
@@ -52,6 +55,9 @@ Examples:
   # Show coverage gaps
   athf hunt coverage
 
+  # Filter coverage by tactic
+  athf hunt coverage --tactic credential-access
+
   # Validate hunt structure
   athf hunt validate H-0042
 
@@ -96,6 +102,7 @@ def hunt() -> None:
 @click.option("--location", help="Location/scope (for ABLE framework)")
 @click.option("--evidence", help="Evidence description (for ABLE framework)")
 @click.option("--hunter", help="Hunter name", default="AI Assistant")
+@click.option("--research", help="Research document ID (e.g., R-0001) this hunt is based on")
 def new(
     technique: Optional[str],
     title: Optional[str],
@@ -110,6 +117,7 @@ def new(
     location: Optional[str],
     evidence: Optional[str],
     hunter: Optional[str],
+    research: Optional[str],
 ) -> None:
     """Create a new hunt hypothesis with LOCK structure.
 
@@ -119,6 +127,7 @@ def new(
     • YAML frontmatter with metadata
     • LOCK pattern sections (Learn, Observe, Check, Keep)
     • MITRE ATT&CK mapping
+    • Optional link to research document
 
     \b
     Interactive mode (default):
@@ -131,6 +140,11 @@ def new(
       Example: athf hunt new --technique T1003.001 --title "LSASS Dumping" \\
                --tactic credential-access --platform Windows --non-interactive
 
+    \b
+    With research document:
+      Link a pre-hunt research document to the hunt.
+      Example: athf hunt new --research R-0001 --title "Hunt Title" --non-interactive
+
     \b
     After creation:
       1. Edit hunts/H-XXXX.md to flesh out your hypothesis
@@ -155,6 +169,13 @@ def new(
 
     console.print(f"[bold]Hunt ID:[/bold] {hunt_id}")
 
+    # Validate research document if provided
+    if research:
+        research_file = Path("research") / f"{research}.md"
+        if not research_file.exists():
+            console.print(f"[yellow]Warning: Research document {research} not found at {research_file}[/yellow]")
+            console.print("[yellow]Hunt will still be created, but research link may be broken.[/yellow]\n")
+
     # Gather hunt details
     if non_interactive:
         if not title:
@@ -209,6 +230,7 @@ def new(
         behavior=behavior,
         location=location,
         evidence=evidence,
+        spawned_from=research,
     )
 
     # Write hunt file
@@ -529,8 +551,9 @@ def _render_progress_bar(covered: int, total: int, width: int = 20) -> str:
 
 
 @hunt.command()
+@click.option("--tactic", help="Filter by specific tactic (or 'all' for all tactics)")
 @click.option("--detailed", is_flag=True, help="Show detailed technique coverage with hunt references")
-def coverage(detailed: bool) -> None:
+def coverage(tactic: Optional[str], detailed: bool) -> None:
     """Show MITRE ATT&CK technique coverage across hunts.
 
     \b
@@ -542,11 +565,17 @@ def coverage(detailed: bool) -> None:
 
     \b
     Examples:
-      # Show coverage overview
+      # Show coverage overview for all tactics
       athf hunt coverage
 
-      # Show detailed technique mapping
-      athf hunt coverage --detailed
+      # Show all tactics explicitly
+      athf hunt coverage --tactic all
+
+      # Show coverage for a specific tactic
+      athf hunt coverage --tactic credential-access
+
+      # Show detailed technique mapping for execution tactic
+      athf hunt coverage --tactic execution --detailed
 
     \b
     Note on technique counts:
@@ -578,12 +607,31 @@ def coverage(detailed: bool) -> None:
     summary = coverage["summary"]
     by_tactic = coverage["by_tactic"]
 
+    # Determine which tactics to display
+    tactics_to_display = []
+    if tactic and tactic.lower() != "all":
+        # Validate tactic exists
+        if tactic not in ATTACK_TACTICS:
+            console.print(f"[red]Error: Unknown tactic '{tactic}'[/red]")
+            console.print("\n[bold]Valid tactics:[/bold]")
+            for tactic_key in get_sorted_tactics():
+                console.print(f"  • {tactic_key}")
+            return
+        tactics_to_display = [tactic]
+    else:
+        # Show all tactics
+        tactics_to_display = get_sorted_tactics()
+
     # Display title
-    console.print("\n[bold]MITRE ATT&CK Coverage[/bold]")
+    if tactic and tactic.lower() != "all":
+        tactic_display_name = ATTACK_TACTICS[tactic]["name"]
+        console.print(f"\n[bold]MITRE ATT&CK Coverage - {tactic_display_name}[/bold]")
+    else:
+        console.print("\n[bold]MITRE ATT&CK Coverage[/bold]")
     console.print("─" * 60 + "\n")
 
-    # Display all tactics in ATT&CK order with hunt counts
-    for tactic_key in get_sorted_tactics():
+    # Display selected tactics in ATT&CK order with hunt counts
+    for tactic_key in tactics_to_display:
         data = by_tactic.get(tactic_key, {})
         tactic_name = ATTACK_TACTICS[tactic_key]["name"]
 
@@ -596,16 +644,19 @@ def coverage(detailed: bool) -> None:
         else:
             console.print(f"{tactic_name:<24} [dim]no coverage[/dim]")
 
-    # Display overall coverage
-    console.print(
-        f"\n[bold]Overall: {summary['unique_techniques']}/{summary['total_techniques']} techniques ({summary['overall_coverage_pct']:.0f}%)[/bold]\n"
-    )
+    # Display overall coverage only if showing all tactics
+    if not tactic or tactic.lower() == "all":
+        console.print(
+            f"\n[bold]Overall: {summary['unique_techniques']}/{summary['total_techniques']} techniques ({summary['overall_coverage_pct']:.0f}%)[/bold]\n"
+        )
+    else:
+        console.print()
 
     # Display detailed technique coverage if requested
     if detailed:
         console.print("\n[bold cyan]🔍 Detailed Technique Coverage[/bold cyan]\n")
 
-        for tactic_key in get_sorted_tactics():
+        for tactic_key in tactics_to_display:
             data = by_tactic.get(tactic_key, {})
             if data.get("hunt_count", 0) == 0:
                 continue  # Skip tactics with no hunts in detailed view