Coverage reports have two readers. One wants a single number for a quarterly slide. The other wants the assets that number left out. Metric programs optimize for the first reader because that one signs the budget. The second reader is using the same report to pick a target.
Security Metric Theater
Coverage reported as a fraction (MFA %, EDR coverage, etc.) when the only thing that ever mattered was the remainder the fraction leaves out.
Mechanism
Executive dashboards reward a covered/total ratio because it compresses a security program into one reportable figure. Engineers know the adversary picks from the uncovered set, but "the list of hosts without EDR" doesn't fit on a slide. So the ratio gets optimized: roll out the easy tail, report the number climbing. The hard uncovered 3% (legacy boxes, contractor accounts, the exec who refused MFA) stays uncovered because the program has no leverage over those owners. Those are also the assets an attacker targets first. The metric goes up. The attack path stays where it was.
Audience capture compounds. The CISO reports up to a CEO who reports out to a board who reports to regulators who want one number. Once the metric lives in compliance attestations or gets wired to bonuses, it becomes self-protecting; you can't lower it without explaining why the program got worse. The number now resists revision more than it resists adversaries.
The split between easy and hard tail is structural, not a will problem. Managed corporate laptops, identity in your IdP, your VPN endpoints: easy to bring under coverage. SaaS apps your acquired company brought with them, vendor portals that won't talk SAML, executives who own a personal device that won't enroll: structurally hard, and exactly the surfaces an adversary searches.
The metric is also a target list. Anyone reading your annual security report learns the size of the uncovered set by inverting the published number, and the structural split above tells them what is in it.
Exhibits
Ivanti: The Vulnerability Subscription. Ivanti ships a patch, announces a CVE count, the dashboard looks productive. The actual exposure number (how many of their appliances still run the vulnerable class after the fix) never gets reported. Patches shipped is the headline; appliances still exposed is the bug.
Boundaries
Not "the metric is useless." The failure is treating 97% as success when the uncovered 3% includes domain admins or internet-facing hosts. Report the ratio alongside the list of exceptions, never instead of it. A coverage ratio paired with the list of exceptions is a real artifact. A coverage ratio alone is a press release.
Not "only 100% is acceptable." 100% coverage is a budget fantasy and chasing it wastes the hours that should have gone into the uncovered set. The goal is knowing which specific assets are uncovered, whether the adversary can reach them, and what it would cost to either cover or remove them.
Defender playbook
Report coverage as the list of uncovered assets, not the percentage of covered ones. The uncovered list is the product. The percentage is marketing. Every quarterly report should name every exception and the reason it's an exception; if that list is too long to read, that is the finding.
Publish the uncovered set, not the coverage rate. The exec artifact should be "these 23 hosts and 6 accounts have no EDR or no MFA," with names and owners. Make the attacker's target list the thing that has to shrink. Ratios are for slides. Lists are for work.
When a board or regulator demands a single number, give them the floor. "The least-protected privileged account in our environment has [X protection]" is honest about exposure. A worst-case number resists optimization via easy-tail rollout because raising the floor requires covering the hard exceptions, which is the work that actually shrinks the attack surface.
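The playbook above, as an added example (not code from the original page): a Python script over a constructed inventory that produces all three artifacts from one data set: the coverage ratio, the uncovered list ranked by attack priority with owner and exception reason, and the floor (weakest MFA level on any privileged asset). It then simulates an easy-tail rollout, which lifts both ratios while the floor and the top of the target list do not move. Asset names, owners, exception reasons and the MFA level ordering are all assumptions made up for the example.

```python
"""Coverage ratio vs. uncovered set vs. floor, over a constructed inventory.

Added example. Assets, owners and exception reasons are hypothetical; swap in a
CMDB or IdP export with the same fields.
"""
from dataclasses import dataclass, replace

# Weakest to strongest. Ordering is an assumption for the example.
# The "floor" is the weakest level present in a class of assets, which is
# what an attacker selects for.
MFA_LEVELS = ["none", "sms-otp", "push", "fido2"]


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    privileged: bool        # holds admin rights or privileged credentials
    internet_facing: bool
    mfa: str                # one of MFA_LEVELS
    edr: bool
    exception: str = ""     # non-empty means "structurally hard to cover"


# Constructed sample inventory (hypothetical names and owners).
INVENTORY = [
    Asset("laptop-01", "it", False, False, "push", True),
    Asset("laptop-02", "it", False, False, "none", False),
    Asset("laptop-03", "it", False, False, "push", False),
    Asset("vpn-gw", "netops", False, True, "push", True),
    Asset("ad-admin-alice", "it", True, False, "fido2", True),
    Asset("legacy-erp", "finance", True, False, "none", False, "vendor EOL, unsupported OS"),
    Asset("contractor-jdoe", "procurement", False, False, "sms-otp", False, "contractor, no managed device"),
    Asset("ceo-personal-ipad", "exec-office", True, True, "none", False, "personal device, declined enrollment"),
    Asset("domain-admin-svc", "it", True, False, "none", True, "service account, app breaks with MFA"),
    Asset("vendor-portal", "procurement", False, True, "none", False, "no SAML support"),
]


def has_edr(a: Asset) -> bool:
    return a.edr


def has_mfa(a: Asset) -> bool:
    return a.mfa != "none"


def coverage_ratio(assets, covered) -> float:
    """The slide number: covered / total."""
    return sum(1 for a in assets if covered(a)) / len(assets)


def attack_priority(a: Asset) -> int:
    """Higher means an attacker gains more by taking this asset."""
    return 2 * a.privileged + a.internet_facing


def uncovered(assets, covered):
    """The work list: every uncovered asset, most attractive target first."""
    return sorted((a for a in assets if not covered(a)),
                  key=lambda a: (-attack_priority(a), a.name))


def mfa_floor(assets, only_privileged=True):
    """The board number: weakest MFA level in the pool, plus the assets sitting at it."""
    pool = [a for a in assets if a.privileged] if only_privileged else list(assets)
    weakest = min(pool, key=lambda a: MFA_LEVELS.index(a.mfa)).mfa
    return weakest, sorted(a.name for a in pool if a.mfa == weakest)


def roll_out_easy_tail(assets):
    """What a ratio-driven program does: cover everything that has no exception."""
    out = []
    for a in assets:
        if a.exception:
            out.append(a)                       # hard tail: untouched
        else:
            mfa = a.mfa if MFA_LEVELS.index(a.mfa) >= MFA_LEVELS.index("push") else "push"
            out.append(replace(a, edr=True, mfa=mfa))
    return out


def report(assets) -> dict:
    """Ratio, ranked exception list and floor from the same inventory."""
    return {
        "edr_ratio": coverage_ratio(assets, has_edr),
        "mfa_ratio": coverage_ratio(assets, has_mfa),
        "edr_uncovered": [(a.name, a.owner, a.exception or "not yet rolled out")
                          for a in uncovered(assets, has_edr)],
        "mfa_uncovered": [(a.name, a.owner, a.exception or "not yet rolled out")
                          for a in uncovered(assets, has_mfa)],
        "privileged_mfa_floor": mfa_floor(assets),
    }


if __name__ == "__main__":
    for label, r in (("before", report(INVENTORY)),
                     ("after easy-tail rollout", report(roll_out_easy_tail(INVENTORY)))):
        print(f"{label}: EDR {r['edr_ratio']:.0%}, MFA {r['mfa_ratio']:.0%}, "
              f"privileged MFA floor = {r['privileged_mfa_floor']}")
        for name, owner, why in r["edr_uncovered"]:
            print(f"  no EDR: {name:18} owner={owner:12} {why}")
```

Run it and the ratios move from 40%/50% to 60%/60% while the privileged MFA floor stays at "none" with the same three names, and the top of the no-EDR list is the same personal iPad, legacy ERP and vendor portal it was before. The floor and the head of the list are the two artifacts that only change when the hard tail does.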
Kinship
Trust Inversion. Both name a misalignment between who the security artifact serves and who actually attacks it. Trust Inversion is about the tools we trust becoming the attack surface; Metric Theater is about the reports we trust becoming the attacker's intelligence. Different artifact, same mistake: optimizing for the friendly audience.
Coverage is a mean. Compromise is a minimum. They're not the same number.