diff --git a/docs/use_cases.rst b/docs/use_cases.rst
index 55e8ffc..756c832 100644
--- a/docs/use_cases.rst
+++ b/docs/use_cases.rst
@@ -43,26 +43,42 @@ Understanding Current Visibility
- Understand which techniques you have visibility into given current set of tools and capabilities.
+
+
Filling Defensive Gaps
^^^^^^^^^^^^^^^^^^^^^^
*If I were to add Tool X, how does that coverage change?*
- Identify tools and capabilities to acquire or enable in order to fill gaps.
+
+
Find Potential Threats
^^^^^^^^^^^^^^^^^^^^^^
*I'm concerned about a recent threat report. Can I see it if it were to happen in my environment and where do I look?*
- Determine which tools and capabilities to use to find adversary behaviors.
+
+
User Stories
------------
This section describes user stories associated with organizational detection processes and
procedures, based on the roles and usage identified above.
-
+1. As an IR, I want to ensure I have complete visibility of an active security incident.
-
+ Use the mappings to take the observed adversary behaviors as described in ATT&CK to understand current visibility of potential suspicious activities and tie in actionable intelligence from CTI reporting.
+
+2. As a CISO or ISSO, I need to align defensive posture with the real-world threats targeting my industry.
+
+ Use the mappings to understand which of tools and capabilities provide visibility into specific real-world adversary techniques and where gaps may lie.
+
+3. As a SOC Analyst, I need visibility into threats launched against my organization.
+
+ Use the mappings for identified Data Sources associated with adversary techniques used to identify areas to look for additional indicators of potential suspicious activities.
+
+4. As a SE, I want to detect entire classes of adversarial behavior.
-
\ No newline at end of file
+ Build in defensive countermeasures for specific adversary TTPs, using the mappings to identify areas and fill in defensive coverage gaps by reconfiguring existing or adding additional tools or capabilities.