Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A test metric requiring every decision point (if/else, loops) to be exercised both true and false; stronger than statement coverage, weaker than path coverage.
Decision Branch Coverage Definition: A test metric requiring every decision point (if/else, loops) to be exercised both true and false; stronger than statement coverage, weaker than path coverage.
Decision (branch) coverage is a structural software-testing metric that measures whether every decision point in the code, such as an if-else or loop condition, has been exercised for both its true and false outcomes. By forcing tests to take each branch, it goes beyond statement coverage, which only confirms that lines ran, and provides stronger evidence that control flow has been validated.
It works by instrumenting the code to record which branches execute during a test run. A coverage tool maps each decision to its possible outcomes and reports the percentage taken. Achieving full decision coverage means designing test cases that drive every conditional both ways, including loop entry and exit and the implicit false branch of an if statement with no else. Tools then surface untested branches so teams can add cases.
This matters in security because untested branches frequently hide the dangerous edge cases: the error handler that never runs, the authentication-failure path, or the input-validation reject branch. Decision coverage alone is not sufficient for safety- or security-critical software, however, because it does not test every combination of sub-conditions within a compound decision; that requires condition coverage or the stronger MC/DC (Modified Condition/Decision Coverage) mandated by standards like DO-178C for avionics. Frameworks such as ISO/IEC 29119 emphasize tracking and thresholding these metrics.
For example, a financial services platform might mandate at least 85 percent decision coverage for any security-critical module, with evidence required in test reports before release approval. A reviewer notices that the false branch of an access-control check, the path that denies a request, was never executed by the test suite. Adding a test for the denial case reveals that the deny branch incorrectly logged but still returned success, a serious authorization flaw that statement coverage would have masked.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →