Detection Engineering
What is Detection Engineering?
Detection EngineeringThe discipline of designing, testing, deploying, and maintaining security detections as code, with measurable coverage of adversary techniques.
Detection engineering treats SIEM rules, EDR analytics, and threat-hunting queries like software: scoped by threat models, written from telemetry contracts, version-controlled, peer-reviewed, unit tested, and deployed via pipelines. Engineers map detections to MITRE ATT&CK techniques, document false-positive triage, set ownership, and track precision and recall over time. The practice replaces ad hoc tweaks in SIEM consoles with rigorous change management and reusable building blocks (parsers, lookups, content packs). Mature programs include backtests, breach-and-attack simulation, telemetry gap analysis, and retirement of low-value rules to keep the detection catalog healthy.
● Examples
- 01
Storing Sigma rules in Git with CI tests that run sample logs through a pipeline before deployment.
- 02
Mapping each rule to ATT&CK technique IDs and reporting coverage gaps to the SOC manager.
● Frequently asked questions
What is Detection Engineering?
The discipline of designing, testing, deploying, and maintaining security detections as code, with measurable coverage of adversary techniques. It belongs to the Defense & Operations category of cybersecurity.
What does Detection Engineering mean?
The discipline of designing, testing, deploying, and maintaining security detections as code, with measurable coverage of adversary techniques.
How does Detection Engineering work?
Detection engineering treats SIEM rules, EDR analytics, and threat-hunting queries like software: scoped by threat models, written from telemetry contracts, version-controlled, peer-reviewed, unit tested, and deployed via pipelines. Engineers map detections to MITRE ATT&CK techniques, document false-positive triage, set ownership, and track precision and recall over time. The practice replaces ad hoc tweaks in SIEM consoles with rigorous change management and reusable building blocks (parsers, lookups, content packs). Mature programs include backtests, breach-and-attack simulation, telemetry gap analysis, and retirement of low-value rules to keep the detection catalog healthy.
How do you defend against Detection Engineering?
Defences for Detection Engineering typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Detection Engineering?
Common alternative names include: Detection-as-code, DetEng.
● Related terms
- defense-ops№ 1039
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- compliance№ 687
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- defense-ops№ 1147
Threat Hunting
Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
- defense-ops№ 628
Log Correlation
Joining events from multiple log sources by shared fields, time windows, or sequence to reveal multi-stage activity that individual logs cannot show.
- defense-ops№ 406
False Positive
A security alert that flags benign activity as malicious, costing analyst time and eroding trust in the detection that produced it.
● See also
- № 041Alert Fatigue
- № 405False Negative
- № 1040SIEM Rule Tuning
- № 070Attack Pattern
- № 1081Splunk SPL Query