Detective Controls
What is Detective Controls?
Detective ControlsSecurity measures designed to identify and alert on malicious activity, policy violations, or anomalies after they occur in an environment.
Detective controls are safeguards that discover and signal security incidents rather than block them outright. They include SIEM correlation rules, IDS sensors, EDR telemetry, file-integrity monitoring, audit logs, and anomaly analytics. Their value lies in shortening the dwell time between compromise and discovery, feeding incident response, and providing forensic evidence. Detective controls complement preventive ones: when prevention fails, detection ensures the failure does not go unnoticed. Effectiveness is measured through coverage of the MITRE ATT&CK matrix, alert fidelity, and metrics such as MTTD.
● Examples
- 01
A SIEM rule that fires when a service account logs in interactively for the first time.
- 02
EDR alerting on suspicious PowerShell execution chained from a Word document.
● Frequently asked questions
What is Detective Controls?
Security measures designed to identify and alert on malicious activity, policy violations, or anomalies after they occur in an environment. It belongs to the Defense & Operations category of cybersecurity.
What does Detective Controls mean?
Security measures designed to identify and alert on malicious activity, policy violations, or anomalies after they occur in an environment.
How do you defend against Detective Controls?
Defences for Detective Controls typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Detective Controls?
Common alternative names include: Detection controls, Monitoring controls.