Detection Engineering

Articles about detection engineering from security operations practitioners.

Detection Engineering

What detection engineers actually do (job description vs. reality)

The detection engineer job description says: write detection rules, map to ATT&CK, tune false positives. Most of what the role actually requires (debugging broken log pipelines, maintaining exclusion lists nobody documented, writing the investigation context that keeps a detection actionable months after it ships) never makes it into the posting.

MKMarta K. · Jul 4, 2026
Detection Engineering

The 20 detections worth building before anything else

A green ATT&CK heatmap measures how many rules you've written, not whether any of them work. Start with the 20 detections that show up most often in real breach chains, validate each one, and only then expand.

MKMarta K. · Jun 19, 2026
Detection Engineering

What we got wrong in our first 100 detections

We shipped a hundred detections and the ATT&CK heatmap stayed green through fourteen broken rules, week-stale IOCs, and a log pipeline that had stopped exporting months earlier. Every failure traced to the same root: we treated detection engineering as rule writing and skipped the maintenance.

MKMarta K. · Jun 5, 2026
Detection Engineering

Sigma rules are essential, and also overrated

Sigma solved detection portability but not tuning, conversion fidelity, or cloud coverage. Where the format still delivers value and where teams over-rely on it.

MKMarta K. · Jun 3, 2026
Detection Engineering

Snort rules in 2026: still useful, still awkward

Learn where Snort still earns its rack space in 2026, where it's gone blind, and the keep/replace/de-scope call.

DCDaniel C. · May 26, 2026
Detection Engineering

What we got wrong about purple teaming in our first year

Year one of our purple program produced slide decks, not detections. Here's the structural diagnosis and the pipeline model that fixed it.

MKMarta K. · May 25, 2026
Detection Engineering

Detection engineering is a function, not a headcount

Detection engineering stalls when it's treated as a person, not a function. Here's what the function actually owns, and how to build it from Level 0.

MKMarta K. · May 11, 2026

Stay sharp on security operations

Practitioner takes on SOC modernization, detection engineering, threat hunting, and more. No fluff. No product pitches.

Detection Engineering | Future of SecOps