Detection Engineering

What is Detection Engineering?

Detection Engineering is the capability to author, interpret and model threats to deliver modern and effective threat detections. The main output of detection engineering are ‘detectors‘ which are analytics that capture the tactics, techniques and procedures of adversaries.

Detection as Code

Detection as Code” is referencing a more systematic, flexible and comprehensive approach to threat detection that follows an Alert Development Lifecycle, similar to the Software Development Lifecycle (SDLC).

Flow of Detections as Code (Source)

The Detection Engineering Process


Detection Engineering Languages

Detection Engineering Categorization

The Detection Engineer Role

Where does a detection engineer fit in?

A detection engineer would work with a security operations center or cyber incident response team to supply the security platform(s) with detectors. This role would work closely with incident responders, threat hunters, and security engineers to develop, deploy, and maintain a library of detectors. Moreover, detection engineers are usually part of a detection and response team which has cross-competencies within the security domain.

What does a detection engineer do?

  • Build new detection capabilities based upon research, analysis of threat actor methodology,
  • Testing of new attack techniques using data collected from a variety of embedded devices, firewalls, network devices, and hosts
  • Define and tune data sources to better identify and stop threat actor activity
  • Translate threat intelligence into actionable detection methods
  • Technical point of contact to guide and mentor fellow teammates and maintain exceptional quality of deliverables
  • Understand open and proprietary protocols to identify software, devices, configurations, and vulnerabilities
  • Build new detection capabilities based upon research, analysis of threat actor methodology, and testing of new attack techniques

What does it take to be a detection engineer?

  • Expert level knowledge of Windows/Linux OS
  • Digital forensic and intrusion analysis expertise
  • Experience in:
    • Security Operations
    • Threat Hunting
    • Offensive Operations
    • Threat Emulation
    • Security Tool Development
  • Certifications (GIAC: GCIH, GCFA, GNFA, GCTI)
  • Coding experience (Python, SQL, etc.) and the ability to create and understand pseudo-code

Detection Engineering Resources



Red Canary



Anton Chuvakin