// The Search That Led Me Here

Like many practitioners, I spent a long time doing detection engineering the way many practitioners do — learning through experience, adapting to new threats, and refining my approach as I went.

I wasn't new to security. I understood the threats, the TTPs, and the tooling. When building detections, I would identify gaps, evaluate available signals, and create rules based on the information and context I had at the time. Sometimes I'd reference a MITRE ATT&CK technique. Other times I'd build on existing detections or insights from colleagues. The approach worked, but it was largely driven by individual experience rather than a clearly defined framework.

That flexibility had its advantages. It allowed me to move quickly and respond to emerging threats. But as environments grew more complex, I started noticing challenges that many detection teams face: maintaining consistency across detections, measuring coverage, prioritizing engineering efforts, and ensuring that detections remained effective over time.

I knew there was an opportunity to make the process more structured. I just hadn't found a framework that brought all the pieces together.

I read blog posts, explored open-source detection repositories, and spent plenty of time navigating ATT&CK. Each resource provided valuable insights — a better query here, a useful data source there — but I was still looking for a cohesive methodology that connected detection development, validation, maintenance, and continuous improvement.

Then I picked up Practical Detection Engineering, and things started clicking.

What stood out wasn't that it introduced completely new concepts. Rather, it organized many of the ideas and practices I had encountered into a comprehensive engineering lifecycle. The book treats detection engineering much like software engineering treats product development — with clear phases, defined inputs and outputs, feedback loops, and continuous improvement. It shifted my perspective from building individual detections to building a repeatable system for producing and maintaining effective detections over time.

Below are my notes from the core framework. If you're a detection engineer looking to bring more structure and consistency to your work, this is what the framework looks like.

// The DE Life Cycle

The Detection Engineering life cycle consists of six sequential phases, supported by four continuous activities that run in parallel throughout the entire program.

Phase 1
Requirements Discovery

Input: Findings from detection requirement sources

Output: Structured detection requirements

Phase 2
Triage

Input: Detection requirement from Phase 1

Output: Triaged and prioritized detection requirement

Phase 3
Investigate

Input: Triaged detection requirement

Output: Technical specifications and data engineering requirements

Phase 4
Develop

Input: Technical specifications from Investigate

Output: Detection code

Phase 5
Test

Input: Detection code from Develop

Output: Validated, production-ready detection

Phase 6
Deploy

Input: Validated detection

Output: Live detection running in production

Alongside these phases, four continuous activities keep the program healthy over time:

Monitoring
Maintenance
Metrics
Comprehensive validation

These aren't phases you complete and move on from. They're ongoing disciplines that keep your detection content aligned with a shifting threat landscape and a growing attack surface.

DE Life Cycle — Flow Diagram
CONTINUOUS ACTIVITIES Monitoring Maintenance Metrics Comprehensive Validation PHASE 1 Requirements Discovery PHASE 2 Triage PHASE 3 Investigate PHASE 4 Develop PHASE 5 Test PHASE 6 Deploy feedback loop

01 Requirements Discovery

Every detection starts as a requirement. This phase collects those requirements from multiple sources — threat intelligence feeds, forensic investigations, SOC tickets, red team findings, industry TTPs — and structures them so the next phase can evaluate them meaningfully.

A complete detection requirement should capture six key fields:

Requesting organization

Who raised this requirement, including the specific individual if possible. Closing the loop by notifying them once a detection is built builds trust and encourages better future submissions.

Description

What exactly needs to be detected? This can range from highly technical ("detect when new files are written to a web server code directory") to business-level ("notify the security team if an end user runs unauthorized remote administration software"). Both are valid — the detection engineer will translate them later.

Reason

Why does this detection matter now? Was it triggered by a forensic investigation of an actual attack? A blog post about an emerging technique? Or TTPs observed against companies in your sector? The reason helps prioritize during triage.

Exceptions

Under what conditions should an alert not fire? For example, an authorized developer modifying a sensitive directory shouldn't trigger an alert. Exceptions defined upfront reduce false positives before the detection is even written.

Scope

Where should the detection apply? The scope constrains the detection, informs the engineer about available telemetry, and can surface limitations early.

Evidence

Malware samples, logs, PCAPs, or any other data that can be used to build or validate the detection. Requirements coming from the SOC, IR teams, or threat hunters should include artifacts collected during their investigation.

02 Triage

As your requirements backlog grows, you need a principled way to decide what to build next. A simple first-in-first-out queue won't cut it — it ignores the changing threat landscape and your organization's evolving attack surface.

Triage decisions should factor in:

  • Severity — How damaging could this threat be if it materializes?
  • Organizational alignment — Is this threat actively targeting your industry, technology stack, or geography?
  • Detection coverage — Do you already have partial coverage? Would this fill a critical gap?
  • Active exploits — Is this being exploited in the wild right now?

Most requirements are independent, so the DE team can freely pick the highest-priority item from the backlog on each cycle. The goal is a dynamic, threat-informed queue — not a mechanical FIFO list.

Triage — Priority Decision Factors
Severity How damaging if it materializes? HIGH IMPACT 🎯 Org Alignment Targeting your industry, stack, or geography? RELEVANCE Coverage Gap Fills a critical blind spot in defences? COVERAGE 🔴 Active Exploits Exploited in the wild right now? URGENCY

03 Investigate

The Investigate phase converts a high-level detection requirement into a precise technical specification. This is where gaps get surfaced: if the data you need isn't being collected, you discover that here — before wasting development time.

This phase breaks down into four steps:

  1. Identify the data source — Which logs, telemetry, or event streams will feed this detection?
  2. Determine detection indicator types — Are you looking for a process name, a network connection pattern, a file hash, a sequence of events?
  3. Research — Dig into how the technique actually works. Understand normal vs. abnormal behavior in your environment.
  4. Establish validation criteria — How will you know the detection is working correctly? Define your success conditions before you write a single line of code.

04 Develop

With a technical specification in hand, this phase designs, builds, and unit-tests the detection implementation. Detections are commonly implemented as queries run against one or more data sources, and depending on your environment, data pipelines or intermediary stores may need to be built to make the right telemetry available.

The development process has three sub-processes:

  • Design — Architect the detection logic based on the technical specification.
  • Development — Implement the detection query or rule in the appropriate language or platform.
  • Unit testing — Validate the implementation against both known-bad and known-good samples in isolation.

A critical principle here is keeping both short-term and long-term objectives in mind. A quick-and-dirty detection that works today can become a maintenance burden tomorrow if it wasn't designed with the broader detection ecosystem in mind.

05 Test

Testing validates that your detection actually works and isn't excessively noisy before it reaches production. Critically, testing isn't a gate at the end of development — it's a continuous activity that should guide development from the very beginning.

Known bad

Telemetry that represents actual adversary activity. This can come from sandbox simulations of the attack, real incident data, or mock data crafted to represent expected attacker behavior.

Known good

Telemetry captured from normal, benign activity in a clean environment. Ideally sourced from your production environment so the tests are representative of real-world conditions — not just a clean-room simulation.

Testing — Coverage Framework
KNOWN BAD Adversary activity telemetry 🧪 Sandbox sim 📋 Incident data 🎭 Mock data Evasion potential Completeness gaps VS KNOWN GOOD Normal, benign activity telemetry 🏢 Production env 🔍 Clean env Baseline logs False positive identification Representative real-world coverage

Ad hoc tests written during this phase should target three goals:

  • False positive identification — What legitimate activity could trigger this detection incorrectly? Minimizing the false positive rate is a primary testing objective.
  • Evasion potential — What variations of the technique could bypass the detection? While red teams own adversarial testing, detection engineers should identify the obvious bypasses before deployment.
  • Completeness gaps — Is the detection too narrowly defined? Are there permutations of the event it would miss entirely?

// Why This Framework Changed How I Work

What makes the DE life cycle powerful isn't any single phase — it's the feedback loop. Requirements inform triage, investigation surfaces data gaps, testing drives development back, and the four continuous activities keep the entire program honest over time.

Before I had this structure, I was producing individual detections. Now I'm building a detection program. The difference is everything.

If you've been approaching detection engineering the same way I used to — by instinct, by habit, by urgency — I'd strongly recommend picking up Practical Detection Engineering. What's summarized here is just the framework. The book goes much deeper into each phase, with practical guidance on tooling, metrics, and how to scale this inside a real team.

// Based on notes from Practical Detection Engineering