// The Search That Led Me Here
Like many practitioners, I spent a long time doing detection engineering the way many practitioners do — learning through experience, adapting to new threats, and refining my approach as I went.
I wasn't new to security. I understood the threats, the TTPs, and the tooling. When building detections, I would identify gaps, evaluate available signals, and create rules based on the information and context I had at the time. Sometimes I'd reference a MITRE ATT&CK technique. Other times I'd build on existing detections or insights from colleagues. The approach worked, but it was largely driven by individual experience rather than a clearly defined framework.
That flexibility had its advantages. It allowed me to move quickly and respond to emerging threats. But as environments grew more complex, I started noticing challenges that many detection teams face: maintaining consistency across detections, measuring coverage, prioritizing engineering efforts, and ensuring that detections remained effective over time.
I knew there was an opportunity to make the process more structured. I just hadn't found a framework that brought all the pieces together.
I read blog posts, explored open-source detection repositories, and spent plenty of time navigating ATT&CK. Each resource provided valuable insights — a better query here, a useful data source there — but I was still looking for a cohesive methodology that connected detection development, validation, maintenance, and continuous improvement.
Then I picked up Practical Detection Engineering, and things started clicking.
What stood out wasn't that it introduced completely new concepts. Rather, it organized many of the ideas and practices I had encountered into a comprehensive engineering lifecycle. The book treats detection engineering much like software engineering treats product development — with clear phases, defined inputs and outputs, feedback loops, and continuous improvement. It shifted my perspective from building individual detections to building a repeatable system for producing and maintaining effective detections over time.
Below are my notes from the core framework. If you're a detection engineer looking to bring more structure and consistency to your work, this is what the framework looks like.
// The DE Life Cycle
The Detection Engineering life cycle consists of six sequential phases, supported by four continuous activities that run in parallel throughout the entire program.
Input: Findings from detection requirement sources
Output: Structured detection requirements
Input: Detection requirement from Phase 1
Output: Triaged and prioritized detection requirement
Input: Triaged detection requirement
Output: Technical specifications and data engineering requirements
Input: Technical specifications from Investigate
Output: Detection code
Input: Detection code from Develop
Output: Validated, production-ready detection
Input: Validated detection
Output: Live detection running in production
Alongside these phases, four continuous activities keep the program healthy over time:
These aren't phases you complete and move on from. They're ongoing disciplines that keep your detection content aligned with a shifting threat landscape and a growing attack surface.
01 Requirements Discovery
Every detection starts as a requirement. This phase collects those requirements from multiple sources — threat intelligence feeds, forensic investigations, SOC tickets, red team findings, industry TTPs — and structures them so the next phase can evaluate them meaningfully.
A complete detection requirement should capture six key fields:
Who raised this requirement, including the specific individual if possible. Closing the loop by notifying them once a detection is built builds trust and encourages better future submissions.
What exactly needs to be detected? This can range from highly technical ("detect when new files are written to a web server code directory") to business-level ("notify the security team if an end user runs unauthorized remote administration software"). Both are valid — the detection engineer will translate them later.
Why does this detection matter now? Was it triggered by a forensic investigation of an actual attack? A blog post about an emerging technique? Or TTPs observed against companies in your sector? The reason helps prioritize during triage.
Under what conditions should an alert not fire? For example, an authorized developer modifying a sensitive directory shouldn't trigger an alert. Exceptions defined upfront reduce false positives before the detection is even written.
Where should the detection apply? The scope constrains the detection, informs the engineer about available telemetry, and can surface limitations early.
Malware samples, logs, PCAPs, or any other data that can be used to build or validate the detection. Requirements coming from the SOC, IR teams, or threat hunters should include artifacts collected during their investigation.
02 Triage
As your requirements backlog grows, you need a principled way to decide what to build next. A simple first-in-first-out queue won't cut it — it ignores the changing threat landscape and your organization's evolving attack surface.
Triage decisions should factor in:
- Severity — How damaging could this threat be if it materializes?
- Organizational alignment — Is this threat actively targeting your industry, technology stack, or geography?
- Detection coverage — Do you already have partial coverage? Would this fill a critical gap?
- Active exploits — Is this being exploited in the wild right now?
Most requirements are independent, so the DE team can freely pick the highest-priority item from the backlog on each cycle. The goal is a dynamic, threat-informed queue — not a mechanical FIFO list.
03 Investigate
The Investigate phase converts a high-level detection requirement into a precise technical specification. This is where gaps get surfaced: if the data you need isn't being collected, you discover that here — before wasting development time.
This phase breaks down into four steps:
- Identify the data source — Which logs, telemetry, or event streams will feed this detection?
- Determine detection indicator types — Are you looking for a process name, a network connection pattern, a file hash, a sequence of events?
- Research — Dig into how the technique actually works. Understand normal vs. abnormal behavior in your environment.
- Establish validation criteria — How will you know the detection is working correctly? Define your success conditions before you write a single line of code.
04 Develop
With a technical specification in hand, this phase designs, builds, and unit-tests the detection implementation. Detections are commonly implemented as queries run against one or more data sources, and depending on your environment, data pipelines or intermediary stores may need to be built to make the right telemetry available.
The development process has three sub-processes:
- Design — Architect the detection logic based on the technical specification.
- Development — Implement the detection query or rule in the appropriate language or platform.
- Unit testing — Validate the implementation against both known-bad and known-good samples in isolation.
A critical principle here is keeping both short-term and long-term objectives in mind. A quick-and-dirty detection that works today can become a maintenance burden tomorrow if it wasn't designed with the broader detection ecosystem in mind.
05 Test
Testing validates that your detection actually works and isn't excessively noisy before it reaches production. Critically, testing isn't a gate at the end of development — it's a continuous activity that should guide development from the very beginning.
Known bad
Telemetry that represents actual adversary activity. This can come from sandbox simulations of the attack, real incident data, or mock data crafted to represent expected attacker behavior.
Known good
Telemetry captured from normal, benign activity in a clean environment. Ideally sourced from your production environment so the tests are representative of real-world conditions — not just a clean-room simulation.
Ad hoc tests written during this phase should target three goals:
- False positive identification — What legitimate activity could trigger this detection incorrectly? Minimizing the false positive rate is a primary testing objective.
- Evasion potential — What variations of the technique could bypass the detection? While red teams own adversarial testing, detection engineers should identify the obvious bypasses before deployment.
- Completeness gaps — Is the detection too narrowly defined? Are there permutations of the event it would miss entirely?
// Why This Framework Changed How I Work
What makes the DE life cycle powerful isn't any single phase — it's the feedback loop. Requirements inform triage, investigation surfaces data gaps, testing drives development back, and the four continuous activities keep the entire program honest over time.
Before I had this structure, I was producing individual detections. Now I'm building a detection program. The difference is everything.
If you've been approaching detection engineering the same way I used to — by instinct, by habit, by urgency — I'd strongly recommend picking up Practical Detection Engineering. What's summarized here is just the framework. The book goes much deeper into each phase, with practical guidance on tooling, metrics, and how to scale this inside a real team.