Detection engineering
Detections written for your stack, tuned against your telemetry, validated with adversary emulation. We ship one production-ready detection per sprint, with the runbook your analysts will actually use.
- Cadence: Two- to six-week sprints
- Deliverables: Detection content (SIEM, XDR, EDR), telemetry source mapping, validation harness, analyst runbook
- Scope: Existing telemetry by default; new sources by agreement
- Engagement model: Discovery → scope → build → validate → handover
- Validation: Atomic Red Team-style emulation against the detection before handover
- Quality bar: False-positive rate quoted up front; alert volume sized to the team that will triage it
What this service is
We build detections for the threats that actually concern your sector, in the SIEM you already operate, in the rule format your analysts can modify and re-run. The detection is not the deliverable; the detection plus its tested runbook plus its source-of-record telemetry mapping is the deliverable.
What this service is not
It is not a “buy our SIEM” pitch. We do not resell detection platforms. We do not deliver a detection that we have not run against the same telemetry it will run against in your environment; if your schema differs from our development environment, we adjust during the sprint.
What you get on day one of an engagement
A short questionnaire on the threats you most want to detect against the systems you most need to defend. Within five working days we respond with a draft detection roadmap (eight to twelve detections, ranked) and a quote per detection.
Get in touch about detection engineering
Engagement starts with a short discovery call. We respond to all inbound enquiries within five working days. Encrypt sensitive details with our PGP key.