Detection Engineering
What is Detection Engineering?
Detection engineering is the disciplined practice of designing, developing, testing, and maintaining the detection rules, behavioral analytics, and correlation logic that enable a Security Operations Center (SOC) to identify attacker activity in telemetry data. Where traditional security monitoring often meant applying vendor-provided rule sets to a SIEM, detection engineering treats detection as an engineering discipline: requirements (which attacker behaviors must be detected?), design (which data sources and logic express this detection accurately?), testing (does the detection fire on true positives without excessive false positives?), deployment, and maintenance as the threat landscape evolves. Detection engineering has emerged as a critical security capability as organizations have recognized that untuned SIEM deployments produce overwhelming alert volume with poor signal quality.
Description
Detection engineering is grounded in adversary knowledge — specifically, the MITRE ATT&CK framework, which documents the specific techniques that real threat actors use across the attack lifecycle. Effective detection engineering maps detection rules to ATT&CK techniques, enabling systematic measurement of coverage: which techniques are detected? Which leave blind spots? The Sigma rule format has emerged as a vendor-agnostic standard for sharing detection rules across SIEM platforms. Detection engineering requires: deep knowledge of attacker TTPs to write accurate detection logic; understanding of available telemetry sources (Windows Event Logs, Sysmon, EDR telemetry, network flows, authentication logs); statistical judgment to tune detection thresholds that minimize false positives without creating false negatives; and testing methodology — using purple teaming exercises to validate that detections fire correctly when real techniques are executed. The connection between offensive security and detection engineering is direct: pen testers and red teams generate the ground-truth adversarial activity that detection engineers use to test and tune their rules. Threat intelligence provides the adversary context that informs which ATT&CK techniques to prioritize in detection coverage. The ATT&CK maturity assessment video from Evolve Security demonstrates a methodology for measuring and improving detection coverage systematically.
Usage and Examples
A detection engineer receives a red team report documenting that attackers used PowerShell with encoded commands (ATT&CK T1059.001) to execute a payload without triggering any existing SIEM alerts. The engineer designs a new detection: PowerShell invocations with the -EncodedCommand flag should generate an alert with moderate confidence. After testing the rule in a staging environment with legitimate PowerShell traffic, they identify that automated backup scripts use encoded commands — a false positive source they tune out by adding the backup service account to an exclusion list. The tuned rule is deployed and validated with another controlled test: the red team executes the same technique and the alert fires within 30 seconds. The detection goes from 0% to 100% coverage for that specific technique. Multiplied across dozens of ATT&CK techniques over time, this detection engineering cycle transforms a noisy, low-signal SIEM into a high-fidelity detection platform.
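The cycle described above, as an added example that is not part of the original page and not Evolve Security's code: a rule for ATT&CK T1059.001 that flags PowerShell launched with the -EncodedCommand flag (it also accepts the abbreviated forms -e, -ec and -enc that powershell.exe resolves to the same parameter, a generalization beyond the page), evaluated against a constructed, labeled set of process-creation events. Version 1 of the rule fires on the backup service account; version 2 adds the exclusion list from the text and is re-measured. All event data, user names (CORP\svc-backup and friends) and the base64 argument (it decodes to "AAAA") are constructed for the example.

```python
"""Build, measure and tune a PowerShell -EncodedCommand detection over labeled sample events."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    user: str
    image: str
    command_line: str
    label: str  # ground truth: "malicious" (red team run) or "benign" (staging traffic)


# Constructed sample: two red-team executions, two backup-script runs, three other benign events.
SAMPLE_EVENTS = [
    ProcessEvent(r"CORP\alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -EncodedCommand QQBBAEEAQQA=", "malicious"),
    ProcessEvent(r"CORP\svc-backup", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -enc QQBBAEEAQQA=", "benign"),
    ProcessEvent(r"CORP\bob", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", "benign"),
    ProcessEvent(r"CORP\carol", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r"pwsh.exe -File C:\scripts\report.ps1", "benign"),
    ProcessEvent(r"CORP\dave", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1", "benign"),
    ProcessEvent(r"CORP\svc-backup", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -ec QQBBAEEAQQA=", "benign"),
    ProcessEvent(r"CORP\eve", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -ec QQBBAEEAQQA=", "malicious"),
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
_ENCODED_FULL = "encodedcommand"


def has_encoded_command_flag(command_line: str) -> bool:
    """True if any argument is -EncodedCommand or one of the abbreviations powershell.exe accepts.

    Abbreviation handling is an assumption of this example: -e and -ec are the documented short
    forms, and any prefix of 'encodedcommand' of three or more characters (-enc, -enco, ...)
    resolves to the same parameter. '-ex' (ExecutionPolicy) deliberately does not match.
    """
    for token in command_line.split():
        if not token.startswith(("-", "/")):
            continue
        name = token.lstrip("-/").lower()
        if name in ("e", "ec") or (len(name) >= 3 and _ENCODED_FULL.startswith(name)):
            return True
    return False


@dataclass(frozen=True)
class EncodedPowerShellRule:
    """Detection logic plus its tuning state (exclusion list of service accounts)."""
    name: str
    technique: str = "T1059.001"
    excluded_users: frozenset[str] = frozenset()  # stored lowercase

    def matches(self, event: ProcessEvent) -> bool:
        image_name = re.split(r"[\\/]", event.image)[-1].lower()
        if image_name not in POWERSHELL_IMAGES:
            return False
        if event.user.lower() in self.excluded_users:
            return False  # tuned-out false-positive source
        return has_encoded_command_flag(event.command_line)


def evaluate(rule: EncodedPowerShellRule, events: list[ProcessEvent]) -> dict[str, int]:
    """Count true positives, false positives and false negatives against the labels."""
    tp = fp = fn = 0
    for event in events:
        fired = rule.matches(event)
        if fired and event.label == "malicious":
            tp += 1
        elif fired:
            fp += 1
        elif event.label == "malicious":
            fn += 1
    return {"tp": tp, "fp": fp, "fn": fn}


def run_example() -> tuple[dict[str, int], dict[str, int]]:
    """Measure the untuned rule, then the rule with the backup account excluded."""
    v1 = EncodedPowerShellRule(name="PowerShell encoded command v1")
    v2 = EncodedPowerShellRule(name="PowerShell encoded command v2",
                               excluded_users=frozenset({r"corp\svc-backup"}))
    return evaluate(v1, SAMPLE_EVENTS), evaluate(v2, SAMPLE_EVENTS)


if __name__ == "__main__":
    before, after = run_example()
    print("v1 (untuned):", before)   # -> {'tp': 2, 'fp': 2, 'fn': 0}
    print("v2 (tuned):  ", after)    # -> {'tp': 2, 'fp': 0, 'fn': 0}
```

The evaluation step is the part worth keeping around: rerun it whenever the rule or the exclusion list changes, with the red team's executions as the malicious labels and a sample of staging traffic as the benign ones, so that a tuning change that quietly introduces a false negative shows up as a non-zero `fn` before deployment. An account-wide exclusion is the coarsest possible tuning; if the backup jobs always run a fixed script from a fixed path, excluding that command line or parent process rather than the whole account keeps coverage for that account if it is ever misused.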
How Does This Relate to Penetration Testing?
Detection engineering is the direct beneficiary of penetration testing and red team findings. Evolve Security's red team engagements produce detailed MITRE ATT&CK mapped findings that serve as the input specification for detection engineering work — documenting which techniques evaded existing detections and providing the execution context (specific commands, log artifacts, network signatures) that detection engineers need to write accurate rules. Purple teaming sessions take this integration further by involving detection engineers in real-time during technique execution, collapsing the typical weeks-long gap between red team findings and detection improvements into hours. Evolve Security's Red Team and purple teaming services provide the ATT&CK-mapped findings and collaborative testing framework that detection engineering programs need to systematically improve SOC coverage against real threat actor techniques.