Detection as code
Version-controlled, tested, CI/CD-deployed detections.
Detection engineering treats detections the way software engineering treats code — and detection as code is the discipline that makes a detection program reliable, auditable, and improvable instead of a pile of one-off console queries nobody remembers writing.
Detections are software
A detection is logic that consumes telemetry and emits an alert — so it deserves the same rigor as any other logic: it lives in version control, is peer-reviewed, is tested against known-good and known-bad samples, and ships through CI/CD to the SIEM. The alternative — analysts hand-typing rules into a console — produces detections nobody can review, that silently break when log formats change, and that no one can reproduce after a platform migration. Detection as code makes the security posture legible: you can answer who wrote a rule, why, when it changed, and whether it actually fires.
detections/credential-access/aws-console-login-without-mfa.yml # the rule (Sigma)aws-console-login-without-mfa.test.yml # true-positive + true-negative samplesci.yml # lint → test → deploy# CI: for each rule, run it against the test logs and assert:# - fires on the malicious sample (true positive)# - stays quiet on the benign sample (true negative)# Only passing rules deploy to the SIEM. A regression is a failed build.
The feedback loop
Detection as code enables the loop that defines a mature program: a threat hunt or incident reveals a technique, an engineer writes a detection for it, tests prove it fires, CI deploys it, and metrics track its performance — feeding the next iteration. Version control gives you history and rollback, so a noisy or broken rule is a revert rather than a scramble. Community rule sets (Sigma repos) become a starting point you tune and validate rather than trust blindly. The result is coverage that grows deliberately and visibly, with every detection an artifact you can reason about.