CoursesDetection engineeringDeception & alert quality

Metrics & the loop

Coverage, MTTD, precision — measure and improve.

Advanced25 min · lesson 15 of 15

A detection program you cannot measure is one you cannot improve. The final discipline is metrics — coverage, quality, and speed — that turn detection engineering from an activity into a program with direction and demonstrable value.

Coverage, quality, speed

Three families of metric matter. Coverage: measured against the ATT&CK techniques relevant to your environment — which can you detect, and where are the gaps? — not the raw rule count, which says nothing about what you actually catch. Quality: precision and false-positive rate, because a program drowning in noise is failing regardless of coverage. Speed: mean time to detect (MTTD) and mean time to respond (MTTR), because catching an intrusion quickly bounds the damage. Rule count, alert volume, and number of tools are vanity metrics — they measure activity, not outcomes. Track the ones that reflect whether you actually detect real threats, accurately, and fast.

measure outcomes, not activity
# VANITY (activity): MEANINGFUL (outcomes):
# number of rules ATT&CK coverage: techniques detected / relevant
# alerts per day precision: true positives / total alerts
# tools purchased MTTD / MTTR: how fast we detect and respond
#
# A dashboard with 900 rules and 5,000 daily alerts can have WORSE real
# coverage and precision than a tuned program with 200 rules. Measure the right things.

The improvement loop

Metrics close the loop that runs through this entire course. ATT&CK coverage gaps become hunting hypotheses and new detections. A rising false-positive rate signals rules to tune. A slow MTTD points to missing telemetry or automation to add. Each incident’s post-mortem asks which steps were detected and feeds the misses back as new, tested detections. Run this continuously and the program compounds: coverage grows, precision rises, and detection time falls, all visibly. That is the essence of detection engineering — not a static set of rules, but a measured, iterating system where hunting, detection-as-code, response, and forensics all feed one another toward better outcomes.

A measured detection program
measure
coverage (ATT&CK)
techniques you can detect
quality (precision, FP rate)
signal not noise
speed (MTTD/MTTR)
bound the damage
improve
gaps → hunts → detections
grow coverage
incidents → retros → rules
compound over time
Measure outcomes, not activity. Coverage, precision, and speed drive a loop where every hunt and incident improves the program.
Rule count and alert volume are vanity metrics
A large number of rules or alerts measures activity, not effectiveness — a program can have thousands of both and still miss real intrusions while drowning responders. Measure ATT&CK coverage, precision, and detection speed; those reflect whether you actually catch threats, and they are what should drive the program.