Detection Engineering
Definition
Detection engineering is the discipline of turning attacker and system behavior into reliable, explainable, operationally useful telemetry, analytics, alerts, and response evidence.
Before this branch:
- Foundations (Phase 0).
- Networking - you cannot detect what you cannot reason about.
- Offensive Security / Recon - read each detection note paired with its offensive counterpart.
Why it matters
Modern cybersecurity is telemetry warfare. Attackers try to control what defenders can observe, correlate, retain, and interpret. Defenders win less by hoping for perfect prevention and more by engineering visibility across endpoints, networks, identities, cloud control planes, and application boundaries.
This branch is not vendor-centric and does not teach shallow tool operation. It explains the detection surfaces, sensor limits, behavioral patterns, and correlation tradeoffs that make tools useful.
Branch spine
- network-telemetry-sources-and-visibility
- zeek-suricata-and-netflow-analysis
- ids-ips-and-behavioral-detection-pipelines
- behavioral-detection-vs-signature-detection
- false-positives-false-negatives-and-detection-tradeoffs
- telemetry-normalization-correlation-and-enrichment
- encrypted-traffic-analysis-and-metadata-leakage
- scan-anomaly-detection-and-fingerprint-analysis
- detection-evasion-myths-and-modern-limitations
- edr-network-observability-and-process-correlation
- attack-path-correlation-and-kill-chain-observability
Study order
1. Visibility before rules
- network-telemetry-sources-and-visibility - what packets, flows, logs, endpoint sensors, and cloud logs can and cannot see.
- zeek-suricata-and-netflow-analysis - how three common network telemetry layers complement and contradict each other.
2. Detection pipeline design
- ids-ips-and-behavioral-detection-pipelines - how signature, anomaly, behavioral, enrichment, correlation, and response stages fit together.
- behavioral-detection-vs-signature-detection - why mature detection blends static indicators, IOAs, behavioral analytics, and sequence logic.
- false-positives-false-negatives-and-detection-tradeoffs - why detection is precision/recall and operational-capacity engineering, not binary truth.
- telemetry-normalization-correlation-and-enrichment - why schemas, enrichment, entity resolution, timestamps, and joins often decide detection quality.
3. Scan behavior as a detection case study
- scan-anomaly-detection-and-fingerprint-analysis - why scanning is not a single event but a behavioral pattern across timing, fan-out, TCP/IP shape, TLS fingerprints, and scan-to-exploit transitions.
- detection-evasion-myths-and-modern-limitations - how to test old evasion claims against modern multi-sensor telemetry.
4. Encrypted traffic and metadata
- encrypted-traffic-analysis-and-metadata-leakage - why encryption hides content but not all behavior, metadata, or endpoint context.
5. Endpoint-network and attack-path correlation
- edr-network-observability-and-process-correlation - why modern defense changed when network events became joinable to processes, users, hashes, and parent chains.
- attack-path-correlation-and-kill-chain-observability - why modern detection often detects relationships between events rather than isolated events.
6. Host-side telemetry (Windows)
- windows-event-logs - the 30 Event IDs that carry most Windows security telemetry, the audit-policy preconditions that make them appear, and the Event-ID-sequence patterns that drive Windows-targeted attack detection.
Core claims
- Modern stealth is not "slow packets" or "fragmentation tricks"; it is managing telemetry across many sensors.
- Encrypted traffic still leaks metadata: timing, endpoints, sizes, DNS, SNI where visible, ALPN, JA3/JA4-style fingerprints, process ancestry, cloud logs, and identity context.
- NetFlow/IPFIX, Zeek, Suricata, EDR, cloud flow logs, WAF logs, and SIEM detections are different evidence layers, not interchangeable labels.
- Detection quality depends on sensor placement, capture loss, timestamps, entity resolution, baselines, correlation windows, and triage evidence.
- False positives and false negatives are engineering feedback, not embarrassing exceptions.
- Detection maturity moves from brittle artifact matching toward behavior and sequence modeling, while still using signatures where they are precise.
Cross-branch anchors
Offensive security
- Active Recon
- Host and Port Discovery
- Nmap Timing and Evasion
- Masscan Internet-Scale Scanning
- RustScan and NSE Pipeline
- Packet Fragmentation and Decoy Scans
- Cloaking and Security Evasion
Networking
- TCP/IP Basics
- Packet Analysis
- Wireshark Workflows
- Nmap Scanning
- Firewalls and Network Boundaries
- Service Enumeration
- TLS and HTTPS
Cloud and playbooks
Internal conceptual hubs
- behavioral-detection-vs-signature-detection
- false-positives-false-negatives-and-detection-tradeoffs
- telemetry-normalization-correlation-and-enrichment
- encrypted-traffic-analysis-and-metadata-leakage
- detection-evasion-myths-and-modern-limitations
- attack-path-correlation-and-kill-chain-observability
Suggested future atomic notes
- correlation-windows-and-entity-resolution
- tls-fingerprinting-for-detection
- tap-vs-span-sensor-placement
- cloud-flow-logs-and-network-detection
- detection-as-code-and-rule-lifecycle
- alert-triage-and-evidence-quality
- honeyports-and-tarpit-detection
- threat-hunting-with-zeek
- scan-to-exploit-transition-detection
- detection-coverage-vs-attack-coverage
- ecs-and-otel-for-security-telemetry
- precision-and-recall-for-security-detections
- attack-graph-detection
- beaconing-analysis
References
- Mitigation / Operations: CISA Best Practices for Event Logging and Threat Detection - https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
- Foundational: MITRE ATT&CK Data Sources - https://attack.mitre.org/datasources/
- Official Tool Docs: Zeek Logs - https://docs.zeek.org/en/current/logs/
- Official Tool Docs: Suricata EVE JSON Output - https://docs.suricata.io/en/latest/output/eve/eve-json-output.html