Detection engineering
Detection rules and SOAR playbooks that fire on real attacks, not on noise.
What we ship
Detection rules tied to MITRE ATT&CK techniques with coverage gaps documented. SOAR playbooks that triage, enrich, and only escalate when human attention is warranted. Custom connectors when the vendor option does not exist.
On Microsoft Sentinel: analytics rules with KQL transforms at ingestion to cut noise, watchlists for asset context, Logic Apps for SOAR, MMA-to-AMA migration done right (see our field notes on this).
Coverage versus noise
More rules do not mean better coverage. We start with what you cannot afford to miss and work outward, retiring rules that fire on benign activity. Every engagement includes a rule retirement list: detection rules currently in production that are pure noise.
Multi-SIEM experience
We have shipped on Sentinel, Splunk, Chronicle, Elastic, and QRadar. When the question is "which SIEM?", the answer depends on your existing data sources, license posture, and team. We have written up the comparisons.
Six production KQL rules, MIT licensed.
The detection-engineering engagement starts with the same six rules we open-sourced last quarter. Pull the pack, run it against your tenant, see the noise pattern before the discovery call.
Deliverables, by line item.
- Detection rule pack mapped to MITRE ATT&CK
- SOAR playbooks with triage logic and human-loop checkpoints
- Custom connectors where vendor options do not fit
- Rule retirement plan with noise metrics
- On-call runbook for the top ten incident types
