Detection Engineering · Published Jul 11, 2026 · Medium companion page

Newest Detection Engineering Techniques

A practical 1200km ecosystem page for the article about moving from individual SIEM rules to validated security telemetry: telemetry requirements, stateful correlation, risk scoring, identity/session detection, cloud/SaaS data-plane coverage, CI/CD, runtime detection, data lakes, and LLM/agent workflow telemetry.

Newest detection engineering techniques cover graphic

All 25 article figures are mirrored locally for the 1200km archive and linked into the detection-engineering ecosystem.

Executive Judgment

The central argument of the article is that modern detection engineering is no longer only rule writing. It is the engineering of a defensive loop: required telemetry, normalized fields, attacker-behavior hypotheses, detection logic, validation evidence, false-positive control, drift monitoring, and analyst feedback.

This page connects that argument to the 1200km ecosystem. Use AdversaryGraph for report/log ingestion and detection backlog context, Threat Matrix for ATT&CK navigation, observability validation for telemetry readiness, and the CTI research index for source-rated, evidence-traced analysis.

Detection engineering defensive loop infographic
The article frames detection as a loop: telemetry, behavior, logic, validation, measurement, and feedback.
Detection engineering practical conclusion infographic
The practical conclusion: threat-informed logic must be connected to reliable telemetry and validation.

How This Fits the 1200km Ecosystem

AdversaryGraph

Use it to extract ATT&CK techniques, IOCs, actor links, and detection candidates from reports, logs, malware findings, and asset context.

Threat Matrix

Use it as the canonical ATT&CK navigation layer for TTP links, platform references, and technique-level research pivots.

Validation Workflows

Use detection-as-code, replay tests, emulation, and SIEM result evidence to prove that a rule detects the claimed behavior.

Technique Map

The Medium article organizes the current detection-engineering stack into 13 practical techniques. The useful way to read them is not as separate tricks, but as a maturity path from data availability to stateful behavior, validation, and controlled automation.

1. Telemetry-first engineering

Define required log sources and fields before writing the rule.

2. Detection-as-code validation

Store rules in Git, but prove them with fixtures, replay, and emulation.

3. Stateful correlation

Link password spray, session use, SaaS actions, cloud roles, and workload context over time.

4. Risk-based alerting

Aggregate weak signals by entity with deduplication, caps, and time decay.

5. Identity and session abuse

Detect context shifts in token, device, ASN, country, app, and session behavior.

6. Cloud and SaaS data plane

Collect the read/export/query events that prove data access, not only admin activity.

7. CI/CD supply chain

Treat workflows, secrets, pull requests, OIDC trust, and signing authority as telemetry.

8. Runtime detection

Use eBPF/Falco-style runtime evidence for shells, token reads, and container escape indicators.

9. Rare-event analytics

Use peer group, first-seen, and entity-specific rarity instead of broad anomaly language.

10. Statistical change

Use baselines and z-scores only when the field semantics and baseline population are correct.

11. Data lakes and OCSF

Separate portable logic from high-fidelity native detections and schema-specific joins.

12. LLM/agent telemetry

Log prompt source, retrieval, tool calls, approvals, MCP servers, and agent retry loops.

13. AI-assisted engineering

Let LLMs draft or translate, but make the pipeline and analyst verify.

Modern detection engineering loop
Modern detection engineering loop: from threat model to telemetry, logic, test, deployment, measurement, and feedback.
Concrete outputs of the detection engineering loop
Each stage needs a concrete output: field contract, hypothesis, rule, test, dashboard, and owner.

Identity, Cloud, SaaS, and CI/CD

The strongest part of the article is its focus on valid-account and trusted-system abuse. Modern intrusions often use stolen credentials, session material, OAuth grants, service accounts, SaaS exports, or privileged CI/CD workflow context. That makes authentication, authorization, workflow, and data-plane telemetry detection inputs.

S3 data access detection plan
Technique 1: S3 data access coverage starts with the question of whether object-read telemetry exists.
S3 data access detection logic
Object-read count, baseline, peer group, bucket sensitivity, and new source context turn volume into a useful signal.
Detection-as-code metadata structure
Technique 2: detection-as-code needs metadata, required sources, required fields, validation fixtures, and deployment mode.
Password spray followed by successful login sequence
Technique 3: stateful detection links failed logins, success, and later SaaS or cloud activity by entity and time.
Session context shift detection
Technique 5: session abuse is often visible as context shift across device, location, ASN, user agent, app, and token use.
Privileged workflow touched by untrusted input
Technique 7: CI/CD security requires static workflow analysis and runtime evidence for privileged workflows touched by untrusted input.
Operational rule: if the attacker can act through a trusted identity, SaaS tenant, cloud role, or workflow token, that system must be in the telemetry plan.

Runtime, Data Lakes, and AI-Era Workflows

Runtime detection, OCSF-style data lakes, and LLM/agent telemetry are useful when they are treated as engineering systems with field contracts and validation. They are weak when treated as magic platforms that make missing telemetry, vague anomaly language, or untested rules acceptable.

Risk scoring pattern summary
Technique 4: weak-signal aggregation turns low-confidence events into a higher-value entity risk story.
Risk scoring SQL skeleton
Production risk scoring needs deduplication, caps, decay, and signal ownership, not a blind flat sum.
Shell in production container runtime detection
Technique 8: eBPF/runtime logic catches behavior such as an unexpected shell in a production container.
Peer-group analytics and first-seen detection
Technique 9: peer groups and first-seen analytics make anomaly detection specific enough to test.
SaaS bulk download statistical change detection
Technique 10: statistical change detection works only when field semantics, baseline windows, and population thresholds are correct.
Security data lake architecture
Technique 11: data lake architecture separates storage, schema contracts, enrichment, native query logic, and detection output.
Required telemetry for agent detection
Technique 12: agent detection starts with prompt, retrieval, model request, tool call, approval, and MCP telemetry.
Prompt injection leading to tool misuse detection
Prompt-injection detection needs to connect external content, instruction-like text, tool selection, and approval outcomes.

90-Day Implementation View

The 90-day plan in the article is a practical deployment sequence: inventory detections, identify owners and required sources, build validation fixtures, validate against behavior, add stateful identity and cloud detections, introduce risk scoring, and then monitor telemetry drift.

Days 1-30

Inventory detections, owners, fields, data sources, and build basic validation.

Days 31-60

Validate behavior, replay fixtures, add identity, session, cloud, and SaaS data-plane detections.

Days 61-90

Add risk scoring, false-positive review, telemetry drift dashboards, and quality metrics.

AI-assisted detection engineering workflow
Technique 13: AI can draft, translate, and summarize, but schema validation and human approval stay mandatory.
Practical 90-day implementation plan
The 90-day plan turns detection-engineering theory into sequenced, measurable implementation work.
Validation metrics that matter
Validation metrics: proven detections, tested fields, false-positive rate, drift, owner freshness, and analyst value.
Common detection engineering failure modes
Common failure modes include heatmap theater, syntax-only CI, missing data-plane logs, and premature autonomous response.

Complete Local Figure Archive

These are the locally mirrored visuals from the published Medium article. The images are stored under /assets/cti/newest-detection-engineering-techniques/ so the 1200km archive is not dependent on Medium image delivery.

Figure 01 cover
Figure 01: article cover.
Figure 02 defensive loop
Figure 02: detection engineering defensive loop.
Figure 03 practical conclusion
Figure 03: practical conclusion.
Figure 04 modern loop
Figure 04: modern detection engineering loop.
Figure 05 stage outputs
Figure 05: concrete stage outputs.
Figure 06 S3 detection plan
Figure 06: S3 detection plan.
Figure 07 S3 detection logic
Figure 07: S3 detection logic.
Figure 08 detection metadata
Figure 08: detection-as-code metadata.
Figure 09 password spray sequence
Figure 09: stateful password spray sequence.
Figure 10 risk scoring
Figure 10: risk scoring pattern.
Figure 11 risk scoring SQL
Figure 11: risk scoring skeleton.
Figure 12 session context shift
Figure 12: session context shift.
Figure 13 cloud logging strategy
Figure 13: cloud logging strategy.
Figure 14 Snowflake-style data theft
Figure 14: Snowflake-style data-theft pattern.
Figure 15 CI/CD detection
Figure 15: privileged workflow and untrusted input.
Figure 16 runtime detection
Figure 16: shell in production container.
Figure 17 peer group analytics
Figure 17: peer-group analytics.
Figure 18 statistical change detection
Figure 18: SaaS bulk download anomaly.
Figure 19 data lake architecture
Figure 19: data lake and OCSF architecture.
Figure 20 agent telemetry
Figure 20: required agent telemetry.
Figure 21 prompt injection detection
Figure 21: prompt injection to tool misuse.
Figure 22 AI-assisted workflow
Figure 22: AI-assisted detection engineering.
Figure 23 90-day plan
Figure 23: 90-day implementation plan.
Figure 24 validation metrics
Figure 24: validation metrics.
Figure 25 failure modes
Figure 25: common failure modes.

Source Base and Practical References

The original article uses real-world references across identity, cloud, SaaS, supply chain, runtime detection, data lakes, and AI-agent security. Start with these ecosystem pivots: