What does it mean to be a threat detection engineer?

Alex Teixeira
3 min read · Dec 27, 2020

The idea of this post came after a Slack chat with Ryan Long, a Sr. Security Analyst who had asked this very question highlighted in the blog title.

Ryan, like many others, is realizing that there is sometimes a very thin line between analysis (operations) and engineering when it comes to threat detection.

Update: a more recent take on this topic is linked below:

The dotted lines between Threat Hunting and Detection Engineering

Why is Threat Detection so trendy now?

Because the demand is higher? Because Cyber is becoming specialized? I wrote a blog post touching on this topic a few years ago. Let's start with some context first.

Machine Data & Modern Tooling

Logs, logs everywhere! Today we have too much data at our disposal, so much that we need to design data pipelines with routing, filtering and other pre-processing stages before consuming it at the other end.

I remember working as an architect for a bank in the early 2000s, when one item on my product assessment checklist was "Does it provide logs?" Today we ask "Does it ship JSON logs?" and "Does it provide an API to extract logs?"
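As an added illustration of the pipeline the post describes (this is example code written for this page, not the author's own tooling), the following Python sketch takes a handful of constructed JSON log lines, drops the ones that do not parse, filters out a known noisy event, tags each surviving event with a normalized severity field, and routes it to a sink chosen by its source. The sources, sink names, field names and the sample lines are all assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample input (not taken from the original post): a mix of
# structured JSON events and one malformed line, as a pipeline would see them.
SAMPLE_LINES = [
    '{"source": "nginx", "ts": "2020-12-27T10:00:00Z", "status": 200, "path": "/healthz"}',
    '{"source": "nginx", "ts": "2020-12-27T10:00:01Z", "status": 401, "path": "/admin"}',
    '{"source": "sshd", "ts": "2020-12-27T10:00:02Z", "event": "failed_password", "user": "root"}',
    'this is not json',
    '{"source": "sshd", "ts": "2020-12-27T10:00:03Z", "event": "accepted_password", "user": "alice"}',
]

# Hypothetical routing table: which sink (index) receives events from each source.
ROUTES = {"nginx": "web-index", "sshd": "auth-index"}


def parse(line):
    """Parse one raw line; return None for anything that is not a JSON object."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def is_noise(event):
    """Filtering stage: drop high-volume, low-value events before they reach the SIEM."""
    return event.get("source") == "nginx" and event.get("path") == "/healthz"


def enrich(event):
    """Pre-processing stage: add a normalized severity field detections can key on."""
    if event.get("event") == "failed_password" or event.get("status") == 401:
        event["severity"] = "high"
    else:
        event["severity"] = "info"
    return event


def run_pipeline(lines):
    """Run parse -> filter -> enrich -> route over the lines.

    Returns the per-sink event lists and counters showing what was dropped,
    so the pipeline's own behaviour can be monitored.
    """
    sinks = defaultdict(list)
    stats = {"parsed": 0, "unparsed": 0, "filtered": 0, "routed": 0}
    for line in lines:
        event = parse(line)
        if event is None:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        if is_noise(event):
            stats["filtered"] += 1
            continue
        sink = ROUTES.get(event.get("source"), "default-index")
        sinks[sink].append(enrich(event))
        stats["routed"] += 1
    return dict(sinks), stats


if __name__ == "__main__":
    routed, counters = run_pipeline(SAMPLE_LINES)
    print(counters)
    for name, events in routed.items():
        print(name, [e.get("severity") for e in events])
```

The counters are the part worth keeping in a real deployment: a sudden rise in `unparsed` or `filtered` usually means an upstream format change or a mis-tuned filter, which is a detection gap the analyst never sees from the SIEM side.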


Alex Teixeira

I design and build detection and SIEM/EDR/XDR content for Enterprise #SecOps teams #DetectionEngineering http://opstune.com