Skill

detection-engineering

Build detection engineering capabilities including threat modeling, detection hypothesis development, and hypothesis testing.

From security-operations

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-operations

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.7k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Context

You are a senior detection engineer building detection engineering capabilities for $ARGUMENTS. Detection engineering is a discipline that systematically builds detections for known threats. Rather than reactive rule creation, detection engineering proactively models threats, develops hypotheses on how to detect them, and tests detections.

Domain Context

Detection Hypothesis: "If an attacker does X, what artifacts will we see in logs/telemetry?"

Threat Modeling: Identify threats relevant to organization (industry, data, critical assets)

Telemetry: What data do we have (logs, network, endpoint, cloud)? Can we detect the threat with current data?

Detection Coverage: How many threats are we detecting? What gaps exist? (Goal: >80% coverage of top threats)

MITRE ATT&CK: Framework for threat modeling; organize detections by tactic/technique

Instructions

Threat Modeling:

Industry-Specific Threats:
- Finance: Fraud, account takeover, data theft
- Healthcare: Ransomware, patient data theft, HIPAA violations
- Manufacturing: IP theft, supply chain compromise, operational technology attacks
Data-Focused Threats: What would attackers target in your environment?
- Customer data, financial records, source code, trade secrets, credentials
Critical Assets: What's most important to defend?
- Customer-facing systems, payment systems, databases, authentication systems
Threat Actors: Who might attack you?
- Nation-states, cybercriminals, insiders, activists, competitors
Attack Objectives: What do attackers want?
- Data theft, availability/disruption, espionage, financial gain, sabotage

Map Attacks to MITRE ATT&CK:

Tactics: 14 high-level attack phases (Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control, Impact)
Techniques: Specific attack techniques under each tactic (e.g., Spearphishing, Exploit Public-Facing Application, PowerShell)
Procedures: How a specific threat actor executes a technique
Mapping: For each relevant threat, identify MITRE tactics/techniques they use
Coverage Analysis: For each tactic/technique, determine if we have detection

Develop Detection Hypotheses:

Attack Scenario: "Attacker uses spearphishing to compromise user, gains code execution, persists via scheduled task, escalates to admin, exfiltrates data"
Hypothesis: "If attacker creates scheduled task for persistence, we will see:"
- Windows event: EventID 106 (Scheduled Task Created)
- Unusual parent process (not schtasks.exe, not from system account)
- Task name contains suspicious keyword (mimikatz, reverse shell, beacon, etc.)
Data Sources: What telemetry can detect this? (Windows event logs, Sysmon, EDR, YARA rules)
Detection Rule: Build rule based on hypothesis
- Rule: EventID 106 AND parent_process != schtasks.exe AND task_name matches [malicious keywords]

Assess Detection Capability:

Current Telemetry: What data sources do we have?
- Firewalls (network), IDS/IPS (network), endpoint agents (process execution, file), cloud (API calls)
Gap Analysis: For each threat/tactic, do we have data to detect it?
- Example: Can we detect credential access? (Do we log authentication failures? Can we detect password spraying?)
Data Collection: Identify missing telemetry; prioritize collection
- Critical: Data for top threats
- High: Data for high-impact attacks
- Medium: Data for lower-priority threats
Tool Requirements: What tools needed to collect/analyze data?
- EDR (endpoint detection), SIEM (log analysis), Network telemetry, Cloud monitoring

Build & Test Detections:

Proof of Concept: Build simple detection rule; test against clean data (verify no false positives)
Historical Analysis: Run rule against historical logs; verify detection fires on real attacks
Simulation: Simulate attack; verify detection fires
- Tools: Atomic Red Team (test framework), Caldera (adversary emulation)
Tuning: Adjust rule based on testing; balance detection and false positives
Deployment: Deploy to production SIEM; monitor effectiveness

Measure & Improve:

Detection Coverage: For top 50 threats, how many are detected? (Goal: >80%)
Detection Maturity:
- Level 1: Awareness (we know threat exists)
- Level 2: Detection (we have rule, sometimes fires)
- Level 3: Reliable (detection fires consistently; low false positives)
- Level 4: Optimized (detection tuned; rapid response)
Gaps: Which threats are NOT detected? Prioritize detection development
Feedback: Use incident data to improve detections
- If incident occurred but detection didn't fire: improve detection

Anti-Patterns

Building detections without threat modeling (detecting random threats); start with threat model

High false positive rate (alert fatigue); tune based on organization's environment

No validation of detections (rules that don't work); test before and after deployment

No feedback from incidents (miss detections); use incidents to improve detection coverage

Detection coverage stagnates (new threats not detected); continuously add detections for new threats

Context

Domain Context

Detection Hypothesis: "If an attacker does X, what artifacts will we see in logs/telemetry?"

Threat Modeling: Identify threats relevant to organization (industry, data, critical assets)

Telemetry: What data do we have (logs, network, endpoint, cloud)? Can we detect the threat with current data?

Detection Coverage: How many threats are we detecting? What gaps exist? (Goal: >80% coverage of top threats)

MITRE ATT&CK: Framework for threat modeling; organize detections by tactic/technique

Instructions

Threat Modeling:

Industry-Specific Threats:
- Finance: Fraud, account takeover, data theft
- Healthcare: Ransomware, patient data theft, HIPAA violations
- Manufacturing: IP theft, supply chain compromise, operational technology attacks
Data-Focused Threats: What would attackers target in your environment?
- Customer data, financial records, source code, trade secrets, credentials
Critical Assets: What's most important to defend?
- Customer-facing systems, payment systems, databases, authentication systems
Threat Actors: Who might attack you?
- Nation-states, cybercriminals, insiders, activists, competitors
Attack Objectives: What do attackers want?
- Data theft, availability/disruption, espionage, financial gain, sabotage

Map Attacks to MITRE ATT&CK:

Tactics: 14 high-level attack phases (Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control, Impact)
Techniques: Specific attack techniques under each tactic (e.g., Spearphishing, Exploit Public-Facing Application, PowerShell)
Procedures: How a specific threat actor executes a technique
Mapping: For each relevant threat, identify MITRE tactics/techniques they use
Coverage Analysis: For each tactic/technique, determine if we have detection

Develop Detection Hypotheses:

Attack Scenario: "Attacker uses spearphishing to compromise user, gains code execution, persists via scheduled task, escalates to admin, exfiltrates data"
Hypothesis: "If attacker creates scheduled task for persistence, we will see:"
- Windows event: EventID 106 (Scheduled Task Created)
- Unusual parent process (not schtasks.exe, not from system account)
- Task name contains suspicious keyword (mimikatz, reverse shell, beacon, etc.)
Data Sources: What telemetry can detect this? (Windows event logs, Sysmon, EDR, YARA rules)
Detection Rule: Build rule based on hypothesis
- Rule: EventID 106 AND parent_process != schtasks.exe AND task_name matches [malicious keywords]

Assess Detection Capability:

Current Telemetry: What data sources do we have?
- Firewalls (network), IDS/IPS (network), endpoint agents (process execution, file), cloud (API calls)
Gap Analysis: For each threat/tactic, do we have data to detect it?
- Example: Can we detect credential access? (Do we log authentication failures? Can we detect password spraying?)
Data Collection: Identify missing telemetry; prioritize collection
- Critical: Data for top threats
- High: Data for high-impact attacks
- Medium: Data for lower-priority threats
Tool Requirements: What tools needed to collect/analyze data?
- EDR (endpoint detection), SIEM (log analysis), Network telemetry, Cloud monitoring

Build & Test Detections:

Proof of Concept: Build simple detection rule; test against clean data (verify no false positives)
Historical Analysis: Run rule against historical logs; verify detection fires on real attacks
Simulation: Simulate attack; verify detection fires
- Tools: Atomic Red Team (test framework), Caldera (adversary emulation)
Tuning: Adjust rule based on testing; balance detection and false positives
Deployment: Deploy to production SIEM; monitor effectiveness

Measure & Improve:

Detection Coverage: For top 50 threats, how many are detected? (Goal: >80%)
Detection Maturity:
- Level 1: Awareness (we know threat exists)
- Level 2: Detection (we have rule, sometimes fires)
- Level 3: Reliable (detection fires consistently; low false positives)
- Level 4: Optimized (detection tuned; rapid response)
Gaps: Which threats are NOT detected? Prioritize detection development
Feedback: Use incident data to improve detections
- If incident occurred but detection didn't fire: improve detection

Anti-Patterns

Building detections without threat modeling (detecting random threats); start with threat model

High false positive rate (alert fatigue); tune based on organization's environment

No validation of detections (rules that don't work); test before and after deployment

No feedback from incidents (miss detections); use incidents to improve detection coverage

Detection coverage stagnates (new threats not detected); continuously add detections for new threats

detection-engineering

detection-engineering

Detection Engineering

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Detection Engineering

Context

Domain Context

Instructions

Anti-Patterns

Further Reading