Blogs

Thoughts, stories and ideas.

Detection-as-Code

Your detection pipeline is green. That doesn’t mean your detections work.

Detection-as-code proves a rule deployed, not that it works. Dead log sources, schema drift, and fixture-vs-live gaps cause silent failures pipelines never catch.

Security Operations

The Silent Failures Hiding in Your SIEM

Broken, outdated detection rules pile up unseen as your SIEM grows. Rilevera surfaces them in one view.

MITRE ATT&CK Coverage

MITRE ATT&CK Is Not Just a Checklist

MITRE ATT&CK should be treated as a foundation rather than a checklist to fully cover, because effective detection engineering requires layering each organization's unique environment, data sources, and infrastructure on top of the framework so that coverage reflects how that specific environment can actually be attacked.

Detection Lifecycle

The Unified Lifecycle of Threat Intelligence, Detection Engineering, Threat Hunting, and SOC Operations

Modern security programs do not fail because teams lack skill or tooling. They fail because the work is fragmented.

Detection-as-Code

Why We’re Managing Detections Like It’s 2005 Production Code

There’s an old lesson in engineering that shows up everywhere, from aviation to distributed systems to software infrastructure: when systems fail, they rarely fail because they were too simple.

Risk & Measurement

Vanity vs Real Metrics in Detection & Response

There are a number of metrics currently being used in detection and response. Many of them provide some measure of value, but they don’t show the entire picture. Others are truly vanity metrics.

Security Operations

GitHub Is Not the Goal

I'm going to say something that might ruffle some feathers in the detection engineering community. I wasted years optimizing for the wrong problem.