An opinionated list of essential resources for aspiring Detection Engineers.
The goal of this starter pack is to provide a curated selection of resources to help you get started in detection engineering without feeling overwhelmed. This list is based on personal experience with various detection technologies. Hope it helps! 🚀
Connect with others to discuss all things threat detection and security engineering.
- 🔍 Understanding Attacker Techniques
- 📜 Getting to Know Detection Rules
- 🛠️ Trying It Out Yourself
- 📚 Useful Concepts
- 🧪 Labs & Training
- 📖 Further Reading & Interesting Projects
- 🌟 Awesome Lists
## 🔍 Understanding Attacker Techniques

See how attackers achieve their goals.
- MITRE ATT&CK - The #1 knowledge base of adversary tactics and techniques.
- Top 10 ATT&CK Techniques - A customisable page to display the most common ATT&CK techniques.
- Hacking the Cloud - A collection of resources for understanding cloud-focused attack techniques.
- The DFIR Report - Real-world incidents analysed and described with a defender's mindset. A personal favourite.
## 📜 Getting to Know Detection Rules

Example repositories showcasing how detections are structured and applied.
- Sigma - The generic detection signature format.
- Splunk Detection Rules - A collection of detection rules for Splunk.
- Elastic Detection Rules - A collection of detection rules for Elastic.
- Detection Studio - Convert Sigma rules to other detection rule syntaxes.
## 🛠️ Trying It Out Yourself

Tools to play with that are either open source or have a free-tier element.
- Aurora - An agent that can run Sigma rules. Load up your Sigma rules, and create alerts from your event logs.
- Velociraptor - A digital forensic and incident response tool that enhances your visibility into your endpoints.
- Falco - A cloud-native runtime security tool to detect threats within containers.
- Sysmon - A simple Windows system monitor.
- Osquery - An operating system instrumentation framework.
- Suricata - Detection rules designed to interrogate network traffic for suspicious activity.
- YARA - Detection rules for identifying and classifying malware samples.
- Elastic Stack (ELK) - A suite of tools for search, logging, and analytics.
- Wazuh - An open-source security monitoring platform.
- Tines - A no-code automation platform for security teams. Great for automating anything, quickly. Has a free tier.
- Adversary Emulation Library - A library of adversary emulation plans.
- MITRE Caldera - An automated adversary emulation platform.
- Stratus Red Team - A tool for adversary emulation in the cloud.
- Atomic Red Team - A library of simple adversary emulation tests.
- TTPForge - A tool for creating and managing TTPs.
## 📚 Useful Concepts

- Detection Engineering Behavior Maturity Model - A structured approach from Elastic for security teams to consistently mature their detection processes and behaviors.
- Alerting Detection Strategy (ADS) Framework - A simple framework for building detection strategies from Palantir.
- Summiting the Pyramid - Building on the 'pyramid of pain', this work defines what it really means to have a robust detection.
- Capability Abstraction - One of my favourite articles - 'Capability Abstraction' from SpecterOps. Explores similar concepts to the above 'summiting the pyramid' project.
## 🧪 Labs & Training

- Blue Team Labs Online - A platform for hands-on blue team training.
- ACE Responder - A realistic and immersive platform for existing cyber defenders and newcomers alike.
## 📖 Further Reading & Interesting Projects

A handpicked selection of materials that have inspired me.
- Detections.ai - An AI-powered and community-driven platform to share & improve detection rules. Use invite code `StarterPack`.
- ACEResponder - An X account sharing attacker techniques visually.
- Detect FYI - A Medium publication focused solely on detection engineering.
- Detection Engineering Weekly - A weekly newsletter on Detection Engineering.
- EDR Telemetry - A resource that compares popular EDR tools with one another.
- MITRE ATLAS - ATT&CK, but for AI.
- Prioritizing Detection Engineering - A well-written piece from Ryan McGeehan on how to think about prioritising your detection engineering efforts.
- How Google Does It - How Google does threat detection at massive scale.
- Notable security vendor blogs for defenders:
## 🌟 Awesome Lists

If you are hungry for more resources, check out these awesome lists.
- Awesome Kubernetes Threat Detection - A list of Kubernetes threat detection resources.
- Awesome Threat Intel Blogs - A curated list of threat intelligence blogs and publications.
- Awesome Detection Engineering - A curated list of detection engineering resources.
- Awesome Threat Detection - A collection of threat detection resources.
- Awesome Detection Engineer - A list of resources for detection engineers.
- Blue Team Tools - A collection of tools for blue teamers.