AI writes better detections than me... and I'm okay with that. The future of detection engineering isn't about who can write the most elegant "code" but who can guide AI to craft the most effective security monitoring strategy.

Yesterday, I one-shotted a Panther rule using Cursor (to detect Cursor installs via osquery) with light prompting and a custom cursor rule. The result was a functional and well-tested rule, reducing the time from ~30mins to about ~3m.

The power of AI for rule writing is exponentially more powerful when combining 1) the rule engine context, 2) the log context, and 3) data and rule samples. This applies to any platform, but as we know, foundation models are exceptional at code generation of popular languages.

This isn't just about making detection engineers more efficient. It's about democratizing security monitoring by letting anyone with security domain knowledge create high-quality detections through natural language, regardless of their coding experience.

The most exciting developments I'm seeing:

1. Detection as conversation: explaining the behavior you want to catch and watching AI translate it to working code
2. Cross-platform interoperability: instantly converting rules between Splunk, Elastic, Panther, or Chronicle without knowledge of each query language
3. Automated rule optimization: finding edge cases and performance improvements human engineers might miss or not have time for.
4. Business context translation: bridging the gap between "what we need to detect" and "how we implement it technically."

Vibe coding? How about vibe detecting?
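As an added example (not the author's rule and not Panther's own code), here is a detection in the shape of a Panther Python rule that flags a newly installed Cursor.app reported by an osquery differential query over the macOS `apps` table. The osquery field layout, the query name and the sample events are assumptions constructed for the example.

```python
"""Panther-style rule: alert when osquery reports a new Cursor.app install.

Assumptions (not from the post): Panther's osquery differential event shape
(name, action, hostIdentifier, columns) with a dict-like .get(), and a
scheduled osquery query over the macOS `apps` table whose name contains "apps".
"""


def _is_cursor(columns: dict) -> bool:
    """True when an `apps` table row describes the Cursor editor."""
    name = (columns.get("name") or "").lower()
    path = (columns.get("path") or "").lower()
    return name == "cursor.app" or path.endswith("/cursor.app")


def rule(event) -> bool:
    """Fire only for rows newly added by the installed-apps query."""
    if event.get("action") != "added":
        return False  # ignore removals and snapshot noise
    if "apps" not in (event.get("name") or ""):
        return False  # some other osquery query; not an app inventory row
    return _is_cursor(event.get("columns") or {})


def title(event) -> str:
    """Alert title carrying the host and install path for the responder."""
    cols = event.get("columns") or {}
    host = event.get("hostIdentifier", "<unknown host>")
    return f"Cursor editor installed on {host} at {cols.get('path', '<unknown path>')}"


def dedup(event) -> str:
    """One alert per host rather than one per re-scan."""
    return event.get("hostIdentifier", "unknown")


# Constructed sample events (not real telemetry), assumed query name.
SAMPLE_INSTALL = {
    "name": "pack_inventory_apps", "action": "added", "hostIdentifier": "mac-42",
    "columns": {"name": "Cursor.app", "path": "/Applications/Cursor.app"},
}
SAMPLE_REMOVED = dict(SAMPLE_INSTALL, action="removed")
SAMPLE_OTHER_APP = dict(
    SAMPLE_INSTALL, columns={"name": "Safari.app", "path": "/Applications/Safari.app"}
)

if __name__ == "__main__":
    for ev in (SAMPLE_INSTALL, SAMPLE_REMOVED, SAMPLE_OTHER_APP):
        print(ev["action"], ev["columns"]["name"], "->", rule(ev))
```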
Future Trends in Detection Engineering
Summary
Future trends in detection engineering point towards the integration of AI and automation to transform how security threats are identified and managed. This shift is enabling faster, more precise detection while empowering security teams to focus on strategic, creative solutions rather than repetitive tasks.
- Embrace AI-driven rule creation: Leverage AI tools to translate natural language inputs into detection rules, making it easier to create effective security measures without deep coding expertise.
- Focus on cross-platform compatibility: Utilize technologies that allow seamless conversion of detection rules across different platforms, improving flexibility and efficiency.
- Adopt automation for optimization: Implement automated systems to refine detection rules, identify edge cases, and enhance system resilience, saving time and improving reliability.
Detection Engineering 2025 predictions, based on what I've been reading and analyzing for the newsletter and through the tea leaves:

* Someone publishes the first AI SOC-related post on their AI Analyst catching and responding to a threat, it'll be "small" like a leaked access key, but it will be done by an agent
* MacOS Detection Engineering takes off, esp w/ the prevalence of more and more malware like infostealers targeting the OS, and we see more job posts with MacOS preference at a non-product company
* Detection in the cloud moves closer to the application, and a clear need for application, workload and control-plane detection strategies emerge
* Detection observability: security steals more and more concepts from devops and SRE, and now has a focus on the resiliency of the full detection system, not just the rules. Example: did this log source change, which fields, how long was it down? Maybe it's Detection reliability engineering? Then we can call it DRE, and people actin like they forgot about dre
* EDR vendors open up how they do detection inside the kernel, even more so after Crowdstrike's outage, and we can see how an EDR does detection and response without keeping it opaque
* On EDR vendors: a big push to feature parity with SIEMs, or creating a "good enough" product to bundle EDR + SIEM
Detection engineering has always felt like that third-grade science fair project where you bang your head against a foam board until the scientific method emerges. The traditional cycle: spend 60% of your time researching threat reports and man pages, 25% iteratively testing and tuning false positives, and maybe 10% actually writing detection logic. Rinse and repeat for 2-4 weeks per rule.

But what if we could compress that entire cycle to just a few minutes? We've been exploring agentic AI systems that automate the scientific method while delivering production-ready detections. The time savings are absurd:

→ 99.8% time reduction - from weeks to minutes
→ Role transformation - detection engineers become strategic threat architects
→ Force multiplication - fewer engineers can maintain coverage that previously required entire teams

When you reclaim weeks of research time per detection, you can finally focus on the work that actually requires human creativity: advanced threat modeling, sophisticated correlation rules, and custom analytics for your specific environment. The agentic revolution is less about replacing detection engineers and more about freeing them from mechanical tasks so they can do the strategic thinking that machines can't.

Ready to stop banging your head against the research wall? I break down exactly how this works and why it's becoming essential for modern SOCs.

👉 Read it here: https://lnkd.in/e6Y7KJ84