The KPIs of
Detection Engineering

Effective detection engineering relies on how teams process and utilize their engineered data feeds to create high-quality detections and keep their organizations out of the headlines.

Your feed score is determined by the effectiveness of your data logging practices, compared against the necessary feeds for detecting all TTPs.

It is also what we at Anvilogic rely on, to assess the quality, maturity, and what can show true improvement of a program over time to a leader or CISO.

This process helps identify potential cost-saving opportunities by eliminating redundant data feeds, ensures that all necessary feeds are being logged, evaluates the adequacy of current feeds for supporting existing detections, and identifies any additional required feeds.

While MITRE ATT&CK is a valuable framework for categorizing adversary tactics and an essential component of detection engineering, it's often misapplied as a superficial solution for mapping detections and creating coverage maps.

This misuse can lead to oversimplification, where organizations claim broad coverage without delving into the necessary details to ensure comprehensive and effective security measures. It's not about whether you do MITRE but how you do it.

We understand that true value is realized by how organizations align MITRE with their detections. That's why all detections are mapped against MITRE to determine technique coverage so you can accurately represent SOC detection performance while also measuring how well all the detections are correlated to detect threat patterns.

You can also measure your team's productivity by looking at Triage Dwell Time, Alert to Analyst Ratios, Triage Percentage, Hunt Percentage, and more, allowing you to see your detection engineering progress and make data-driven decisions for future budgeting and resource planning.