Cool Story, Bro: Making Detection Engineering Matter Up the Chain

December 17, 2025


A Chloe Burton special on the very human side of detection engineering. From a nonlinear path into security (neuroscience, psychology, Splunk-era chaos) to leading a DE team today, Chloe and Alex break down why context beats checklists, why so many detections cluster in the middle of the MITRE ATT&CK framework, and how telemetry availability quietly shapes what we defend.

We dig into detection fundamentals that don’t get talked about enough: avoiding the myth of the perfect rule, resisting over-tuning, rotating across domains to prevent stagnation, and staying grounded while the sky always feels like it’s falling. Chloe also shares leadership unlearns—raising flags early, saying “no” with strategy, and creating teams that feel safe to fail forward.

We also discuss how to get leadership to give a f**ck and overall how to best escalate problems and gaps up the chain.

Finally, if macOS threat coverage is on your radar, we also call out Olivia Gallucci’s newsletter as a must-follow for macOS threat intelligence and research in a space that desperately needs more visibility.

📊 Shownotes call-outs: MITRE ATT&CK sunburst analysis

macOS Research & Newsletter: https://oliviagallucci.com/blog/#subscribe

Detection Engineering Dispatch features candid conversations with security teams at top companies on how they build, measure, and scale world-class detection programs.

Alex Hurtado
Host
Chloe Burton
Detection Engineering Leader

Cool Story, Bro: Making Detection Engineering Matter Up the Chain

Alex (00:07.618)
It has recently come to my attention that we’re living in a world where there’s literally a feta cheese shortage.

Dun dun dun.

Amidst that chaos—because yes, that is very chaotic—there’s one constant joy connecting us in security: redefining what it means to be a detection engineering leader. Today, we have Chloe Burton all to ourselves on Dispatch. Hi Chloe—thank you for joining us.

Chloe
Hello! Thank you for having me.

Alex (00:47.630)
For those who’ve been living under a rock and don’t know Chloe: she’s a detection engineering leader in the space—super admired and respected for uplifting the community. And we get to have her all to ourselves. Chloe, I’m beyond excited to share this space with you—build community with you—and have you on the pod.

Chloe
It’s an honor. Seriously, you’re doing great things out there. It’s been a while—I’ve been watching you. And I have to shout out my colleague who was like, “You need Chloe on the show.” So shout out to Cain. I was like, “Cain, what are you doing?” And he was like, “I got you.” So… here we are.

Alex (01:33.454)
Always count on you, Cain—big shout out.

Chloe
Big shout out to Cain. He’s great—doing really well.

Alex
We want to hear about you. Cain can have his spotlight later. You’re building roles, you’re building community—but before you tune a rule or triage a blip in the SOC world, we’ve gotta know: how did you even get into this field? Walk us through your origin story. Was it a straight line, or full chaotic coincidence? And how has that shaped how you approach detection engineering today?

Chloe’s Origin Story

Chloe (02:36.366)
Definitely not a straight line—there was some chaos. Tech was never a thing. Security was never a thing. I was supposed to be a doctor—my family was very into that path. I majored in neuroscience and I failed intro to neuro twice. If you fail twice, you can’t move forward.

So I switched to psychology. It still had the balance of science I liked, without needing to be deep into biology or neuroscience specifics. I loved it—still do. After school, I worked with adolescents with intellectual disabilities. Autism was a focus for me. I worked in group homes—first in Pittsburgh, then back home.

Over time it became high stress and low pay, and I was like… this can’t be it. I didn’t want to go back to school or get an advanced degree, so I asked: what’s next? I sat down with my dad—he was working in government on the tech side—and he helped me figure it out. He had a friend at a small tech company in Northern Virginia, and that’s how I got my first help desk role.

That job was chaotic too—the company went bankrupt not long after. But we had a great contract, so we got picked up by Booz Allen. That was my first real exposure to that world. Then I went to Deloitte for a short period—and that’s where my origin really began, because I learned Splunk.

And if you know anything about me… Splunk is basically all I know. Initially it wasn’t about security. Splunk had the market in 2016—it was popping off. That was coincidental timing. Then in 2018 I joined Accenture and they were like, “We know security, you know Splunk—let’s join forces.” And I said, “Okay.”

Alex (04:37.112)
You and everybody else in the world.

Chloe (04:59.758)
I’d say 2018 was my starting point in security. While I was there, I did pretty much every Splunk-related project: architecting, onboarding data, use case development—whatever it was, I probably did it.

I took a quick stint at KPMG, then came right back to Accenture. That second round at Accenture is where I feel like I started to spread my wings—and became more of a leader. I became a manager, and suddenly managing and leading teams became real. That plus use case development, plus getting deeper into MITRE—that’s what led me into detection engineering.

Then I joined Deepwatch in 2024, and now I’m managing a DE team. It’s been all over the place, but there was a path—you just don’t see the path until you’re at the end of it. I love this space. I love the community.

Splunk Then vs. Splunk Now

Alex (06:23.744)
Remarkable journey. And it’s wild to think about Splunk now versus Splunk then. Back then it wasn’t really built as a SIEM—it was more like Google search. Later we added Enterprise Security as a layer. The tool evolved—and DE had a huge impact on that evolution.

And also—your neuroscience background didn’t go to waste. You’re probably pulling from that, plus psychology, now that you manage teams.

Chloe
I hope so. Definitely psychology—people management is a big part of what I do.

Alex
Facts. Wrangling personalities is harder than wrangling detection logic sometimes.

Chloe
Very big facts. I do wish with neural networks and AI I could pull back some of those neuroscience memories—it would make learning easier. But I don’t remember much. It would be fitting though.

Failing Classes + Calculator “Jailbreaking” Era

Alex (07:47.778)
Don’t worry—I failed chemistry. My brain just doesn’t do ions and compounds. Math is binary: it’s right or wrong. Chemistry is… vibes. I also failed quantum physics.

Chloe
Yeah… Jesus. Quantum physics?

Alex
Engineering route. I was trying to minor in math and eventually I was like, “I’m not doing this.”

Chloe
Does quantum physics help now with quantum computing?

Alex (08:50.350)
You’d think, but no. It was like five-dimensional space concepts. Just… no.

And honestly, those big calculators were our GPTs. We’d load formulas into them.

Chloe (09:30.720)
Yes! It felt like magic—just like today.

Alex
Teachers had no idea. Calculator jailbreaking was a whole culture.

Alex (10:00.270)
Some people went full chaos and printed formulas on Coke labels and brought the bottle to class.

Chloe
That’s next-level innovation. Those people are probably serial startup founders now.

Detection Fundamentals: Context > Checklists

Alex (11:06.766)
Switching gears: detection fundamentals. They’re not talked about enough, and re-anchoring matters. What does that look like day-to-day for you—training yourself and your team to go beyond checkbox routine and actually look beyond the alert?

Chloe
If I had one word: context. We swim in data all day. Why did it fire? What’s happening? Do we know the full story? Without context… what are we even saying?

For me it starts with: we’re protecting customers that you and I use every day. That makes it personal. That’s what keeps me from the mundane checklist.

You can know what’s going on, but when an alert fires—what does the analyst do? What does the customer do? What story are we telling them?

Example: “impossible travel.” It seems suspicious. But we might know the customer has people traveling to places that look risky. We know that context—others don’t. So we have to package the story with context.

And it’s visual for me—I can kind of “see” what’s around the alert. That’s what keeps you from ABC-123 thinking.

Alex (14:55.822)
Totally. I hate to admit it’s almost a checklist for me too—but the answers change every time. I ask: what’s the asset? what’s the boundary? what’s the impacted control? exploit vs. privilege escalation? And then likelihood.

I’m usually the opposite of my peers—I assume high likelihood every time. I’m like, “This is real.”

Chloe (16:39.374)
That’s a good mindset. Even if it’s a false positive, it’s true to something depending on identity and asset context. As security people, we all live in “the sky is falling” mode. But it keeps you sharp—because the one time you miss it, someone gets popped.

Scott Rogers Plug + “Girl Who Cried Wolf” Balance

Alex (17:53.326)
I’ve been trying to convince Scott Rogers—data scientist on our Forge team—to be my cohost. If y’all want that, send fan mail his way. But he would not agree with us—he’d say I’m the girl who cried wolf in DE.

We saw an alert where someone was sending a file in parts to multiple endpoints. I thought it looked like low-and-slow exfil. Then we opened it—Python install script. Then we opened it further: Chocolatey installation. I’d never heard of Chocolatey, apparently it’s common. Scott is like, “Everything is fine.” He balances me.

Chloe
That’s a great balance. And yes—Scott should be a cohost. Consider this my verbal fan mail. But yeah, I’m thinking the same thing you are internally: red flag. Even if you’re not sounding the external alarm, you get that little heart palpitation.

Alex
My heartbeat does run wild sometimes. Not sure what that’s doing for my blood pressure.

Refreshing the Basics + MITRE as a “Living Study Guide”

Alex (20:33.038)
Back to fundamentals: do you find yourself refreshing basics? I’ll even throw on LinkedIn courses—Nmap scans, enumeration—super foundational stuff.

Chloe
Yes. I didn’t start in security, so I’m constantly going back to basics. Oddly enough, I spend a lot of time on the MITRE ATT&CK framework. It’s fascinating—understanding adversary tactics, techniques, procedures. I’ll go technique by technique and ask: what does this really mean? As a defender I can think one way, but I have to think like an adversary.

And honestly—I’m Googling constantly. Sometimes I’m like, “Internal IP… what are those numbers again?” It’s because you’re moving fast. I like to reassure myself. Maybe it’s because I don’t have that foundation, and I doubt myself, so I check.

Alex
Not basic at all. This industry can be brutal—so many know-it-alls. I want to normalize that it’s okay to refresh OSI, break things down, relearn. That’s how you build muscle memory.

And I love that you brought up MITRE—but I’m also scared of what’s not on MITRE. Polymorphic malware, things we don’t have telemetry for…

Chloe
Yes—the in-betweens, the gaps.

MITRE “Middle Cluster” + Telemetry Reality

Alex
I did an analysis of our detections—Ulogic rule library + Detections AI—and there’s a concentration in the middle of the framework. A clusterf*ck in the middle. Not the intro, not the end. We need to get serious about it. Detections gravitate to what’s queryable and structured, but that doesn’t mean it’s where we should stop.

Chloe
I saw that post and I was like, “I knew I wasn’t going crazy.” We talk so much about initial access. Recon is hard so it gets its own bucket. But why are we okay letting the bad guy in and catching them in the kitchen? We should be protecting the front door.

Alex
Weak RDP is still happening. Port 3389 gets more unsolicited attention than a popular hot girl in school. People are leaving the door unlocked.

Chloe
And you explained the why: Windows data is everywhere. But richer telemetry—EDR, network—is expensive, so orgs skip it and you lose visibility.

Alex (28:40.184)
Exactly. Not everybody has the money for Sysmon or full endpoint telemetry. And we need more than just process name and command line—we need arguments, richer context.

And then there’s the Mac gap. People always say, “There’s more Windows.” Sure, by statistics. But developers prefer macOS and often have higher privileges.

Chloe
I’m on a Mac right now—I love a good Mac.

Alex
We need more macOS threat intel specialists. Olivia Gallucci is one of the only people consistently leading there. I’m also following Sydney Maroney—she moved to Nebulog doing macOS-focused work. It’s a real gap.

Chloe
Love that—I followed Olivia immediately.

Framework as Guide, Not Checklist

Chloe (32:59.660)
Leadership cares about coverage in totality. They don’t care about technique IDs—they care about what it does. The art is: what are we protecting, why, and how does the framework guide us? Build fences, locks, cameras—defense in depth. But don’t let MITRE become a checklist.

Alex
Totally. MITRE v18 just came out—tracking every delta is endless. Better to start with what you need to protect, then use MITRE to validate and guide. Not the other way around.

Staying Grounded + Unlearning Perfectionism

Alex (34:28.974)
Therapy + psych moment: how do you stay grounded when emotions hit?

Chloe
I let it come to the front—feel it. Then switch into focus and execution. In security, emotions can cloud judgment—imposter syndrome spirals, and you can’t function. You have to compartmentalize.

Alex (36:19.662)
Have you had unlearning moments? Perfectionism is my trap—chasing the perfect rule can make detections too narrow.

Chloe
Perfectionism, yes. Also: learning to say no, and not being afraid to raise a flag. “No” evolves—junior no is tactical (“we don’t have data”). Leadership no is strategic, because it impacts executives and your team. Your yes/no carries weight both ways.

And raising flags: early in my career I got in trouble for not raising them. Now I tell my team: tell me if you even feel something. We fail safe together.

Alex
You’re healing my early-career trauma. You’re the manager I needed.

Chloe
Me too. You become the manager you wish you had.

New DE Traps + Rotations

Alex (41:14.222)
What traps do new DEs fall into in their first 90 days?

Chloe
Trying to learn everything at once—boiling the ocean. It leads to analysis paralysis. Take it step by step. You don’t have to know every SIEM or query language.

Another trap is staying in your comfort zone. You’re good at one thing, you default to it, and you stop branching out.

Alex (43:52.354)
That’s also a manager problem sometimes—we keep people doing what they’re good at. I’m pushing rotations: have DEs cycle through domains—endpoint, app, network/web—so by end of year they’ve built across domains.

Chloe
I love that. I’ve been that “Splunk only” person. Rotations help you grow. You can explore and come back to your home base.

Tuning Fatigue + “Fun Stuff”

Alex
Tuning can become everything. It’s the work people hate, but spend the most time on. Let AI take tuning so we can do the fun stuff—threat hunting, coverage analysis.

Chloe
Same. Coverage analysis is my sweet spot too.

Communicating Up: The Art of Making Leadership Care

Alex (47:32.408)
Let’s get candid. Sometimes it’s hard to get leadership to actually care. DEs need to be storytellers and communicate impact up the chain. How do we translate telemetry gaps, coverage gaps, control limits—so it doesn’t get tuned out?

Chloe (49:09.270)
It’s difficult because DEs are deeply technical, so they default to technical explanations. But executives care about risk and impact.

If you say “we have a firewall gap,” they’ll say “cool story, go fix it.” But if you say: “This gap could allow an insider to exfil trade secrets,” or “This could let an adversary compromise confidentiality, integrity, availability and damage trust,” then it becomes real.

There isn’t a shortcut—repetition helps. Take opportunities to speak to executives. Learn how they speak, how you speak, and meet in the middle.

Alex
Ross Young mentioned recently: orgs get breached and nothing happens. T-Mobile gets breached constantly—people don’t cancel. It becomes “cost of doing business.”

Chloe
True. Also: if you cry wolf all the time, people stop listening. Be strategic about what you escalate and how far it goes. False positives are okay—we learn from them—but communicate thoughtfully.

Alex (55:36.234)
Have you ever seen comms fail upward?

Chloe
Yes. I’ve done it. I went too technical with a CISO. The response was basically: “Cool story—what’s the risk and impact?”

Alex
Cybersecurity has a communication problem. CVE exploitation details mean nothing to a CISO unless it’s translated into outcomes: ransomware disruption, locked systems, customer data impact—plus a plan and timeline.

Chloe
Yes—solutions matter.

Alex
And maybe start meetings with wins too: “We patched 93% of CVEs last month” or “We blocked X phishing attempts.” Build trust before the ask.

Chloe
Absolutely. It only takes one click—so highlight what you prevented.

Closeout

Alex
Chloe, where can folks follow you?

Chloe
LinkedIn is my playground. No X, Instagram, TikTok—just LinkedIn.

Alex
I also saw you considering writing—Medium/Substack?

Chloe
I’m thinking about it. It’s anxiety—you’re putting yourself out there. But if I do it, I’ll share it on LinkedIn.

Alex
I hope you do. You have a story to tell. Thanks for giving us your brainwaves today.

Chloe
Thank you—this was fun. I feel seen and validated.

Alex
Anything you want to see more of in the community?

Chloe
Say the things we don’t say out loud—perfectionism, imposter syndrome. We’re a community, and we need to act like one. Speak up, talk more, connect. I’m always down to chat.

Alex
You’re speaking my language. Chloe Burton reminded us what it means to build community and build detections with intent—with passion, clarity, and care. Thanks for being here, and thanks to listeners for joining.

Stay online… just not as chronically as me.

Chloe
Or me. Go to sleep sometimes.

Alex (01:04:31.086)
Yeah—take a break. Go take a nap. Until next time.