detection-engineering
Safeguard articles tagged "detection-engineering" — guides, analysis, and best practices for software supply chain and application security.
10 articles
Ransomware defense strategy for engineering teams
Ransomware hit 44% of breaches in Verizon's 2025 DBIR, up from 32% a year prior. Here's the backup, access, and detection playbook that actually stops it.
Red team vs. blue team fundamentals: how to structure the exercise
MITRE ATT&CK went public in May 2015 to give red and blue teams a shared language — most organizations still run the two in total isolation.
What is MITRE ATT&CK
MITRE ATT&CK catalogs real attacker behavior into 14 tactics and 200+ techniques. Here's how it works, how it differs from CVE/CWE, and how to use it.
How to configure SIEM alerting rules
A step-by-step guide to configure SIEM alerting rules: from use case development through Splunk alert configuration to detection rule tuning.
MITRE ATT&CK v18: Detection Strategies Replace Data Sources
ATT&CK v18 released October 28, 2025, replacing traditional Detections (Data Sources) with Detection Strategies and Analytics. Here is how the model changes for defenders.
True Positives vs False Positives in Cyber Security
A true positive is a real finding your tools caught correctly; a false positive is noise that looks like a finding but isn't — and the ratio between them decides whether your security program gets trusted or ignored.
Panther SIEM Supply Chain Rules: A Detection Engineering Playbook
Write Panther Python detections that catch package poisoning, CI token abuse, and registry compromise. Real rule examples, tuning patterns, and alert routing.
SentinelOne Supply Chain Detection Logic for Build Systems
How to extend SentinelOne's behavioral detection engine to cover build agents, package registries, and developer endpoints without drowning analysts in false positives.
Splunk Supply Chain Detection Content Pack
A practical look at building a Splunk content pack for software supply chain threats, with SPL searches for CI/CD anomalies, package registry abuse, and build provenance violations.
Security Observability and Telemetry: Seeing What Matters
Traditional security monitoring drowns you in alerts. Security observability flips the model — providing context-rich telemetry that makes threats visible without the noise.