Publications

Writing and podcast appearances on detection engineering, AI-native security operations, and the practical realities of building modern SOCs.

  1. Case study: Building an AI-Native SOC From Scratch (johnathandempsey.com · June 2026)

    How a security team of one built an AI-native SOC at the National Audubon Society: the MDR vs. AI SOC decision, MITRE ATT&CK-first detection coverage, identity-first architecture with Okta, and reinvesting MDR savings into net-new vulnerability management. Results: 99.2% detection fidelity, 95% fewer false positives, MTTD down 65%.

  2. Article: How to Decide: AI SOC vs MDR (Daylight AI · April 2026)

    A decision framework for security leaders evaluating AI-native SOC platforms against traditional managed detection and response providers. Covers pricing model differences (per-alert vs. subscription), analyst headcount requirements, realistic detection fidelity expectations, and the environment characteristics that favor each approach. Based on firsthand experience evaluating and deploying both model types across enterprise and nonprofit environments.

  3. Article: When Marketing Fails: AI SOC and the curious gap between vendor claims and user experience (Cyber Futurists · March 2026)

    An honest practitioner assessment of AI SOC platforms as they operate in production versus how they are marketed. Examines the gap between vendor claims around autonomous detection and response and what security operations teams actually observe — including edge cases where AI models generate false positives, miss novel TTPs, or require ongoing tuning. Argues for a rigorous evaluation framework grounded in detection fidelity metrics rather than marketing benchmarks.

  4. Podcast: Detection Dispatch Ep. 50: 5 Signs You're Overengineering your Detection Logic w/ John Dempsey (Detection Dispatch · Spotify · May 2025)

    A practitioner conversation about where detection engineering programs lose their way — tuning rules past the point of operational utility, building coverage for theoretical threats that don't match the actual environment, and optimizing for detection count rather than detection quality. The core argument: five precise, well-tested detections that fire accurately outperform fifty complex rules that generate noise. Guest appearance on Detection Dispatch, a security operations podcast with a practitioner audience.

  5. Podcast: The Importance of Accountability in Cybersecurity, Mentorship, and the Impact of AI Talent Gap (Fireside Chat · August 2024)

    A podcast conversation covering accountability culture in security operations, the structural gap in cybersecurity mentorship, and how AI is changing what technical skills matter in the profession. Discusses the difference between security teams that depend on heroics and those with documented, repeatable detection and response processes — and why the latter are more resilient to attrition and scale.