Detection Engineering Skills & Domains

Technical competencies across detection engineering, cloud security, identity and access management, SIEM/SOAR automation, and security governance — each reflecting hands-on production experience, not certifications alone.

Strategic Leadership

Executive Leadership, Board Communication, C-Suite Collaboration, Strategic Planning, Business Transformation, Digital Transformation, Change Management, Cross-Functional Leadership, Stakeholder Management, P&L Management, Budget Optimization

Senior security leadership means translating threat intelligence and risk data into program investment decisions that boards and C-suites can act on. At National Audubon Society, this included building the case for replacing a $32,000 MDR contract with an AI-native SOC — a conversation that required framing detection fidelity metrics as organizational risk reduction. Budget ownership in security means making the reinvestment case, not just the cost-cutting one.

Security Frameworks & Governance

NIST CSF 2.0, NIST SP 800-53, NIST SP 800-207 Zero Trust, ISO 27001, NERC-CIP, MITRE ATT&CK, PCI DSS 4.0, Risk Management, GRC, Third-Party Risk

NIST CSF 2.0 and MITRE ATT&CK serve different functions in a mature program: CSF provides the governance structure and maturity model; ATT&CK provides the threat model used to prioritize detection coverage. At Sunbelt Rentals, NIST CSF alignment gave the security program a compliance posture for external stakeholders while keeping operations threat-focused. At National Audubon Society, MITRE ATT&CK was used to systematically map existing detection coverage against the TTPs of the threat actors relevant to the organization and identify gaps, not as a reporting checkbox but as the actual method for deciding what to build next. NERC-CIP exposure from OT environments and PCI DSS 4.0 from financial services clients round out the regulatory surface.
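As an added illustration of the coverage-mapping method described above (example code written for this page, not tooling from the author or any employer named here): Sigma rules carry `attack.tNNNN` or `attack.tNNNN.NNN` tags, so a rule set can be scored against a prioritized technique list per tactic and the lowest-covered tactics become the build queue. The rules and the required-technique list are constructed samples, and treating a parent-only tag (e.g. `attack.t1021` for T1021.001) as "partial, needs review" is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed Sigma-style rules with ATT&CK tags (titles are hypothetical).
RULES = [
    {"title": "Encoded PowerShell Command Line",
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "LSASS Memory Access",
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Scheduled Task Created via schtasks",
     "tags": ["attack.persistence", "attack.t1053.005"]},
    {"title": "Rundll32 with Unusual Parent",
     "tags": ["attack.defense_evasion", "attack.t1218.011"]},
    {"title": "Remote Service Session",  # tagged at parent-technique level only
     "tags": ["attack.lateral_movement", "attack.t1021"]},
]

# Constructed threat model: techniques the program must cover, grouped by tactic.
REQUIRED = {
    "execution": ["T1059.001", "T1059.003"],
    "credential_access": ["T1003.001", "T1558.003"],
    "persistence": ["T1053.005", "T1547.001", "T1136.001"],
    "defense_evasion": ["T1218.011", "T1070.001"],
    "lateral_movement": ["T1021.001"],
}

# Sigma technique tags look like attack.t1059 or attack.t1059.001.
TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")


def techniques_in_rule(rule):
    """Technique IDs (T1059.001 form) tagged on one rule; tactic tags are ignored."""
    ids = set()
    for tag in rule.get("tags", []):
        m = TECH_TAG.match(tag.lower())
        if m:
            ids.add(m.group(1).upper())
    return ids


def parent_technique(tid):
    return tid.split(".")[0]


def coverage_report(rules, required):
    """Per tactic: required techniques that are covered, covered only by a
    parent-level rule (review needed), or not covered at all."""
    covered_by = defaultdict(list)            # technique -> rule titles
    for rule in rules:
        for tid in techniques_in_rule(rule):
            covered_by[tid].append(rule["title"])

    report = {}
    for tactic, techs in required.items():
        covered, partial, gaps = [], [], []
        for tid in techs:
            if tid in covered_by:
                covered.append(tid)
            elif parent_technique(tid) in covered_by:
                partial.append(tid)           # assumption: parent-only tag = partial
            else:
                gaps.append(tid)
        report[tactic] = {
            "covered": covered, "partial": partial, "gaps": gaps,
            "pct": round(100 * len(covered) / len(techs)),
        }
    return report


def prioritized_gaps(report):
    """Tactics with open gaps, lowest coverage first: the build queue."""
    with_gaps = [(tactic, d["gaps"]) for tactic, d in report.items() if d["gaps"]]
    return sorted(with_gaps, key=lambda item: report[item[0]]["pct"])


if __name__ == "__main__":
    rep = coverage_report(RULES, REQUIRED)
    for tactic, d in rep.items():
        print(f"{tactic:18} {d['pct']:3d}%  gaps={d['gaps']}  review={d['partial']}")
    print("build next:", prioritized_gaps(rep))
```

In a real program the `REQUIRED` map comes from threat intelligence (the actor groups that matter to the business) and the rules from the repository; the point is that "what to build next" falls out of the data rather than out of a vendor's default rule pack.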

Technical Domains

SOC Development, Detection Engineering, Sigma / YARA Detection Rules, Threat Hunting, AI Security Governance, Cloud Security Architecture, Identity & Access Management, Zero Trust Implementation, Incident Response, Threat Intelligence, SIEM / SOAR Optimization, Vulnerability Management

Detection engineering is the primary technical discipline: building, testing, and deploying detection logic against specific threat actor TTPs rather than relying on vendor-default rules. At CrowdStrike's TIDE team, this meant Detection-as-Code: detection logic kept in version-controlled files, peer-reviewed, and deployed through CI/CD pipelines. Falcon LogScale processed high-volume endpoint telemetry at lower latency than the Splunk deployment it partially replaced. Tines and ServiceNow Flow Designer automated CSIRT workflows, reducing analyst response time by 80%. Sysmon telemetry across 10,000+ endpoints at Sunbelt Rentals provided the process-level visibility (command-line execution, network connections, registry modifications) that default Windows event auditing does not deliver. Tenable One unified vulnerability management across endpoint, cloud, web application, and attack surface management (ASM) domains at Audubon.
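An added example, not the author's or CrowdStrike's code, of what "testing detection logic in CI" means in practice: a minimal evaluator for a Sigma-style process-creation rule, run against constructed Sysmon Event ID 1 records with a pass/fail check a pipeline can gate on. The rule title, its exclusion filter, and the events are hypothetical; only the `selection and not filter` and bare `selection` condition forms are implemented, and the field modifiers are reduced to `contains`, `startswith`, `endswith`, and exact match.

```python
# Constructed rule modelled on Sigma syntax (title, values and filter are hypothetical).
RULE = {
    "title": "Encoded PowerShell Launched by Office Application",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
        },
        "filter": {
            "ParentCommandLine|contains": "/safe",   # hypothetical exclusion
        },
        "condition": "selection and not filter",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
}


def match_value(op, actual, expected):
    """Case-insensitive comparison, mirroring Sigma's default string matching."""
    a, e = str(actual).lower(), str(expected).lower()
    if op == "contains":
        return e in a
    if op == "startswith":
        return a.startswith(e)
    if op == "endswith":
        return a.endswith(e)
    return a == e                                 # no modifier: exact match


def match_block(block, event):
    """Every field in a Sigma map must match (AND); a list of values is OR."""
    for key, expected in block.items():
        field, _, op = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(match_value(op, actual, v) for v in values):
            return False
    return True


def evaluate(rule, event):
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection and not filter":
        return match_block(det["selection"], event) and not match_block(det["filter"], event)
    if cond == "selection":
        return match_block(det["selection"], event)
    raise ValueError(f"unsupported condition: {cond}")


# Constructed Sysmon Event ID 1 records as a SIEM presents them after field
# extraction. Not real telemetry: one true positive, one benign, one excluded by filter.
EVENTS = [
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ParentCommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\a\\Invoice.docm\""},
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand ZQBjAGgAbwA=",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ParentCommandLine": "\"WINWORD.EXE\" /safe"},
]


def run_rule(rule, events):
    """Indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


def ci_check(rule, events, expected_hits):
    """What the pipeline gates on: true positives still fire, benign samples still don't."""
    return run_rule(rule, events) == expected_hits


if __name__ == "__main__":
    print(f"{RULE['title']}: fired on events {run_rule(RULE, EVENTS)}")
    print("CI gate:", "pass" if ci_check(RULE, EVENTS, [0]) else "FAIL")
```

The sample events live next to the rule in the repository, so a pull request that loosens the selection (or widens the filter) fails the gate before the change reaches production; that is the accountability the paragraph contrasts with rules edited in a UI.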

Role-Specific Technologies

AI-Powered Threat Detection, Multi-Cloud Security (AWS / Azure / GCP), Detection-as-Code, Security Automation

AI-native security tooling is a genuine capability shift for lean security teams. The AI SOC platform deployed at National Audubon Society achieved 99.2% detection fidelity and reduced false positives by 95%, outcomes that traditional MDR with human triage rarely approaches at comparable cost. Multi-cloud security monitoring across AWS, Azure, and GCP requires understanding each provider's distinct attack surface: Azure service principal abuse, AWS IAM privilege escalation, and GCP service account key exposure each have their own detection patterns and log sources (Entra ID audit logs, CloudTrail, and Cloud Audit Logs respectively). Detection-as-Code brings software engineering discipline (version control, peer review, automated testing) to detection logic that previously lived in a UI and drifted without accountability. The AI governance work at Audubon addressed unsanctioned GenAI adoption before it became a data classification or compliance incident.
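An added example for the three cloud patterns named above, written for this page and not tooling from any employer mentioned: one detector per provider over constructed audit records whose field names follow CloudTrail, Entra ID (Azure AD) AuditLogs, and GCP Cloud Audit Logs, normalised into a common finding shape. The records, principals, and the admin-policy list are hypothetical; the event and operation names are the providers' own.

```python
# Constructed audit records (not real logs). Field names mirror each provider's
# documented schema: CloudTrail, Entra ID AuditLogs, GCP Cloud Audit Logs.
AWS_CLOUDTRAIL = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"userName": "ci-deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "reports", "key": "q1.pdf"}},
]

AZURE_AUDITLOGS = [
    {"category": "ApplicationManagement",
     "operationName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "contractor@example.org"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "backup-automation"}]},
    {"category": "UserManagement", "operationName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.org"}},
     "targetResources": [{"type": "User", "displayName": "alice"}]},
]

GCP_AUDIT = [
    {"protoPayload": {
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "dev@example.org"},
        "resourceName": "projects/-/serviceAccounts/prod-sa@proj.iam.gserviceaccount.com"}},
    {"protoPayload": {
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": "dev@example.org"},
        "resourceName": "projects/_/buckets/logs/objects/app.log"}},
]

# Hypothetical set of policies treated as full-admin for this example.
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}


def detect_aws(ev):
    """IAM privilege escalation: admin policy attached, or an access key minted for another principal."""
    if ev.get("eventSource") != "iam.amazonaws.com":
        return None
    actor = ev.get("userIdentity", {}).get("userName")
    params = ev.get("requestParameters") or {}
    if ev["eventName"] in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy") \
            and params.get("policyArn") in ADMIN_POLICY_ARNS:
        target = params.get("userName") or params.get("roleName") or params.get("groupName")
        return ("aws", "admin_policy_attached", actor, target)
    # CreateAccessKey without userName targets the caller; naming someone else is the signal.
    if ev["eventName"] == "CreateAccessKey" and params.get("userName") not in (None, actor):
        return ("aws", "access_key_for_other_user", actor, params["userName"])
    return None


def detect_azure(ev):
    """Service principal abuse: a new secret or certificate added to a service principal."""
    if ev.get("category") == "ApplicationManagement" \
            and ev.get("operationName") == "Add service principal credentials":
        actor = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        target = ev["targetResources"][0]["displayName"]
        return ("azure", "sp_credential_added", actor, target)
    return None


def detect_gcp(ev):
    """Service account key exposure: a user-managed key created (such keys do not expire by default)."""
    p = ev.get("protoPayload", {})
    if p.get("serviceName") == "iam.googleapis.com" \
            and p.get("methodName") == "google.iam.admin.v1.CreateServiceAccountKey":
        actor = p["authenticationInfo"]["principalEmail"]
        sa = p["resourceName"].rsplit("/", 1)[-1]
        return ("gcp", "sa_key_created", actor, sa)
    return None


def run_all(aws_events, azure_events, gcp_events):
    """Normalise findings from the three sources into (provider, pattern, actor, target)."""
    findings = []
    for detector, events in ((detect_aws, aws_events),
                             (detect_azure, azure_events),
                             (detect_gcp, gcp_events)):
        findings.extend(f for f in map(detector, events) if f)
    return findings


if __name__ == "__main__":
    for finding in run_all(AWS_CLOUDTRAIL, AZURE_AUDITLOGS, GCP_AUDIT):
        print(finding)
```

The three detectors share nothing but the output shape, which is the practical point: the same risk (a durable credential or permission granted out of band) is visible in a different log source with different field names on each provider, so a "cloud" rule has to be written three times.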