What is Detection Engineering?

What is Detection Engineering?


I feel that at times in our industry, we hyperfocus on the technical competencies as differentiators to our tradecraft or the methods we employ which create and define our roles. While often this is fine and expected, the issue is we fail to identify and communicate the nuance or challenge of a role because we distilled it into our own set of tactics, techniques, and procedures (TTPs). We’ve lost some of the human elements that make our roles unique and worth pursuing.

I hope this post can fill in some of this nuance and how we as practitioners, as humans, are attempting to understand, respond, and most importantly, maintain the efficacy of our work product; rules, detectors, signals etc.

Like Shooting Fish In A Barrel

Sometimes I wish I had a barrel with fish, but the ease of catching those fish would frankly be too boring. I like to think of Detection Engineering or whatever you want to call it, a lot like being a netmaker, or someone who makes nets for the purpose of…catching fish.

Poster of Fishing Nets

It is our job to find and catch fish, but not just any fish. We must catch invasive species of fish. Fish that upset normal order and flow and even in extreme cases, alter the ecosystem permanently. The challenge we face is that invasive species of fish can quickly propagate and adapt to new environments. They can be similar in appearance and even behavior to that of benign fish with only small and nearly indistinguishable differences to tell them apart.

Just Make Nets, It’s Easy

True, the act of crafting and testing a net isn’t the hardest part of the job. Real net making is becoming a lost craft due to outsourced large-scale manufacturing. Just the same, our detection nets can be automated in part or whole depending on the type of detection, I mean, the net you wish to deploy in your ecosystem.

But therein lies the real challenge. These nets are used by people to catch fish. Sometimes we catch the invasive fish we intend to and sometimes we don’t. Perhaps it adapted and learned how to get out of the net? Maybe the net was the wrong type to use? What if the fish aren’t even in the environment?

At all times, netmakers must reliably respond to deviations of invasive fish behavior and change in the environment in which we expect to go fishing. At times I’m bewildered that some fish don’t even know what the Windows API is apparently and choose to do everything in janky command execution! Stares at annoying RMM fish bycatch with intensity.

The reality is that making nets IS easy, catching the right fish consistently IS hard.

Swim With The Fishes

Net Making is not always about responding to feedback about our nets, sometimes we may not have any feedback and need to be proactive about what nets are even worth making.

Depending on where the netmaker works, they may need to participate in active field research. This means diving in and observing the behaviors and the environment first hand to include learning from others in the field and consuming the latest information on fish observables. From this knowledge, we can begin to assess and understand changes in fish behaviors, new fish sightings, and begin to hypothesize what we can do about it.

Marine Biologist diver

Differing Appetites

Not everyone eats fish, some fish only live and invade certain types of ecosystems, some invasive fish are impossible to distinguish with a net. With these realities, it is almost unsurprising that what is considered invasive or malicious to one ecosystem, is hardly a reason for concern in another. Understanding your ecosystem is critical for determining which nets to deploy and which invasive fish you should or can attempt to catch.

Ultimately, we have to realize that we won’t always have the right net, but we can get damn good with the ones we do have.

And…sometimes you just have a shitty boat.