The Security Engineering Leader's Detection Coverage Playbook

$199.00

A focused course, tailored for you

Move detection coverage from anecdote to a board-defensible model that survives an exec review of a missed-alert incident.

The exec review of the next missed-alert incident is the one that decides whether the detection function keeps its headcount. A coverage model in writing is the only artefact that turns that conversation from opinion against opinion into a structured discussion of residual risk.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Security engineering leaders sit in a recurring trap. The function is judged on incidents it prevented, but prevention is invisible. The function is also judged on incidents it missed, and the missed ones are loud. Between those two extremes is the unstated question every exec actually wants answered: which adversary behaviours do we have credible detection coverage for, which do we know we do not cover, and how is that gap tracked over time?

Most teams answer this with a heatmap that was put together for one slide deck and never updated. The board cannot use that. Audit cannot use that. The next missed-alert review tears it apart in fifteen minutes.

The artefact that holds up is a written coverage model: ATT&CK techniques scored against the data sources that would let a detection fire; detection rules versioned, tested, and tied back to the techniques they cover; a backlog of gaps with named owners and residual-risk ratings; and a monthly review pack that walks the same shape every cycle so trend lines become visible.

Building this is a leadership task, not a tooling task. It changes what the team measures, what gets prioritised in the sprint, and what the function commits to in writing.

What you walk away with

  • A written, versioned detection coverage model tied to ATT&CK techniques and the data sources that support them.
  • A monthly review pack the CISO can present to the audit committee without rework.
  • A detection backlog scored by missed-incident exposure rather than by analyst preference.
  • A defensible answer to the next exec question about why a specific detection did not fire.
  • A handoff document that survives the next leadership change in the SOC consumer team.

The 12 modules

Module 1. The missed-alert review and what it really tests
Reconstruct the shape of an exec review of a real missed-alert incident. The implicit questions, the slides that get torn apart, the artefacts that hold up. Map those artefacts back to what the detection engineering function would have to maintain in advance for the review to go well. Set the target output of the rest of the course against this template.
Module 2. ATT&CK technique scoping for your actual threat model
Cut the full ATT&CK matrix down to the techniques that map to the threat actors your organisation actually faces. Use a structured scoping method that names the criteria for inclusion and exclusion, so the scoped list can be defended in writing. Output is a versioned technique list with rationale per inclusion.
Module 3. Data-source quality scoring
A detection cannot fire if the data source is incomplete, delayed, or untrusted. Build a quality score for each data source feeding your SIEM across four dimensions: coverage, freshness, integrity, and retention. Tie the score to the techniques that depend on that source, so coverage claims are conditional on data-source quality rather than asserted independently.
Module 4. Detection-as-code pipeline as the source of truth
Move detection definitions out of the SIEM console and into a versioned repository. Every rule is a code artefact with a test, a technique reference, and a change history. Walk through the pipeline shape, the review workflow, and the rollback story. This is the foundation that makes the coverage model auditable rather than a snapshot.
Module 5. Coverage scoring per technique
For each in-scope ATT&CK technique, score the coverage as none, partial, or confident, with the rule references and data-source dependencies that justify the score. The score is conditional on the data-source quality from module three. Output is a coverage matrix that is the canonical answer to the question "what do we see?".
Module 6. Detection efficacy testing
Coverage scores are only credible if they are tested. Walk through purple-team exercise design, atomic test execution, and continuous-validation tooling. The test result feeds back into the coverage matrix so the score reflects what actually fires, not what should fire. Cover the trade-off between continuous testing cost and confidence interval on the score.
Module 7. Backlog scoring by missed-incident exposure
Detection backlogs filled by analyst preference produce sprints that feel productive and coverage that drifts. Replace that with a backlog scored by the expected cost of missing an incident in that technique area, given threat-actor frequency and business impact. Walk through the scoring method and the sprint-planning conversation it changes.
Module 8. Residual risk articulation for executives
Coverage gaps are inevitable. The question is whether the residual risk is named, accepted, and reviewed. Walk through writing a residual risk register for detection coverage. Each gap has an owner, a compensating control, a review date, and a target end state. This is the artefact that ends the opinion-against-opinion missed-alert conversation.
Module 9. The monthly coverage review pack
Design a recurring review pack that walks the same shape every cycle. Coverage matrix delta, backlog burn-down, residual risk changes, new techniques added to scope. Same slides, same numbers, every month. Trend lines become visible. The CISO can hand the pack to audit. The board can read it without translation.
Module 10. Handoff to SOC consumers
Detection engineering hands its output to a SOC that has to triage the alerts. The handoff is where most coverage claims fall apart. Walk through the runbook contract per detection, the false-positive feedback loop, and the joint review cadence with the SOC team lead. Coverage that is not consumable in the SOC is not coverage.
Module 11. Audit and assurance integration
External and internal audit increasingly ask detection teams for written coverage evidence. Walk through what auditors want to see, how the coverage matrix and residual risk register satisfy those asks, and how to avoid creating duplicate artefacts for audit consumption. The same monthly pack should serve both the CISO and the audit conversation.
Module 12. First 90 days of running the model
Standing up the model is one task. Running it through three monthly cycles is another. Walk through the first 90 days of operation, the predictable pushback from analysts who preferred the old backlog, the SIEM vendor conversation about data-source coverage, and the first exec review that uses the new pack. Output is a 90-day operating plan with named risks.
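As an added illustration of the scoring mechanics that modules 3, 5 and 7 describe, the sketch below scores each data source on its weakest dimension, credits each detection rule only as far as its weakest data source allows (with reduced credit for a rule whose efficacy test has not fired), rolls that up into a none/partial/confident coverage matrix per technique, and ranks a backlog by missed-incident exposure (actor frequency times business impact times the uncovered share). This is example code written for this page, not the course's template: the data-source scores, rule ids, frequencies, impact figures, thresholds and the half-credit rule for untested detections are all constructed assumptions, and the ATT&CK technique ids are used only as labels.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSource:
    """One feed into the SIEM, scored on the four dimensions named in module 3."""
    name: str
    coverage: float   # share of in-scope assets actually shipping logs (0..1)
    freshness: float  # 1.0 = arrives inside the detection SLA, lower = delayed
    integrity: float  # 1.0 = trusted, tamper-evident pipeline
    retention: float  # 1.0 = kept long enough to investigate a late alert

    def quality(self) -> float:
        # The weakest dimension bounds the score: complete, fresh data that is
        # not retained still cannot support last month's missed-alert review.
        return min(self.coverage, self.freshness, self.integrity, self.retention)


@dataclass(frozen=True)
class Rule:
    """A detection-as-code artefact: rule id, technique reference, data-source
    dependencies, and whether its efficacy test fired in the last cycle."""
    rule_id: str
    technique_id: str
    sources: tuple[str, ...]
    tested: bool


@dataclass(frozen=True)
class Technique:
    """An in-scope ATT&CK technique with the two inputs backlog scoring needs."""
    technique_id: str
    name: str
    actor_frequency: float  # expected incidents per year involving the technique
    business_impact: float  # cost of one missed incident, in arbitrary units


# Assumed thresholds and credit factor (constructed for this example).
CONFIDENT = 0.8
PARTIAL = 0.5
UNTESTED_CREDIT = 0.5  # an untested rule earns half credit until it is validated


def rule_score(rule: Rule, sources: dict[str, DataSource]) -> float:
    """Coverage credit a rule earns, bounded by its weakest data source."""
    if not rule.sources:
        return 0.0
    quality = min(sources[name].quality() for name in rule.sources)
    return quality if rule.tested else quality * UNTESTED_CREDIT


def label(score: float) -> str:
    """Map a numeric score onto the none / partial / confident scale."""
    if score >= CONFIDENT:
        return "confident"
    if score >= PARTIAL:
        return "partial"
    return "none"


def build_coverage_matrix(techniques, rules, sources):
    """Per technique: best rule score, its label, and the rules that justify it."""
    matrix = {}
    for tech in techniques:
        matching = [r for r in rules if r.technique_id == tech.technique_id]
        scored = sorted(((rule_score(r, sources), r.rule_id) for r in matching), reverse=True)
        best = scored[0][0] if scored else 0.0
        matrix[tech.technique_id] = {
            "name": tech.name,
            "score": best,
            "label": label(best),
            "rules": [rule_id for _, rule_id in scored],
        }
    return matrix


def exposure_backlog(techniques, matrix):
    """Backlog ordered by expected cost of a missed incident in each technique area."""
    rows = []
    for tech in techniques:
        gap = 1.0 - matrix[tech.technique_id]["score"]
        rows.append((tech.technique_id, tech.actor_frequency * tech.business_impact * gap))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample inventory: three data sources, five techniques, four rules.
SOURCES = {s.name: s for s in (
    DataSource("windows_security", 0.95, 0.9, 1.0, 1.0),
    DataSource("edr_process", 0.6, 1.0, 1.0, 1.0),
    DataSource("cloud_audit", 1.0, 0.4, 1.0, 1.0),  # complete but badly delayed
)}
TECHNIQUES = (
    Technique("T1078", "Valid Accounts", 6.0, 50.0),
    Technique("T1059", "Command and Scripting Interpreter", 4.0, 40.0),
    Technique("T1003", "OS Credential Dumping", 2.0, 100.0),
    Technique("T1021", "Remote Services", 3.0, 30.0),
    Technique("T1098", "Account Manipulation", 1.0, 80.0),
)
RULES = (
    Rule("R-0001", "T1078", ("windows_security",), tested=True),
    Rule("R-0002", "T1059", ("edr_process",), tested=True),
    Rule("R-0003", "T1003", ("edr_process",), tested=False),  # never validated
    Rule("R-0004", "T1098", ("cloud_audit",), tested=True),   # data too stale
)


def main():
    matrix = build_coverage_matrix(TECHNIQUES, RULES, SOURCES)
    for tid, row in matrix.items():
        print(f"{tid} {row['name']:<36} {row['label']:<10} {row['score']:.2f} {row['rules']}")
    print("backlog by missed-incident exposure:")
    for tid, exposure in exposure_backlog(TECHNIQUES, matrix):
        print(f"  {tid} {exposure:7.1f}")


if __name__ == "__main__":
    main()
```

Two things the sample data is built to show: a rule that exists on paper still scores "none" when its data source is stale (T1098 on the delayed cloud audit feed) or untested (T1003), and the backlog order that falls out (T1003 first, then the technique with no rule at all) differs from the order an analyst-preference backlog would produce, because exposure weights the gap by how often the actor uses the technique and what a miss costs.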

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • The next missed-alert incident review is on a calendar slot the CISO already knows is coming.
  • The current coverage heatmap was put together for one slide deck and has not been updated since.
  • The detection backlog is filled by what analysts feel like building rather than what would close the highest-exposure gaps.
  • Audit has started asking for written detection coverage evidence and the current answer is a screenshot.

What you get with this course

  • Twelve written modules covering scoping, data-source quality, detection-as-code, coverage scoring, testing, backlog management, residual risk, review packs, SOC handoff, audit integration, and the first 90 days of operation.
  • Downloadable templates for the coverage matrix, data-source quality score, residual risk register, monthly review pack, and detection-as-code pipeline charter.
  • Worked examples drawn from a representative large-tech detection function.
  • A hand-built implementation playbook tailored to the buyer's SIEM, data-source mix, and SOC consumer relationship, delivered alongside course access.
  • Thirty-day refund window.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Modules one through four are designed to be worked in the first two weeks alongside a current detection sprint.

Modules five through eight produce the coverage matrix and the residual risk register, typically over weeks three through six.

Modules nine through twelve operationalise the monthly review pack and the first 90 days of running the model.

Before and after

Before

Coverage claims are heatmap colours nobody can defend. Missed-alert reviews turn into opinion against opinion. The detection backlog reflects analyst preference. Audit asks for written evidence and the team scrambles to assemble it from the SIEM console.

After

Coverage is a versioned written model tied to ATT&CK and data-source quality. Missed-alert reviews turn into a structured residual risk conversation. The backlog is scored by missed-incident exposure. The monthly pack serves CISO, audit, and board without rework.

What happens if you do not address this

The next exec missed-alert review without a written coverage model is the one where the function loses headcount in the planning cycle that follows. Heatmaps do not survive that conversation. Audit's patience for screenshot evidence is also visibly running out across the sector.

Who it is for

Senior security engineering leader running a detection and response function inside a large technology organisation. Owns SIEM rule quality, data-source onboarding, detection-as-code pipelines, and the relationship with the SOC consumers of those detections. Reports to a CISO or VP Security who is increasingly asked to defend coverage claims in writing.

Who this is NOT for. Individual SOC analysts looking for hands-on detection tuning recipes. Greenfield startups without a SIEM. Security leaders whose primary remit is policy or GRC rather than engineering. Anyone wanting a generic ATT&CK introduction.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly four to six hours per module across the twelve modules. Designed to run in parallel with a current detection sprint so the artefacts are built against real data, not theoretical scenarios.

Why $199 is the right number

Vendor-led detection coverage workshops produce a one-time matrix that is not versioned and does not survive the next data-source change. Internal-only build risks reinventing scoring methods that have been worked through elsewhere. This course gives the written method, the templates, and the per-buyer implementation playbook in one place.

FAQ

Does this assume a specific SIEM?
No. The method is SIEM-independent. The implementation playbook is tailored to your specific SIEM, data-source mix, and detection-as-code pipeline so the templates land on your stack rather than a reference one.
Does the course require a detection-as-code pipeline already in place?
No. Module four walks through standing one up from a SIEM-console-only starting point. If a pipeline is already in place, that module becomes a review of the pipeline shape against the requirements of the coverage model.
How is this different from running an ATT&CK navigator heatmap?
The navigator heatmap is one output of one module. The course adds data-source quality conditioning, testing-based score validation, residual risk articulation, and the monthly review cadence. Those are what make the coverage model defensible in an exec review.
Who builds the implementation playbook?
The playbook is hand-built per buyer against the buyer's environment. It is not a generic template. Delivery is alongside course access.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.