A curated, opinionated reference of the frameworks, tools, and resources that matter most in threat detection engineering and incident response — distilled into one page you can actually skim.
Who this is for: detection engineers, SOC analysts, threat hunters, and security leaders who want a fast mental map of the field — the core frameworks (Kill Chain, ATT&CK, Pyramid of Pain), the detection-as-code ecosystem, ready-to-use detection rule sources, and the best external references — without wading through a dozen blog posts.
⭐ Find this useful? Star the repo to bookmark it and help others discover it. Contributions welcome — see Contributing.
- Frameworks
- Incident Response Lifecycle
- Cyber Kill Chain
- Pyramid of Pain
- 1-10-60 Rule
- Cybersecurity Defense Maturity Scorecard
- Detection Engineering Maturity Matrix
- ATT&CK
- DeTT&CT
- Detections-as-Code (DaC)
- Distributed Alerting (DA)
- Risk-Based Alerting (RBA)
- Purple Teaming
- Data Science
- Threat Modeling
- Threat Intelligence
- Detection Rules / Signatures
- Resources
- Notes
- Contributing
SANS outlines the 6 incident phases.
NIST outlines 4 phases.
Lockheed Martin breaks down an intrusion into 7 well-defined phases, and can help identify patterns that link individual intrusions into broader campaigns. The 7 phases cover all of the stages of a single intrusion that — when completed successfully — leads to a compromise.
- Clearly defined linear sequence of phases (as opposed to ATT&CK).
ReconnaissanceandWeaponizationare often ignored but can be valuable.
Part of the Cyber Kill Chain. Defenders can measure the performance as well as the effectiveness of these actions, and plan investment roadmaps to rectify any capability gaps
- Valuable tool in evaluating capabilities and gaps.
David J Bianco shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.
- Pain is a two-way street for both the adversary and analyst. For the analyst, hash detections (atomic) are trivial to write, and TTP detections (behavioral) are tough to write.
- Atomic may offer higher confidence than behavioral detections, but behavioral detections offer more longevity.
- Useful to keep in mind when prioritizing detection rules.
CrowdStrike investigated, the average “breakout time” in 2017 was one hour and 58 minutes. Breakout time indicates how long it takes for an intruder to jump off the initial system (“beachhead”) they have compromised and move laterally to other machines within the network.
- 1 minute to detect, 10 minutes to investigate and 60 minutes to remediate.
- Useful to keep in mind when discussing ingest lag, working hours, and on-call.
Not-Sure-Who-Invented-This defines cybersecurity maturity across key domains.
- Decent tool for board maturity assessment
- Github & detectionengineering.io
- Article and SANS Blue Team Summit Talk
- Converted to Google Sheets
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Enough has been written on this.
Rabobank CDC DeTT&CT aims to assist blue teams in using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage, and threat actor behaviors.
The principle of infrastructure-as-code but for detections. This allows you to version control detections and apply the same CI/CD principles to your detections as you do to your infrastructure.
- Splunk has a open-source project called Splunk Security Content
- Elastic has this open-source project called Detection Rules for Elastic Security
- Carta released their own tool called Krang
Popularized by Slack in this blog post. The concept is to shift the burden of alert triage from Analyst to the relevant teams. Additional verification can be accomplished with 2FA.
- Great for misconfiguration-type alerts e.g. internet exposed server, compliance requirements, RBAC.
Risk-based alerting (RBA) provides teams with a unique opportunity to pivot resources from traditionally reactive functions to proactive functions in the SOC. Detections are tagged with observations and metadata to produce a score. Alerts are then correlated by some grouping e.g. user, IP, source, then fired if the correlated risk is above a certain score.
Purple teaming to create/inspire detections.
- Tool atomic-red-team
- Tool stratus-red-team
- Conference talk by Strip
Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.
- Article owasp
- Threat Modeling Manifesto - Values and principles for effective threat modeling.
Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors.
- Article by crowdstrike
- Detection Engineering Weekly - Zack Allen's newsletter (16k+ subscribers) curating the week's top detection engineering content, tools, and research. The best single way to stay current.
- Detection Engineering Maturity Matrix - Kyle Bailey's matrix for measuring and benchmarking your detection function across people, process, and technology.
- Awesome Detection Engineering - Community-curated master list of DE tools, blogs, and references.
- Awesome Detection Rules - Aggregated collection of open-source detection rule repos across SIEM/EDR platforms.
- Florian Roth's Blog - Deep, practical writing on detection rule quality, Sigma, and YARA from the creator of Sigma.
- Security Engineering Study Notes - Excellent prep notes covering detection/security engineering fundamentals.
- scrty.io - Curated security engineering reference and reading.
- The DFIR Report - Real-world intrusion reports with the TTPs, artifacts, and detections you can turn into rules.
- Cisco Talos Reputation Center - IP/domain reputation and email/web traffic insights.
- VirusTotal - Multi-engine file, URL, domain, and IP analysis.
- urlscan.io - Sandbox that records everything a URL does (requests, screenshots, DOM).
- Cloudflare Radar URL Scanner - Free URL scanner with screenshots and tech detection.
- DomainTools Whois - Whois and domain registration lookups for enrichment/pivoting.
- MaxMind GeoIP - IP geolocation and ASN databases for enrichment.
- AbuseIPDB - Crowd-sourced IP abuse reporting and reputation checks.
- GreyNoise - Tells you which IPs are mass-scanning the internet vs. targeting you, great for alert noise reduction.
- Shodan - Search engine for internet-exposed hosts and services.
- MITRE ATT&CK Navigator - Visualize and annotate ATT&CK coverage layers.
- LOLBAS - Living-off-the-land binaries, scripts, and libraries abused on Windows.
- GTFOBins - Unix binaries that can be abused to bypass local security restrictions.
- LOOBins - Living-off-the-land binaries for macOS.
- OSINT4all (start.me) - Large curated OSINT tooling dashboard.
- OSINT Framework - Tree of OSINT resources organized by data type.
- Indicator types
- Atomic - Atomic indicators are those which cannot be broken down into smaller parts and retain their meaning in the context of an intrusion. Typical examples here are IP addresses, email addresses, and vulnerability identifiers.
- Computed - Computed indicators are those which are derived from data involved in an incident. Common computed indicators include hash values and regular expressions.
- Behavioral - Behavioral indicators are collections of computed and atomic indicators, often subject to qualification by quantity and possibly combinatorial logic. An example would be a statement such as ”the intruder would initially use a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replace it with one matching the MD5 hash [value] once access was established.”
Contributions are welcome and encouraged — this list gets better with more eyes on it.
- Found a broken link, typo, or outdated resource? Open an issue or a pull request.
- Want to add a framework, tool, or resource? Open a PR. Please keep entries concise, include a link, and add a one-line note on why it's useful (not just what it is).
- Keep formatting consistent with the existing sections and place new entries under the most relevant heading.
See CONTRIBUTING.md for details. If this reference saved you time, please ⭐ the repo so others can find it.








