Detection Engineering & Threat Hunting SIG

Mission

Security teams are constantly facing evolving threats, complex infrastructures, and an expanding set of detection tools. Many SOCs and CERTs are building Detection Engineering capabilities, but without a strong peer network, they often work in isolation, reinventing solutions to shared challenges. Similarly, Threat Hunting efforts uncover new attack techniques, but without structured collaboration, insights can be siloed rather than feeding back into detection improvements.

This interest group seeks to enhance Incident Response effectiveness by strengthening the upstream disciplines of Threat Hunting and Detection Engineering. Our goal is to create a global knowledge-sharing space that fosters:

• Collaboration on detection R&D, enabling teams to develop and refine detection rules more efficiently.
• Knowledge exchange on tools, infrastructure, and threat specifics, helping teams navigate emerging challenges.
• Structuring of best practices, definitions, architectures, and methodologies to standardize and accelerate progress.
• Creation of a shared repository of detection content, supporting scalable and effective detection coverage.
• Continuous feedback loops between Threat Hunting, Detection Engineering, Threat Intel, and Incident Response, transforming unknown threats into known detections while tuning false positives through automation and investigation insights.

Goals & Deliverables

To drive progress in Threat Hunting and Detection Engineering, this interest group will focus on developing standardized frameworks, shared knowledge, and collaborative best practices. Our key goals and deliverables include:

• Establish an open detection engineering and threat hunting community, fostering collaboration and knowledge exchange across organizations.
• Develop a shared framework for threat hunting and detection, standardizing methodologies, workflows, and best practices to enhance detection and response capabilities.
• Create and support shared repositories for detection content, enabling security teams to access and contribute to a collective knowledge base.
• Define patterns and models for hunting unknown threats, converting discoveries into actionable detection rules, alerts, and automated feedback loops from incident investigations.
• Host monthly workshops where teams showcase their detection engineering approaches, refine best practices, and enhance collective expertise.
• Establish a framework to evaluate log and data source coverage against detection objectives, ensuring comprehensive detection capabilities.
• Define best practices for detection rule testing, including structured definitions for detection unit testing and validation methodologies.
• Develop an Intel-to-Detection Engineering standard, providing teams with a structured approach to building and optimizing their detection pipelines.
• Standardize detection content sharing within communities (e.g., ISACs) using platforms like MISP and other intelligence-sharing tools.
• Define best practices for integrating Detection Engineering and Incident Response, including feedback loops for refining detection rules and implementing advanced Detection-to-Response Engineering approaches.
• Establish a tier-based response model, allowing organizations to apply varying degrees of automation and enrichment to alerts based on confidence levels.
• Curate real-world insights on commercial and open-source detection tools, helping teams understand tool capabilities and make informed decisions.

Meetings

• At the Annual Conference (in person)
• Monthly (virtually)

Chairs

• Amine Besson (EU)
• Remi Seguy (EU)
• George Chen (APAC)
• Harrison Pomeroy (US)

Mailing list

Any FIRST member may join, others are welcome as well, requests must be approved by the SIG chairs.

• de-th-sig@first.org (subscribers only; please complete the Request to Join form below)

Request to Join

• Initiatives
  • Special Interest Groups (SIGs)
    • SIGs Framework
    • Academic Security SIG
    • AI Security SIG
    • Automation SIG
    • Cybersecurity Communications SIG
    • Common Vulnerability Scoring System (CVSS-SIG)
      • Calculator
      • Specification Document
      • User Guide
      • Examples
      • Frequently Asked Questions
      • CVSS v4.0 Documentation & Resources
        • CVSS v4.0 Calculator
        • CVSS v4.0 Specification Document
        • CVSS v4.0 User Guide
        • CVSS v4.0 Examples
        • CVSS v4.0 FAQ
      • CVSS v3.1 Archive
        • CVSS v3.1 Calculator
        • CVSS v3.1 Specification Document
        • CVSS v3.1 User Guide
        • CVSS v3.1 Examples
        • CVSS v3.1 Calculator Use & Design
      • CVSS v3.0 Archive
        • CVSS v3.0 Calculator
        • CVSS v3.0 Specification Document
        • CVSS v3.0 User Guide
        • CVSS v3.0 Examples
        • CVSS v3.0 Calculator Use & Design
      • CVSS v2 Archive
        • CVSS v2 Complete Documentation
        • CVSS v2 History
        • CVSS-SIG team
        • SIG Meetings
        • Frequently Asked Questions
        • CVSS Adopters
        • CVSS Links
      • CVSS v1 Archive
        • Introduction to CVSS
        • Frequently Asked Questions
        • Complete CVSS v1 Guide
      • JSON & XML Data Representations
      • CVSS On-Line Training Course
      • Identity & logo usage
    • CSIRT Framework Development SIG
    • Cyber Insurance SIG
      • Cyber Insurance SIG Webinars
    • Cyber Threat Intelligence SIG
      • Curriculum
        • Introduction
        • Introduction to CTI as a General topic
        • Methods and Methodology
        • Priority Intelligence Requirement (PIR)
        • Source Evaluation and Information Reliability
        • Machine and Human Analysis Techniques (and Intelligence Cycle)
        • Threat Modelling
        • Training
        • Standards
        • Glossary
        • Communicating Uncertainties in CTI Reporting
      • Webinars and Online Training
      • Building a CTI program and team
        • Program maturity stages
          • CTI Maturity model - Stage 1
          • CTI Maturity model - Stage 2
          • CTI Maturity model - Stage 3
        • Program Starter Kit
        • Resources and supporting materials
    • Detection Engineering & Threat Hunting SIG
    • Digital Safety SIG
    • DNS Abuse SIG
      • Stakeholder Advice
        • Detection
          • Cache Poisoning
          • Creation of Malicious Subdomains Under Dynamic DNS Providers
          • DGA Domains
          • DNS As a Vector for DoS
          • DNS Beacons - C2 Communication
          • DNS Rebinding
          • DNS Server Compromise
          • DNS Tunneling
          • DoS Against the DNS
          • Domain Name Compromise
          • Dynamic DNS (as obfuscation technique)
          • Fast Flux (as obfuscation technique)
          • Infiltration and exfiltration via the DNS
          • Lame Delegations
          • Local Resolver Hijacking
          • Malicious registration of (effective) second level domains
          • On-path DNS Attack
          • Stub Resolver Hijacking
      • Code of Conduct & Other Policies
      • Examples of DNS Abuse
    • Ethics SIG
      • Ethics for Incident Response Teams
    • Exploit Prediction Scoring System (EPSS)
      • The EPSS Model
      • Data and Statistics
      • User Guide
      • EPSS Research and Presentations
      • Frequently Asked Questions
      • Who is using EPSS?
      • Open-source EPSS Tools
      • API
      • Related Exploit Research
      • Blog
        • Understanding EPSS Probabilities and Percentiles
        • Log4Shell Use Case
        • Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities
      • Data Partners
    • FIRST Multi-Stakeholder Ransomware SIG
    • Human Factors in Security SIG
    • Industrial Control Systems SIG (ICS-SIG)
    • Information Exchange Policy SIG (IEP-SIG)
    • Information Sharing SIG
      • Malware Information Sharing Platform
    • Law Enforcement SIG
    • Malware Analysis SIG
      • Malware Analysis Framework
      • Malware Analysis Tools
    • Metrics SIG
      • Metrics SIG Webinars
    • NETSEC SIG
    • Public Policy SIG
    • PSIRT SIG
    • Red Team SIG
    • Security Lounge SIG
    • Security Operations Center SIG
    • Threat Intel Coalition SIG
      • Membership Requirements and Veto Rules
    • Traffic Light Protocol (TLP-SIG)
    • Transportation and Mobility SIG
    • Vulnerability Coordination
      • Multi-Party Vulnerability Coordination and Disclosure
      • Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
    • Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)
      • Vulnerability Database Catalog
    • Women of FIRST
  • CCB Initiatives
  • FIRST CORE
    • Sponsorship Opportunities
  • Internet Governance
  • IR Database
  • Fellowship Program
    • Application Form
  • Mentorship Program
  • IR Hall of Fame
    • Hall of Fame Inductees
  • Victim Notification
  • Volunteers at FIRST
    • FIRST Volunteers
  • Previous Activities
    • Best Practices Contest