

Detection Engineering Dispatch
Anvilogic
Detection Engineering Dispatch is a detection engineering & threat hunting podcast featuring spicy use cases, real-world war stories, and the brilliant minds building the future of SecOps. We’re talking sharp takes, top-of-mind challenges, and community content straight from the folks pushing the limits of detection engineering, threat hunting, and everything in between. Come for the nerdy bits. Stay for the vibes.

Join our community to stay up to date on all of our newest episode drops.

Stay in the loop! Connect with us on social:
Website: https://www.anvilogic.com/
LinkedIn: https://www.linkedin.com/company/anvilogic
YouTube: https://www.youtube.com/@Anvilogic
Episodes

Feb 17, 2026 • 42min
Does the SOC have a Memory Problem? A better approach to your field notes feat. K.C. Yerrid
K.C. Yerrid joins Detection Dispatch to break down SCOUT, a local-first, open-source analyst cockpit built around atomic notes, entity relationships, and structured investigation memory.

The SCOUT Project on GitHub: https://github.com/kcyerrid/SCOUT

In this episode, we explore:
- Why static investigation notes rarely get referenced again, and why tribal knowledge evaporates after every incident
- Why “everything is an entity” is a massive shift for analysts
- How graph-based sensemaking helps visualize relationships that dashboards can’t
- Why brittle SOAR playbooks fail (investigations aren’t linear; you can’t pre-plan every branch)
- Why investigations don’t fit neatly into tickets and timelines
- How better documentation makes AI actually useful later

Plus: junior analysts can level up faster with entity-based thinking.

If you have to keep re-learning the same lessons every quarter, this one’s for you.

Detection Engineering Dispatch features candid conversations with security teams at top companies on how they build, measure, and scale world-class detection programs.

Feb 3, 2026 • 1h 8min
The New Definition of Visibility & the Evolving Role of IOCs: Detection Engineering Through a UFO Lens with David Burkett
Detection engineering has the same problem as UFO sightings: sometimes we think we’re seeing something, but we’re not sure what.

In this UFO-themed special, Alex Hurtado and David Burkett break down the new definition of visibility, the evolving role of IOCs, and the rise of EDR evasion exploiting blind spots in our tools, data, and assumptions. 🛸

Shownote references:
https://www.liesabove.com/
https://www.magonia.io/
Signal Detection Theory: https://www.magonia.io/blog/vintage-detection-radar-research-cyber-threats/
The Evolving Role of IOCs: https://www.magonia.io/blog/maximizing-the-value-of-threat-indicators-and-reimagining-their-role-in-modern-detection/
The New Definition of Visibility: https://www.magonia.io/blog/what-is-cybersecurity-visibility/
Decoding Fuzzy Hashes: https://www.magonia.io/blog/what-is-cybersecurity-visibility/

Jan 29, 2026 • 1h 14min
The SOC Then vs Now...a 'Possible Travel' Season 2 Special Feat. Matt Konwiser & Chris Liccardi
In this episode, we hop in the time machine with my old friends Matt Konwiser and Chris Liccardi to break down the evolution of the SOC and explore what actually got better, what got worse, and why alert fatigue may be the normalized thing no one wants to do anything about.

What’s inside:
- The ghost of SOCs past: linear, manageable, maybe even… boring?
- IAM, UBA, VPCs, and other buzzwords that broke the workflow
- Why UBA is the bridesmaid of security, and why it should include an A for AI behavior
- UBA’s glow-up potential (or lack thereof)
- Real-life horror stories from the modern alert trenches

Dec 18, 2025 • 1h 5min
Cool Story, Bro: Making Detection Engineering Matter Up the Chain
A Chloe Burton special on the very human side of detection engineering. From a nonlinear path into security (neuroscience, psychology, Splunk-era chaos) to leading a DE team today, Chloe and Alex break down why context beats checklists, why so many detections cluster in the middle of the MITRE ATT&CK framework, and how telemetry availability quietly shapes what we defend.

We dig into detection fundamentals that don’t get talked about enough: avoiding the myth of the perfect rule, resisting over-tuning, rotating across domains to prevent stagnation, and staying grounded while the sky always feels like it’s falling. Chloe also shares leadership unlearns: raising flags early, saying “no” with strategy, and creating teams that feel safe to fail forward.

We also discuss how to get leadership to give a f**ck, and how best to escalate problems and gaps up the chain.

Finally, if macOS threat coverage is on your radar, we also call out Olivia Gallucci’s newsletter as a must-follow for macOS threat intelligence and research in a space that desperately needs more visibility.

📊 Shownotes call-outs:
MITRE ATT&CK sunburst analysis
macOS Research & Newsletter: https://oliviagallucci.com/blog/#subscribe

Nov 18, 2025 • 1h 12min
To AI SOC or NOT TO AI SOC feat. Dennis Chow
What if the real question isn’t “Do you need an AI SOC?” but “Are your alerts actually any good?” In this episode, Alex and Dennis Chow (Director of SecOps Engineering at UKG and co-author of Automating Security Detection Engineering) break down the uncomfortable truth: if your alerts are fundamentally weak, no AI system will save you.

Dennis walks through how he evaluates when alerts move from unmanageable to stable, the metrics that determine whether automation is genuinely safe, and how his team built a multi-agent pipeline on GCP capable of consuming alert volume at a rate no human team could match. He shows what automation can realistically achieve, from scaling L1/L2 investigations to reclaiming analyst hours, and where it still depends on skilled detection engineering.

They also tackle the real decision point for leaders: when does it make sense to buy an AI SOC vendor that handles both detection development and triage, and when is it just a GPT wrapper dressed as a solution?

40% discount on the eBook: use code PACKTEBOOK
Packt book URL: https://www.packtpub.com/en-us/product/automating-security-detection-engineering-9781837631421
Code valid through: November 30, 2025

Nov 7, 2025 • 38min
Spencer Pratt on Agentic RAGs + Chicago Reccs for Newbies
Before he ever cried on the Red Line, Spencer Pratt broke his own RAG index.

In this episode of Detection Dispatch, Spencer Pratt (not The Hills one; this one writes detections, not drama) joins Dispatch to talk through what it really takes to operationalize agentic AI in the wild. From L1/L2 triage to risk scoring, Spencer walks us through building a homegrown RAG system on top of Azure, complete with semantic search, vector embeddings, and even one risk score that always returns “zero” (because he told it to).

We get into:
- OpenAI in production for alert history correlation & analysis assist
- How to hallucination-proof your enrichment
- Why DNS exfil is still too weird for your LLM
- Why automation shouldn’t make the decisions, but can help you decide faster

Also in this episode, you get a bonus:
🥲 Chicago starter pack of reccs for newly promoted SOC analysts
🍕 Bottomless brunch + skyline bike rides with the fam
🎮 Retro arcades and ramen bars that go harder than your SIEM

Oct 31, 2025 • 37min
Malware Trends, Credential Soup and Scream Therapy
Alex and Scott Rodgers unpack the F5 breach, Mandiant M-Trends highlights like the fall of BEACON, and the leapfrogging of stolen creds over phishing.

Expect:
- The infostealer industrial complex
- Operation MORPHEUS x BEACON’s quiet exit
- The real meaning of “supply chain blast radius” & tight turnaround time requirements
- Why screaming might actually save your sanity

Hit play. Stay unhinged. Detect responsibly.

Oct 23, 2025 • 57min
What Your EDR Doesn’t See...Kostas Drops Receipts from the Telemetry Trenches
We unpack what modern EDRs actually deliver, where they fall short, and how to validate telemetry before you buy. EDR Telemetry Project co-founder Kostas walks through the open-source EDR Telemetry Project, the pros and cons of Sysmon, and how to evolve from alert consumer to detection engineer. And also... EDR vendors dropping out of the MITRE ATT&CK Evaluations??

Show note references:
https://github.com/tsale/EDR-Telemetry?tab=readme-ov-file#edr-scores
https://www.edr-telemetry.com/

Oct 8, 2025 • 53min
SIEMs & Data Lakes can be friends...it isn't Either/Or, It’s Yes, And.
On this Detection Dispatch, host Alex Hurtado sits down with Jake Berkowsky, CTO at Snowflake, to crack open one of the hottest and most misunderstood topics in modern SecOps: the rise of the security data lake, and security data lakes as your SIEM.

Modern detection architecture isn’t about choosing SIEM or lake; it’s about interoperability, orchestration, and strategic flow. We cover federation hype and data-silo upkeep fatigue, and take a brutally honest look at why standalone SIEMs aren’t cutting it, what’s actually driving data lake adoption, and how teams can shift from buying more platforms to building better data flows. Along the way, they unpack the new Snowflake x Splunk integration, AI governance headaches, and the myth of the “one platform to rule them all.”

If you’re wrestling with detection silos, debating SIEM retirement, considering data lake modernization, or just trying to make sense of the evolving detection-to-response pipeline, this episode is your signal.

Aug 25, 2025 • 44min
Detection in Flux: Riding the Chaos with Day Johnson
In a world where SOCs are dissolving, job roles are glitching, and the attack surface blurs between work and personal life across Slack and Discord, one thing remains constant: detection never sleeps.

On this episode of Dispatch, we’re joined by Day Johnson: detection engineer at Amazon, architect of Cyberwox Labs, and voice of clarity for 100K+ across LinkedIn, YouTube, and Twitter. From Datadog to the bleeding edge of cloud defense, Day’s been charting what it means to stay sharp when the landscape won’t sit still. We go all in on this chaos.


