Understanding Detection as Code: Integrating with Breach and Attack Simulation

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries


Detections are essentially the logic frameworks employed to analyze security data, aiming to identify whether the analyzed logs indicate potential threats. The creation of a detection rule triggers an alert to the Security Teams, prompting them to either investigate or mitigate the identified threats. The concept of Detection as Code represents a strategic shift towards adopting the Software Development Lifecycle (SDLC) in crafting these rules. This approach not only introduces a more systematic, flexible, and structured methodology but also marks a significant evolution from traditional security detection practices to solutions that are inherently code-based.

In this article, we will explore the Detection as Code paradigm in depth, highlighting how Picus leverages this innovative strategy to bolster your cybersecurity posture.

What Is Detection as Code?

Detection as Code is a strategic approach that seamlessly integrates security detection mechanisms into the software development life cycle. By treating security controls as code, organizations can automate the deployment, configuration, and maintenance of security measures throughout the entire development process. This approach aligns with the DevSecOps philosophy, embedding security into the heart of the development process rather than treating it as an isolated phase. This enables users to write higher-quality detections by building a pipeline and avoiding manual testing of each detection.

To enhance this approach, Detection as Code focuses on several key principles, including 

  • Code reusability
  • Test-driven deployment
  • Detection certainty
  • Version control 

each playing a crucial role in streamlining and securing the development process.

Code Reusability

Detection as Code encourages the user to reuse their content constantly to keep it up to date with today’s standards. Reusing code not only reduces development time but also opens an opportunity to share knowledge among the community, fostering a collaborative environment for security development.

Test-Driven Deployment (TDD)

With Detection as Code, users can ensure that detection content is produced with necessary testing in their own environment during the development process. This approach enables flexible changes at any time without disrupting the process, ensuring superior quality detection content and modularity for new products with little effort.

Detection Certainty

Automated workflows and test-driven deployment guarantee that when detection is developed using Detection as Code, users can be confident an alert will be fired accurately. This process eliminates the need for manual testing of each detection content, allowing developers to focus their time on developing new pipelines or upgrading existing ones to ensure no false alerts are fired.

Version Control

Detection as Code ensures that no content changes are lost in development with a robust version control mechanism. This procedure not only enables developers to revert to previous versions in case of faulty development but also fosters a culture of accountability and continuous improvement within the development team.

Detection as Code in the Real World

To effectively implement the Detection as Code paradigm in real-life scenarios, certain tools can significantly streamline the process. While these tools are not strictly necessary for adopting Detection as Code, they greatly facilitate the management and ease of the process.

Sigma, sigma-cli and pySigma

Companies use many different SIEM (Security Information and Event Management) tools, and the writing styles of rules within these tools vary. Translating detection contents from one SIEM tool to another can be challenging, and in such cases, Sigma comes to our aid.

Sigma is an open-source, generic signature format used in cybersecurity, specifically for the creation and sharing of detection methods across SIEM systems. Sigma rules translate and standardize threat-detection practices, making them accessible and reusable regardless of the SIEM platform in use.

Sigma rules are written in YAML syntax, which is human-readable and easy to implement. Once you have written a Sigma rule, you can convert it to a format that fits your target SIEM or platform using an online converter, sigma-cli, or pySigma. You can also find more information on our blog about Sigma Rules.

Manually converting Sigma rules to a SIEM-specific context is a troublesome and tiring process. As mentioned earlier, pySigma can be used to automate this task. pySigma is a pipeline framework that provides an API for each Sigma backend to transform, convert, and format a Sigma rule.

Pipeline Framework

A pipeline framework, in the realm of software engineering, is conceptualized as a series of sequential processing elements—such as processes, threads, coroutines, or functions. These elements are meticulously organized so that the output of one element seamlessly becomes the input for the next. This concept draws its analogy from physical pipelines in infrastructure, where the flow is directed from one point to another without interruption.

At its core, a pipeline framework embodies a comprehensive suite of tools, strategies, and methodologies. Its primary aim is to automate, streamline, and effectively manage complex workflows or processes. This is particularly advantageous in fields like software development and data processing, where tasks need to be executed in a specific sequence or depend on particular prerequisites to proceed.

Furthermore, pipeline frameworks are often synonymous with CI/CD pipelines, standing for Continuous Integration/Continuous Deployment. These specialized pipelines are integral to automating successive stages of software delivery, including but not limited to code compilation, testing, packaging, and deployment. By doing so, they ensure a consistent, efficient, and error-minimized flow throughout the software development lifecycle.

Detection as Code with BAS

Validating security rules can be a bit tricky because it's hard to find real-world examples, automating threat simulations in a safe environment is challenging, and integrating everything into existing pipelines takes up a lot of time.

However, there's a solution to these problems – using a Breach and Attack Simulation Tool. As shown in the top diagram, Breach and attack simulation can be used in the Simulate Attacks step to Automate. Picus Security Control Validation (SCV) is one such tool that makes it easier to include simulation in your Detection as Code pipeline. This means you integrate the simulation tool into your existing infrastructure, automate the simulation process, and use the results to improve your detection capabilities. When you're checking the results, Detection Analytics come in handy, helping you validate Detection Content with real-world examples. With only Picus SCV, you can automate attacks and check whether the attack is blocked or not, but checking your content is a custom automation process you need to delve into. The below diagram shows the general flow when using only Picus SCV.

Still, as shown on the upper diagram, the Run Detections step needs to be developed manually and checked regularly. But when you bring in Picus Detection Analytics into this picture, real magic happens. You can automate a big part of the validation process with minimal or no coding. Detection Analytics doesn't just look at your threat-related logs; it also checks if your in-house detection content is ready to alert. In this workflow, you only need to keep track of your repository, as the DA takes care of testing your environment against real-life threats. It even gives you insights into professional analyses of potential attacks and detection contents that can catch them.

Picus's detection content development process also adopts a Detection as Code paradigm to thoroughly analyze and provide the best possible detection contents for its users. Taking it a step further, Picus doesn't just evaluate threats against its own detection contents but also utilizes global detection contents for automatic analysis and suggestions. This ensures the best possible detection content for every action in the Picus Threat Library.


In conclusion, Detection as Code stands at the forefront of modern cybersecurity, reshaping the way organizations approach security measures. By transforming security controls into code-based solutions, Detection as Code seamlessly integrates into the software development life cycle, embodying the principles of DevSecOps.

Picus Security Control Validation (SCV) emerges as a valuable tool in the Detection as Code pipeline, enabling the safe and automated simulation of threat scenarios. The integration of Detection Analytics takes this paradigm to new heights by automating a significant portion of the validation process with no or minimal coding. Detection Analytics not only assesses threat-related logs but also evaluates the readiness of in-house detection content to alert against real-world threats.

Picus Blue Team goes beyond by adopting a Detection as Code paradigm in its detection content development process. This involves deep dive analysis and leveraging global detection contents and its own contents for automatic analysis and suggestions. Picus's commitment to continuous evaluation ensures users can trust the detection contents they integrate into their products.

In essence, Detection as Code, coupled with innovative tools and frameworks, exemplifies a proactive and automated approach to cybersecurity. Picus's commitment to this paradigm shows its dedication to providing robust and effective solutions for enhancing cybersecurity infrastructures. As the threat landscape evolves, Detection as Code will become not just a paradigm but a necessity for organizations striving to stay ahead and updated in the ever-changing world of cybersecurity.