
Saturday September 12, 2026 10:30am - 11:30am CDT
You have 400 detection rules in production. Your ATT&CK coverage heatmap looks great in a board deck. But how many of those rules actually fire when the technique executes today, not when they were written 18 months ago?
If you can't answer that, you don't have coverage. You have promises.
This talk tackles the gap between deploying detections and proving they work. Detection rules silently break all the time: schema changes, parser updates, log source drift, over-tuning. Nobody notices because false negatives are completely invisible. No one complains when an alert doesn't fire. You only find out during an incident review or a red team engagement, and by then it's too late. Most detection engineering content focuses on writing better rules or building more coverage, but almost nobody is asking the harder question: how do you know the rules you already wrote still work?
The answer is detection regression testing: running known-good attack simulations against deployed rules on a continuous, automated basis and alerting when they stop firing. This session walks through an open-source pipeline (sigma-regression-testing on GitHub) that automates the full lifecycle. Write vendor-agnostic Sigma detections. Convert and deploy to Splunk via REST API. Map each rule to a specific Atomic Red Team test. Run automated suites that produce pass/fail reports. Every step runs in GitHub Actions CI/CD with zero manual intervention after a detection merges.
Beyond the tooling, this talk introduces detection SLAs: measurable commitments like "this rule fires within 5 minutes of execution" and "100% of Priority 1 ATT&CK techniques have a passing regression test at all times." They transform detection programs from vague coverage claims into defensible, auditable engineering practices.
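To make the pass/fail and SLA logic concrete, here is an added example (not code from the talk or from the sigma-regression-testing project) of the evaluation step that would sit at the end of such a pipeline: each deployed rule is mapped to an atomic test, the alerts a SIEM search returned after the test ran are checked against a 5-minute SLA window, and the Priority 1 "100% passing" commitment is reported. Rule ids, atomic test labels and timestamps are constructed placeholders; the ATT&CK technique ids are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SLA_WINDOW = timedelta(minutes=5)  # "this rule fires within 5 minutes of execution"

@dataclass(frozen=True)
class RegressionCase:
    rule_id: str       # Sigma rule id (constructed placeholder)
    technique: str     # ATT&CK technique the rule is meant to detect
    atomic_test: str   # Atomic Red Team test mapped to the rule (constructed label)
    priority: int      # 1 = Priority 1 technique, must always have a passing test

def evaluate_case(case, executed_at, alerts):
    """Pass/fail one rule. `alerts` is a list of (rule_id, fired_at) tuples as a
    SIEM search would return them after the atomic test ran at `executed_at`."""
    fired = [t for rid, t in alerts if rid == case.rule_id and t >= executed_at]
    if not fired:  # the silent false negative: nothing fired, nobody complained
        return {"rule": case.rule_id, "technique": case.technique,
                "priority": case.priority, "status": "FAIL", "reason": "no alert fired"}
    latency = min(fired) - executed_at
    status = "PASS" if latency <= SLA_WINDOW else "FAIL"
    return {"rule": case.rule_id, "technique": case.technique, "priority": case.priority,
            "status": status, "reason": f"fired after {int(latency.total_seconds())}s"}

def run_suite(cases, executed_at, alerts):
    """Evaluate every mapped rule and report whether the Priority 1 SLA holds."""
    results = [evaluate_case(c, executed_at, alerts) for c in cases]
    p1 = [r for r in results if r["priority"] == 1]
    p1_passing = sum(r["status"] == "PASS" for r in p1)
    return {"results": results, "p1_passing": p1_passing,
            "p1_total": len(p1), "p1_sla_met": p1_passing == len(p1)}

# Constructed sample data: three deployed rules and the alerts a SIEM returned.
T0 = datetime(2026, 9, 12, 10, 30)
CASES = [
    RegressionCase("rule-a", "T1059.001", "atomic-a", 1),
    RegressionCase("rule-b", "T1053.005", "atomic-b", 1),
    RegressionCase("rule-c", "T1547.001", "atomic-c", 2),
]
ALERTS = [
    ("rule-a", T0 + timedelta(minutes=2)),   # healthy: fires inside the SLA window
    ("rule-b", T0 + timedelta(minutes=7)),   # degraded: fires, but too late for the SLA
    # rule-c never fires: a broken rule that coverage heatmaps would still count
]

if __name__ == "__main__":
    report = run_suite(CASES, T0, ALERTS)
    for r in report["results"]:
        print(f'{r["status"]} {r["rule"]} ({r["technique"]}): {r["reason"]}')
    print("Priority 1 SLA met:", report["p1_sla_met"])
```

In a CI job the report dict is what would fail the build or page the on-call: a rule that fires late counts as a failure just like one that never fires.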
Attendees will leave with a working framework they can clone and deploy immediately, along with a concrete methodology for measuring detection health and identifying blind spots. Everything shown is running in production. The code is public. The pipeline is real.


Speakers

Tyler Casey

Detection Engineer, SCYTHE
Tyler Casey is a seasoned Cyber Professional with over a decade of experience in Defensive Cyber Operations (DCO). Currently serving as Lead Detection Engineer and Deputy of SCYTHE Labs at SCYTHE, Tyler specializes in developing and implementing robust defensive cybersecurity measures...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk
