Attackers are compressing timelines from hours to minutes. Most SOCs are still stitching context together across three tabs and a ticket.
On June 17, we're showing the full lifecycle, from first alert to staged response, with AI agents handling triage, enrichment, and investigation live. Prizes too.
Save your seat: go.es.io/4ahK4D9
🚨 New Challenge Live! #140 Threat Detection Engineer
Attackers are using the most stealthy techniques to bypass your SIEM… Can you catch it using real logs and multi-language rules (Sigma / SPL / KQL / EQL)?
SOCLabs’ latest detection challenge is now live!
A complete attack chain in a real environment, built for those who want to become top-tier Threat Detection Engineers.
🔥 Test your detection logic right now
👉 soc-labs.top/en/detections/1…
Master this challenge and truly earn your Detection Engineer title! 🔥
#Cybersecurity #DetectionEngineering #BlueTeam #InfoSec
Just open-sourced: Detection Rule Bypass Analyzer (SKILL) 🔥
A specialized AI-powered tool for Detection Engineers and SOC Analysts.
It helps you:
• Identify blind spots in detection rules for system command execution
• Assess bypass risks
• Generate realistic bypass test cases
• Suggest stronger rule logic to reduce false negatives
Stop guessing if your rules can be evaded.
Repo: github.com/DetectEng-SOCLabs…
Stars, feedback, and contributions welcome!
#DetectionEngineering #SIEM #Splunk #CyberSecurity #BlueTeam
We've just launched the new macOS Challenges section on SOCLabs!
A lot of macOS credential theft attacks rely on simple social engineering. Attackers use osascript to display fake authentication dialogs that look identical to real system prompts. Once the user enters their password, the attacker unlocks the Keychain and dumps saved browser passwords, cookies, and more.
If you're practicing detection rules, this Medium difficulty challenge gives you real logs to work with. Give it a try!
Link in comments 👇
#DetectionEngineering #macOS #BlueTeam #Infostealer
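The post describes the two observable steps of this technique: an `osascript` dialog with a hidden-answer (password) field, then a Keychain read from the same user shortly afterwards. The following is an added example, not SOCLabs' challenge material; it runs detection logic over constructed process-execution events whose field names (`ts`, `user`, `image`, `cmdline`) are an assumption standing in for whatever your EDR or log pipeline exports.

```python
"""Detect fake osascript password prompts followed by Keychain reads.

Added example (not from the SOCLabs challenge). Event schema and sample
events are constructed; adapt the field names to your own telemetry.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
EVENTS = [
    {"ts": "2025-06-01T10:00:01", "user": "alice", "image": "/usr/bin/osascript",
     "cmdline": ("osascript -e 'display dialog \"macOS needs to update keychain "
                 "settings. Enter password:\" default answer \"\" with hidden answer "
                 "with icon caution'")},
    {"ts": "2025-06-01T10:00:09", "user": "alice", "image": "/usr/bin/security",
     "cmdline": 'security find-generic-password -ga "Chrome"'},
    {"ts": "2025-06-01T11:30:00", "user": "bob", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"Build finished\"'"},
    {"ts": "2025-06-01T12:00:00", "user": "carol", "image": "/usr/bin/security",
     "cmdline": "security list-keychains"},
]

# A dialog that collects text with "with hidden answer" is a password prompt;
# "display dialog" alone is used by plenty of legitimate automation.
PROMPT_RE = re.compile(r"display\s+dialog.*?with\s+hidden\s+answer", re.I | re.S)

# `security` subcommands that return or export secret material.
KEYCHAIN_READ = {"find-generic-password", "find-internet-password",
                 "dump-keychain", "export"}


def is_fake_password_prompt(cmdline: str) -> bool:
    """True when an osascript command line renders a hidden-answer dialog."""
    return bool(PROMPT_RE.search(cmdline))


def is_keychain_read(image: str, cmdline: str) -> bool:
    """True when /usr/bin/security is invoked with a secret-reading subcommand."""
    if not image.endswith("/security"):
        return False
    tokens = cmdline.split()
    subcmd = tokens[1] if len(tokens) > 1 else ""
    return subcmd in KEYCHAIN_READ


def detect(events, window: timedelta = timedelta(minutes=5)):
    """Return findings: every fake prompt, plus any Keychain read by the same
    user within `window` of that user's most recent fake prompt."""
    findings = []
    last_prompt = {}  # user -> datetime of the last fake password prompt
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["image"].endswith("/osascript") and is_fake_password_prompt(ev["cmdline"]):
            last_prompt[ev["user"]] = ts
            findings.append({"rule": "osascript_fake_password_prompt",
                             "user": ev["user"], "ts": ev["ts"]})
        elif is_keychain_read(ev["image"], ev["cmdline"]):
            seen = last_prompt.get(ev["user"])
            if seen is not None and ts - seen <= window:
                findings.append({"rule": "keychain_read_after_fake_prompt",
                                 "user": ev["user"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The first rule fires on its own; the second only fires when a Keychain read follows a prompt from the same user, which is the sequence that separates a credential-theft attempt from an admin running `security` by hand. Tune the window and the subcommand set to what your fleet actually does.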
This read highlights a practical shift in SecOps: combining LLM-driven natural language queries with deterministic MCP toolchains to automate MITRE coverage checks across fragmented rule formats. detecteng.com/detection-work…
The Self-Improving Agent and TIP: How ThreatClawer Builds Detections and Ships Features While I… by Hatim (threadlinqs-cmd) detecteng.com/the-self-impro…
Nearly 65% of orgs are experimenting with AI agents, but fewer than 25% have deployed them in production.
2026 is the year that changes, especially in security operations.
Here's what an Agentic AI SOC actually does differently 🧵
↳ It doesn't just alert you — it correlates signals into full attack chains
↳ It doesn't just detect — it contains, with closed-loop automated response
↳ It doesn't just act — it explains every decision with a traceable reasoning trail
The shift: from managing alerts → neutralizing attacks.
Copilot = passenger. Agent = driver.
Read the full breakdown below.
Headline: Can you detect silent execution via cmd.exe?
🕵️‍♂️ Attackers love using /b and /min flags to hide their tracks. But as a Detection Engineer, you should know exactly where these traces live in the logs.
🚀 New Challenge: CMD Hidden Window Execution
🛠️ Tech: Sysmon | T1564
🔗 Take the challenge: soc-labs.top/en/detections/1…
#DetectionEngineering #BlueTeam #CyberSecurity #SOCLabs #SigmaRules
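Sysmon does not record whether a window was shown, so the trace the post refers to is the `CommandLine` field of Event ID 1, where the `/min` and `/b` switches of cmd's `start` builtin appear. The following is an added example, not the challenge's own rule or logs: it parses constructed Sysmon-style records and reports which hidden-window flags follow a `start`, while ignoring the unrelated `/b` of `dir` and the word "restart".

```python
"""Flag cmd.exe command lines that launch a process via `start /min` or `start /b`.

Added example (not from the SOCLabs challenge). The records below are
constructed Sysmon Event ID 1 style dictionaries, not real telemetry.
"""
import re

SYSMON_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start /min /b C:\Users\Public\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "start /MIN notepad.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir /b C:\temp"},          # /b belongs to dir
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "Build" /min build.bat'},  # quoted title
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo hello"},
]

# `start` as a standalone word (not "restart", not a path component),
# followed by its arguments up to the next command separator.
START_RE = re.compile(r"(?<![\w\\])start\b(?P<args>[^&|]*)", re.I)
HIDDEN_FLAGS = {"/b", "/min"}


def hidden_start_flags(cmdline: str) -> set:
    """Return the subset of {'/b', '/min'} applied to a `start` in `cmdline`.

    start's syntax is: start ["title"] [switches...] command, so only the
    leading switch tokens after the optional quoted title are considered.
    """
    flags = set()
    for m in START_RE.finditer(cmdline):
        args = re.sub(r'^\s*"[^"]*"', "", m.group("args"))  # drop window title
        for tok in args.split():
            if not tok.startswith("/"):
                break  # reached the command being launched
            if tok.lower() in HIDDEN_FLAGS:
                flags.add(tok.lower())
    return flags


def detect_hidden_window(events):
    """Return (CommandLine, sorted flags) for cmd.exe events using hidden-window switches."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("cmd.exe"):
            continue
        flags = hidden_start_flags(ev["CommandLine"])
        if flags:
            hits.append((ev["CommandLine"], sorted(flags)))
    return hits


if __name__ == "__main__":
    for cmdline, flags in detect_hidden_window(SYSMON_EVENTS):
        print(flags, cmdline)
```

Matching on the switch position rather than on a bare `/b` substring is what keeps `dir /b` out of the results; the same parsing idea carries over to a Sigma `command_line|re` condition once you have settled on the pattern.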
NEW CHALLENGE: Chrysalis Backdoor Detection! 🚨
Rapid7 just unveiled a sophisticated Chrysalis Backdoor, leveraging Notepad supply chain, custom obfuscation (Warbird!), and advanced DLL sideloading.
Reading about it is one thing. Detecting it is another.
We've recreated the attack in a real-world environment and built a hands-on lab to test your SIEM rules against this APT. Can you craft the logic to unmask this stealthy threat?
👉 Challenge #136 is LIVE. Prove your skills:
soc-labs.top/en/detections/1…
#DetectionEngineering #ThreatHunting #MalwareAnalysis #APT #ChrysalisBackdoor #BlueTeam #SIEM
🔎 Rapid7 Labs, alongside our MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group #LotusBlossom.
Find a deep technical analysis of the custom backdoor 'Chrysalis', Notepad, Warbird, and more in our latest blog: r-7.co/4kaerPA
Spent weeks staring at LDAP filters and attributes. Completely missed SDFlags sitting right there in my logs.
When I finally noticed it, everything clicked 😈
Part 3 is up!
huntress.com/blog/ldap-activ…
We tested publicly available detection rules for Windows process masquerading in a real-world challenge environment.
The result? Most failed to achieve acceptable detection rates.
Can your detection logic stand up to real attacks?
🚀 Take the challenge: soc-labs.top/en/detections/1…
#DetectionEngineering
An interesting project on finding rootkits with timing methods. Attentive admins can actually see system impacts with stealth rootkits on Linux. I covered this idea in a much cruder way in a recent presentation. Top is no rootkit vs. rootkit on bottom with a find command.
This is nice - Detection of #Linux rootkit file hiding activities through analysis of shifts in kernel function execution times github.com/ait-aecid/rootkit…
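The idea behind the linked project, as the title states it, is that a rootkit hooking the file-listing path adds work, and that work shows up as a shift in execution time. The following is an added example, not the project's code: it models the idea at user level by timing `os.listdir` on a directory and comparing a fresh sample against a recorded baseline with a robust (median/MAD) shift test. The kernel-function instrumentation the project describes is out of scope here; the statistics are the part this shows.

```python
"""Timing-shift check for a file-listing path, as an added example.

Not the ait-aecid project's code. Baselines are recorded on a known-clean
host; a later sample whose median lands far above the baseline median
(in robust standard deviations) is reported as shifted.
"""
import os
import statistics
import tempfile
import time


def time_listing(path: str, samples: int) -> list:
    """Wall-clock nanoseconds for each of `samples` directory listings of `path`."""
    timings = []
    for _ in range(samples):
        t0 = time.perf_counter_ns()
        os.listdir(path)
        timings.append(time.perf_counter_ns() - t0)
    return timings


def robust_z(baseline: list, value: float) -> float:
    """Distance of `value` from the baseline median in MAD-scaled units.

    Median and MAD are used instead of mean and stdev because syscall timings
    are heavy-tailed: a few scheduler hiccups must not widen the baseline.
    """
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline) or 1.0
    return (value - med) / (1.4826 * mad)  # 1.4826 makes MAD comparable to stdev


def timing_shifted(baseline: list, sample: list, threshold: float = 5.0) -> bool:
    """True when the sample's median sits more than `threshold` robust
    standard deviations above the baseline median (a one-sided test: a
    hook only ever adds time)."""
    return robust_z(baseline, statistics.median(sample)) > threshold


if __name__ == "__main__":
    # Demo on a constructed directory; on a real host you would persist the
    # baseline from a clean boot and re-sample periodically.
    with tempfile.TemporaryDirectory() as d:
        for i in range(200):
            open(os.path.join(d, f"f{i}"), "w").close()
        time_listing(d, 50)                       # warm caches
        baseline = time_listing(d, 500)
        sample = time_listing(d, 100)
        print("baseline median ns:", statistics.median(baseline))
        print("sample   median ns:", statistics.median(sample))
        print("shifted:", timing_shifted(baseline, sample))
```

Re-sample the same directory size each time so that only the code path, not the workload, can move the median; and expect the threshold to need tuning per host, because frequency scaling and cache state move baselines too.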