If you're working in a SOC, and you need to be able to detect the threat actors, their tools and techniques (TTPs), all that make up the #threatlandscape relevant to your company, its vertical, region etc., then how do you know that you are in fact able to detect everything you should be able to? This is called detection coverage and it used to be impossible to measure. No more.

How do you build detection coverage?

How do you gain visibility on your detection coverage?

How do you maintain firm control over your detection estate over time, even when your unicorns leave the team?

Can you actually build detection capability without a SIEM?

How do you make your #redteam and your #CTIteam force multipliers for your #detectionengineering team?

Can multiple #SOC teams collaborate and become force multipliers for each other?

How do you collect the right CTI data and then make it actionable for the real customers of it?

Find out answers to all of these questions and so much more at the #BSidesLuxembourg2026 #DetectionEngineeringVillage!

Early bird tickets still available, a few more days on pretix https://pretix.eu/BSidesLux/2026/

Know any good #detectionengineering who aren't white males? Please propose, wanna follow them! :)

ShadowHS highlights a shift in Linux malware toward fileless, operator-driven tradecraft.

Key observations include in-memory loaders, encrypted payloads, argv masquerading, SSH-based lateral movement, and exfiltration over non-standard user-space channels. Detection depends more on behavioral signals than traditional signatures.

How are teams adapting Linux monitoring for memory-resident threats?

Source: https://cyberpress.org/shadowhs-spreads-across-linux/

Follow @technadu for measured, research-driven security insights.

#InfoSec #LinuxThreats #MalwareResearch #DetectionEngineering #CyberDefense #TechNadu

I've released my new course:
Practical Threat Hunting for Beginners

Larn the core knowledge and practical skills required to perform effective threat hunting in real-world environments.

https://academy.bluraven.io/course/practical-threat-hunting-for-beginners

#ThreatHunting #detectionengineering

Released v1.3.3. of #Yaralyzer, my surprisingly popular tool for visualizing YARA rule matches with colors (a lot of colors).

1. --export-png images lets you export images of the analysis

2. almost all command line options (including multi argument ones like --yara-rules-dir) can be permanently set via environment variables or .yaralyzer file

3. couple of small bug fixes and debugging related command line options

You can try it on the web here: https://yaratoolkit.securitybreak.io/
(I didn't build this website, Thomas Roccia from Microsoft just integrated Yaralyzer into his existing site)

- Github: https://github.com/michelcrypt4d4mus/yaralyzer
- Pypi: https://pypi.org/project/yaralyzer/
- on macOS you can also get it with #Homebrew by installing Pdfalyzer: brew install pdfalyzer

#ascii #asciiArt #blueteam #cybersecurity #detectionEngineering #DFIR #forensics #FOSS #GPL #hacking #infosec #KaliLinux #maldoc #malware #malwareAnalysis #malwareDetection #openSource #pypi #python #redteam #reverseEngineering #reversing #Threatassessment #threathunting #YARA #YARArule #YARArules

As AI adoption in SOCs accelerates, benchmarks are becoming de facto decision tools — yet many still evaluate models in controlled, exam-like settings.
Recent research highlights consistent issues:
• Security workflows reduced to MCQs
• Little measurement of detection or containment outcomes
• Heavy reliance on LLMs judging other LLMs

These findings reinforce the need for workflow-level, outcome-driven evaluation before operational deployment.

Source: https://www.sentinelone.com/labs/llms-in-the-soc-part-1-why-benchmarks-fail-security-operations-teams/

Thoughtful discussion encouraged. Follow @technadu for practitioner-focused AI and security analysis.

#SOC #ThreatHunting #AIinInfosec #LLMs #SecurityResearch #DetectionEngineering

It looks like #BSidesLuxembourg will have a #detectionengineering village. If that’s something you want to contribute to, please be in touch asap as we start defining what that will be implemented as asap

#bsides

Hunting MongoBleed (CVE-2025-14847): https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847

#mongobleed #threathunting #detectionengineering

‼️We are introducing a tool for the first time…

🔨Hefaistos - AI assisted Detection-as-Code platform

📅 We are starting on January 31, 2025

Details and waiting list here - https://blog.dcg420.org/from-static-template-to-dynamic-forge-bringing-the-dcg420-standard-to-life-for-the-detectioniers-db4298e6bf22

#Detection #Detectionengineering #Detectionascode #DaC #Hefaistos

I'm @ #39c3. If you like to talk about #blueteam topics you can reach me via DECT 7544 or DM. I would love to brainstorm about a #sovereign SOC stack. #detectionengineering #difr

How data science can boost your detection engineering maintenance and keep you from herding sheep: https://medium.com/falconforce/how-data-science-can-boost-your-detection-engineering-maintenance-and-keep-you-from-herding-sheep-8713b7220776

#datascience #securityoperationsCenter #detectionengineering

It's been a bit light on news over the last 24 hours, but we've got some significant updates on law enforcement actions against cybercriminals and an interesting development in ransomware capabilities. Let's dive in:

Law Enforcement Cracks Down on Ransomware and ATM Jackpotting ⚖️
- Two former cybersecurity professionals, a manager of incident response and a ransomware negotiator, pleaded guilty to participating in ALPHV/BlackCat ransomware attacks, causing over $9.5 million in losses and highlighting the insider threat risk.
- A Ukrainian national pleaded guilty to involvement in Nefilim ransomware attacks, which targeted high-revenue companies in the US and Europe, with authorities still actively pursuing a co-conspirator and offering an $11 million reward.
- The US Department of Justice has indicted 54 individuals linked to the Venezuelan Tren de Aragua (TdA) terrorist organisation for a multi-million dollar ATM jackpotting scheme using Ploutus malware, with $40.73 million lost since 2021.

🤫 CyberScoop | https://cyberscoop.com/incident-responders-plead-guilty-ransomware-digitalmint/
🤫 CyberScoop | https://cyberscoop.com/nefilim-ransomware-artem-stryzhak-guilty-plea/
📰 The Hacker News | https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html

RansomHouse Levels Up Its Encryption Game 🛡️
- The RansomHouse ransomware-as-a-service (RaaS) operation has upgraded its encryptor to a new variant, dubbed 'Mario', moving from a simple linear technique to a more complex, multi-layered, two-stage encryption process.
- 'Mario' introduces dynamic chunk sizing at an 8GB threshold, intermittent encryption, and uses complex mathematics to determine processing order, making static analysis and reverse engineering significantly more difficult.
- These enhancements provide stronger encryption results, faster speeds, and better reliability, increasing the leverage for threat actors during post-encryption negotiations.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ransomhouse-upgrades-encryption-with-multi-layered-data-processing/

#CyberSecurity #ThreatIntelligence #Ransomware #LawEnforcement #Cybercrime #ATMJackpotting #Malware #InfoSec #IncidentResponse #DetectionEngineering

I strongly recommend anyone looking to learn hands-on detection engineering or threat hunting (or even seasoned vets looking to sharpen their skills) to attend DEATHcon. I’ve been running through the workshops during my holiday breaks and it’s one of the most hands-on conferences I have attended. Build a VM and connect to the deathcon network via tailscale to play with all sorts of log types to cut your teeth on. The course is well run, speakers are super responsive to requests via their discord channel, and the hosts gratefully keep the infra up through the end of the year so you can practice at your own pace. They also ran a RMM rodeo competition which resulted in a whole bunch of new RMM tools getting pulled into to the main LOLRMM project. My only regret is I haven’t worked through all the workshops because there are so many. Tickets went super fast for 2025, so be sure to grab one as soon as they go up for sale in 2026! You cannot beat the price for both the quantity and quality of material you receive.

https://deathcon.io/

#threatintelligence #cti #threathunting #detectionengineering #soc

Rethinking Benign Alerts: A New Perspective for Detection Engineering: https://detect.fyi/rethinking-benign-alerts-a-new-perspective-for-detection-engineering-525f701d66b7

#detectionengineering

Measuring Malice: When Being ‘Almost Right’ Is Exactly Wrong: https://detect.fyi/measuring-malice-when-being-almost-right-is-exactly-wrong-abbdbe2ca7c7

#detectionengineering

Introducing the DRAPE Index: How to measure (in)success in a Threat Detection practice?: https://detect.fyi/introducing-the-drape-index-how-to-measure-in-success-in-a-threat-detection-practice-154fd977f731

#detectionengineering #threatdetection

If you're doing #ActionableCTI or #detectionengineering -> submit to the @BSidesLuxembourg CFP, we are brewing something really interesting for you!

Help us build an awesome event this upcoming May!

Submit to our CFP, help us get our villages, workshop day and talk tracks over 2 days to be awesome!

Maybe a cloudsec village or cloud track?

We're seriously trying to build a #detectionengineering village or track.

How about AI security?

An offensive village?

We already got some promising submissions - 2 villages proposed and under evaluation (Car hacking, CTI).

Despite the promising title of this blog post by John Vester 'Why the MITRE ATT&CK Framework Actually Works', its a load of crock.

You can't and shouldn't use MITRE #ATT&CK to prove any sort of detection coverage or 'strong points'. At best, you can prove total absence in certain subtechniques.

If you want to do any sort of data driven #detectioncoverage you need #OpenTide -> there's no way around it.

https://levelup.gitconnected.com/why-the-mitre-att-ck-framework-actually-works-29ac26d2d20c

ATT&CK is still ♥️ 😍 tho.

#SOC #blueteam #detectionEngineering

November’s @THOR_Collective Dispatch Debrief is live with SCADA weirdness, Taylor’s Version SOC vibes, and purple team chaos.

Come thrunt with us.

https://dispatch.thorcollective.com/p/dispatch-debrief-november-2025

#threathunting #cybersecurity #thrunting #soc #blueteam #detectionengineering #incidentresponse #cyberdefense #aiinsecurity #agenticai #scada #otsecurity #purpleteam #grc #peakframework #THORcollective #dispatchdebrief