As a security executive, how do you know if your organization can detect a certain attack? A talented, experienced team armed with advanced tooling can certainly generate confidence — but even then, detections can slip through the cracks if not properly codified.
Detection as code — an emerging approach to detection engineering that involves a continuous cycle of developing, testing, and refining detections — is one of the most effective ways to maintain complete coverage across the security landscape. Our annual report, State of Security 2025: The stronger, smarter SOC of the future reveals that 63% of respondents want to frequently or always adopt detection as code in the future. However, only 35% have implemented the approach to that extent, indicating a gap between desire and reality.
Besides an initial upfront investment of time and resources, there’s another possible explanation for that gap: while detection as code has clear benefits for practitioners in the SOC, executives may be left questioning, ‘Is this worth it?’ Detection as code does deliver incredible value across the business — but organizations must first be in a position to reap those rewards.
Detection engineering is more of a science than an art. Yet without a process to codify a SOC’s detections, leaders are often forced to resort to rough estimates when asked about coverage. While an endpoint detection and response (EDR) tool can provide valuable coverage, for example, it often misses custom business applications and SaaS products. Without knowing your exact coverage, threats can easily slip through the cracks.
Detection as code removes the guesswork by enabling the SOC to see exactly what detections have coverage — and the precise conditions in which that detection works and doesn’t work. Without detection as code, that would be an increasingly complex task when testing against multiple dependencies, such as different types of input data, platform versions, and versions of plugins that would transform the data. Detection as code involves codifying each detection through documentation that is both human and machine readable in a single location. And once your environment and detection content is described in code, analysts can use automation to do the heavy lifting of testing and reporting. In fact, over half (52%) of respondents in State of Security 2025 said that detection as code unlocked the ability to automate workflows.
Automated workflows can boost efficiency in the SOC — an exciting concept for overworked analysts. But that’s also music to the ears of any executive who needs to communicate their organization’s security coverage to the board. Detection as code enables both practitioners and executives to ask questions about that codified data and get accurate information about its coverage, and even map each detection to a framework such as MITRE ATT&CK.
Detection as code is centered around specialized processes and workflows. So it’s inevitable that the way detection engineering teams operate will change when detection as code is introduced — especially since 46% of teams frequently or always rely on out-of-the-box vendor detections with their internal analysts fine-tuning them, according to State of Security 2025. So for most organizations, detection as code will require a cultural shift — and cultural changes are difficult because they involve ingrained habits and ways of working.
A detection as code initiative is more likely to succeed if an organization is already implementing best practices that enable continuous improvement and adaptability — two key principles of detection as code.
For a SOC to effectively transition to and benefit from detection as code, cultivating these foundational practices is essential:
Implement a continuous feedback loop. Having a feedback loop for detections ensures that analysts are systematically thinking about the bigger picture rather than operating on an ad hoc basis. A typical workflow for detections is to research, detect, monitor, and deploy. Mature detection engineering teams understand how threats work, how detections provide visibility into those threats, and whether the detection will generate false positives. Once the detection is in production, they continually research any gaps that exist — or even better, automate research through more complex testing designed to break detection logic. Less mature teams, on the other hand, may create detections on an emergency basis and test in production — both signs that point to reactivity.
Leverage a code repository. Relying on a code repository such as Git, rather than an Excel sheet or Jira, encourages analysts to think like developers, since they merge and commit code just as developers do. This is an important mindset to adopt because detection as code relies on DevSecOps principles, like continuous monitoring and improvement. Code repositories also provide critical operational benefits: they offer clear audit trails of who made detection changes and when, allow conditional triggers for CI jobs to support automation, and preserve revision history, making it easy to revert broken detections when needed. Version control systems also more easily enable collaboration, which is another crucial skill for teams that adopt detection as code.
Document everything. Detection as code isn’t simply about codifying the detections; it’s about improving that detection when something in the environment — whether it’s the data, the configuration, or the detection itself — inevitably changes. Documentation and written reports help teams to understand those changes and adapt accordingly. And the most mature detection engineering teams rely on detection as code to automatically generate that documentation.
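A minimal version of what the three practices above produce, as an added example that is not part of the original post or Splunk’s own tooling: a detection codified as data together with its MITRE ATT&CK mapping and its own positive and negative test events, a test function a CI job can run on every commit, and an ATT&CK coverage report generated only from rules whose tests pass. The rule, field names and events are constructed for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Detection:
    """One codified detection: logic, ATT&CK mapping and its test cases in one place."""
    name: str
    attack_ids: list       # MITRE ATT&CK technique IDs this rule gives coverage for
    data_source: str       # the normalized log the rule expects (documentation only)
    condition: dict        # field -> regex; every field must match (logical AND)
    must_fire: list = field(default_factory=list)      # true-positive test events
    must_not_fire: list = field(default_factory=list)  # benign events that must not fire

    def matches(self, event: dict) -> bool:
        # A missing field is a data or normalization problem and never a match.
        return all(
            f in event and re.search(rx, str(event[f]), re.IGNORECASE) is not None
            for f, rx in self.condition.items()
        )


def run_tests(det: Detection) -> list:
    """Return failure messages; an empty list means the rule still behaves as documented."""
    failures = []
    for ev in det.must_fire:
        if not det.matches(ev):
            failures.append(f"{det.name}: missed true positive {ev}")
    for ev in det.must_not_fire:
        if det.matches(ev):
            failures.append(f"{det.name}: false positive on {ev}")
    return failures


def attack_coverage(dets: list) -> dict:
    """Technique ID -> names of rules that cover it; only rules passing their tests count."""
    cov = {}
    for d in dets:
        if not run_tests(d):
            for tid in d.attack_ids:
                cov.setdefault(tid, []).append(d.name)
    return cov


# Constructed sample rule (hypothetical field names and events, not from the original post).
ENCODED_POWERSHELL = Detection(
    name="encoded_powershell", attack_ids=["T1059.001"], data_source="endpoint_process",
    condition={"process_name": r"powershell(\.exe)?$",
               "command_line": r"\s-(e|enc|encodedcommand)\s"},
    must_fire=[{"process_name": "powershell.exe",
                "command_line": "powershell.exe -NoP -EncodedCommand UGxhY2Vob2xkZXI="}],
    must_not_fire=[{"process_name": "powershell.exe", "command_line": "powershell.exe -File backup.ps1"},
                   {"process_name": "cmd.exe", "command_line": "cmd /c -enc x"}],
)
```

Because the tests travel with the rule, a later edit that narrows the regex shows up as a failed CI job and drops the rule from the coverage report, instead of silently leaving a gap in production.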
Building a mature detection engineering team isn’t a checklist to rush through. It’s a journey, with each best practice building on and enabling the other. When security teams embrace the principles that detection as code relies upon, they can more easily unlock the benefits that the approach provides — and there are plenty.
To learn more about how teams grapple with gaps in detection quality and reap the benefits of detection as code, download the State of Security 2025 report.
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.