Detection as Code

Security detections were authored and maintained directly within the SIEM, resulting in tightly coupled, stateful configuration that was difficult to review, test, or scale. Detection logic lacked version control, clear ownership, and consistent deployment workflows, increasing the risk of regressions and limiting collaborative development. With duplication and overlapping alerts a particular issue.

Architected and implemented a Detection-as-Code framework for the security team, treating detections as structured software artifacts rather than SIEM-native configuration. Designed a standardised YAML schema for detections and built automation to extract requirements from Jira issues, package them into version-controlled repositories, and deploy them through CI pipelines. The platform enforced consistency, enabled peer review, and decoupled detection authoring from the SIEM UI, allowing detection engineering to scale using established software development practices.

Introduced version control, code review, and repeatable deployment to detection engineering workflows. Reduced operational risk by making detection changes auditable, reproducible, and easier to reason about. Established a foundation for scaling detection development across teams while maintaining consistency and governance.