Detection Engineer Career Roadmap

Detection engineers build the rules and logic that identify malicious activity in an organization's environment. This role combines deep knowledge of attacker techniques with engineering discipline to create reliable, measurable detection coverage.


What Makes a Great Detection Engineer

Great detection engineers treat detections like software - version-controlled, tested, and measured. They understand attacker tradecraft deeply enough to write rules that catch technique variations, not just specific tools, and they ruthlessly tune out false positives.

Entry Level

$70,000–$90,000

You're learning Sigma rule syntax, understanding log sources, and writing your first detections. Every false positive you investigate teaches you what normal looks like - which is essential for spotting abnormal.

Skills

  • Sigma rule syntax
  • Log source understanding
  • SIEM query basics (KQL/SPL)
  • ATT&CK technique mapping
  • Alert triage feedback loops
  • Windows event ID analysis
  • Log normalization basics

ATT&CK Focus Areas

Execution

Writing your first Sigma rules for script execution and process creation builds detection engineering fundamentals

Command and Scripting Interpreter (T1059), Windows Management Instrumentation (T1047)

Credential Access

Credential theft detections are high-value and teach you to work with authentication log sources

OS Credential Dumping (T1003), Brute Force (T1110)

Certifications

CompTIA CySA+

Threat detection and analysis

250h study · 3yr validity · 50 CPE · $75/yr CE fee

Splunk Core Certified User

SIEM fundamentals

100h study · 3yr validity · Free (retake exam)

Tools

  • Sigma
  • Splunk
  • Elastic SIEM
  • Sysmon

Learning Platforms

  • Sigma HQ documentation
  • TryHackMe (SOC Level 1)
  • Elastic free training

Key Questions to Explore

  • How do I write my first Sigma detection rule?
  • What is the detection engineering lifecycle?


Mid Level

$100,000–$140,000

You're measuring detection coverage against ATT&CK, testing detections in lab environments, and building CI/CD pipelines for detection-as-code. Your work directly reduces the mean time to detect threats.

Skills

  • Detection coverage analysis
  • False positive tuning
  • Lab-based detection testing
  • Telemetry gap analysis
  • Detection-as-Code (CI/CD)
  • Log source onboarding
  • Threat intel-informed detection

ATT&CK Focus Areas

Defense Evasion

Building detections for evasion techniques - process injection, log tampering - catches sophisticated attackers that evade basic rules

Process Injection (T1055), Indicator Removal (T1070)

Persistence

Measuring detection coverage against ATT&CK persistence techniques reveals your most critical visibility gaps

Scheduled Task/Job (T1053), Registry Run Keys (T1547.001)

Certifications

GCIA

Network traffic analysis and intrusion detection

350h study · 4yr validity · 36 CPE · $479/yr

Tools

  • Sigma CLI
  • YARA
  • Atomic Red Team
  • ATT&CK Navigator
  • Uncoder.io

Learning Platforms

  • SANS SEC555
  • Detection engineering blogs (Florian Roth, Jared Atkinson)
  • Atomic Red Team labs

Key Questions to Explore

  • How do I measure detection coverage against ATT&CK?
  • What's the process for testing detections in a lab?


Senior Level

$145,000–$185,000

You're designing the detection engineering program - setting prioritization frameworks, defining metrics, and collaborating with CTI and IR teams to ensure detections stay aligned with the real threat landscape.

Skills

  • Detection program strategy
  • Threat-informed detection prioritization
  • Detection metrics and reporting
  • Cross-team collaboration (CTI/IR)
  • Detection maturity model development

ATT&CK Focus Areas

Lateral Movement

Designing detection strategies for post-compromise movement requires correlating events across multiple log sources

Remote Services (T1021), Use Alternate Authentication Material (T1550)

Command and Control

C2 detection engineering - DNS tunneling, protocol abuse, beaconing patterns - is among the most impactful and technically demanding work

Application Layer Protocol (T1071), DNS (T1071.004)

Certifications

GSOM

Security operations management

300h study · 4yr validity · 36 CPE · $479/yr

CISSP

Security leadership and governance

400h study · 3yr validity · 40 CPE · $125/yr AMF

Tools

  • Detection-as-Code pipelines
  • Custom detection frameworks
  • Purple team platforms

Learning Platforms

  • Detection engineering conferences (BSides, Blue Team Summit)
  • Purple team exercises
  • Open-source detection repos

Key Questions to Explore

  • How do I build a detection engineering program from scratch?
  • How do I prioritize detections using threat intelligence?


Resources

Books

  • Crafting the InfoSec Playbook by Jeff Bollinger, Brandon Enright & Matthew Valites
  • Applied Network Security Monitoring by Chris Sanders & Jason Smith

Communities

  • Sigma HQ GitHub
  • Detection Engineering Weekly (newsletter)
  • r/blueteamsec

Podcasts

  • Detection at Scale
  • Darknet Diaries
  • SANS Internet Stormcast
