Now available: the 2025 State of Detection Engineering at Elastic

The 2025 State of Detection Engineering at Elastic explores how we create, maintain, and assess our SIEM and EDR rulesets.

We’ve been working hard at Elastic Security Labs! We've just published a brand new report: the 2025 State of Detection Engineering at Elastic. This report gives readers an exclusive look into the work of developing and maintaining our pre-built SIEM Detection rules and Endpoint Protection Behavior rulesets.

In this report, you'll get an inside look at how we work to keep our users protected and gain valuable insights into the world of detection engineering, like:

  • How we analyze real-world threats, like the CUPS vulnerability and Windows Local Privilege Escalation.
  • Our robust rule development strategies, including automation and the Detection Engineering Behavioral Maturity Model (DEBMM).
  • Enhancements to Elastic Security through integration enrichments with AWS, Okta, and more.
  • Our internal metrics and evaluation processes for ensuring rule effectiveness.
  • Our partnership with the Elastic Global Threat Report and our future plans, including AI threat detection.

This report represents a full year of our detection engineering efforts, from October 2023 to October 2024. We chose this timeframe to capture our work following the 2023 Elastic Global Threat Report and gather enough data to identify meaningful patterns.

We collected and analyzed all the contextual data from an entire year's worth of detection engineering efforts to build out the story of what we do and how we do it. Security Labs threat research publications, GitHub metadata from activity across our rules repos, alert telemetry, and operational metric data are all used to both guide and assess our detection engineering efforts. We also conducted a series of interview-style conversations with the threat researchers, detection engineers, and developers behind the data. We wanted to dive deep into the specifics and capture the details of the processes behind the outputs (detection rules, threat research articles, etc.) that our customers see. Then we put these details together to create a cohesive story that might benefit the larger community.

We’re pulling back the curtain on our detection engineering practices, going beyond the traditional survey-style State of Detection Engineering report. By revealing this information — information that security tool creators often keep private — we aim to demonstrate our commitment to our users and reinforce the fact that you are not alone in your security journey. We’re right here with you, every step of the way.

The discussion continues

Elastic Security Labs is dedicated to providing in-depth research to the security community — whether you’re an Elastic customer or not. By sharing the details of how we manage and leverage the Elastic Security solution, we hope to spark a broader conversation around detection engineering and encourage the community to hold our work accountable. If you’re interested in a broader look at the report, you can check out the blog on Elastic.

Download the free report, and join the conversation!