Welcome to Detection at Scale—a weekly newsletter diving into SIEM, generative AI, cloud-centric security monitoring, and more. Enjoy! If you enjoy reading Detection at Scale, please share!

Data volumes have far outpaced our ability to manually create, tune, and maintain detection rules. As organizations grow, security teams face continued exponential growth in logs and supporting business compliance needs.

Detection as Code (DaC) is a natural solution to this scaling problem—bringing software engineering principles like version control, automated testing, and CI/CD to security monitoring. By treating detection rules as code artifacts rather than configuration items, security teams gained the ability to systematically develop, test, and deploy rules to monitor various environments.

In 2025, AI will become a powerful force multiplier for detection engineers operating at scale. AI promises to reduce operational overhead by automating routine rule creation while amplifying human nuance.

In this post, we'll explore how AI can reshape detection engineering—from translating business requirements into working code to optimizing existing rules and creating novel detections. We'll examine where these capabilities fit into end-to-end pipelines that modern security teams need and how the role of detection engineers will evolve in this AI-augmented future.

The Detection Engineer Copilot

Traditional detection engineering involves writing complex queries against diverse data sources, a process that demands deep knowledge of your security log data, attack patterns, and the specifics of your SIEM platform. As explored in The Anatomy of a High-Quality SIEM Rule, detection rules should be intentional and realistically balance confidence and impact while targeting specific attacker techniques. They also need clear triage steps, proper error handling, and thorough testing across various scenarios. This complexity makes detection engineering a perfect candidate for AI augmentation.

Code Generation and Rule Optimization

Code generation has evolved beyond simple syntax completion to become sophisticated software and detection engineering collaborators. Consider these emerging approaches:

General-purpose AI coding assistants like GitHub Copilot, Cursor, and Claude offer powerful starting points for detection code. They excel at translating natural language descriptions into functional detection logic and can help implement common patterns across different rule languages. For example, a detection engineer might prompt: "Write a detection rule that identifies when a user accesses a production database during non-business hours from an unmanaged device" and receive a complete rule implementation.

However, these general-purpose tools have limitations when working with specific SIEM platforms. They may not understand proprietary data models, the nuances of your environment's log schema, or the performance implications of particular query patterns. Their suggestions often require significant refinement to work effectively in production, such as hefty prompts that include detailed specifications of SIEM rule languages, data models, and more.

Vendor-specific AI tools address these limitations by deeply integrating with their respective platforms. Major SIEM providers have recognized this opportunity and are rapidly deploying specialized assistants:

Splunk's AI Assistant, shown above, breaks down complex SPL queries and explains each component in plain English. This approach helps detection engineers understand the underlying logic while crafting more effective rules.

Meanwhile, Elastic's AI Assistant offers comprehensive ES|QL capabilities, from examples to performance optimization and troubleshooting.

Even cloud-native solutions like Panther are integrating AI capabilities. Consider this example where a simple natural language prompt generates a precise PantherFlow query.

Prompt:

Give me a list of users that've logged into Okta in the last 8h:

Response:

panther_logs.public.okta_systemlog 
| where p_event_time > time.ago(8h) 
| where eventType == "user.session.start" 
| summarize login_count=agg.count() by actor.alternateId
| sort login_count desc

These platform-specific assistants understand their native query languages at a deeper level than general-purpose AI. The most powerful approach combines SIEM platform data, best practices, and log-specific context through retrieval-augmented generation (RAG) systems that understand your unique data sets, existing rules, and past behaviors.

From Business Requirements to Detections

Once you have effective code generation, AI models can bridge the gap between business context and technical implementation.

By combining the details of the business with the people, process, and technology, AI can help brainstorm ways to build new detections that you may not have already directly in your SIEM’s language:

Prompt:

Our developers only deploy code to production through our Jenkins CI/CD pipeline. Create a rule that detects when code changes are made directly to production environments bypassing our deployment workflow.

This process previously required extensive back-and-forth between security teams and business units. This capability also democratizes detection engineering, allowing a broader range of security professionals to create effective rules without deep programming expertise.

Bug Detection, Performance, and Best Practices

Beyond initial code generation, AI that’s nuanced in your system and syntax of choice excels at identifying potential issues in existing detection rules:

• Performance optimization: AI can analyze rules to identify inefficient query patterns, unnecessary field extractions, or costly joins that could be restructured for better performance.

• Logic validation: By simulating different event patterns, AI can identify edge cases where rules might fail to trigger or generate false positives.

• Schema drift: As log formats evolve, AI agents accessing schema data can automatically identify when rules reference deprecated fields.

This capability changes rule maintenance from reactive to proactive. Rather than waiting for performance problems or missed detections, AI can continuously analyze and improve your detection code base.

Every SIEM platform has its own set of best practices and optimization techniques that often exist only in scattered documentation, blog posts, or the minds of experienced practitioners. AI can be used to codify these best practices and apply them automatically during rule creation.

For example, when generating a new rule for AWS CloudTrail logs, an AI assistant might automatically:

1. Include proper error handling for missing fields

2. Implement recommended filtering to improve performance

3. Add context-enrichment logic based on related entities

4. Structure the rule to accommodate future schema changes

5. Generate comprehensive test cases covering various scenarios

This embedded expertise ensures teams with limited platform-specific knowledge can create high-quality detection rules that follow established best practices.

Adapting Rules Across SIEM Platforms

Security teams often operate in multi-SIEM environments or undergo platform migrations—scenarios that require translating detection logic between different query languages. While frameworks like Sigma were designed to provide a common detection language that can be converted to various target platforms, they still require manual mapping and often don't capture the full expressiveness of platform-specific features.

AI offers a more flexible and powerful approach to cross-platform translation. Consider this example of converting a proven Splunk detection rule into Panther's Python-based detection framework.

Prompt:

Convert this Splunk SPL query that detects lateral movement via WMI to a Panther Python detection rule:

index=windows EventCode=4688
CommandLine="*WmiPrvSE.exe*"
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, CommandLine
| where count > 10

Response:

```python

def rule(event):
    # Check if this is the right event type for Windows process creation
    if event.get('EventCode') != 4688:
        return False

    # Check for WmiPrvSE.exe in the command line
    return 'WmiPrvSE.exe' in event.get('CommandLine', '')

def title(event):
    return f"Potential lateral movement via WMI detected by user {event.get('User')}"

# Panther detection configuration:
# - Set threshold to 10 events
# - Group by User across the Enterprise
# - Set time window to 120 minutes

The AI not only translates the core detection logic but also guides how to implement threshold-based alerting in Panther's configuration system. It understands the conceptual differences between SPL's filtering and aggregation pipeline versus Panther's Python-based rule functions.

This translation capability extends to any combination of SIEM platforms—from Elastic's EQL to Microsoft Sentinel's KQL, from Chronicle's YARA-L to AWS Security Lake's SQL. Even more impressive is AI's ability to enhance rules during translation.

Prompt:

This Splunk rule has been effective for us, but generates some false positives. Can you translate it to Panther while adding additional context to reduce false alerts?

Response:

I've converted your Splunk rule to Panther and added several improvements:

1. Enhanced filtering using Panther's deep_get helper for nested fields
2. Added user context lookup to exclude expected admin activities
3. Implemented more precise command line parsing to reduce false positives
4. Added contextual information in the alert title and description to aid triage

Here's the improved Panther implementation:
...

This capability is particularly valuable during security platform migrations. Instead of manually rewriting hundreds or thousands of detection rules—a process that can take months and introduce errors—security teams can use AI to accelerate the translation process while preserving or enhancing the security value of their existing detections.

AI-assisted translation goes beyond simple syntax conversion. The AI understands the intent behind the detection rule and can adapt it to leverage platform-specific strengths, whether that's Splunk's search-time extractions, Elastic's ECS data model, or Panther's Python libraries. This ensures that detections remain effective while taking full advantage of your chosen platform's capabilities.

The Future Detection Engineering Workflow

As AI becomes more integrated into security operations, the role of detection engineers won't disappear—it will evolve. The most effective security teams will successfully blend human expertise with AI capabilities, creating workflows that leverage both strengths.

Traditional detection engineering involves a cycle of research, development, testing, and tuning—with each step requiring significant manual effort. In the AI-augmented future, this workflow will transform dramatically:

Research becomes a collaborative exploration. Instead of detection engineers spending hours reading documentation or threat reports, they'll collaborate with AI to rapidly explore detection possibilities. The conversation might look like this:

Engineer: "Show me potential detections for supply chain compromises in our CI/CD pipeline."

AI: "Based on your environment, I've identified three approaches:
1. Monitoring for unusual commit patterns in your GitHub repositories
2. Detecting modifications to build scripts outside of approved processes
3. Identifying suspicious package dependencies introduced during builds

Which would you like to explore first?"

This collaborative approach allows engineers to explore more detection possibilities in less time, leveraging AI to rapidly prototype different approaches before investing in full implementation.

Development becomes guided refinement. Instead of writing detection code from scratch, engineers will increasingly focus on refining AI-generated implementations. They'll provide business context, adjust detection logic to reduce false positives, and ensure proper integration with response workflows:

Engineer: "This detection for suspicious Office macro execution looks good, but we need to exclude our finance team's approved spreadsheets."

AI: "I'll update the detection to exclude processes matching approved patterns. Here's the revised implementation with a whitelist mechanism that checks against your approved applications list."

This shift lets detection engineers focus on high-value customization rather than basic implementation details. The AI handles routine coding tasks while engineers apply their unique environmental knowledge and business context.

Testing becomes comprehensive and automatic. AI can generate diverse test scenarios that might not occur to human engineers, ensuring more robust detection coverage:

Engineer: "Generate test cases for our new detection rule for AWS privilege escalation."

AI: "I've created 12 test scenarios that cover various privilege escalation techniques:
- Direct policy modification by unauthorized users
- Exploitation of misconfigured service roles
- Temporary credential misuse
- IAM permission boundary bypasses
- ...

Each test includes the expected alerts and potential false positive scenarios."

This comprehensive testing approach identifies edge cases and potential issues before deployment, dramatically improving detection quality and reducing tuning cycles.

Tuning becomes continuous optimization. Rather than waiting for false positives to accumulate or alerts to be missed, AI will continuously analyze detection performance and suggest improvements:

AI: "I've noticed that our detection for unusual login patterns has triggered 27 false positives in the past week. Analysis shows these are primarily related to your sales team accessing the CRM during quarterly closing. Would you like me to update the detection to incorporate this business rhythm?"

This proactive approach to tuning ensures that detection quality improves over time without requiring constant manual intervention.

The AI-Enhanced Detection Engineer

In this evolving landscape, successful detection engineers will shift from being primarily programmers to becoming security architects who guide AI systems. Their value will come from:

1. Business and threat translation: Helping AI understand the specific threats and risks relevant to their organization

2. Environmental context: Providing insights about normal operations, approved workflows, and business processes that AI should account for in detections

3. Quality control and validation: Ensuring AI-generated detections align with security objectives and policy requirements

4. Cross-platform integration: Orchestrating how detections work across multiple security tools and data sources

5. Continuous feedback: Helping AI learn from both successful detections and false positives to improve future performance

This evolution mirrors what we've seen in our "Agents of Change: Building Collective SIEM Intelligence" post, where AI agents and human analysts develop a symbiotic relationship that enhances their capabilities.

Practical Considerations and Challenges

While the future of AI-powered detection engineering is promising, implementing these capabilities today requires careful consideration of several challenges:

Data Quality and Model Limitations

AI-generated detections are only as good as the data and models built upon. Current challenges include:

• Limited understanding of custom environments: AI may not fully grasp unique architectural elements or custom applications without specific training.

• Evolving query languages: As SIEM platforms update their query capabilities, AI must continuously learn new syntax and best practices.

• Incomplete information: Detection generation requires a comprehensive understanding of log formats and data structures, which may not always be available.

• Model bias: AI systems may inherit biases from training data, potentially overemphasizing certain types of threats while missing others or making incorrect assumptions about "normal" behavior patterns.

Teams can mitigate these challenges by starting with well-documented data sources and providing clear examples to AI systems, gradually expanding to more complex scenarios as capabilities mature.

The Role of Human Review

Even the most advanced AI requires human oversight to ensure detection quality. Effective workflows should include:

• Critical review of AI-generated logic: Engineers should understand and validate the reasoning behind detection rules.

• Performance verification: New detections should be tested against historical data and monitored during an initial observation period.

• Security and compliance validation: Human reviewers should ensure AI-generated code follows organizational standards and regulatory requirements.

This oversight ensures that AI remains a powerful tool rather than an unpredictable black box.

Balancing Automation with Expertise

The most successful implementations of AI in detection engineering will find the right balance between automation and human expertise. This typically means:

• Starting with simple, well-defined detection use cases

• Gradually expanding to more complex scenarios as trust builds

• Maintaining human review processes, especially for high-criticality detections

• Creating feedback mechanisms that help AI systems learn from human decisions

This balanced approach ensures that security teams realize the efficiency benefits of AI while maintaining the quality and reliability of their detection capabilities.

The Compounding Value of AI-Powered Detection as Code

The convergence of Detection as Code and artificial intelligence represents a fundamental shift in how security teams approach threat detection. By combining the discipline and rigor of software engineering with the creative capabilities of AI, security teams can build detection systems that scale with the growing complexity of modern environments while maintaining high-quality outputs.

This evolution comes at a crucial time. As organizations accelerate AI adoption, the traditional approach of manually crafting detection rules cannot keep pace. Detection engineers have been among the scarcest resources in security teams—now AI offers a way to multiply their impact across the organization.

The value of AI-powered detection engineering lies in its compounding effects:

1. Knowledge accumulation: AI systems continuously learn from documentation, threat intelligence, and human feedback, becoming more effective with each interaction

2. Cross-pollination of techniques: Detection patterns that work in one context can be automatically applied to other areas of your environment

3. Democratized expertise: Security analysts without deep programming experience can contribute directly to detection engineering through natural language interaction

4. Accelerated adaptation: When new threats emerge or environments change, AI can rapidly generate updated detection logic across multiple platforms

These compounding benefits create a virtuous cycle where detection capabilities improve exponentially rather than linearly, allowing security teams to achieve comprehensive coverage despite resource constraints.

For organizations looking to implement AI-powered detection engineering, the path forward is clear:

• Invest in strong Detection as Code foundations with version control, testing frameworks, and CI/CD pipelines

• Start with targeted use cases where AI can demonstrate immediate value

• Build feedback loops that help AI systems learn from both successes and failures

• Evolve team roles to focus on strategic detection oversight rather than tactical implementation

The future of security operations belongs to teams that successfully blend human expertise with AI capabilities. By embracing this approach, organizations can build detection systems that are more comprehensive, adaptive, and resilient than ever before.

As the security landscape continues to evolve, one thing becomes certain: the combination of Detection as Code with AI assistance will be the foundation upon which the next generation of security monitoring is built. The question is no longer whether AI will transform detection engineering but how quickly security teams will adapt to harness its full potential.