Report by Anvilogic
2025 State of Detection Engineering
Key Findings
76% said Understanding/mapping attack frameworks is the most valuable skill for their detection engineering workforce.
88% believe AI will impact detection engineering in the next 3 years. 45% are using AI in their detection engineering efforts today.
45% said Reducing false positives is a detection engineering program area that needs the most improvement.
45% said Alert enrichment is a skill that needs development for their detection engineering workforce.
34% said Anomaly-based detection type is the most effective.
71% said resource and time constraints are a challenge of building/maintaining custom detections.
52% said Data engineering is a skill that needs development for their detection engineering workforce.
42% of detections are custom-built, 37% are vendor-provided, and a smaller percentage are from open-source. Only 2% rely solely on vendor-provided detections.
38% said Accuracy of detection rules is a detection engineering program area that needs the most improvement.
45% of organisations have already integrated AI into their detection workflows, and 88% of participants believe AI will play a major role in detection engineering in the next three years.
Most detection engineers fall into the mid-career range.
67% said Behaviour-based detection type is the most effective.
41% said Signature-based detection type is the most effective.
43% of detection engineers are using AI primarily for anomaly detection.
43% said Correlation-based detection type is the most effective.
41% said Lack of skilled personnel is a challenge of building/maintaining custom detections.
36% said Streamlining workflows is a detection engineering program area that needs the most improvement.
54% said Lack of flexibility in customisation is a challenge of vendor-provided detections.
93% of organisations are using or planning to implement automation in their workflows.
74% said Triage & incident response is the most valuable skill for their detection engineering workforce.
46% said Detection-as-code, CI/CD is a skill that needs development for their detection engineering workforce.
56% of detection engineers update their detection rules and processes daily or weekly. 30% of organisations update rules only when needed, quarterly, or even annually.
43% said Improving turnaround time for developing and deploying a detection is a detection engineering program area that needs the most improvement.
39% said Automation of detection tasks is a detection engineering program area that needs the most improvement.
34% said Collaboration between teams is a detection engineering program area that needs the most improvement.
43% said Threat intelligence-driven detection type is the most effective.
Top activities detection engineers enjoyed the most: Developing detection rules: 33%.
Top activities detection engineers enjoyed the least: Metrics and reporting: 41%.
67% of detection engineers reported strong leadership buy-in.
44% said scripting/programming languages are a skill that needs development for their detection engineering workforce.
60% of detection engineers work on a dedicated team. This is more pronounced in enterprises with over 5,000 employees, where 70% have dedicated detection engineering teams, compared to 49% in small and medium-sized organisations.
54% of organisations position their detection engineering function as a dedicated team within security operations.
58% of detection engineers report full integration and collaboration with incident response teams.
67% said processing/querying languages are the most valuable skill for their detection engineering workforce.
53% said Threat modelling is a skill that needs development for their detection engineering workforce.
47% said Reporting/visualisation is a skill that needs development for their detection engineering workforce.
47% said Software engineering is a skill that needs development for their detection engineering workforce.
45% said Log pipeline monitoring and health is a skill that needs development for their detection engineering workforce.
93% of detection engineers are using or planning to use automation in their detection engineering workflow. 63% have automation already in place.
64% said High false positive rate is a challenge of vendor-provided detections.
61% said issues with accuracy in their environment are a challenge of vendor-provided detections.
53% said Complexity of threat landscape is a challenge of building/maintaining custom detections.
49% said Difficulty in validating effectiveness is a challenge of building/maintaining custom detections.
Investment in Detection Engineering: 80% of surveyed detection engineers stated their organisations are putting real money behind detection engineering. Among large enterprises (5,000+ employees), this investment rises to 85%.
45% report having adequate access to all the data feeds/logging required to meet their threat detection objectives. For enterprise organisations, 58% lack access or aren’t sure if they have the right logging.