Detections that survive contact
Behavior over strings, tests over hope.
All the visibility in the world is wasted on brittle detections. A detection "survives contact" with a real adversary when it keys on behaviour the attacker cannot cheaply change, not on the incidental details they change in seconds. Match on a file hash, a specific tool name, or an IP address, and the attacker recompiles, renames, or rotates and sails past. Match on the behaviour — a service process spawning a shell, a write to a persistence path, a mass read of SSH keys — and they cannot evade it without abandoning the technique itself.
Test your detections like code
A detection you have never triggered is a hope, not a control — you do not know if it fires, or fires on the right thing, until you test it. Treat detections as code: for each rule, have a way to safely reproduce the behaviour it should catch (an atomic test, a script that performs the benign version of the technique) and confirm the alert fires, and confirm normal activity does not. This is how you avoid the two failure modes — the rule that never fires (a false sense of coverage) and the rule that fires constantly (alert fatigue) — before an incident reveals them.
# test a detection by safely performing the behaviour it should catch$ nginx -c /dev/null -g 'daemon off;' & # (stand-in) then, from that context:$ /bin/sh -c 'id' # a "service spawned a shell" event# → confirm your Falco/audit rule ALERTED. Atomic Red Team scripts systematize this.# a rule you have not fired on purpose is a rule you cannot trust in an incident.
Coverage: map to ATT&CK, mind the gaps
Individual good detections are not the same as coverage. Map your detections to the MITRE ATT&CK techniques relevant to Linux and look for the blind spots — the persistence method you do not watch, the escalation path with no alert. The goal is not a rule for every possible thing (impossible and noisy) but deliberate coverage of the techniques that matter for your environment, with the gaps known and accepted rather than accidental. Detection engineering is a portfolio you curate, not a pile of rules you accumulate.