This roadmap provides a phased view of how the detection engineering program will mature over time.
The roadmap is intended to guide program growth from foundational structure to a governed, measurable, and scalable detection engineering capability.
The roadmap is designed to:
- establish a strong foundation first
- prioritize structure before scale
- improve quality before volume
- align content growth to measurable outcomes
- support future automation without skipping governance
Establish the initial structure for a formal detection engineering program.
- repository structure
- executive documentation
- strategy and process documentation
- governance baselines
- detection-as-code starter content
- ATT&CK coverage starter artifacts
- tracking matrix and triage guide foundations
- proposal and executive summary
- program charter
- operating model
- lifecycle documentation
- naming, severity, and tagging standards
- starter Sentinel detections
- tracking matrix
- starter triage guides
A structured program repository exists and supports both engineering and leadership use cases.
Improve consistency and quality across all detection content.
- normalize YAML schema across detections
- standardize folder naming
- improve metadata quality
- align rules to ATT&CK and CKC mappings
- strengthen content documentation
- improve ownership visibility
- normalized detection metadata
- consistent rule IDs
- improved severity and lifecycle assignments
- expanded mappings
- updated templates and contribution guidance
Detection content becomes easier to review, manage, and report on.
Create a repeatable process for demonstrating that detections are useful and understandable.
- validation note structure
- sample data organization
- false-positive documentation
- triage guide expansion
- test folder structure
- validation workflow expectations
- validation directories
- validation templates
- documented expected outcomes
- improved triage guides
- rule review checklist enhancements
The program gains stronger confidence in content quality and analyst usability.
Increase meaningful detection coverage based on priority use cases and telemetry availability.
- ATT&CK gap reduction
- data-source-aligned content expansion
- broader use case development
- higher-value tactic coverage
- roadmap prioritization by risk and telemetry
- expanded detections by tactic
- better coverage tracking
- gap closure summary updates
- rule-to-data-source mapping improvements
Coverage becomes more deliberate, visible, and strategically aligned.
Improve the consistency and control of repository operations and review workflows.
- stronger pull request standards
- review discipline
- exception tracking
- change control maturity
- contribution workflow clarity
- lifecycle promotion expectations
- improved review checklists
- refined issue templates
- promotion criteria
- documented change review expectations
The program becomes more governable and easier to maintain over time.
Introduce controlled automation to improve validation and deployment readiness.
- schema checks
- metadata validation
- folder/ID consistency checks
- workflow automation
- future Sentinel deployment support
- reporting automation opportunities
- GitHub Actions validation improvements
- metadata compliance checks
- automated file quality checks
- deployment workflow foundations
The program becomes more scalable and less dependent on manual review alone.
Strengthen leadership visibility and program-level measurement.
- lifecycle reporting
- coverage metrics
- documentation completeness metrics
- roadmap progress tracking
- maturity model alignment
- quarterly reporting cadence
- expanded metrics catalog
- quarterly review artifacts
- maturity updates
- reporting dashboards or summaries
- executive KPI tracking
Leadership gains consistent visibility into program value, progress, and risk.
Expand the program beyond Sentinel into broader detection engineering coverage.
- Splunk content structure
- shared metadata standards
- cross-platform use case alignment
- common reporting framework
- platform-specific implementation guidance
- Splunk detection engineering repository section
- cross-platform taxonomy alignment
- shared governance model
- broader data source catalog
The program evolves from platform-specific content management into a broader detection engineering capability.
Recommended immediate priorities:
- complete foundational documents
- maintain a clean and governed repository structure
- continue standardizing detection content
- improve reporting and governance artifacts
- build a strong framework before scaling content volume further
The long-term goal is to establish a detection engineering capability that is:
- threat-informed
- governed
- measurable
- documented
- scalable
- ready for validation and automation maturity