Workshop Information:

Title: Finding the Needle: An Introduction to Detection Engineering

Time (Pacific): 1300-1700

Location: Acacia B

Cost per person: $0 (FREE)

To attend you must purchase a [TDI Ticket] AND [A Workshop “General Admission” ticket AND the add-on for this workshop]


Attendees should bring their own laptop, with 16GB+ RAM, and 50GB of available hard drive space.

Attendees should be comfortable with either Python 3 or Golang, including core language syntax and the execution environment of their preferred language.

Presenter(s): Kathy Zhu, and Troy Defty,

Kathy Zhu

Having worked in the security industry for 8+ years, Kathy is currently a Security Engineering Tech Lead in the detection space at Google. Her interest and experience is in detection engineering and software development. Outside of work, she also enjoys running, the outdoors, and reading.

Troy Defty

Following over a decade in the UK and Australian InfoSec industries, including an 8 and a half year stint in red teaming, Troy jumped the proverbial fence from red to blue, and is currently a Security Engineering Manager at Google. His interest and experience is in detection engineering, red teaming, threat modeling, hardware, and assessing ICS environments. Other interests include music, electronics, the outdoors, travel, rugby, CTF, and making piano-related noise.


As defenders, we are always outnumbered, but we are by no means outmaneuvered. Attackers may hide in the haystack of haystacks, but with scalable detection logic, efficient coding practices, a thorough investigation methodology, and a reasonable corpus of computing, we can still determine which haystack to look within, and subsequently find the needle.

This is often made possible by a detection pipeline. And knowing how detection pipelines work, and the role each component plays, can help us write more efficient, more accurate detections to make life hard for the attacker. By reducing the attacker’s window of opportunity, whilst making the subsequent investigation easier for the would-be analyst, we can maintain a strong defensive position, forcing the attacker to burn significantly more resources in an attempt to make progress.

This workshop will run attendees through implementing a simple detection pipeline in code, and some basic detection rules, to understand how to:

  • Ingest and normalize arbitrary log data, and make such data available for downstream detection rules
  • Implement detection logic, to isolate potentially malicious behaviour
  • Enrich log data with more context, aiding investigation
  • Draw relationships from individual log entries, to reduce investigative noise.