learntodriveai.dev/Cybersecurity/Multi-Paradigm Detection and Detection-as-Code
Cybersecurity·Project 11·8 units

Multi-Paradigm Detection and Detection-as-Code

**Track:** Cybersecurity

§ Brief

You're building a multi-paradigm detection system for a geothermal energy company in southwest Iceland — three power plants, a district heating network, and an IT/OT boundary that a phishing attack nearly crossed.

The discipline skills: multi-paradigm detection across Sigma, Suricata, osquery, and YARA; detection-as-code with version control, test suites, and pre-commit hooks; ATT&CK coverage mapping to identify where detection exists, where gaps remain, and where multiple paradigms corroborate; and unified observability across network, host, and application layers.

The AI-direction lesson: four detection paradigms means four sets of conventions, four failure modes, and four independent streams of AI output. AI generates rules for each paradigm without considering how they relate to each other — which techniques each paradigm is responsible for, where coverage overlaps for corroboration, and where gaps are deliberate decisions. The strategic coordination is yours. At this point, context architecture is a design problem: what belongs in persistent engagement memory versus session-only context, what each delegated agent receives, and what gets curated versus accumulated. An offensive agent that receives defensive context conflates perspectives. Uncurated auto-memory accumulates debt. The information environment you design determines the quality of everything AI produces across the engagement.

Your Role

You are designing a detection architecture where four technologies each cover what the others miss. The IT/OT boundary is the primary terrain. No templates for the overall approach — you decide which paradigm covers which attack technique and where gaps remain as deliberate decisions.

You manage AI across four detection paradigms, each with different conventions. You design the information environment AI works in.

What's New

Last time you ran a full security assessment for a regional public transit authority in Canada -- advanced reconnaissance, multi-layer exploitation, strategic remediation planning with compliance mapping.

Multi-paradigm detection. You have written Sigma rules since P2. Now you add three more paradigms: Suricata for network traffic, osquery for host-level telemetry, YARA for file pattern matching. Each sees what the others cannot. The same attack produces different evidence at each layer -- and AI generates rules for each paradigm independently without considering how they relate to each other.

Detection-as-code. Managing 20+ detection rules across four paradigms by hand is how you end up with silently failing rules. Version control, test suites, pre-commit hooks -- the engineering discipline that software development learned decades ago, applied to detection rules.

ATT&CK coverage mapping. For the first time, you map your entire detection system to ATT&CK techniques and see the complete picture: where coverage exists, where gaps remain, and where multiple paradigms catch the same attack from different angles.

Advanced context architecture. Multi-paradigm detection across multiple sessions demands deliberate context design. You decide what persists in engagement memory versus what stays session-only. You scope which context each agent receives. This is the first time context architecture is a design problem, not a background practice.

The hard part: four detection paradigms generate alerts simultaneously. Without strategic coordination, they produce four independent streams with gaps nobody notices and overlaps nobody planned.

Tools

  • Suricata -- network IDS. New for this project.
  • osquery -- host-level endpoint telemetry via SQL queries. New.
  • YARA -- file and memory pattern matching. New.
  • ATT&CK Navigator -- coverage mapping and heatmap visualisation. New.
  • Git -- version control for detection-as-code. Familiar tool, new application.
  • Sigma, Wazuh, Grafana, Loki, Alloy -- detection and monitoring. Continuing.
  • Docker -- lab environment with IT/OT segments and monitoring stack. Continuing.
  • Claude Code, Codex CLI -- multi-agent infrastructure with engagement memory, skills, hooks, MCP connections. Continuing.

Materials

  • Docker environment -- corporate IT network with vulnerable services, OT simulation with SCADA Modbus simulator, IT/OT boundary devices (remote desktop, vendor VPN, USB transfer), and the full monitoring stack. Four network segments.
  • Scope document -- authorised targets, network architecture, IT/OT boundary connections, rules of engagement for critical infrastructure.
  • Suricata rules -- reference rules with correct Suricata syntax for lateral movement and Modbus anomaly detection, plus syslog forwarding configuration.
  • osquery packs -- scheduled query templates for host-level detection, including a deliberately over-broad query as a teaching example.
  • YARA rules -- reference rules for webshell and OT file detection, with test samples (benign and malicious).
  • ATT&CK Navigator template -- empty coverage layer and mapping guide.
  • Detection-as-code repository -- directory structure, test runner skeleton, pre-commit hook configuration, CI example.
  • Engagement memory template -- structured template for cross-session context with persistent and session-only sections.
  • CLAUDE.md -- project governance with IT/OT architecture, work breakdown, detection rule naming convention.