As web attacks grow more sophisticated, security teams find themselves having to react at a moment’s notice. Said differently, the traditional, reactive approaches are no longer sufficient and do not provide adequate protection. What’s needed is agility, precision, and scale - exactly what detection-as-code is built to deliver.
In a recent webinar hosted by CyberRisk Alliance, a panel of security experts examined how modern detection strategies, particularly those that treat security rules as code, can enhance threat detection and response. At the heart of the discussion was Fastly’s WAF Simulator, a powerful example of how detection-as-code can be applied to real-world security workflows.
What is Detection-as-Code?
Detection-as-code is a modern approach to security that treats detection logic, like WAF rules or SIEM alerts, as code. Instead of managing rules manually in a UI, detection engineers utilize tools such as Git, CI/CD pipelines, and automated testing to write, validate, and deploy rules. This brings software development best practices, such as version control, peer review, and test automation, into the realm of security operations.
The result is a more scalable, reliable, and collaborative approach to managing detections, enabling teams to respond faster to threats and maintain consistency across complex environments.
From Static Rules to Iterative Defense
One of the key themes throughout the one-hour webinar was the difference between off-the-shelf detection rules and customized, context-aware detection engineering. As Fastly’s Senior Security Engineer Mark Young noted, “You can’t really protect what you don’t understand.” Starting with vendor-provided rules may seem like a quick win, but they often generate a fair amount of noise, or worse, miss critical threats. Tailoring detection logic to your environment, use cases, and applications is not just a best practice - it’s essential.
Fastly’s Staff Cyber Security Engineer, Gary Harrison, expanded on that point by emphasizing the value of strong internal relationships: “We work closely with security architects and product teams to identify where risks lie, and we apply detective controls accordingly. It’s about translating external threat intelligence into internal relevance.”
A DevSecOps Mindset for Detection
The three Fastly panelists drew a clear parallel between detection-as-code and modern software development. Good detection engineering starts with a hypothesis: a clear understanding of what you want to detect and why. From there, it follows a lifecycle of data validation, rule creation, evasion testing, simulation, refinement, and deployment.
Fastly’s WAF Simulator plays a key role in this cycle. It enables teams to test both true and false positive cases against their own rules, thereby reducing alert fatigue and increasing confidence in automated responses. Said Fastly’s Security Researcher Simran Khalsa: “Running simulations isn’t just about seeing what gets through - it’s also about proving what shouldn’t trigger an alert.”
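As an added illustration of the test-and-simulate step described above (example code written for this recap, not Fastly’s WAF Simulator or its rule format): a small Python harness that stores two hypothetical rules as data, normalizes percent-encoding before matching so encoded variants are judged like their literal form, and runs a constructed suite of requests that must alert next to requests that must stay quiet, so a CI job fails on either a missed detection or a false positive.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Hypothetical rule set, kept as data so it can live in Git and be peer
# reviewed like any other code. Rule ids and patterns are constructed here.
RULES = {
    "traversal-001": re.compile(r"(?:^|/)\.\.(?:/|$)"),        # dot-dot path segments
    "sqli-union-001": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}

def normalize(path: str) -> str:
    """Decode percent-encoding twice and lowercase, so the evasion-testing
    step sees single- and double-encoded payloads the same as plain ones."""
    return unquote(unquote(path)).lower()

def evaluate(path: str) -> set[str]:
    """Return the ids of every rule the (normalized) request path triggers."""
    p = normalize(path)
    return {rid for rid, rx in RULES.items() if rx.search(p)}

@dataclass
class Case:
    path: str
    expect: set[str] = field(default_factory=set)  # empty set = must NOT alert

# Constructed test suite: true positives (must alert) and benign requests
# that resemble attacks (must stay quiet) sit side by side.
CASES = [
    Case("/files/../../etc/passwd", {"traversal-001"}),
    Case("/files/..%2F..%2Fetc/passwd", {"traversal-001"}),            # encoded
    Case("/files/%252e%252e%252f%252e%252e%252fetc/passwd", {"traversal-001"}),  # double-encoded
    Case("/api/v1/..", {"traversal-001"}),
    Case("/search?q=1 UNION SELECT 1", {"sqli-union-001"}),
    Case("/docs/how-to-reunion-selection", set()),   # no word boundary before 'union'
    Case("/static/app..min.js", set()),               # dots that are not a path segment
    Case("/blog/union-select-committee", set()),      # hyphen, not whitespace
]

def run_suite(cases=CASES) -> list[str]:
    """Run every case; return readable failures (an empty list means the suite passes)."""
    failures = []
    for c in cases:
        got = evaluate(c.path)
        if got != c.expect:
            kind = "missed detection" if c.expect - got else "false positive"
            failures.append(f"{kind}: {c.path!r} expected {sorted(c.expect)} got {sorted(got)}")
    return failures

if __name__ == "__main__":
    problems = run_suite()
    print("\n".join(problems) if problems else "all detection tests passed")
```

Wiring `run_suite()` into a pipeline step that fails the build on a non-empty result gives each rule change the same gate a code change gets.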
Automation and Feedback Loops
Adopting a detection-as-code workflow unlocks powerful opportunities for automation. From auto-disabling noisy rules to triggering alerts when data sources run dry, to integrating feedback loops from incident post-mortems, teams can drive continuous improvement and responsiveness.
“Every incident is a learning opportunity,” Gary Harrison shared. “If something gets missed, we go back and ask: Why didn’t our detection catch it? How can we close that gap?” This mindset of constant refinement aligns with DevOps principles, fostering operational maturity in security engineering.
When to Start Using Detection-as-Code
Not every organization needs a full detection-as-code pipeline on day one. But the moment you find yourself losing context, struggling to manage rule changes, or drowning in false positives, that’s your signal.
“Start small,” advised Simran Khalsa. “Begin with a single team or use case. Measure impact. Build momentum. And above all, store your detections in a versioned location. Even a basic Git repo gives you traceability and collaboration that spreadsheets never will.”
The Future of Security Operations
Detection-as-code isn’t just a buzzword. It’s a necessary evolution in how we secure modern systems at a time when attacks are more sophisticated than ever. By adopting development best practices and treating detections like software, security teams can keep pace with changing threats, reduce risk, and respond faster – without sacrificing accuracy or control.