Detection mechanisms
Modern security platforms layer four families of detection logic on top of each other. (Detection logic: the rule, model, or heuristic that decides whether a given input fires an alert. The logic that produced the alert matters as much as the alert it produced; two engines can name the same alert for very different reasons.) Each family is good at something specific and blind to something else. Used together they cover far more ground than any one of them could on its own. When an alert arrives, the first question an analyst asks is which family fired, because that single fact reshapes the rest of the investigation.
The four families at a glance
Signature-based
Pattern matching against known indicators. Fast, precise, useless against anything novel.
Anomaly-based
Statistical deviation from a behavioral baseline. Catches the unknown. Noisy during change.
Rule-based
Expert-defined conditional logic combining multiple indicators. Tunable, auditable, demanding to maintain.
Behavioral analytics
Multi-event sequence analysis across users, hosts, and time. Built for stealth attacks.
Trust calibration
Each family produces signals with a different default confidence level. Knowing the family is how the analyst calibrates trust before the investigation begins.
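As an added illustration (not part of the original page), the four families above and the per-family trust calibration run side by side over a handful of constructed events in Python: each detector is a minimal stand-in for its family, and the event fields, indicator list, baseline history and default confidence values are all assumptions of this example. The same events show where each family fires and where it stays blind.

```python
import statistics
from collections import defaultdict
# Constructed sample events (not from any real system); field names are this example's assumptions.
EVENTS = [
    {"t": 1, "user": "alice", "hour": 9,  "src": "10.0.0.5",    "action": "login",    "hash": "f1",   "bytes": 120},
    {"t": 2, "user": "alice", "hour": 9,  "src": "10.0.0.5",    "action": "read",     "hash": "f2",   "bytes": 130},
    {"t": 3, "user": "bob",   "hour": 10, "src": "10.0.0.9",    "action": "login",    "hash": "f3",   "bytes": 110},
    {"t": 4, "user": "bob",   "hour": 10, "src": "10.0.0.9",    "action": "exec",     "hash": "BAD1", "bytes": 125},
    {"t": 5, "user": "carol", "hour": 3,  "src": "203.0.113.7", "action": "login",    "hash": "f4",   "bytes": 115},
    {"t": 6, "user": "carol", "hour": 3,  "src": "203.0.113.7", "action": "escalate", "hash": "f5",   "bytes": 118},
    {"t": 7, "user": "carol", "hour": 3,  "src": "203.0.113.7", "action": "read",     "hash": "f6",   "bytes": 9000},
]
KNOWN_BAD_HASHES = {"BAD1"}                                  # constructed indicator list
BASELINE_BYTES = [110, 120, 125, 130, 115, 118, 122, 128]    # constructed "normal" history
CONFIDENCE = {"signature": 0.9, "rule": 0.7, "behavioral": 0.6, "anomaly": 0.4}  # assumed defaults

def signature(events):
    """Exact match against curated indicators: precise, but blind to anything not on the list."""
    return [e["t"] for e in events if e["hash"] in KNOWN_BAD_HASHES]
def anomaly(events, baseline, z=3.0):
    """Flag transfers more than z standard deviations from the baseline; drifts if the baseline shifts."""
    mu, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    return [e["t"] for e in events if sd and abs(e["bytes"] - mu) / sd > z]
def rule(events):
    """Analyst-written condition combining two indicators: off-hours login AND non-corporate source."""
    return [e["t"] for e in events if e["action"] == "login"
            and not 8 <= e["hour"] <= 18 and not e["src"].startswith("10.0.")]
def behavioral(events, window=10):
    """Per-user sequence login -> escalate -> read within `window` time units (events assumed time-ordered)."""
    pattern, by_user, hits = ("login", "escalate", "read"), defaultdict(list), []
    for e in events:
        by_user[e["user"]].append(e)
    for user, seq in by_user.items():
        stage, start = 0, None
        for e in seq:
            if start is not None and e["t"] - start > window:
                stage, start = 0, None                   # window expired, restart the match
            if e["action"] == pattern[stage]:
                start, stage = (start if stage else e["t"]), stage + 1
                if stage == len(pattern):
                    hits.append((user, e["t"]))
                    stage, start = 0, None
    return hits

def triage(events):
    """Tag every alert with the family that fired it and that family's default confidence."""
    fired = {"signature": signature(events), "anomaly": anomaly(events, BASELINE_BYTES),
             "rule": rule(events), "behavioral": [t for _, t in behavioral(events)]}
    return sorted((t, fam, CONFIDENCE[fam]) for fam, ts in fired.items() for t in ts)
```

Only the signature engine sees the known-bad hash at t=4, only the rule sees the off-hours external login at t=5, and the final large read at t=7 is caught twice, by the anomaly and behavioral engines, each carrying its own default confidence.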
Next up
Signature-based (reference)
The oldest and most precise of the four families: deterministic pattern matching against curated indicators of compromise. Read on demand when a signature alert fires, or skim now if signatures dominate your alert volume.