█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/NIST Cybersecurity Framework/Detect
35 minIntermediate

Detect

After this lesson, you will be able to: Apply Detect: monitoring, anomalies, continuous monitoring.

Detect is about visibility and time-to-aware. The faster you know something's wrong, the smaller the blast radius.

Prerequisites:Protect

Detect categories

Anomalies & Events (DE.AE), baseline behavior, detect deviations. Security Continuous Monitoring (DE.CM), endpoint, network, personnel monitoring. Detection Processes (DE.DP), defined, tested, communicated.

💡 MTTD

Mean Time To Detect. Industry average: 200+ days (per Mandiant M-Trends). Mature orgs: <24 hours. The gap is where damage compounds.

Building detection capability

  1. 1

    1. Centralize logs (SIEM).

  2. 2

    2. Define detection use cases (mapped to MITRE).

  3. 3

    3. Tune false positives ruthlessly.

  4. 4

    4. Test detections (purple team / Atomic Red Team).

  5. 5

    5. Measure MTTD per use case.

  6. 6

    6. Hunt for what alerts miss.

Detect ≠ alerts

Alerts are reactive. Hunts and threat models are proactive. Mature Detect includes both.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Protect
Back to NIST Cybersecurity Framework
Respond→