Generate, test, and deploy detections as code
Write in Sigma, your SIEM's native language, or let AI generate rules for you. Import existing rules — auto-converted to Sigma for portability. Test live, deploy with approval, and roll back in one click.
Rule sources
Four ways to get detection rules
Threat intelligence feed
Ready-to-use detections for trending and novel threats. Applicability filtering shows what's relevant to your environment.
AI-generated rules
Describe what you want to detect. AI generates the rule and tests. Review, edit, and approve before anything ships.
Your own repository
Bring your existing rules, use our standard rules repository, or start from scratch. Everything is detections as code.
Import & convert
Import existing rules from your SIEM. They're auto-converted to Sigma so they become portable across platforms — or keep them in their native language with a per-rule toggle.
Live testing
Test detections on your actual SIEM
Define or generate tests, then run them live against your SIEM — in code with the CLI or in the web UI. See results before any rule reaches production.
- Positive and negative test cases generated with every rule
- Run tests from the CLI or web UI — your workflow, your choice
- Quality, performance, and validity analysis with improvement suggestions
    # Validate rules locally
    $ csctl validate
    ✓ 12 rules valid

    # Preview what will change
    $ csctl push -dry-run
    + webshell-upload-detection (new)
    ~ lateral-movement-smb (modified)

    # Push and deploy — tests run automatically
    $ csctl push -deploy -m "Add webshell detection"
    ✓ 4/4 tests passed
    ✓ Deployed to splunk · rollback available
Deployment pipeline
From commit to production with guardrails at every step
Validate
Syntax, schema, and query correctness checked locally and server-side
Test
Positive and negative tests run live against your SIEM before anything ships
Approve
Peer review with impact preview — projected alerts, noise, and cost delta
Deploy
Push to your SIEM in monitoring mode first, then promote to active
Monitor
Track noise ratio, alert volume, and health — rollback in one click if needed
    # .github/workflows/detections.yml
    $ csctl validate
    ✓ 14 rules valid, 0 warnings
    $ csctl push -deploy -m "Sprint 42: webshell + kerberoasting"
    Running tests...
    ✓ webshell-upload: 3/3 passed (2 positive, 1 negative)
    ✓ kerberoasting: 4/4 passed (2 positive, 2 negative)
    Submitting for approval...
    ⏳ Waiting for approval (1 required)
    ✓ Approved by alice@corp.com
    ✓ Deployed to splunk (monitoring mode)
    ✓ Deployed to sentinel (monitoring mode)
Sigma compilation
Write Sigma, compile to any SIEM
Author detections in Sigma and auto-compile to Splunk SPL, Sentinel KQL, CrowdStrike IOA, and Rapid7 LEQL. Or write directly in your SIEM's native language — per-rule language choice means you're never locked in.
- Sigma-to-SIEM compilation with translation diffs — review exactly what ships per platform
- Portability scores flag rules that don't translate cleanly
- Drift detection catches rules modified directly in the SIEM
    $ csctl diff
    webshell-upload-detection
    source: sigma

    splunk (SPL):
    + | where uri_path LIKE "%/uploads/%.php"
    + | stats count by src_ip, uri_path

    sentinel (KQL):
    + | where csUriStem contains "/uploads/"
    + | summarize count() by cIP, csUriStem

    crowdstrike:
    ~ Custom IOA rule group updated

    Portability: 92% (all platforms supported)
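As an added example that is not part of this page or of the product's own code, the following toy compiler in Python renders a single-selection Sigma detection into the Splunk SPL and Sentinel KQL shapes shown in the diff above, produces a per-platform translation diff between two versions of the rule, and computes a simple portability score. The rule dicts, the generic-field-to-SIEM-field mappings, the partial modifier tables and the use of the rule's `fields` list as the group-by are all constructed for illustration; a real compiler such as pySigma handles far more of the Sigma specification.

```python
import difflib

# Constructed Sigma detections, already parsed from YAML into dicts.
# Simplification: one selection, implicit condition, and the rule's
# "fields" list doubles as the group-by of the aggregate.
WEBSHELL_V1 = {"selection": {"c-uri|contains": "/uploads/"}, "fields": ["c-ip", "c-uri"]}
WEBSHELL_V2 = {"selection": {"c-uri|contains": "/uploads/", "c-uri|endswith": ".php"},
               "fields": ["c-ip", "c-uri"]}
REGEX_RULE = {"selection": {"c-uri|re": r"/uploads/.*\.php$"}, "fields": ["c-ip"]}

# Toy backends: generic Sigma field -> SIEM field, plus the modifiers each
# toy backend implements. Field names mirror the csctl diff above; the
# modifier tables are deliberately partial (no regex for the toy Splunk
# backend) so that a portability miss is visible.
BACKENDS = {
    "splunk": {
        "fields": {"c-uri": "uri_path", "c-ip": "src_ip"}, "and": " AND ",
        "equals": lambda f, v: f'{f}="{v}"',
        "contains": lambda f, v: f'{f} LIKE "%{v}%"',
        "endswith": lambda f, v: f'{f} LIKE "%{v}"',
        "agg": lambda fs: "stats count by " + ", ".join(fs),
    },
    "sentinel": {
        "fields": {"c-uri": "csUriStem", "c-ip": "cIP"}, "and": " and ",
        "equals": lambda f, v: f'{f} == "{v}"',
        "contains": lambda f, v: f'{f} contains "{v}"',
        "endswith": lambda f, v: f'{f} endswith "{v}"',
        "re": lambda f, v: f'{f} matches regex "{v}"',
        "agg": lambda fs: "summarize count() by " + ", ".join(fs),
    },
}

def compile_rule(rule, backend):
    """Compile one selection into a two-line where/aggregate pipeline."""
    b = BACKENDS[backend]
    clauses = []
    for key, value in rule["selection"].items():
        field, _, modifier = key.partition("|")      # "c-uri|contains"
        render = b.get(modifier or "equals")
        if render is None:
            raise ValueError(f"{backend}: modifier {modifier!r} not supported")
        clauses.append(render(b["fields"][field], value))
    group_by = [b["fields"][f] for f in rule["fields"]]
    return ["| where " + b["and"].join(clauses), "| " + b["agg"](group_by)]

def translation_diff(old, new, backend):
    """Compiled-query lines that change on one platform when the rule is edited."""
    return [line for line in difflib.ndiff(compile_rule(old, backend), compile_rule(new, backend))
            if line[0] in "+-"]

def portability(rule):
    """Percent of backends that compile the rule with no unsupported modifier."""
    ok = 0
    for name in BACKENDS:
        try:
            compile_rule(rule, name)
            ok += 1
        except ValueError:
            pass
    return round(100 * ok / len(BACKENDS))
```

Running `translation_diff(WEBSHELL_V1, WEBSHELL_V2, "splunk")` shows exactly the SPL `where` line that changes, while `portability(REGEX_RULE)` drops to 50 because the toy Splunk backend has no `re` modifier.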
Rules workspace
Edit, test, and save detection rules
Work directly in the code editor with syntax highlighting, guardrails, and browser-side saves before you deploy.
Not your role?
- MITRE coverage, noise dashboards, ROI calculator
- CISOs & Compliance: Audit trails, AI governance, SOC2/NIS2 alignment
- In-House SOC: Governed deploys, noise budgets, multi-SIEM parity
- MSSPs & MDRs: Multi-tenant waves, delegated RBAC, fleet health
- Regulated EU: GDPR/NIS2 mapping, EU-first deployment, compliance packs