crafted signal
For In-House SOC Teams

Ship governed detections without breaking prod.

Noise budgets, deployment guardrails, and monitoring deploy + rollback built in. Keep rules healthy across Splunk, Sentinel, CrowdStrike, and Rapid7.

Deploy safely

Safe deploy + rollback SLA

Deployment guardrails, monitoring mode, and one-click rollback keep production calm.

Healthy rules

Noise + dead-rule detection

Track noise budgets, stale rules, and parser drift before incidents spike.

One rule, many SIEMs

Translations with diffs

Author once, see platform-specific diffs for Splunk, Sentinel, CrowdStrike, Rapid7.

Pilot in 2 weeks

A narrow, high-signal pilot to prove value

Import 10–30 rules, add positive/negative tests, shadow-eval with projected alerts/costs, then monitoring deploy with rollback SLA.

  • Git-native workflows with csctl
  • Quality gates: lint, tests, AI review, MITRE mapping
  • Approval + change window built into deploy

Pilot checklist (included)

  • Pick the three noisiest rules to fix first
  • Add test fixtures + expected noise budgets
  • Shadow eval and compare against budgets
  • Phased rollout with safe deployment controls

Rule health

Know which rules are working and which need attention

Continuous monitoring catches noisy rules, stale detections, and coverage gaps before they become incidents.

  • Noise ratio per rule — spot alert fatigue before it hits your analysts
  • Stale rule detection — flag rules that haven't fired or been updated
  • Drift detection — catch rules modified directly in the SIEM, outside your workflow
  • MITRE ATT&CK coverage map with suggestions for closing gaps
Rule Health (live)

webshell-upload Healthy · 0.1% noise
brute-force-ssh Noisy · 4.2% noise
lateral-movement-smb Healthy · 0.3% noise
dns-exfiltration Stale · 90 days
Action: Tune brute-force-ssh threshold or add exclusion list
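As an added illustration (not the product's own code), the checks behind a rule-health view like the one above can be written in a few functions: noise ratio from analyst triage verdicts, staleness from the date a rule last fired, drift as a hash mismatch between the reviewed rule body in git and the body deployed in the SIEM, and a promotion gate that lists what the budgets block. The per-rule data, the 1% noise budget and the 60-day staleness threshold are constructed assumptions.

```python
from datetime import date
from hashlib import sha256

# Constructed sample data (hypothetical, not the product's format): analyst triage counts per
# rule, the date it last fired, and the rule body as reviewed in git vs. as deployed in the SIEM.
TODAY = date(2025, 3, 31)
RULES = [
    {"name": "webshell-upload", "alerts": 1000, "false_positives": 1,
     "last_fired": date(2025, 3, 30), "repo_body": "q1", "deployed_body": "q1"},
    {"name": "brute-force-ssh", "alerts": 1000, "false_positives": 42,
     "last_fired": date(2025, 3, 31), "repo_body": "q2", "deployed_body": "q2"},
    {"name": "lateral-movement-smb", "alerts": 1000, "false_positives": 3,
     "last_fired": date(2025, 3, 29), "repo_body": "q3", "deployed_body": "q3"},
    {"name": "dns-exfiltration", "alerts": 12, "false_positives": 0,
     "last_fired": date(2024, 12, 31), "repo_body": "q4", "deployed_body": "q4"},
    {"name": "scheduled-task-create", "alerts": 200, "false_positives": 1,
     "last_fired": date(2025, 3, 31), "repo_body": "q5", "deployed_body": "q5 | where x"},
]
NOISE_BUDGET = 0.01  # assumed budget: at most 1% of a rule's alerts may be confirmed false positives
STALE_DAYS = 60      # assumed threshold: a rule silent this long is flagged for review

def noise_ratio(rule):
    """Share of the rule's alerts that analysts closed as false positives."""
    return rule["false_positives"] / rule["alerts"] if rule["alerts"] else 0.0

def has_drifted(rule):
    """Drift: the body running in the SIEM no longer matches the reviewed body in git."""
    return sha256(rule["repo_body"].encode()).digest() != sha256(rule["deployed_body"].encode()).digest()

def classify(rule, today=TODAY, noise_budget=NOISE_BUDGET, stale_days=STALE_DAYS):
    """Return (status, detail); checks run in priority order, drift first."""
    if has_drifted(rule):
        return "Drifted", "deployed body differs from repo"
    silent = (today - rule["last_fired"]).days
    if silent > stale_days:
        return "Stale", f"{silent} days"
    ratio = noise_ratio(rule)
    return ("Noisy" if ratio > noise_budget else "Healthy"), f"{ratio:.1%} noise"

def promotion_blockers(rules, today=TODAY):
    """Budget gate: rules that must not be promoted (or should be rolled back), with the reason."""
    return {r["name"]: classify(r, today) for r in rules if classify(r, today)[0] != "Healthy"}

if __name__ == "__main__":
    for rule in RULES:
        status, detail = classify(rule)
        print(f"{rule['name']:<22} {status} · {detail}")
    print("blocked:", sorted(promotion_blockers(RULES)))
```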

Beyond the pilot

A detection program that scales with your team

CI/CD integration

Plug csctl into GitHub Actions, GitLab CI, or any pipeline. Same validation, testing, and approval gates as manual workflows.

Approval workflows

Separation of duties enforced by the platform. Authors can't approve their own rules. Configure a minimum number of approvers per workspace.

Audit trail

Every change, test, approval, deploy, and rollback is logged immutably. Export to your SIEM or GRC system.

Team scaling

RBAC lets juniors contribute safely while seniors control what reaches production. Workload dashboards keep the team balanced.

Platforms

Splunk, Sentinel, CrowdStrike, Rapid7 — kept in sync.

Diffs and translations show exactly what changes per platform so approvals are fast.

Guardrails (on by default)

  • Deployment guardrails and kill switch per deploy
  • Noise/cost budgets enforced before promotion
  • Rollback SLA if budgets breach

Ready to run a detection pilot?

We’ll co-pilot your first two weeks: rule import, tests, monitoring mode, and phased rollout.

No customer logs ingested. Outbound-only agents. Auditable CLI.