Skip to main content
Back to Case Studies
SMB ClientsDetection Engineering 2025

Building a Shield: How SOClogix Operationalizes Detection-as-Code for SMB Clients

Most MSSPs run static signatures that haven't changed since last quarter. SOClogix runs a version-controlled, peer-reviewed detection pipeline that ships new rules every week - and can prove it.

Weekly
New detection rules ship to production
100%
Detection changes reviewed before merge
Auditable
Full change history for every detection rule

The Problem With Static Detections

Threat actors update their tools, techniques, and evasion methods constantly. The average MSSP updates their detection signatures quarterly - at best. In practice, many MSSPs are running detection logic that was written years ago and hasn't been reviewed since. When a new threat emerges, days or weeks pass before protection reaches client environments.

The deeper problem is opacity. When a client asks "why didn't you detect that?" most MSSPs cannot give a precise answer. They can't show you the detection rule that should have fired, explain why it didn't, or demonstrate that it's been fixed. The detection layer is a black box.

For clients pursuing CMMC Level 2 certification - or any compliance framework that requires documented, auditable security controls - this is a serious gap. "We have an EDR" is not an auditable detection program.

The SOClogix Detection-as-Code Approach

SOClogix built an internal detection engineering program around a single principle: every detection rule is code, and all code is version-controlled, reviewed, and tested before it runs in production.

The platform is built on LimaCharlie, a cloud-native security infrastructure platform that allows detection rules to be written as code, deployed through an API, and managed programmatically. Client endpoints run the SOClogix Shield Agent - a LimaCharlie-backed sensor that provides telemetry across process execution, file operations, network connections, and authentication events.

Detection Rules as Code (YAML/D&R Rules)

Every detection rule is written in LimaCharlie's D&R (Detect and Respond) rule format and stored in the internal shield-detections repository. Rules have a clear structure: what telemetry they match, what conditions trigger an alert, and what automated response actions (if any) follow. New rules are written in branches, not directly in production.

Peer Review Required - No Exceptions

No detection rule reaches a client environment without a second analyst review. Pull requests require at least one approved review before merge. Reviewers check: Is the logic correct? Will it produce false positives? Is the alert actionable? Is the respond block safe? This process catches logic errors before they create noise - or worse, miss real threats.

Automated Validation Pipeline

The CI/CD pipeline runs automated rule validation on every commit. Tests check that rule syntax is valid, that response blocks reference real actions, and that rules don't duplicate existing coverage. Test cases simulate known-bad telemetry to verify that new rules would have fired on past incidents. A rule doesn't pass CI without passing these checks.

Weekly Threat Intelligence Feed

The SOClogix threat intelligence team holds a weekly review of emerging TTPs from sources including CISA KEV updates, vendor threat reports, and intelligence from active IR engagements. New detection gaps identified in this review become tickets, are assigned to analysts, and tracked through the same review pipeline as any other rule. The result: the detection library improves every week, not every quarter.

What This Means for Clients

Transparency: When a client asks what detections are running in their environment, we can show them - by name, by rule logic, by version, and by the analyst who wrote and reviewed each one.
Faster coverage of new threats: When CISA issues a KEV alert or a new TTP surfaces, SOClogix can have a detection rule in review within hours and deployed to all client environments within 24–48 hours - not next quarter.
Compliance documentation: The git history of the shield-detections repository is a complete audit trail. For CMMC Level 2 or SOC 2 auditors asking to see documented, maintained detection controls, we produce the commit log.
No vendor lock-in on logic: Because detection rules are written as code and stored separately from the platform, the detection library is portable. If the underlying sensor platform changes, the rules migrate with it.
Continuous improvement, not periodic review: Detection coverage is not a project with a start and end date. It's an ongoing engineering practice. Each week, the library gets better - and clients benefit from all improvements automatically.

CMMC 2.0 Relevance

CMMC Level 2 (based on NIST SP 800-171) requires organizations to monitor system security on an ongoing basis and review audit logs for signs of unusual activity. For most small defense contractors, "we have an EDR" is their answer. For auditors, that's not sufficient - they want to see documented, maintained controls with evidence of ongoing review.

The Detection-as-Code pipeline provides that evidence natively: a git repository with dated commits, named authors, reviewed pull requests, and automated test results - for every detection rule in production. It's the difference between "we monitor for threats" and "here is the documented, reviewed, and tested mechanism by which we monitor for threats."

Read the SOClogix CMMC 2.0 guide →
Detection EngineeringLimaCharlieDetection-as-CodeCMMCCI/CDThreat IntelligenceSOC Operations

Want to see the detection library?

During a consultation, we walk technical buyers through the actual rule structure, CI pipeline, and coverage areas - no slides, no buzzwords.

Request a Technical Briefing