THOR Collective Dispatch
THOR Collective Radio
Ask-a-Thrunt3r: December 2025 - DEcember 🐏

Mainly ramblings. And maybe some wisdom.


📝 Episode Summary

Welcome back from the holiday break! The THOR Collective returns with a cozy end-of-year reflection meets practitioner reality check, featuring special guest Alex Hurtado, content creator extraordinaire and voice behind Detection Engineering Dispatch. This December edition tackles the often-overlooked but crucial relationship between threat hunting and detection engineering – what Alex calls “the real people that actually just keep shit working.”

Alex brings unique insights from her journey from SIEM analyst at ABC during the Rachel Bachelorette era (yes, monitoring for commercial interruptions during primetime TV) to becoming one of the leading voices in detection engineering content. The conversation dives deep into why detection engineering finally emerged as a distinct discipline, how vendor black-boxing forces teams to rebuild EDR rules in their SIEM, and why treating detections like production code with proper CI/CD pipelines is non-negotiable.

From debating whether to ship detections in “warn mode” to discussing the nuclear option of deleting 50% of your detections tomorrow, this episode delivers unfiltered insights on building sustainable detection programs. Plus, Alex shares her Chicago neighborhood-to-SIEM comparison framework, the team debates worst detections as holiday decorations, and everyone agrees: quarterly detection reviews are a must, but alert volume as a KPI needs to go.

⏱️ Episode Breakdown

  • 01:32 – Introductions

  • 03:00 – Alex’s journey: From ABC SIEM analyst to Detection Engineering thought leader

  • 06:02 – The gatekeeping problem in detection engineering

  • 10:26 – Icebreaker: Worst detection as a holiday decoration

  • 13:36 – Deep dive: What is detection engineering really?

  • 16:15 – Detection engineers beyond the SIEM

  • 18:01 – The problem with black-box EDR vendors

  • 20:35 – Hunting to Detection Engineering handoffs

  • 24:30 – Chaining behaviors vs. static indicators

  • 36:44 – Detection Engineering as Development (CI/CD, versioning, documentation)

  • 42:40 – Metrics that matter: Confusion matrices vs. alert volume

  • 47:30 – The nuclear option: Cutting 50% of detections

  • 49:30 – AI’s impact on detection engineering

  • 52:15 – Ship it or Scrap it rapid-fire

  • 55:06 – Must-reads and resources

  • 57:21 – 2025 wrap-up and 2026 preview

🎤 Hosts & Guest

Lauren Proehl (Host) – Manager of the group whose worst detection is a creepy 85-year-old nutcracker from grandma that should’ve been recycled (like Log4J scanning alerts still firing).

Sydney Marrone (Host) – Head of thrunting and threat hunting whose worst detection is a snow globe – stable until you make one edit and everything goes crazy with alerts.

John Grageda (Host) – Red teamer who compares his worst detection to a Christmas tree with all lights constantly rotating in chaos, reminiscent of untuned Sourcefire IDS.

Alex Hurtado (Special Guest) – Content creator, host of Detection Engineering Dispatch, and voice behind the State of Detection Engineering report. Former ABC SIEM analyst who monitored primetime TV for commercial interruptions.


🔗 Resources & Mentions

Key Concepts Discussed

  • Detection Engineering Definition – “The real people that actually just keep shit working”

  • Detection as Code – Treating detections like production code with CI/CD pipelines

  • Versioning & Documentation – The critical importance of change logs and detection diaries

  • Chaining Behaviors – Moving beyond static indicators to correlated attack chains

  • Black-box Vendor Problem – Why teams rebuild EDR rules in SIEMs with FDR data

  • Critical Asset Prioritization – Starting with crown jewels when cutting detection noise

  • Confusion Matrices – True positive/false positive rates as quality metrics

📢 Call to Action

  • Follow Alex Hurtado on LinkedIn – For infographics and detection engineering insights

  • Subscribe to Detection Engineering Dispatch – Available on Apple Podcasts and Spotify

  • Participate in the State of DE Survey – Data collection phase is ongoing

  • Implement quarterly detection reviews – If you’re not doing this, start now

  • Document your detections – Leave them better than you found them

  • Write for THOR Collective – Always looking for new voices in thrunting, DE, SOC, and IR

📬 Connect with THOR Collective

Reach out through any social channel to contribute content, be a guest on the podcast, or share your detection engineering war stories.
