Cyber Security Academy · Lesson

Testing and Tuning Detections

Reducing false positives.

The False-Positive Problem

An untuned detection that fires on benign activity is worse than no detection. Analysts learn to ignore noisy alerts, and the one real attack drowns in the queue. This is alert fatigue, and it is how breaches slip past well-funded SOCs.

Tuning is the disciplined process of maximizing true positives while driving false positives toward zero, without blinding yourself to real threats.

True and False, Positive and Negative

Frame detection quality with four outcomes:

  • True positive (TP) — fires on real malicious activity
  • False positive (FP) — fires on benign activity
  • True negative (TN) — correctly stays silent on benign
  • False negative (FN) — misses real malicious activity

Tuning trades along this space. Loosening a rule cuts FNs but risks FPs; tightening does the reverse. The art is finding the balance the SOC can sustain.
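An added example (not part of the lesson) that scores a hypothetical encoded-PowerShell detection against constructed, analyst-labelled events: the untuned rule, an over-broad user allowlist that buys precision at the cost of a false negative, and a precise (user, command line) fingerprint that removes the false positives without blinding the rule.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Event:
    user: str
    cmdline: str
    malicious: bool  # analyst ground-truth label used to score the rule

# Constructed sample telemetry (not real data); encoded blobs are harmless placeholders.
EVENTS: List[Event] = [
    Event("svc_backup", "powershell.exe -enc QQBCAEMA", False),            # nightly backup job
    Event("svc_backup", "powershell.exe -enc QQBCAEMA", False),            # same job, next night
    Event("svc_inv",    "powershell.exe -NoProfile -File inventory.ps1", False),
    Event("jdoe",       "cmd.exe /c whoami", False),
    Event("jdoe",       "powershell.exe -enc ZABpAHIA", True),             # interactive, unusual
    Event("jsmith",     "powershell.exe -w hidden -enc ZABpAHIA", True),
    Event("svc_backup", "powershell.exe -w hidden -enc ZABpAHIA", True),   # service account misused
]

def loose_rule(e: Event) -> bool:
    """Untuned: fires on any encoded PowerShell command line."""
    return "-enc" in e.cmdline.lower()

def user_allowlist_rule(e: Event) -> bool:
    """Over-broad tuning: suppress everything from the service account."""
    return loose_rule(e) and e.user != "svc_backup"

# Precise tuning: suppress only the exact known-good (user, command line) pair.
KNOWN_GOOD = {("svc_backup", "powershell.exe -enc QQBCAEMA")}

def fingerprint_rule(e: Event) -> bool:
    return loose_rule(e) and (e.user, e.cmdline) not in KNOWN_GOOD

def confusion(rule: Callable[[Event], bool], events: List[Event]) -> Dict[str, int]:
    """Count TP/FP/TN/FN by comparing what the rule fires on with the labels."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for e in events:
        fired = rule(e)
        counts[("T" if fired == e.malicious else "F") + ("P" if fired else "N")] += 1
    return counts

def precision(c: Dict[str, int]) -> float:
    return c["TP"] / (c["TP"] + c["FP"]) if c["TP"] + c["FP"] else 0.0

def recall(c: Dict[str, int]) -> float:
    return c["TP"] / (c["TP"] + c["FN"]) if c["TP"] + c["FN"] else 0.0

if __name__ == "__main__":
    for name, rule in [("loose", loose_rule), ("user allowlist", user_allowlist_rule),
                       ("fingerprint", fingerprint_rule)]:
        c = confusion(rule, EVENTS)
        print(f"{name:15} {c} precision={precision(c):.2f} recall={recall(c):.2f}")
```

Re-run this scoring every time a rule is changed: a tuning that raises precision while recall drops is the FN trade-off the text warns about.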
