BSidesLuxembourg 2026

Turbocharged SOC: DetectFlow and other innovative Open Source tools released by SOCPrime for detection engineering
2026-05-08 , IFEN room 1, Workshops and Detection Engineering village (Building D)

We will discuss the practical use of the open source tools for detection engineering built by the SOC Prime team, including DetectFlow and Uncoder, and how they combine with an open source data pipeline stack such as Kafka, Flink and the Flink agent. The goal of DetectFlow is to elevate the role of Detection Engineers above the SIEM stack and give them all the signals, context, threat intelligence and building blocks needed to fully design and operate Detection and Response workflows. The architecture of Detection Pipelines also makes the work of Security Analysts curious and enjoyable again: it eliminates a large part of their routine work and focuses them on the one thing humans still do better than AI, understanding connections that are specific to the cyber domain and to their own organization. Our approach equips people to address the tremendous complexity of the cyber domain, which now simply exceeds what any one human can physically hold in their head.


Open source DetectFlow turns Apache Kafka and Flink into a Detection Pipeline by adding two-tier correlation. The first tier streams AI-generated and human-authored behaviour Sigma rules mapped to ATT&CK over the event flow; it assigns initial data labels and does not generate alerts. The second tier is a Flink agent that enables Agentic AI correlation across the whole of ATT&CK, Attack Flows and Attack Chains; this can be further refined and expanded by integrating with OpenTIDE. Attack Chains are written by human experts as "higher order Sigma rules" that correlate on ATT&CK itself and on sequences of lower-level Sigma rule matches. Together this acts as a turbocharger in front of the SIEM engine, much like the same part in a car. DetectFlow is essentially a low-footprint, run-anywhere provisioning tool with Agentic AI and MCP, and with it we can run over 20,000 detection rules and nearly 500,000 behaviour correlation patterns in front of ANY SIEM at millisecond speed, which exceeds the capacity of any SIEM by five orders of magnitude. This shrinks mean time to detect and the initial investigation stage from tens of minutes or even hours to a few seconds. The conversion from raw log event to tagged event is about 7%, and from tagged event to Attack Chain about 0.0007%; only the latter is alert material. This reduces the need to fine-tune rules at the DetectFlow level, because fine-tuning becomes a matter of context, which any on-premise AI Agent working with the outputs of DetectFlow or the SIEM can handle. The SIEM remains very useful for workflow, reporting, graph analysis and, for now, machine learning based anomaly detection, even though the latter will move into pipelines too. DetectFlow also takes care of data parsing via crowdsourcing and field mapping via AI (which can be run locally).
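To make the two tiers concrete, here is an added Python sketch. It is not DetectFlow's or SOC Prime's code: the rule titles, the chain definition, the technique tags and the process-creation events are all constructed for the example, and Sigma semantics are reduced to a single AND selection with the |contains and |endswith modifiers. Tier 1 only labels events with ATT&CK techniques; tier 2 correlates the ordered per-host technique sequence into an Attack Chain within a time window, and only a completed chain becomes an alert. The function also reports the two conversion ratios the abstract talks about (raw to tagged, tagged to chain) for the sample stream.

```python
"""Two-tier detection pipeline sketch: tier 1 tags events with ATT&CK
techniques from Sigma-style rules (no alerts); tier 2 correlates per-host
tag sequences into Attack Chains, and only a completed chain is an alert.
Added illustration, not DetectFlow's code; all rules, chains and events are
constructed for this example."""

# Tier 1: simplified Sigma semantics. A selection is an AND of field
# conditions; |contains and |endswith test the lower-cased value and no
# modifier means case-insensitive equality. Titles and tags are constructed.
SIGMA_RULES = [
    {"title": "Encoded PowerShell command line", "tags": ["attack.t1059.001"],
     "detection": {"selection": {"Image|endswith": "\\powershell.exe",
                                 "CommandLine|contains": "-enc"}}},
    {"title": "LSASS dump via procdump", "tags": ["attack.t1003.001"],
     "detection": {"selection": {"Image|endswith": "\\procdump.exe",
                                 "CommandLine|contains": "lsass"}}},
    {"title": "Service creation via sc.exe", "tags": ["attack.t1021.002"],
     "detection": {"selection": {"Image|endswith": "\\sc.exe",
                                 "CommandLine|contains": "create"}}},
]

def _field_matches(event, key, expected):
    field, _, modifier = key.partition("|")
    value, expected = str(event.get(field, "")).lower(), expected.lower()
    if modifier == "contains":
        return expected in value
    if modifier == "endswith":
        return value.endswith(expected)
    return value == expected

def tag_event(event, rules=SIGMA_RULES):
    """Tier 1: copy of the event plus an 'attack' list of technique tags
    from every matching rule. Labels only; never raises an alert."""
    tags = [t for r in rules for t in r["tags"]
            if all(_field_matches(event, k, v)
                   for k, v in r["detection"]["selection"].items())]
    return {**event, "attack": tags}

# Tier 2: an Attack Chain is a "higher order rule" over technique tags: an
# ordered sequence that must complete on one host inside a time window.
ATTACK_CHAINS = [{"name": "exec -> credential dump -> lateral movement",
                  "sequence": ["attack.t1059.001", "attack.t1003.001",
                               "attack.t1021.002"], "window_seconds": 3600}]

class ChainCorrelator:
    """Per-(host, chain) state machine: one step per matching tag, in order;
    the chain starts over when the window from its first step has expired."""

    def __init__(self, chains=ATTACK_CHAINS):
        self.chains = chains
        self.state = {}  # (host, chain name) -> (next step index, first ts)

    def feed(self, tagged):
        alerts, host, ts = [], tagged["Computer"], tagged["ts"]
        for chain in self.chains:
            key = (host, chain["name"])
            idx, first_ts = self.state.get(key, (0, None))
            if first_ts is not None and ts - first_ts > chain["window_seconds"]:
                idx, first_ts = 0, None
            if chain["sequence"][idx] in tagged["attack"]:
                first_ts = ts if idx == 0 else first_ts
                idx += 1
                if idx == len(chain["sequence"]):  # chain complete: alert
                    alerts.append({"chain": chain["name"], "host": host,
                                   "first_ts": first_ts, "last_ts": ts})
                    idx, first_ts = 0, None
            self.state[key] = (idx, first_ts)
        return alerts

def run_pipeline(events):
    """Stream events in time order through both tiers; return tagged events,
    chain alerts and the raw->tagged and tagged->chain conversion ratios."""
    corr, tagged, alerts = ChainCorrelator(), [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = tag_event(ev)
        if t["attack"]:
            tagged.append(t)
            alerts.extend(corr.feed(t))
    return {"tagged": tagged, "alerts": alerts,
            "tag_ratio": len(tagged) / len(events),
            "chain_ratio": len(alerts) / len(tagged) if tagged else 0.0}

def _ev(ts, host, image, cmd):
    return {"ts": ts, "Computer": host, "Image": image, "CommandLine": cmd}

PS, SC = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\sc.exe"
SAMPLE_EVENTS = [  # constructed process-creation events, ts in seconds
    _ev(0, "WS01", r"C:\Windows\explorer.exe", "explorer.exe"),
    _ev(10, "WS01", PS, "powershell.exe -enc SQBFAFgA"),
    _ev(20, "WS01", r"C:\Windows\notepad.exe", "notepad.exe report.txt"),
    _ev(300, "WS01", r"C:\Tools\procdump.exe", "procdump.exe -ma lsass.exe l.dmp"),
    _ev(900, "WS01", SC, r"sc.exe \\FS01 create svc binPath= cmd.exe"),  # full chain
    _ev(50, "WS02", PS, "powershell.exe -enc VwByAGkA"),
    _ev(60, "WS02", SC, "sc.exe create svc binPath= x"),  # skips step 2: no chain
    _ev(100, "WS03", PS, "powershell.exe -enc QQBC"),
    _ev(5000, "WS03", r"C:\Tools\procdump.exe", "procdump.exe -ma lsass.exe l.dmp"),  # > window
    _ev(5100, "WS03", SC, "sc.exe create svc binPath= x"),
]

if __name__ == "__main__":
    r = run_pipeline(SAMPLE_EVENTS)
    print(f"{len(r['tagged'])}/{len(SAMPLE_EVENTS)} tagged, {len(r['alerts'])} alert(s): {r['alerts']}")
```

On the sample stream eight of ten events get a technique label but only WS01 completes the chain; WS02 jumps from execution straight to service creation and WS03 takes longer than the window, so neither becomes alert material. Two caveats a practitioner would want: the toy sorts events by timestamp and keeps state in a dict, whereas a streaming job has to handle out-of-order arrival and evict per-host state once the window has passed, or the state grows without bound; and real Sigma conditions combine several selections with and/or/not, which this matcher does not model.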


I am a successful entrepreneur with cyber security, hardware and AI as my hobbies and work specialties. I did my first blue team cyber gig in 2001 and founded SOC Prime in 2014 together with Alex and Ruslan; we have built it from a small rented apartment in Kyiv into a venture-backed, profitable company that operates across 4 continents and whose products and content are used by over 11,000 organisations. In the cyber domain I specialise in threat detection, Sigma rules, MITRE ATT&CK, detection engineering and cyber threat intelligence, with the goal of building better tools for people who work in the same niche. I consider my two most successful contributions to such community projects to be Uncoder and DetectFlow, both of which can be found on GitHub.
