# Detection and Response

![Detection and Response](/files/tU3ovIizHdbMXiYzPfPo)

> **Section focus:** Detection and Response.\
> **Best use:** start with the section map below, then move into the deeper pages that match your role or stack.\
> **Design note:** this index was refreshed to act as a cleaner GitBook landing page instead of a plain directory listing.

### Start with these pages

| Page | Why open it first |
| --- | --- |
| [📜 Logging and Telemetry Strategy](/attack-paths-testing-detection-and-hardening/index/logging-and-telemetry-strategy.md) | Defines the event classes worth paying to retain across app, API, cloud, CI/CD, and Kubernetes. |
| [🎯 High-Signal Detection Patterns and SIEM Examples](/attack-paths-testing-detection-and-hardening/index/high-signal-detection-patterns-and-siem-examples.md) | Detections that repeatedly catch meaningful product abuse and identity misuse, with SIEM examples. |
| [🛠️ Product Security Incident Response Playbooks](/attack-paths-testing-detection-and-hardening/index/product-security-incident-response-playbooks.md) | Scenario-driven triage and response guidance for product and platform incidents. |
| [🐦 Falco Runtime Detection Practical Guide](/attack-paths-testing-detection-and-hardening/index/falco-runtime-detection-practical-guide.md) | Practical runtime rules, deployment examples, and legacy-vs-current guidance for Falco. |
| [🛎️ Runtime Detection Stack — Falco, Tetragon, and Cloud Signals](/attack-paths-testing-detection-and-hardening/index/runtime-detection-stack-falco-tetragon-and-cloud-signals.md) | Places Falco next to Tetragon, cloud audit logs, and investigation workflows. |
| [🛡️ Sysdig Secure — Platform Guide](/attack-paths-testing-detection-and-hardening/index/sysdig-secure-platform-guide.md) | The commercial platform around Falco-aligned runtime, vulnerability, posture, and response workflows. |
| [⚖️ Runtime Platforms Comparison — Falco vs Sysdig vs Prisma vs Tetragon](/attack-paths-testing-detection-and-hardening/index/runtime-platforms-comparison-falco-vs-sysdig-vs-prisma-vs-tetragon.md) | Side-by-side comparison of Falco, Sysdig, Prisma, and Tetragon for choosing a runtime platform. |
| [🛡️ Runtime Security / Detection / Incident Response / Resilience — Operating Model and Product Map](/attack-paths-testing-detection-and-hardening/index/runtime-security-detection-incident-response-resilience-and-platform-map.md) | Compact operating model plus a pragmatic top-10 solution map across open-source and commercial options. |
| [🧭 Cloud and Kubernetes Runtime Investigation Playbooks and Containment Templates](/attack-paths-testing-detection-and-hardening/index/cloud-and-kubernetes-runtime-investigation-playbooks-and-containment-templates.md) | Repeatable triage, scoping, and containment structure for the first hour of a runtime incident. |

### Related sections

* [Container and Kubernetes Security](/cloud-kubernetes-and-infrastructure-security/index-1.md)
* [Compliance and Assurance](/metrics-audit-risk-evidence-and-compliance/index-1/vendor-guides-and-standards-map.md)

***

> **Intro:** A modern Product Security program is incomplete if it can only say how to harden. It also needs to say what to log, what to detect, how to triage, and how to preserve evidence when a product team is suddenly in the middle of an incident.
>
> **What this page includes**
>
> * logging and telemetry strategy for app, API, cloud, CI/CD, and Kubernetes
> * high-signal detections instead of noisy wish lists
> * triage and evidence-preservation guidance
> * product-focused incident response playbooks
>
> **Working assumptions**
>
> * the goal is to help product and platform teams act before a full SOC handoff exists
> * detections should be explainable to engineering and tuned against known workflows

![Detection Engineering Flow](/files/v6kivKgtM1lGLnKUuowa)

*Figure: threat modeling to telemetry to detections to playbooks.*

### Section map

| Page                                                                                                                                                                                                                                   | Why it belongs here                                                                                                  |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| [Logging and Telemetry Strategy](/attack-paths-testing-detection-and-hardening/index/logging-and-telemetry-strategy.md)                                                                                                                | Defines the event classes worth paying to retain.                                                                    |
| [High-Signal Detection Patterns and SIEM Examples](/attack-paths-testing-detection-and-hardening/index/high-signal-detection-patterns-and-siem-examples.md)                                                                            | Focuses on detections that repeatedly catch meaningful product abuse and identity misuse.                            |
| [Product Security Incident Response Playbooks](/attack-paths-testing-detection-and-hardening/index/product-security-incident-response-playbooks.md)                                                                                    | Provides scenario-driven guidance for product and platform incidents.                                                |
| [🐦 Falco Runtime Detection Practical Guide](/attack-paths-testing-detection-and-hardening/index/falco-runtime-detection-practical-guide.md)                                                                                           | Adds practical runtime rules, deployment examples, and legacy-vs-current guidance for Falco-based runtime detection. |
| [🛎️ Runtime Detection Stack — Falco, Tetragon, and Cloud Signals](/attack-paths-testing-detection-and-hardening/index/runtime-detection-stack-falco-tetragon-and-cloud-signals.md)                                                    | Places Falco next to Tetragon, cloud audit logs, and investigation workflows.                                        |
| [🛡️ Sysdig Secure — Platform Guide](/attack-paths-testing-detection-and-hardening/index/sysdig-secure-platform-guide.md)                                                                                                              | Explains the commercial platform around Falco-aligned runtime, vulnerability, posture, and response workflows.       |
| [🛡️ Runtime Security / Detection / Incident Response / Resilience — Operating Model and Product Map](/attack-paths-testing-detection-and-hardening/index/runtime-security-detection-incident-response-resilience-and-platform-map.md) | Gives a compact operating model plus a pragmatic top-10 solution map across open-source and commercial options.      |
| [Cloud and Kubernetes Runtime Investigation Playbooks and Containment Templates](/attack-paths-testing-detection-and-hardening/index/cloud-and-kubernetes-runtime-investigation-playbooks-and-containment-templates.md)                | Adds case structure and containment templates for the first hour of a runtime incident.                              |

### Operating principle

Detection engineering is not a separate kingdom. It should be the downstream output of threat modeling, architecture review, and platform control decisions.

### Related pages

* [Runtime Investigation Playbook for Kubernetes and Containers](/cloud-kubernetes-and-infrastructure-security/index-1/runtime-investigation-playbook.md)
* [Cloud Attack Chains Overview](/attack-paths-testing-detection-and-hardening/index-1/cloud-attack-chains.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*

### Related hands-on lab

* [Containment and Eradication Automation Lab](/learning-labs-interview-and-templates/index-2/containment-and-eradication-automation-lab.md)
