Detection at Scale: Abstracting Detection Intent
Gaurav Singh, Dario Amiri
BSidesSF 2026 · Day 1 · AMC Theatre 13
In their BSides SF 2026 presentation, "Detection at Scale: Abstracting Detection Intent," Gaurav Singh and Dario Amiri from Google addressed the formidable challenge of building and maintaining effective threat detection systems within large, dynamic organizations. The core of their talk centered on the strategic utility of **abstracting detection intent** as a critical tool for scaling threat detection coverage. This approach aims to decouple the "what" of detection (the desired security logic) from the "how" (its underlying implementation), thereby enhancing maintainability, adaptability, and overall effectiveness.
AI review
Competent engineering talk from people who clearly built the thing they're describing — Google's detection abstraction layer is real infrastructure and the pattern taxonomy (predicates, enrichments, correlations, baselines, clustering) is sensible. Nothing here will surprise anyone who's read the SIEM/detection-engineering literature or spent time with frameworks like Panther, Chronicle's YARA-L, or Elastic's rule DSLs, but it's delivered with authority and the execution-layer nuances (event time vs. processing time, monotonic vs. non-monotonic aggregation, late-arriving data) show genuine…
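As an added illustration, not code from the talk or from Google's detection platform, the sketch below separates the "what" (detections declared as data: a predicate, optionally wrapped in a correlation) from the "how" (a small engine that executes any such declaration). The engine also shows two of the execution-layer points the review mentions: it aggregates on event time rather than processing time, and it credits late-arriving events up to a bounded allowed lateness. All names (`Predicate`, `Correlation`, `Detection`, `Engine`), the watermark rule, and the sample event stream are this example's own constructions.

```python
"""Toy detection-intent layer: declarations (the 'what') run by one engine (the 'how').
All names and the sample stream are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Event = Dict[str, object]


@dataclass(frozen=True)
class Predicate:
    """Stateless intent: the event's `attr` must equal `value`."""
    attr: str
    value: object

    def matches(self, event: Event) -> bool:
        return event.get(self.attr) == self.value


@dataclass(frozen=True)
class Correlation:
    """Stateful intent: >= `threshold` matches sharing `key` within `window_s` of event time."""
    key: str
    threshold: int
    window_s: int


@dataclass(frozen=True)
class Detection:
    name: str
    predicate: Predicate
    correlation: Optional[Correlation] = None


@dataclass(frozen=True)
class Alert:
    detection: str
    key: object
    event_ts: int        # when the activity happened (event time)
    processing_ts: int   # when the engine saw it (processing time)


def _densest_window(times: List[int], window_s: int) -> Tuple[int, int]:
    """(count, end_ts) of the densest `window_s` window over sorted event times.
    The count is monotonic: adding an event can only raise it, so an alert that
    has fired never needs retracting when more late events arrive."""
    best_count, best_end = 0, 0
    for i, start in enumerate(times):
        in_window = [t for t in times[i:] if t - start < window_s]
        if len(in_window) > best_count:
            best_count, best_end = len(in_window), in_window[-1]
    return best_count, best_end


@dataclass
class Engine:
    detections: List[Detection]
    allowed_lateness_s: int
    alerts: List[Alert] = field(default_factory=list)
    dropped_late: List[Event] = field(default_factory=list)
    _max_event_ts: int = 0
    _windows: Dict[Tuple[str, object], List[int]] = field(default_factory=dict)
    _fired: Set[Tuple[str, object]] = field(default_factory=set)

    def process(self, event: Event, processing_ts: int) -> List[Alert]:
        ts = int(event["event_ts"])
        # Watermark follows the newest *event* time seen, so a replayed backlog
        # is judged on its own timeline rather than against the wall clock.
        self._max_event_ts = max(self._max_event_ts, ts)
        if ts < self._max_event_ts - self.allowed_lateness_s:
            self.dropped_late.append(event)  # beyond allowed lateness: not credited
            return []
        fired: List[Alert] = []
        for det in self.detections:
            if not det.predicate.matches(event):
                continue
            if det.correlation is None:
                fired.append(Alert(det.name, None, ts, processing_ts))
                continue
            corr = det.correlation
            key = (det.name, event.get(corr.key))
            times = self._windows.setdefault(key, [])
            times.append(ts)
            times.sort()  # a late event slots in at its event-time position
            count, end_ts = _densest_window(times, corr.window_s)
            if count >= corr.threshold and key not in self._fired:
                self._fired.add(key)
                fired.append(Alert(det.name, key[1], end_ts, processing_ts))
        self.alerts.extend(fired)
        return fired


def run_demo() -> Engine:
    """Replay a constructed (not real) stream of (event, arrival time) pairs."""
    engine = Engine([
        Detection("auth_failure_burst", Predicate("result", "failure"),
                  Correlation(key="user", threshold=3, window_s=60)),
        Detection("root_login", Predicate("user", "root")),
    ], allowed_lateness_s=120)
    stream = [
        ({"user": "alice", "result": "failure", "event_ts": 100}, 100),
        ({"user": "alice", "result": "failure", "event_ts": 130}, 131),
        ({"user": "bob", "result": "failure", "event_ts": 140}, 140),
        ({"user": "root", "result": "success", "event_ts": 145}, 146),
        ({"user": "alice", "result": "success", "event_ts": 150}, 150),
        # Delayed 85 s in transit; by event time it sits inside alice's window.
        ({"user": "alice", "result": "failure", "event_ts": 115}, 200),
        # Older than watermark minus allowed lateness: dropped, not credited.
        ({"user": "alice", "result": "failure", "event_ts": 10}, 210),
    ]
    for event, processing_ts in stream:
        engine.process(event, processing_ts)
    return engine


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert)
```

The same stream keyed on processing time instead of event time (arrivals at 100, 131, 200) never has three of alice's failures inside one 60-second window, so the burst would be missed; ordering on event time and tolerating bounded lateness is what lets the delayed event count. The count aggregation is monotonic, so the engine can emit the alert the moment the threshold is crossed; a non-monotonic aggregate (for example a ratio that a late event could lower) would instead need a retraction path or a wait until the watermark passes the window.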