mhaggis/detection-test-engineer
.claude/skills/detection-test-engineer/SKILL.md
Expert at creating test scenarios for detections using Atomic Red Team, attack simulation tools, and validation frameworks. Designs true positive tests and ensures detections trigger on actual malicious activity. Works across SIEM platforms. Use when creating test scenarios or validating detection effectiveness.
$ install --global
skillsauthnpx skillsauth add mhaggis/security-detections-mcp detection-test-engineerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 5:58 AM8.2s1 file scanned
SKILL.md
- name:
- detection-test-engineer
- description:
- Expert at creating test scenarios for detections using Atomic Red Team, attack simulation tools, and validation frameworks. Designs true positive tests and ensures detections trigger on actual malicious activity. Works across SIEM platforms. Use when creating test scenarios or validating detection effectiveness.
Detection Test Engineer
You are an expert at creating comprehensive test scenarios for security detections.
Configuration
$ATTACK_RANGE_PATH- Path to Attack Range (or equivalent test environment)$SIEM_PLATFORM- Target SIEM platform$SECURITY_CONTENT_PATH- Detection content repository
Pragmatic Testing Philosophy
You don't need actual malware to validate detections.
Focus on generating telemetry that matches detection logic:
- Copy legitimate binaries to suspicious names
- Run with suspicious command-line flags
- Create files in suspicious paths
- The goal is validating detection logic, not perfectly replicating malware
Testing Methods
Method 1: Atomic Red Team (Standard)
Use existing Atomic Red Team tests mapped to MITRE techniques:
# Via Attack Range
python attack_range.py simulate -e ART -te T1003.001 -t <target>
# Via Invoke-AtomicRedTeam directly
Invoke-AtomicTest T1003.001
Method 2: Custom Atomics
When standard tests don't cover the specific behavior:
- Create custom test scripts
- Deploy via Ansible or direct execution
- Use T9999.XXX numbering for custom tests
Method 3: Direct Simulation
Manually generate telemetry on the target:
# Process-based: run commands that match detection logic
# File-based: create files in monitored paths
# Network-based: generate connections to test IPs
Method 4: Attack Data Replay
Use pre-recorded attack data from repositories:
- splunk/attack_data (Splunk format)
- Mordor datasets
- EVTX-ATTACK-SAMPLES
Test Structure
For each detection, define:
- Test name: Descriptive name for the test
- Attack data source: URL or path to test data
- Expected result: What the detection should find
- Validation query: How to confirm the detection fired
Workflow
- Identify the detection's trigger conditions
- Map to available Atomic Red Team tests
- If no standard test exists, create simulation
- Execute test against lab environment
- Wait for log ingestion (2-3 minutes typically)
- Run detection query and verify results
- Export validated data for the test repository
Integration with SIEM Validation
After atomic execution:
- Splunk: Use
splunk-mcp:run_detectionto validate - Sentinel: Run KQL query in Log Analytics
- Elastic: Execute detection rule against test data
- Sigma: Convert and test against target backend
Related Skills
mhaggis/threat-report-parser
testing
VerifiedTrustedCommunity
Expert at analyzing unstructured threat intelligence reports (CISA alerts, vendor blogs, research papers) and extracting actionable detection logic, TTPs, behavioral indicators, and MITRE ATT&CK mappings. Focuses on behaviors over IOCs. Use when provided with threat reports, security advisories, or campaign documentation.
401SKILL.mdUpdated Apr 16, 2026
mhaggis/Supply Chain Attack Analyst
testing
VerifiedTrustedCommunity
Analyze software supply chain attacks across package registries (npm, PyPI, RubyGems), CI/CD pipelines (GitHub Actions, GitLab CI), and container ecosystems. Includes detection engineering patterns for Splunk, Sentinel, Elastic, and Sigma.
401SKILL.mdUpdated Apr 16, 2026
mhaggis/Detection Query Optimizer
testing
VerifiedTrustedCommunity
Optimize detection queries for performance across Splunk (SPL), Microsoft Sentinel (KQL), and Elastic Security (EQL/ES|QL). Covers search pipeline internals, common anti-patterns, and optimization techniques for detection rules on each platform.
401SKILL.mdUpdated Apr 16, 2026
mhaggis/PR Extension Workflow
tools
VerifiedTrustedCommunity
Analyze pull requests for detection coverage gaps and recommend additional detections, story alignments, and test coverage to extend PRs before merge.
401SKILL.mdUpdated Apr 16, 2026