Detection Visibility Metrics
The post proposes a measurement framework for detection engineering programs based on visibility and telemetry coverage rather than raw alert counts. It recommends tracking concrete baselines such as user populations, workstation/server/mobile asset counts by OS and environment, identity surface area including accounts, groups, service accounts, and privileged principals, and SIEM footprint metrics like daily ingestion volume and searchable retention. The author also breaks out high-volume security data sources such as Active Directory events, WAF logs, Windows and Linux server logs, AWS CloudTrail, Azure Event Hub, DNS, EDR, email, and network throughput so teams can quantify what their detections can actually observe. The practical value is operational: these metrics let defenders explain alert growth, identify monitoring gaps, and justify staffing or platform spend as enterprise size, log volume, and attack surface expand over time.