The Life-Dinner Principle in Detection
The article proposes a detection-engineering model based on attacker/defender economics: some alerts are ‘rabbit-side’ events where a miss has high business impact, while others are ‘fox-side’ events where the attacker can generate noise almost for free but each investigation costs the defender real analyst time. It argues SOCs should treat high-stakes signals such as ransomware in critical environments, anomalous executive mailbox access, cloud or identity privilege abuse, and rare exploit-chain indicators with deeper triage, higher false-positive tolerance, and stronger escalation paths. By contrast, commodity phishing spray, opportunistic scanning, botnet traffic, credential stuffing, and generic exploit attempts should be aggregated, suppressed, enriched automatically, or converted into engineering work so the defender’s marginal response cost approaches zero. The practical takeaway is a prioritization framework for detection programs: stop treating every alert as equally existential, and align investigative effort to the per-encounter consequence rather than raw alert volume.