Custom Detections
Detection engineering tailored to your environment, threat model, and business logic.
Your security environment is unique, and your detections should be too. Zaun's Forward Deployed Security Engineers (FDSEs) build custom detections that map directly to your infrastructure, workflows, and threat model.
How It Works
- Discovery: Your FDSE reviews your environment, tooling, and existing coverage gaps
- Design: Detections are designed around your specific threat scenarios and business logic
- Build: Custom detection rules are written, tested, and deployed to your Zaun instance
- Tune: Detections are refined over time to reduce noise and improve signal
- Document: Every detection ships with a runbook covering investigation and response steps
What Makes Custom Detections Different
Unlike off-the-shelf rules, custom detections are:
- Environment-aware: built with knowledge of your infrastructure, naming conventions, and expected behavior
- Business-logic driven: encode your organization's policies, not generic best practices
- Continuously updated: your FDSE ships new and improved detections weekly
- Fully documented: every detection has a runbook explaining what fired, why it matters, and what to do
Example Use Cases
Insider Threat Detection
- Mass download detection: An employee downloads 500+ files from Google Drive or SharePoint in a single session, especially during their notice period. Your FDSE builds detections against Google Workspace Admin Logs and Microsoft 365 Unified Audit Log with thresholds tuned to your organization's normal download volume.
- Off-hours access to sensitive systems: An engineer accesses AWS production databases via DataGrip or pgAdmin at 2 AM on a Saturday. Zaun flags this based on your team's on-call schedule and normal access patterns, pulling from AWS CloudTrail and Okta login events.
- Privilege escalation in Okta: A user assigns themselves the Admin role in Okta or adds themselves to a privileged Google Workspace group. Your FDSE maps out your RBAC model and builds detections for any role change that crosses a privilege boundary.
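The mass-download and notice-period logic described above, as an added example that is not Zaun's rule code. It runs over a constructed, simplified stand-in for Drive audit activity (time, actor, event name) rather than the real Google Workspace Admin Log schema; the events, the per-user daily download history and the notice-period roster are all constructed, and the thresholds are scaled down from the 500-file figure so the toy dataset fires. The per-user limit is a multiple of that user's median daily downloads, never below an absolute floor, and halved for users on notice:

```python
"""Mass-download detection over constructed Google Workspace Drive audit events.

Added example, not Zaun's rule code. The record shape is a simplified stand-in
for Drive audit activity (time, actor, event name); the events, the per-user
history and the notice-period roster below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample: (ISO-8601 UTC time, actor, Drive event name).
SAMPLE_EVENTS = [
    # alice: 12 downloads in eleven minutes, far above her history below
    *[(f"2024-05-06T09:{m:02d}:00Z", "alice@example.com", "download") for m in range(12)],
    # bob: ordinary activity spread across the day
    ("2024-05-06T08:15:00Z", "bob@example.com", "download"),
    ("2024-05-06T11:40:00Z", "bob@example.com", "download"),
    ("2024-05-06T14:05:00Z", "bob@example.com", "view"),
    ("2024-05-06T16:30:00Z", "bob@example.com", "download"),
    # carol: six downloads in half an hour while in her notice period
    *[(f"2024-05-06T13:{m:02d}:00Z", "carol@example.com", "download") for m in range(0, 30, 5)],
]

# Constructed per-user history: downloads per day over the previous week.
DAILY_HISTORY = {
    "alice@example.com": [2, 3, 1, 4, 2, 0, 3],
    "bob@example.com": [5, 4, 6, 5, 3, 7, 5],
    "carol@example.com": [1, 2, 1, 0, 2, 1, 1],
}

# Constructed roster of users in their notice period (in practice fed from the HRIS).
NOTICE_PERIOD = frozenset({"carol@example.com"})


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def downloads_by_actor(events):
    """Group download timestamps per actor, sorted ascending."""
    out = defaultdict(list)
    for ts, actor, name in events:
        if name == "download":
            out[actor].append(parse_ts(ts))
    for times in out.values():
        times.sort()
    return out


def peak_window_count(times, window):
    """Largest number of downloads inside any sliding window of length `window`."""
    best, lo = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def user_threshold(actor, history, floor, multiplier, notice_period, notice_factor):
    """Per-user limit: `multiplier` x median daily downloads, never below `floor`,
    scaled by `notice_factor` for users in their notice period."""
    baseline = median(history.get(actor, [0]))
    limit = max(floor, multiplier * baseline)
    return limit * notice_factor if actor in notice_period else limit


def detect_mass_download(events, history, notice_period=frozenset(),
                         window=timedelta(hours=1), floor=5, multiplier=3.0,
                         notice_factor=0.5):
    """Return one alert per actor whose peak download burst meets their limit."""
    alerts = []
    for actor, times in downloads_by_actor(events).items():
        peak = peak_window_count(times, window)
        limit = user_threshold(actor, history, floor, multiplier, notice_period, notice_factor)
        if peak >= limit:
            alerts.append({
                "actor": actor,
                "downloads_in_window": peak,
                "threshold": limit,
                "notice_period": actor in notice_period,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_download(SAMPLE_EVENTS, DAILY_HISTORY, NOTICE_PERIOD):
        print(alert)
```

On the sample data alice fires on raw volume (12 downloads against a limit of 6) and carol fires only because her notice-period status halves her limit to 2.5; bob's three downloads spread over the day stay well under his limit of 15. The sliding window is what makes this a "single session" detection rather than a daily count: a user who downloads 300 files in the morning and 300 more in the evening is a different case from one who pulls 600 in ten minutes, and tuning the window length is as much part of the baseline work as tuning the multiplier.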
Compliance Monitoring
- SOC 2 access review anomalies: Detections that flag when a user retains access to AWS, GCP, or GitHub after changing roles, based on your HR system (Workday, BambooHR, Rippling) reporting a title or department change.
- PCI-DSS cardholder data exposure: Custom detections for when files containing cardholder data patterns are shared externally via Google Drive, Slack, or OneDrive, using DLP signals from Microsoft Purview or Google Workspace DLP.
- HIPAA audit log gaps: Detections that flag when AWS CloudTrail or GCP Audit Logs are disabled or have gaps in coverage for accounts hosting PHI workloads.
Application-Specific Threats
- API abuse detection: Your product's REST API sees a single user making 10,000+ requests to the `/export` endpoint. Your FDSE builds detections against your Datadog or CloudWatch API metrics, tuned to tell the difference between legitimate power users and data scraping.
- Custom SSO bypass: An attacker accesses your application directly, bypassing your Okta or Entra ID SSO flow. Your FDSE detects direct authentication that skips the expected SAML/OIDC redirect.
- Webhook tampering: Someone modifies outgoing webhook configurations in Slack, GitHub, or PagerDuty to exfiltrate data to an external endpoint. Custom detections flag webhook URL changes to domains not on your approved list.
Cloud Infrastructure Threats
- Crypto-mining detection: An attacker spins up GPU instances in AWS or GCP using compromised credentials. Your FDSE builds detections for unusual instance types (`p3.2xlarge`, `a2-highgpu`) in regions your organization doesn't normally use.
- Backdoor IAM user creation: A compromised admin creates a new IAM user in AWS with `AdministratorAccess` and static access keys. Custom detections flag new IAM users created outside your standard provisioning process (Terraform, CloudFormation, or Pulumi).
- DNS exfiltration: An attacker uses DNS tunneling to exfiltrate data through long, encoded subdomains. Zaun detects high-entropy DNS queries in CrowdStrike or Cloudflare Gateway telemetry that exceed normal query length.
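The backdoor IAM user case above, as an added example that is not Zaun's rule code. It correlates CloudTrail `CreateUser`, `AttachUserPolicy` and `CreateAccessKey` records by target user name and flags users created by anything other than the provisioning pipeline. The records are trimmed to the fields the logic needs; the account ID, the `TerraformApply` and `PulumiDeploy` role names, the user names and the user-agent strings are all constructed. The allowlist is keyed on the caller's identity (the assumed-role ARN, or `invokedBy` for CloudFormation) rather than on `userAgent`, because `userAgent` is set by the client and trivially spoofed:

```python
"""Backdoor IAM user detection over constructed CloudTrail records.

Added example, not Zaun's rule code. Records are trimmed to the CloudTrail
fields the logic needs (eventName, userIdentity, userAgent, requestParameters);
the account ID, role names, user names and user-agent strings are constructed.
"""
from collections import defaultdict

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Assumed allowlist of identities permitted to create IAM users: the roles your
# IaC pipelines assume (assumed-role session ARNs start with these prefixes)
# and the CloudFormation service principal. Replace with your own account and
# role names.
IAC_SESSION_PREFIXES = (
    "arn:aws:sts::123456789012:assumed-role/TerraformApply/",
    "arn:aws:sts::123456789012:assumed-role/PulumiDeploy/",
)
IAC_INVOKED_BY = {"cloudformation.amazonaws.com"}

# Constructed sample trail: one Terraform-provisioned service user, then a
# console-created user that receives AdministratorAccess and a static key.
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-06T10:00:01Z", "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/TerraformApply/gha-run-8812"},
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.5",  # constructed value
     "requestParameters": {"userName": "svc-billing-export"}},
    {"eventTime": "2024-05-06T10:00:02Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/TerraformApply/gha-run-8812"},
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.5",
     "requestParameters": {"userName": "svc-billing-export",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2024-05-06T23:41:10Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jane.admin"},
     "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "backup-ops"}},
    {"eventTime": "2024-05-06T23:41:35Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jane.admin"},
     "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "backup-ops", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2024-05-06T23:42:02Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jane.admin"},
     "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "backup-ops"}},
]


def is_iac_identity(identity):
    """True when the caller is an allowlisted IaC role session, or CloudFormation
    acting on the account's behalf. Deliberately ignores userAgent: it is
    client-chosen and an attacker can make it read like Terraform."""
    if identity.get("invokedBy") in IAC_INVOKED_BY:
        return True
    return identity.get("arn", "").startswith(IAC_SESSION_PREFIXES)


def detect_backdoor_iam_users(records):
    """Flag IAM users created outside IaC; severity rises to high when the same
    user also receives AdministratorAccess or a static access key."""
    by_user = defaultdict(list)
    for rec in records:
        target = rec.get("requestParameters", {}).get("userName")
        if target:
            by_user[target].append(rec)

    findings = []
    for user, events in by_user.items():
        creates = [e for e in events if e["eventName"] == "CreateUser"]
        if not creates or all(is_iac_identity(e["userIdentity"]) for e in creates):
            continue  # no creation seen, or created by the provisioning pipeline
        admin = any(e["eventName"] == "AttachUserPolicy"
                    and e["requestParameters"].get("policyArn") == ADMIN_POLICY_ARN
                    for e in events)
        static_key = any(e["eventName"] == "CreateAccessKey" for e in events)
        findings.append({
            "user": user,
            "created_by": creates[0]["userIdentity"]["arn"],
            "created_at": creates[0]["eventTime"],
            "admin_policy": admin,
            "static_key": static_key,
            "severity": "high" if (admin or static_key) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_backdoor_iam_users(SAMPLE_TRAIL):
        print(finding)
```

On the sample trail `svc-billing-export` is skipped because its `CreateUser` came from the `TerraformApply` session, while `backup-ops` produces a single high-severity finding naming `jane.admin` as the creator. The allowlist is a noise-reduction exclusion, not a trust boundary: if the pipeline role itself is compromised this rule goes quiet, so a companion detection on who may assume that role (and from where) belongs in the same detection set.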
Integrations That Power Custom Detections
Custom detections can be built on any data source Zaun ingests. Common sources include:
| Integration | Use Case Examples |
|---|---|
| AWS CloudTrail | IAM changes, resource deployment, API abuse |
| GCP Audit Logs | Service account activity, resource changes |
| Azure Activity Log | Resource operations, RBAC changes |
| Okta System Log | Auth anomalies, privilege changes, MFA bypass |
| Entra ID Audit Logs | Conditional access changes, app registrations |
| Google Workspace Admin | Drive sharing, user provisioning, OAuth grants |
| CrowdStrike Falcon | Process execution, DNS, file writes |
| SentinelOne | Endpoint telemetry, storyline analysis |
| Slack Audit Logs | App installs, channel changes, file sharing |
| GitHub Audit Log | Repository access, secret scanning, webhook changes |
| Datadog | Application metrics, APM traces, log patterns |
| Workday / BambooHR | HR events for access lifecycle correlation |
Delivery Cadence
Your FDSE delivers new detections on a weekly cadence:
- Week 1: Initial detection set based on discovery findings
- Ongoing: New detections shipped weekly based on emerging threats, environment changes, and coverage gaps
- On-demand: Rapid detection development in response to incidents or new threat intelligence
Working With Your FDSE
Custom detection development is collaborative:
- Slack channel: Direct access to your FDSE for questions and requests
- Weekly syncs: Review new detections, tune existing ones, discuss coverage priorities
- Detection requests: Submit specific detection ideas and your FDSE will scope and build them
- Incident response: Your FDSE can rapidly build detections in response to active incidents
Next Steps
- Getting Started - Begin your onboarding
- Platform Overview - Understand the Zaun architecture
- Integrations - Connect the data sources that power your detections