Detection engineering · for enterprise security teams

Know what you're not detecting.

Detection coverage your CISO can put on a board slide.

Dectyl ingests the SIEM rules you already own, maps them against MITRE ATT&CK, and surfaces the coverage gaps that actually move risk. Read-only. No rip-and-replace.

100+ PiB per day operated at scale
3,460 community rules pre-seeded
SIEM-agnostic: Splunk · Sentinel · Chronicle
Read-only: never writes to your stack

01 — What it does

The detection engineering team you can't hire.

Coverage intelligence

Every SIEM rule you own, normalized to Sigma and mapped against MITRE ATT&CK. Coverage by technique, by tactic, by KEV-active exploit — quantified, not guessed.

AI rule proposals

Where your coverage falls short, Dectyl proposes new rules with reasoning, false-positive risk, and ATT&CK mapping. Every proposal routes through human review — nothing auto-deploys.

CISO-ready reporting

Monthly coverage report built for the audit committee, not the SOC. Posture, deltas, KEV exposure, recommended actions — language a non-technical board can read.

Compliance attestation

Audit-grade evidence of detection coverage mapped to SOX, PCI-DSS, and NIST CSF controls. Every review decision logged. Every change versioned. Exportable to your GRC platform.

02 — How it works

Sits on top of the SIEM you already own.

No migration. No log data leaves your environment. Dectyl reads your rules — never logs, never alerts.

  1. Connect read-only
     Splunk REST token, Sentinel app registration, or Chronicle API key. Five minutes. Credentials encrypted at rest, never written back.
  2. Normalize & map
     Your rules converted to Sigma 2.0, mapped against ATT&CK techniques and tactics. Coverage scored per technique, weighted by KEV activity and detection confidence.
  3. Surface what matters
     Gaps prioritized by business impact, threat likelihood, telemetry readiness, and implementation effort. Not technical severity alone.
  4. Close the loop
     AI proposes rules. Your team reviews, edits, approves. Coverage updates. Monthly report ships to your CISO. Every decision audited.

Design partner program

Free 30-day coverage assessment.

We connect to your SIEM read-only, deliver a coverage report mapped against ATT&CK and CISA KEV, and walk your team through the gaps that matter. No commitment. No log data leaves your environment.

Open to FinServ and Tech security teams. Currently working with select design partners.