Detection
Identifying that an incident or anomaly has occurred.
Detection is the second phase of the NIST incident response lifecycle and the hinge of the whole response: you cannot act on what you never see, and dwell time (how long an attacker goes unnoticed) is often measured in weeks. Mean time to detect (MTTD) is a core SOC metric, and detection engineering builds repeatable, testable analytics tied to threat models rather than relying on ad-hoc rules.