DetectionHunter scores every detection from 0–100 across seven categories. Confidence scoring turns 'we have a rule' into 'we know the rule works, why it works, and how an analyst will respond'.
1. Is the required telemetry enabled, collected, and actually reaching the SIEM? Missing logs mean a blind detection, however good the rule.
2. Does the rule correctly identify the suspicious behaviour across realistic variations (different switch order, casing, paths, or tooling), not just the one command it was written against?
3. Did a safe validation command produce logs that match the expected signature end-to-end?
4. Does the alert carry the context an analyst needs: parent process, user, host, command line, hashes, and related activity?
5. How likely is the detection to fire on normal admin or business behaviour? A lower false-positive likelihood scores higher.
6. Is the detection mapped to the correct ATT&CK technique, sub-technique, and tactic?
7. Can an analyst triage the alert end-to-end with only the fields and notes provided?