Architecture.

The Detection System of Record operates as a governance layer within the enterprise security architecture — instrumenting detection health across execution systems, validation platforms, and infrastructure domains.

It does not execute detections. It defines how detection health is measured, traced, and improved across the continuous threat-to-detection operating loop.

The Modern Security Stack

Modern security operations rely on specialised domains:

  • Threat Intelligence — Context and adversary insight.
  • Detection Engineering — Authoring detection logic.
  • SIEM / EDR / NDR — Signal collection and alerting.
  • Validation — BAS and purple team verification.
  • Incident Management — Operational response and remediation.
  • Infrastructure & Telemetry — Data pipelines, agents, ingestion layers, and execution engines that enable detection signal generation.

Each domain optimises within its own scope. Infrastructure health underpins them all. No single domain governs detection health across the system as a whole.


The Missing Governance Layer

Detection health is often inferred from isolated metrics — alert volumes, validation results, or rule coverage — within individual tools.

Infrastructure reliability, execution stability, and validation outcomes are typically monitored separately, by different teams, using different measurements.

Without a governance layer operating across these domains, detection health cannot be persistently measured as a system capability.
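As an added illustration of this point (not code from the DSoR or its vendor), the record below joins one signal from each domain the page names for a single detection rule and derives one health status from the combination. The thresholds, field names and sample records are assumptions constructed for the example; the page defines no specific metrics.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds for this example only; the page prescribes none.
MAX_INGEST_LAG = timedelta(minutes=15)
MAX_VALIDATION_AGE = timedelta(days=30)

@dataclass
class DetectionRecord:
    rule_id: str
    technique: str                       # Threat Intelligence: behaviour the rule covers
    enabled: bool                        # Detection Engineering / SIEM: rule state
    source_last_seen: datetime           # Infrastructure & Telemetry: log-source heartbeat
    last_validation: Optional[datetime]  # Validation: last BAS / purple-team run
    validation_passed: bool              # Validation: outcome of that run
    true_positives: int                  # Incident Management: confirmed alerts
    false_positives: int                 # Incident Management: closed as benign

def detection_health(rec: DetectionRecord, now: datetime) -> tuple[str, list[str]]:
    """Combine per-domain signals into one status plus the findings behind it,
    so the status is traceable to the domain that degraded it."""
    findings: list[str] = []
    if not rec.enabled:
        findings.append("rule disabled")
    if now - rec.source_last_seen > MAX_INGEST_LAG:
        findings.append("telemetry source stale")
    if rec.last_validation is None or now - rec.last_validation > MAX_VALIDATION_AGE:
        findings.append("validation stale or missing")
    elif not rec.validation_passed:
        findings.append("last validation failed")
    fired = rec.true_positives + rec.false_positives
    if fired and rec.false_positives / fired > 0.9:
        findings.append("alert volume dominated by false positives")
    blocking = {"rule disabled", "telemetry source stale", "last validation failed"}
    if blocking & set(findings):
        return "unhealthy", findings
    return ("degraded", findings) if findings else ("healthy", findings)

# Constructed sample: the SIEM shows the rule enabled and the last validation
# passed, so each tool's own view is green, but the log source stopped reporting.
SAMPLE_NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE_OK = DetectionRecord("R-1", "T1059", True, SAMPLE_NOW - timedelta(minutes=2),
                            SAMPLE_NOW - timedelta(days=5), True, 3, 1)
SAMPLE_STALE = DetectionRecord("R-2", "T1059", True, SAMPLE_NOW - timedelta(hours=6),
                               SAMPLE_NOW - timedelta(days=5), True, 0, 0)

if __name__ == "__main__":
    for rec in (SAMPLE_OK, SAMPLE_STALE):
        print(rec.rule_id, *detection_health(rec, SAMPLE_NOW))
```

Only the combined view flags R-2 as unhealthy; the SIEM and validation views alone would report it as fine.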


Where the Detection System of Record Sits

The Detection System of Record operates at the architectural layer above security tooling domains.

It unifies threat intelligence, detection logic, incident outcomes, and validation results within a single operational model — governing detection health across tools rather than executing detections within them.

Security systems continue to execute their specialised functions. The DSoR provides persistent, system-level visibility and lifecycle traceability across them.

Figure: Detection System of Record architecture. The DSoR governance layer sits above the execution domains (Threat Intelligence, Detection Engineering, SIEM/EDR/NDR, Validation, Incident Management), with Infrastructure & Telemetry Health as the foundation.

Execution systems generate signals. Infrastructure determines whether those signals arrive complete and reliable.

The Detection System of Record governs detection health across both layers — instrumenting performance without replacing execution systems or underlying technology.


Governance Without Replacement

SIEM and EDR platforms continue to ingest data and execute detection logic. Validation platforms continue to simulate adversary behaviour. Infrastructure continues to transport and process telemetry.

The Detection System of Record does not replace these systems. It instruments and governs their combined impact on detection health — maintaining traceability, measurable health indicators, and cross-domain feedback loops.


Designed for Structured Security Operations

The DSoR is vendor-neutral and compatible with existing security investments. It operates as a persistent governance layer within the enterprise architecture — ensuring that detection effectiveness is measurable, traceable, and continuously improved.