Fred Wilmot and Sebastien Tricaud challenge traditional detection models by introducing a faster, behavior-based approach that continuously generates and validates detections tailored to real-world threats. If you’re tired of optimizing broken processes and want to hear how teams can actually stay ahead of adversaries, this conversation is for you.
Fred Wilmot, CEO and co-founder of Detecteam, and Sebastien Tricaud, CTO and co-founder, bring a candid and critical take on cybersecurity’s detection and response problem. Drawing on their collective experience—from roles at Splunk, Devo, and time spent in defense and offensive operations—they raise a core question: does any of the content, detections, or tooling security teams deploy actually work?
The Detecteam founders challenge the industry’s obsession with metrics like mean time to detect or respond, pointing out that these often measure operational efficiency—not true risk readiness. Instead, they propose a shift in thinking: stop optimizing broken processes and start creating better ones.
At the heart of their work is a new approach to detection engineering—one that continuously generates and validates detections based on actual behavior, environmental context, and adversary tactics. It’s about moving away from one-size-fits-all IOCs toward purpose-built, context-aware detections that evolve as threats do.
Sebastien highlights the absurdity of relying on static, signature-based detection in a world of dynamic threats. Adversaries constantly change tactics, yet detection rules often sit unchanged for months. The platform they’ve built breaks detection down into a testable, iterative process—closing the gap between intel, engineering, and operations. Teams no longer need to rely on hope or external content packs—they can build, test, and validate detections in minutes.
Fred explains the benefit in terms any CISO can understand: this isn’t just detection—it’s readiness. If a team can build a working detection in under 15 minutes, they beat the average breakout time of many attackers. That’s a tangible advantage, especially when operating with limited personnel.
This conversation isn’t about a silver bullet or more noise—it’s about clarity. What’s working? What’s not? And how do you know? For organizations seeking real impact in their security operations—not just activity—this episode explores a path forward that’s faster, smarter, and grounded in reality.
Learn more about Detecteam: https://itspm.ag/detecteam-21686
Note: This story contains promotional content.
Guests:
Fred Wilmot, Co-Founder & CEO, Detecteam | https://www.linkedin.com/in/fredwilmot/
Sebastien Tricaud, Co-Founder & CTO, Detecteam | https://www.linkedin.com/in/tricaud/
Resources
Learn more and catch more stories from Detecteam: https://www.itspmagazine.com/directory/detecteam
Webinar: Rethink, Don’t Just Optimize: A New Philosophy for Intelligent Detection and Response — An ITSPmagazine Webinar with Detecteam | https://www.crowdcast.io/c/rethink-dont-just-optimize-a-new-philosophy-for-intelligent-detection-and-response-an-itspmagazine-webinar-with-detecteam-314ca046e634
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25
______________________
Fixing the Detection Disconnect and Rethinking Detection: From Static Rules to Living Signals | A Brand Story with Fred Wilmot from Detecteam | An On Location RSAC Conference 2025 Brand Story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
[00:00:00] Sean Martin: Fred, you make me smile, my friend. Do my best. Good to see you. Good to see you too. We are in San Francisco, like our annual time to meet up. I don't think, we don't have much time in between to connect, but uh, I cherish these moments to see you here. For sure. So, and you've been, uh, you've been busy. Super busy. It's been busy.
That's the other part of it, right? That's right. Everybody's busy, I think. Uh, hopefully it's a good sign. So obviously I know who you are, but the audience may not. You've been a part of a lot of things, but go ahead and give the folks a view of who Fred is and then we'll go discuss. Yeah.
[00:00:44] Fred Wilmot: Uh, currently I'm the CEO and co-founder of Detecteam. Um, things that you've measured in the past: uh, spent a lot of time building the enterprise security environment, uh, at Splunk. Uh, been a CISO a few times, uh, [00:01:00] released a security operations product at Devo. Uh, spent a lot of time doing security research around the boundaries of where those converge between Red Team and Blue Team.
Founded the Red Team Offensive Village at DEF CON, uh, really tied to the community. Um, loved the problem, love the mission.
[00:01:16] Sean Martin: Yep. Yeah. Community loves you too. You do so much. Sebastien?
[00:01:23] Sebastien Tricaud: Yeah. I'm co-founder and CTO of Detecteam and, uh, met Fred at, uh, Splunk in those old days, and then we worked together at, uh, and, uh, you know, kept in touch for quite some time and, uh, I'm a code problem solver. I always believe we can solve this from code, right.
[00:01:39] Sean Martin: Technology's there to help us for sure, I'm sure. And both of you have been at the forefront of a lot of the innovations in incident management and response and data management for security and security analytics, and you name it. Right.
And what are you up to now? What's Detecteam [00:02:00] all about?
[00:02:01] Fred Wilmot: We were in that process, right? And we've probably committed a lot of the sins we're trying to, uh, atone for now. In that process, we spent a lot of time with customers and in the various fights, uh, having a discussion about how do we understand if any of the content we make actually matters?
Do any of these detections work? Does any of this stuff that we sell to people, in any of the worlds we've been in, make any difference? Does it buy down risk in any way, shape or form? So we spent a bunch of time with the 16th Air Force helping cyber weapons operators understand how to find adversaries and ways to train like you fight.
And from that, uh, was born this cool thing that we worked on that has grown steadily over the years to really be something we think is impactful and innovative for the market, 'cause it moves the market from being, uh, static, rules-based, expert-driven detection, uh, [00:03:00] detections written sort of, uh, in spreadsheets, to this autonomous, continuous detection generation and validation that changes the game from a daily conversation, uh, now, to what's historically been known as a monthly sort of attribution problem of getting high quality detections into production with experts that are basically an endangered species and, uh, processes that are, you know, spreadsheets and, you know, notes on the wall, if you will.
[00:03:31] Sean Martin: Alright, so what I'm hearing is we've created a bunch of tech debt.
[00:03:38] Fred Wilmot: Yeah. We've got a lot of red in our ledger we're trying to wipe out, to steal a little phrase, turn a phrase from Marvel.
[00:03:45] Sean Martin: There you go. So I had a, uh, a chat with Allie Mellen from Forrester, and she did a blog.
I think I did some research around it as well, around the number of incidents: is a low number good? Is a high number [00:04:00] good? Are there too many? Are there too few? How do you arrive at that number? What are you seeing, not seeing? How does what's in the incident help you do something about what's happening?
How much context is there? So what I'd like your thoughts on is kind of that big picture of the state of incidents and the detection alerts and all that stuff that we do.
[00:04:24] Fred Wilmot: So we're rounding the corner on optimizing a broken problem here. Um, there are metrics that illustrate various capabilities looking backwards to say, oh, yep, these particular types of techniques or tactics were utilized by this adversary that compromised this environment.
And, uh, you know, we're pretty fond of saying security is really not retroactive. But the challenge is that that's what the industry has built. Um, and that's also what people understand how to measure. So when we talk [00:05:00] about mean time to detect, or dwell time, or mean time to respond, those are thrilling from the standpoint of looking at the operational capability of a team.
But it has very little to do with whether or not you're prepared for an adversary. Right. So, the other parts of that, right? Even if you walk down the show floor, there's a lot of really great ways now to look at mitigating false positives as much as possible. How do you make a better true positive? How do you get quality, accuracy, coverage of actual threat behavior into the conversation? That's where you come in.
[00:05:38] Sebastien Tricaud: Absolutely. I mean, when you look at organizations today, they all have teams and security tools, and yet they're being breached by the latest thing that happens. And the reason for that is most of the detections in place are about, uh, IOCs, the hash and file name, and very little to do with behavior and, [00:06:00] and the traversal of the network and all that stuff.
All of it. All of it. So you end up looking for a hash or a file name. I mean, alright, sure, I can rename it to whatever, and, uh, it would bypass most of the detections too.
[00:06:17] Fred Wilmot: There's a real challenge also in that there's a massive amount of detections in the universe today, and no one knows whether they're good or bad.
So when you don't have a team of 20 lions, right, you'll get a couple of folks that go get everything they can get their hands on, from open source to the vendor's detections, and you hit the "I believe" button and, you know, wait and see what happens, right? You bend your wrist to somebody that doesn't understand your environment, right? Hasn't been fighting adversaries for a long time, right? Which is that expertise component, and really doesn't know how your network works or breathes. It's an organism like everything else, and doesn't account for drift. So if vendors that write detections or service providers write detections and they [00:07:00] write those once a year, what does an engineering team do, right?
That's their tradecraft. So, you know, we look at this and go, there's a more interesting story to tell about what matters at the time. So imagine that instead of being concerned about sort of post-exploitation activity and my team's ability to respond, my tools and the tool chain, I'm really primarily focused on how do I meet, with symmetry, the adversary's behavior on an ongoing basis.
How do I account for the drift in my network? Well, we believe you do that by generating new detections based on all of the context of your environment. Mm-hmm. As regularly as possible, based on all the emerging threats and the historical context you have. So don't fight the problem of figuring out how to minimize, you know, your alert triage problem.
Make better detections that generate better [00:08:00] alerts and stand by the quality.
[00:08:02] Sean Martin: So, I hate to use this, but I'm hearing shift left on incident response. Yeah. Um, sure. To where you don't wait for, necessarily, the full picture and then try to figure out tracing back to the root and blocking it and then recovering and getting everything back together.
I'm hearing look for some indicators, wherever they are, and then shore up the... of the detections. Yeah. So to eliminate or block lateral movement or other...
[00:08:40] Fred Wilmot: That's it. Yes. So there's this notion of, uh, instead of waiting for it to happen, basically. Exactly. And even if, right. So shift left even can happen after something's happened.
Right. So the breakout time, if you asked or read, uh, the CrowdStrike threat report, would be 49 minutes. Right? Five years ago it was nine hours. So it [00:09:00] means nuts, but, uh, 49 minutes. And that's between, uh, a compromised environment, a host, right, and lateral movement and expansion there. So staging and all the other things that happen, right?
So imagine that you've got 49 minutes from the first thing that you see. Okay? So if we measure that in time, and we say, and this is even without the proactive shift-left metrics, right? We would say, cool. So if I understand the implication of that and I can build and test and validate and deploy detections that cover that environment in 15 minutes. Mm-hmm. I've beaten the breakout time. So we talk about preventive controls, right? And that's awesome. But it's a combination. The future isn't like static preventive controls, static detection, static anything. It's autonomous behavior. And so in our case, that's the, let's move a little further left and say, you know, we don't need all the IOCs.
That's okay. It's relative and it's valuable. When they get [00:10:00] there and they're accurate and, you know, they're pretty prone to false positives. Uh, it's how does the behavior work, the way that we build scenarios, behavior of, so for example, users, machines, apps, all the above. All the above, okay.
And the adversary. So if you said, right, now somebody is attacking a certain set of things and okay, we've got some finished national intelligence, I know exactly what to do, then we'll quickly translate that into a scenario. Generate a bunch of data, generate a bunch of detections, no problem. That's easy. Right.
15 minutes, done. If we look at things like there's emerging threats where there's not a lot of that information, but you know what? You have some ideas, this behavior, these tactics, you can cover all of those things proactively before you worry about whether or not this specific thing matters. And if you talk to folks that spend time in this fight, um, even the same adversary in five or six different campaigns uses different tactics.
So imagine a world where you [00:11:00] can assemble all those blocks and say, we'll cover all those tactics for you. This is what this adversary might use. And you test for all the things. Yep. So instead of, you know, trying to get the one thing right, where you get a positive detection for this one thing when it possibly hits, let's go see what the entire ecosystem does when we give you all the things and refine, close the loop, test, validate, and implement.
And again, this is like minutes, hours, to weeks and months.
[00:11:29] Sean Martin: Now, is this, uh, I might get this wrong, but I'm gonna go for it anyway. Like implementing a program on MITRE, on steroids.
[00:11:41] Fred Wilmot: So when we think about this, it's probably, you could think about this in a simple set of terms. Okay.
Right. Let me apply all the detection, uh, expertise to GitHub plus a content sharing construct like, uh, Spotify. Right. [00:12:00] So if, uh, if we were making a mixtape, right, we would be on the mixtape, right. As this, right, right.
[00:12:08] Sean Martin: Community driven, engineering driven. Absolutely. Research driven. All the above.
What's that? This is our DNA. Right there. Yeah, exactly. Exactly. So, uh, so where are you? What have you built? What do you have in pilot? What do you have running? What do you see?
[00:12:31] Fred Wilmot: So we have a, we have a fully fledged project, uh, with customers and, uh, this exciting partnership we have with Devo has opened up, uh, the floodgates, um, which has been super exciting for us.
And the part that we're also excited about is seeing so many different types of protection problem spaces and environments; it just continues to build, you know, an understanding of the benefit. [00:13:00] And primarily what's been exciting is we haven't talked to anybody who's like, that's a bad idea, we don't need that.
So if you looked at a target mass, we'd say, well, a hundred percent on target, right? With the folks we've talked to, and RSA has been cool to validate that. And also hear other things, the way that people are dealing with, I thought, you know, you always think, being a former CISO or whatever, you have your own way of doing stuff, but when you start hearing some of the other ways people talk about what they're doing, it's mystifying to me how those folks can basically stand up and talk about risk, and it's what they're forced to do.
So we love the idea of just raising the bar here and making this much more approachable, not just for the, you know, let's call it the wealthy class of, you know, high talented, high caliber engineers. Those guys don't need a lot of help, right? But everyone else does.
[00:13:59] Sean Martin: [00:14:00] So how and where does this fit in?
So you have your detection, you have your... you have your SOC, you have your SIEM, you have your AppSec stuff. Yeah. So where do you fit into this picture? Who's sitting in front of what, who's validating what in the environment?
[00:14:24] Sebastien Tricaud: So a lot of it is, uh, automatic with the platform. And, uh, this is why we break down detection as a process.
'Cause when you look at how detection engineers would build their detection, they have data. They write a search, whatever the, the SIEM, the XDR platform they're operating. And then from that they try to find out if it's working based on the feedback they have, but there is no way today as a detection engineer to create the data footprint the attack is making.
So the detection can then be tailored [00:15:00] exactly to that. So not only do you have the correct detection as a result from those behaviors, but also you have a way to continuously validate that this detection is working, right? Over time.
[00:15:14] Fred Wilmot: So when you look at, pretty positive, yeah. When you look at an org, not false positive, you got, this is, that is the thing, right?
Yeah. When you look at an org, they've got, you know, a CTI team, that's threat intel. You got a red team, you got security engineers, you got SOC analysts, right? Typical, you know, set of components here. Somehow you gotta operationalize intelligence, right? So you gotta take this team and, you know, I carry, I know the requirements.
I'm a people person, right? You gotta take the requirements over here, a STIX object or something, and some way to share. And then a detection engineer's gotta decide, how do I decipher the hieroglyphics and turn that into something that has the language of the SIEM or whatever the thing is in 49 minutes. In 49 minutes.
Right. Or less if your life is free, right. And the biggest challenge they have then is like, okay, I need to operationalize [00:16:00] that for a SOC. Then we get into all of the other metrics, right? SOC engineering is measured, right, but not all the other pieces. So as an analyst responds to, you know, a less credible alert, right?
We've hyperfocused on that, right? Everybody talks about the cyber burnout. Uh, for me it's a culture problem higher up the food chain. I think cyber burnout, cool, right? For SOC analysts, that's not our... that's a real problem, but that's not the real problem, right? It's we're forcing people to deal with things that we can machine-problem-space solve, right, well before that.
[00:16:36] Sean Martin: So this ties those pieces together. I love it. So I'm gonna ask this question. I ask it often on my podcast of CISOs and security leaders, where I have a dream, that security people hear this all the time. I have a dream that security has so much information, perhaps now even more in a different way, presented in a different way [00:17:00] with additional context.
But I think we have the information to not just take an existing environment and be better at prevention, detection, and response, but also, here's what the environment looks like and here's where the exposure is. And to your point on burnout, if we can change these one, two or three things, you're gonna save your team's mind, right?
'Cause you're not gonna be finding as many issues. And the example I give is probably the lame one, but if you, if you don't use this tech, you're gonna knock out a hundred patches a month, right? And that team's not gonna be worried about patches. And oh, by the way, they're not gonna be worried about the false positives and the detections that come with all that too, just because you fixed this one app.
For this one system or this one protocol or whatever it is. So I'd like your thoughts on that. More pointedly, the information you're providing to give this that [00:18:00] extra boost to achieve that.
[00:18:01] Fred Wilmot: So we think there's a really positive correlation from testing and validation into understanding what risk actually is.
Mm-hmm. Right? And historically, everybody's, you know, a hundred thousand vulnerabilities, uh-huh. How many of those are gonna kill you? Right. How many of those do you not have preventive controls for? How many of those do you not have an understanding of from your detection perspective, detection machine? Okay, well those are the things to focus on.
And then the higher order bit: what's the actual business? This problem here that we're solving, your business risk is what, and how is your application field working? The tools that are available today, let alone the tools that are gonna be available in six months, can help you really fine-grain focus down to that nuance, what is nuance of a very difficult problem to solve, and get coverage all around it regardless of whether or not you can defend it.
And I think that is a very new set of behavior and capabilities. We're using that [00:19:00] today. We'll be using an awful lot more of that as we continue to refine it. Yep. Uh, and what becomes powerful there is you don't have to go back to the source tree to remedy a vulnerability in that particular case.
Solve this in a number of other ways that can make that preventive control active, you know, faster. So there's a world very close to us that allows a fleet of folks to be able to make decisions. Agents sitting next to analysts doing the work that allows us to use this sort of a swarm approach to all of these problem spaces in a much faster time to mention.
[00:19:36] Sebastien Tricaud: So that's even proactive. You want to know ahead of time. Yeah, exactly. I mean, everybody dreams about that, but when you have the attack data as we have, we can just be proactive and find out, alright, how much work do we need to do here? Or you wait until that thing hits you, but we know what there is.
[00:19:52] Sean Martin: Well, you know, I love this space. I spent many years in it myself. Indeed. You [00:20:00] did. We did together. That's right. Together. But, uh, yeah, I'm super excited for you and your customers, uh, as they take this on and get ahead of that curve and think differently about how we, uh, approach detection and response. Um, I'm excited.
And you know what else? I'm excited for the webinar we have lined up. That's right. We're gonna get in and get into some of the nitty gritty and talk some more use cases and, uh, we're gonna have some fun on that. Hyper... That's right. Some details on hyperbole.
[00:20:32] Fred Wilmot: Yep. Yeah. So yeah. Excited. Yep. Always love it.
Um, always, back in the days when, you know, when we were doing this at a, at a vendor in Pacific, the big yellow one. Yeah, that's right. That's right.
[00:20:48] Sean Martin: Yeah. The good old days that have left us with a bunch of tech debt. It's time to get out from above. So, Bob, super happy for you guys and thanks for [00:21:00] taking the time to share with us here at RSA Conference.
And, uh, stay tuned for our webinar. Connect with Fred, Sebastien, detecteam.com. I think it's dot com. Got it. Alright, there we go. And, uh, itspmagazine.com/directory/detecteam. We'll find the webinar that we have scheduled, so please do register for that and, uh, we'll sign up. So thanks everybody. Thank you guys.
[00:21:27] Fred Wilmot: Thanks for having us. For having us. The dog agrees. Yes.