SOT

SOT

SOAR
Security Orchestration, Automation and Response

Automation of response to information security incidents using dynamic playbooks and information security tools, building an attack chain and with an object-oriented approach

NG SOAR
Next Generation SOAR

Automation of response to information security incidents with built-in basic correlation (SIEM), vulnerability Scanner (VS), collection of raw events directly from information security tools, dynamic playbooks, building an attack chain and an object-oriented approach. AM and VM are included

AM
Asset Management

Description of the IT landscape, detection of new objects on the network, categorization of assets, inventory, life cycle management of equipment and software on automated workstations and servers of organizations

VS
Vulnerability Scanner

Scanning information assets with enrichment from any external services (additional scanners, The Data Security Threats Database and other analytical databases) to analyze the security of the infrastructure.

VM
Vulnerability Management

Building a process for detecting and eliminating technical vulnerabilities, collecting information from existing security scanners, update management platforms, expert external services and other solutions

FinCERT
Financial Computer Emergency Response Team

Bilateral interaction with the Central Bank, namely the transfer of information about incidents and receipt of prompt notifications/bulletins from the regulator

GovCERT
Government Computer Emergency Response Team

Bilateral interaction with the state coordination center for computer incidents, namely the transfer of information about incidents and receipt of prompt notifications/bulletins from the regulator

Mail us to sales@securityvision.ru or get demo presentation

SDA

SDA

TIP
Threat Intelligence Platform

Cybersecurity threat data collection, analysis, enrichment, infrastructure detection, investigation and response.

UEBA
User and Entity Behavior Analytics

Building behavior models and detecting deviations from them using several dozen built-in static analysis rules.

AD + ML
User and Entity Behavior Analysis

Dynamic behavioral analysis to search for anomalies using machine learning and to search for possible incidents.

Mail us to sales@securityvision.ru or get demo presentation

GRC

GRC

RM
Risk Management

Formation of a register of risks, threats, protection measures and other control parameters, assessment using the chosen methodology, formation of a list of additional measures to change the level of risk, control of execution, periodic reassessment.

ORM
Operational Risk Management

Accounting and recording of operational risk events, monitoring of key risk indicators and self-assessment/control

CM
Compliance Management

Audit of compliance with various methodologies and standards

BCM
Business Continuity Management

Automation of ensuring continuity and restoration of activities after emergencies.

OTS
Operational Technology Security

Operational Technology Security

Mail us to sales@securityvision.ru or get demo presentation

DEMO
presentation

SOT

Technology
SOAR

Security Orchestration, Automation and Response
NG SOAR

Next Generation SOAR
AM

Asset Management
VS

Vulnerability Scanner
VM

Vulnerability Management
FinCERT

Financial Computer Emergency Response Team
GovCERT

Government Computer Emergency Response Team

GRC

Processes
RM

Risk Management
ORM

Operational Risk Management
CM

Compliance Management
BCM

Business Continuity Management
OTS

Operational Technology Security

SDA

Analytics
TIP

Threat Intelligence Platform
UEBA

User and Entity Behavior Analytics
AD + ML

User and Entity Behavior Analysis

All products

SOT

Technology

SOAR

Security Orchestration, Automation and Response

NG SOAR

Next Generation SOAR

AM

Asset Management

VS

Vulnerability Scanner

VM

Vulnerability Management

FinCERT

Financial Computer Emergency Response Team

GovCERT

Government Computer Emergency Response Team

GRC

Processes

RM

Risk Management

ORM

Operational Risk Management

CM

Compliance Management

BCM

Business Continuity Management

OTS

Operational Technology Security

SDA

Analytics

TIP

Threat Intelligence Platform

UEBA

User and Entity Behavior Analytics

AD + ML

User and Entity Behavior Analysis
All products
Clients FAQ

Configuration-as-Code

Configuration-as-Code
28.11.2024

Alexey Peshik, Security Vision


Over the last decade, we have learnt that manual investigation and response processes are limiting us in terms of speed, which greatly affects our ability to handle the growing flow of incidents and threats. To help address this situation, IS professionals are beginning to adopt new approaches such as Everything as Code (EaC), which originated from software development practices.


One of the main problems of incident detection, Threat hunting and threat detection (TI) procedures is the high granularity of scripts and functions, the need for version control and change accounting. Therefore, information security engineers, in an effort to increase detection efficiency and improve the quality of work have adopted best practices from IT development and called this method Configuration-as-Code. Let's understand what it is.


What is detection-as-code?


Configuration-as-Code (or CI/CD in information security) is the division of processes and procedures into maximally atomic functions, which are handled in a code-like manner: they are separately stored, edited, versioned, tested, analysed for quality and subsequently used in completely different processes if necessary.


For example, the account audit procedure:

firstly, is broken down into many implementations and versions depending on the tools used;

Secondly, the same procedure is used in different processes: in incident management, in asset management and in any other processes as needed.

If different specialists need to adjust it, the same code will be edited and everyone will see each other's edits.




Similar to the Everything as Code (IaC) concept, Configuration-as-Code (CaC) uses a machine-readable file format and describes scalable data models that allow any infrastructure to be built, unconstrained by data volumes, types and structures.


An analogy can be drawn here with DevOps, which uses practices that help build large, complex pipelines from bricks and mortar. So, security management processes can also be decomposed, divided into atomic functions, repeatedly reusing clearly working cogs in a large well-coordinated mechanism.


Similar to the CI/CD workflow, the process of developing and implementing IS functions should include the following mandatory steps:


     1. identification of the logic behind suspicious or malicious behaviour;

     2. Reproducing (modelling) this behaviour in code. For example, if a process is launched from a non-standard parent - triggering;

     3. Writing various test cases to verify the functionality of the function;

     4. Incorporating the function into the version control system;

     5. Building, rolling it out into a prod, building a build;

    6. Continuous support, update (the IS feature support process works in a PDCA cycle of continuous update and support, for completely different cases of deviations, violations of correctness of operation).


These steps show that the Configuration-as-Code workflow should consider a procedure to improve the existing IS function repository. If necessary, for each function, it is possible to go back to the first step and roll out complex operations again through the test and rollout procedure.


The Detection-as-Code concept emerged from the need for automated, systematically repeatable and fixable approaches to security, which is its value. Threat detection had not previously been fully developed as a systematic regular discipline with effective automation and capture of results.


A threat detection method tailored to specific environments and systems has a more powerful effect. Using well-written detection code that can be tested and validated in a version control system allows engineers to create better alerts and reduce false positives, reducing burnout and eliminating unnecessary activity.


What are the benefits of Configuration-as-Code?




The benefits of Configuration-as-Code include:


     1. Creating your own flexible discovery tools using a programming language;

     2 Adopting a development through testing (TDD) approach;

     3. Integration with version control systems;

     4. Automation of workflows;

     5. Code reuse.


Writing discovery in a common, flexible and user-friendly language such as Python has many advantages.


Convenience and simplicity


Instead of using object-oriented languages with some set of constraints, you can create more customised and complex discovery methods to suit the specific needs of your infrastructure. These language rules are also often more readable and easier to understand, which can be critical as complexity increases.


Much has already been developed for you


An additional benefit of using a common language is access to a rich set of built-in or third-party libraries developed by other security professionals. For example, libraries for interacting with APIs greatly enhance detection and automation.


TDD


Quality assurance of detection code helps identify blind spots, check false positives, and improve detection efficiency. The TDD approach enables security teams to anticipate attackers‘ actions, document the insights gained, and build a library of analytics about attackers’ strategies and routes.


In addition, the TDD approach improves the quality of detection code by making it more modular, extensible, and flexible. Engineers can easily make changes to their code without fear of disrupting alerts or weakening infrastructure security.


Version control systems


When writing or changing discoveries in the form of code, version control allows experts to quickly revert to previous states in the event of errors. Version control can also provide necessary information for specific detections that trigger alerts or help identify changes to detections.


Detection methods must evolve as new data becomes available. Change control is an important process to help teams adjust discoveries as needed. An effective change control process improves documentation and validation of all changes.


Automate security processes


Information security engineers who were expecting a shift in automation will benefit from the integration of the CI/CD pipeline. Implementing it early in the delivery process helps achieve two goals:


Eliminating silos between teams that work on a common platform and test each other's code;


Providing automated testing and delivery systems to detect security breaches. Security teams retain flexibility by focusing on building accurate detection systems.


Re-using their work


Finally, Detection-as-Code promotes code reuse for a wide range of detections. As information security engineers write code for detection, they begin to identify non-obvious patterns and repeated repetitions of procedures. This decomposition provides an opportunity to optimise the process and reuse the code in similar cases in other detections.


Conclusion


Each infrastructure is unique and requires a customised approach to detection methods. The concept of Detection-as-Code (DaC) allows IS engineers to create customised rules, making regular improvements through code testing, managing versions through various software tools. The flexibility and robustness of programming languages can detect both simple and complex actions of attackers, while providing the necessary contextual enrichment. As part of this approach, experts even structure and normalise logs into a rigorous schema for executing SQL queries, which helps in the study of fault tolerance when processing large volumes of security event data.


Discovery as Code (DaC) is taking its rightful place alongside Infrastructure as Code (IaC) under the rapidly evolving concept of Everything as Code (EaC), where each layer of the stack is expressed through code.

Recommended

Autonomous approach to SOC: applying SRE lessons to Security Operation Center
Autonomous approach to SOC: applying SRE lessons to Security Operation Center

04.09.2025

Everything you wanted to know about web tokens, but were afraid to ask
Everything you wanted to know about web tokens, but were afraid to ask

07.11.2025

DMA attack and defense against it
DMA attack and defense against it

28.04.2025

The process of finding, analysing and assessing vulnerabilities
The process of finding, analysing and assessing vulnerabilities

13.01.2025

Browser fingerprint - what is it
Browser fingerprint - what is it

19.05.2025

Auto Compliance: Automation of asset compliance assessment for safety standards and requirements
Auto Compliance: Automation of asset compliance assessment for safety standards and requirements

24.07.2025

Cybersecurity incident response scenarios. Part 2: runbooks, playbooks, dynamic scripts
Cybersecurity incident response scenarios. Part 2: runbooks, playbooks, dynamic scripts

13.10.2025

Phishing - what is it, how to protect yourself from phishing attacks and emails. Part 1
Phishing - what is it, how to protect yourself from phishing attacks and emails. Part 1

02.06.2025

ITAM vs CMDB – adversaries or a team?
ITAM vs CMDB – adversaries or a team?

18.08.2025

What is obfuscation? Part 1
What is obfuscation? Part 1

09.02.2026

From asset chaos to service harmony
From asset chaos to service harmony

16.02.2026

Education in IS. Expectation vs Reality
Education in IS. Expectation vs Reality

19.09.2024

Recommended

Autonomous approach to SOC: applying SRE lessons to Security Operation Center

04.09.2025

Autonomous approach to SOC: applying SRE lessons to Security Operation Center
Everything you wanted to know about web tokens, but were afraid to ask

07.11.2025

Everything you wanted to know about web tokens, but were afraid to ask
DMA attack and defense against it

28.04.2025

DMA attack and defense against it
The process of finding, analysing and assessing vulnerabilities

13.01.2025

The process of finding, analysing and assessing vulnerabilities
Browser fingerprint - what is it

19.05.2025

Browser fingerprint - what is it
Auto Compliance: Automation of asset compliance assessment for safety standards and requirements

24.07.2025

Auto Compliance: Automation of asset compliance assessment for safety standards and requirements
Cybersecurity incident response scenarios. Part 2: runbooks, playbooks, dynamic scripts

13.10.2025

Cybersecurity incident response scenarios. Part 2: runbooks, playbooks, dynamic scripts
Phishing - what is it, how to protect yourself from phishing attacks and emails. Part 1

02.06.2025

Phishing - what is it, how to protect yourself from phishing attacks and emails. Part 1
ITAM vs CMDB – adversaries or a team?

18.08.2025

ITAM vs CMDB – adversaries or a team?
What is obfuscation? Part 1

09.02.2026

What is obfuscation? Part 1
From asset chaos to service harmony

16.02.2026

From asset chaos to service harmony
Education in IS. Expectation vs Reality

19.09.2024

Education in IS. Expectation vs Reality

Other articles

Cybersecurity – how to protect yourself from the threats of the digital world
Cybersecurity – how to protect yourself from the threats of the digital world

16.06.2025

Auto Compliance: Automation of asset compliance assessment for safety standards and requirements
Auto Compliance: Automation of asset compliance assessment for safety standards and requirements

24.07.2025

Bad advice on automation
Bad advice on automation

31.07.2025

Deep Packet Inspection (DPI) - what is it?
Deep Packet Inspection (DPI) - what is it?

05.05.2025

Incident management and orchestration of various SPIs. NG SOAR Review
Incident management and orchestration of various SPIs. NG SOAR Review

01.10.2025

Vulnerability search methods and types of scanners
Vulnerability search methods and types of scanners

20.01.2025

Mathematical risk modelling: shamanism or cybernetics?
Mathematical risk modelling: shamanism or cybernetics?

26.12.2024

Browser fingerprint - what is it
Browser fingerprint - what is it

19.05.2025

What is Internet fraud (scam), what to be wary of and how to protect yourself
What is Internet fraud (scam), what to be wary of and how to protect yourself

25.08.2025

Other articles

Cybersecurity – how to protect yourself from the threats of the digital world

16.06.2025

Cybersecurity – how to protect yourself from the threats of the digital world
Auto Compliance: Automation of asset compliance assessment for safety standards and requirements

24.07.2025

Auto Compliance: Automation of asset compliance assessment for safety standards and requirements
Bad advice on automation

31.07.2025

Bad advice on automation
Deep Packet Inspection (DPI) - what is it?

05.05.2025

Deep Packet Inspection (DPI) - what is it?
Incident management and orchestration of various SPIs. NG SOAR Review

01.10.2025

Incident management and orchestration of various SPIs. NG SOAR Review
Vulnerability search methods and types of scanners

20.01.2025

Vulnerability search methods and types of scanners
Mathematical risk modelling: shamanism or cybernetics?

26.12.2024

Mathematical risk modelling: shamanism or cybernetics?
Browser fingerprint - what is it

19.05.2025

Browser fingerprint - what is it
What is Internet fraud (scam), what to be wary of and how to protect yourself

25.08.2025

What is Internet fraud (scam), what to be wary of and how to protect yourself

This website uses cookies to ensure you get the best experience.