Same Mat, Same Curriculum

fun·da·men·tals /ˌfəndəˈmen(t)əlz/ n. pl. The core techniques, positions, and transitions that every practitioner trains, regardless of rank. In jiu-jitsu: guard retention, passing, escapes, submissions from dominant position. In detection engineering: threat research, rule authoring, tuning, validation, measurement, iteration. The difference between white belt and black belt isn't the curriculum. It's the precision.

Detection engineering is jiu-jitsu. The path from junior to principal isn't about learning secret techniques. It's about returning to the fundamentals until they become fast, calm, and nearly effortless.

The shared curriculum

In Brazilian jiu-jitsu, a white belt and a black belt train the same positions. Closed guard. Side control. Mount. Back control. The white belt learns what these positions are. The black belt has been through them ten thousand times and operates from each one with economy, timing, and intent.

The black belt isn't doing different jiu-jitsu. They're doing the same jiu-jitsu with less wasted motion. Detection engineering works the same way.

The senior engineer isn't doing different work. They're doing the same work faster, cleaner, and with better judgment about where to spend effort.

The curriculum

  • Understand the threat before writing anything
  • Translate adversary behavior into detection logic
  • Author rules with clear intent and clean metadata
  • Tune against real telemetry, not assumptions
  • Validate: did the rule fire where it should?
  • Test under emulation: does coverage hold?
  • Measure signal quality, not just alert volume
  • Document assumptions, limitations, and gaps
  • Iterate. The lifecycle never ends

White belts write noisy detections

Walk into any jiu-jitsu academy and watch a new white belt roll. They don't know where to put their hands. They grip everything too hard, burn all their energy in the first minute, confuse movement with progress, and get submitted repeatedly by someone half their size who's barely trying.

None of this is failure. It's the cost of entry.

New detection engineers do the same thing. They rush into writing rules before understanding the threat. They overcomplicate logic because complexity feels like quality. They skip validation, treat every false positive like a personal failure, and optimize for cleverness over reliability.

The white belt confuses effort with effectiveness. So does the engineer with twelve draft rules open and none validated.

Specimen

Engineer opens an editor 10 minutes after reading a threat report headline...

    process where process.name : "*cobalt*"
    // TODO: check if this fires on anything
    // TODO: add MITRE mapping
    // TODO: what OS?

[No threat model. No telemetry check. No understanding of what the adversary actually does after initial access.]

no research · no context · technique in isolation

The Arm-Locker

Writes rules before understanding the threat. Skips research and goes straight to query logic like a white belt who learned one armbar from YouTube and tries it from every position. The technique exists in isolation. It doesn't connect to anything.

They heard "Cobalt Strike" in a meeting and started writing. No read on the campaign. No check on what telemetry exists. No understanding of the actual behavior chain. The rule might fire. It won't matter.

The Staller

Mistakes complexity for quality. Builds elaborate multi-condition queries that are brittle, unmaintainable, and impossible for anyone else to tune. Like the grappler who invents a seven-step sweep from an obscure position nobody plays. Impressive in theory. Unreliable under pressure.

If your rule requires a README to explain the query, the query is the problem.

Specimen

PR review comment from a teammate:

@reviewer: This query is 47 lines with 12 nested conditions and 3 optional sequences. Can you walk me through the logic?

@author: Yeah it covers all the edge cases I found during testing.

@reviewer: What happens when the adversary changes one variable?

@author: ...

[Rule breaks on the next campaign variant. No one else can tune it.]

brittle · unmaintainable · impressive to no one in production

Specimen

Sprint retro, 3 weeks in:

Lead: Where are we on the persistence detections?

Engineer: I have 6 rules drafted. Still working on getting the test environment set up.

Lead: Have any of them been validated?

Engineer: Not yet, but the logic looks solid.

[6 rules that "look solid" and zero that have been proven to fire on real behavior.]

never tested · lives in drafts · theoretical coverage

The Mat Avoider

Never validates against real telemetry. Rules exist in development branches and notebooks but never get tested under live conditions. Equivalent to drilling techniques but refusing to spar. You cannot know if your defense works until someone is actually trying to pass your guard.

Untested rules are not coverage. They are assumptions.

The Spaz

Treats every false positive like a catastrophe and every missed detection like a personal failure. Reacts emotionally to noise instead of diagnosing it. Burns energy thrashing between rewrites. In jiu-jitsu, this is the white belt who panics in bottom side control. They exhaust themselves fighting the position instead of working an escape.

A false positive is a signal, not a verdict. Diagnose before you rewrite.

Specimen

Slack thread, 8:47 AM:

Engineer: The lateral movement rule fired 200 times overnight. Disabling it.

Lead: Did you look at what triggered it?

Engineer: Some admin tool on the finance hosts. I'm rewriting the whole rule.

Lead: That sounds like an exception, not a rewrite.

Engineer: Already started the rewrite.

[Third rewrite this month. Same rule. Same class of FP.]

reactive · exhausting · no diagnosis

What senior practitioners actually do differently

Watch a black belt roll. The first thing you notice is how little they move. They conserve energy. They wait. When they act, it's precise. One grip, one angle change, one frame, and the position shifts entirely.

A principal detection engineer operates the same way. They read a threat report and immediately find the behavioral pivot, the one durable signal that survives across tooling variants. They validate quickly, document clearly, and ship with confidence because the process is internalized.

“The difference isn't what they know. It's how little effort it takes them to apply what they know.”

On the mat

This is called "mat time." There's no substitute. You can't read your way to a black belt. You have to get choked, get your guard passed, get flattened from mount, and work your way out. Hundreds of times. Until the response becomes reflexive.

At the keyboard

The equivalent is reps through the lifecycle. Ship rules that are noisy and learn to tune them. Miss threats and trace back what the telemetry was telling you. Build something brittle and learn why inclusive logic with managed exceptions beats exclusionary logic.
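The "exception, not a rewrite" point from the Slack specimen and the inclusive-logic claim above, as an added Python example (not the article's own code): one stable rule, a scoped and expiring exception list, and the brittle rewrite beside it. Hosts, users, the tool list and the ticket id are constructed.

```python
"""Added example (not the article's code): an inclusive lateral-movement rule,
a scoped expiring exception for the finance admin tool, and the brittle rewrite."""
from dataclasses import dataclass
from datetime import date

REMOTE_EXEC_TOOLS = {"psexesvc.exe", "paexec.exe"}  # constructed service-binary list

@dataclass(frozen=True)
class Event:  # one constructed process-creation record
    host: str
    host_group: str
    process: str
    parent: str
    user: str

@dataclass(frozen=True)
class TuningException:  # narrowly scoped, ticketed, and expiring
    host_group: str
    process: str
    user: str
    ticket: str
    expires: date

def rule_matches(ev: Event) -> bool:
    """Inclusive logic: describe the behaviour, not the things to ignore."""
    return ev.parent == "services.exe" and ev.process in REMOTE_EXEC_TOOLS

def exception_applies(x: TuningException, ev: Event, today: date) -> bool:
    """Suppress only the exact scope, and only until the exception expires."""
    return (today <= x.expires and ev.host_group == x.host_group
            and ev.process == x.process and ev.user == x.user)

def evaluate(events, exceptions, today: date) -> list:
    """Rule plus managed exceptions: the query stays stable, context lives in the list."""
    return [ev for ev in events if rule_matches(ev)
            and not any(exception_applies(x, ev, today) for x in exceptions)]

def evaluate_exclusionary(events) -> list:
    """The rewrite from the thread: the negation is baked into the query itself."""
    return [ev for ev in events if rule_matches(ev) and ev.process != "paexec.exe"]

# Constructed overnight telemetry: the patching account, a different user on the
# same tool in finance, and a workstation hit. Managed exception keeps 2 alerts;
# the exclusionary rewrite keeps only 1 and silently loses the jdoe event.
EVENTS = [
    Event("FIN-SRV-01", "finance", "paexec.exe", "services.exe", "svc_fin_patch"),
    Event("FIN-SRV-02", "finance", "paexec.exe", "services.exe", "jdoe"),
    Event("WS-114", "workstations", "psexesvc.exe", "services.exe", "SYSTEM"),
]
EXCEPTIONS = [TuningException("finance", "paexec.exe", "svc_fin_patch",
                              "TUNE-0001", date(2025, 6, 30))]  # placeholder ticket
```

Once the exception expires, the suppressed event alerts again, which is the prompt to re-justify or retire it rather than let the exclusion live forever in the query.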

There's no shortcut. The painful reps are the curriculum.

A good team trains the same way

A serious academy has a curriculum. White belts and black belts train in the same room, often drilling the same technique. The white belt is learning the movement. The black belt is pressure-testing edge cases and teaching the room. Same technique. Different depth.

A healthy detection engineering team works the same way. The junior and the principal should be aligned on what good looks like. They should speak the same language and evaluate work against the same standards.

When a team doesn't have a shared curriculum, you get inconsistency. Rules that follow different conventions. Validation that happens sometimes. Knowledge that lives in one person's head instead of in the process.

Process discipline isn't bureaucracy. It's what scales individual excellence across a team.

Same playbook, different depth

  • Junior: Follows the process with guidance
  • Mid-level: Executes independently, identifies gaps
  • Senior: Designs the process, builds tooling, mentors

“Curriculum beats chaos. Repetition beats improvisation. Fundamentals create the conditions for mastery.”

Positions, pressure, and the rule lifecycle

Jiu-jitsu organizes around positions. Every position has attacks and defenses. Side control isn't "good" or "bad." It depends on whether you're on top or bottom, and what you do from there.

The detection rule lifecycle is positional too. Research is a position. Development is a position. Validation, tuning, measurement, improvement. Each one is a distinct state with its own objectives, risks, and transitions.

Positional discipline is what separates a rule that lasts from one that gets disabled in a week.

The 5% rule

Beginners fixate on submissions. The finish. But the submission is the last 5% of the work. The real skill is in the transitions: passing guard, advancing position, maintaining pressure.

Shipping a rule is the same. The query logic is the last 5%. The real work is the research, the telemetry check, the validation, the tuning, and the documentation that lets the next person maintain it.

Principles

Seven stages. One continuous loop. Every detection artifact follows this path, and the path always circles back.

The path from junior to principal in detection engineering isn't about escaping the fundamentals. It's about returning to them so many times that they become fast, calm, precise, and nearly effortless.

In jiu-jitsu, we call this "rolling with flow." The black belt isn't thinking about each grip, each angle, each transition. The positions connect. The defense becomes the attack. The whole game is the fundamentals, expressed fluently.

The same mat. The same curriculum. Different depth.

This piece reflects how I think about building detection engineering teams and the craft of threat research, as I'm currently on my own BJJ journey. If you work in either space and any of this resonated, I'd like to hear from you.