Tuning and Feedback

Improving detection as a byproduct of our triage and investigation process

Red Canary’s detection process relies on the scalability of big data and machine learning to amplify the intuition and innovation of Red Canary’s Threat Analysts. A critical part of this process is capturing analyst feedback on detection criteria during investigation.

The outcome: expanded and more accurate detection based on near real-time threat information.

Do I have to tune and develop detection criteria?

As one of our customers, you never have to tune or expand detection criteria. Our Threat Analysts and Detection team are responsible for maintaining our detection criteria. 

“There is a level of impact you can make with automation, but you’ll never get to the scale of a vendor who is seeing all different things in different customers’ environments. We would have had to hire more people or sacrifice quality. You can’t have it all—unless you partner with a solution like Red Canary.”

Lead Security Engineer, Enterprise Technology Provider

Two key ways analyst triage teaches the Red Canary Threat Detection Engine


When a Threat Analyst reviews a potential threat and determines it is a false positive, our engine records information about that specific incident and why it was nonthreatening. Going forward, events matching that exact criteria will no longer be surfaced for analyst review.

Threat Scoring

Historical information about the conversion rate of a specific piece of detection criteria is used to estimate the likelihood, severity, and prioritization of new potential threats.

This cuts the time from detection to response by ensuring our analysts are looking at the right events: the events most likely to be threats.
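The two feedback mechanisms described above (exact-match suppression of analyst-confirmed false positives, and per-detector conversion rates driving prioritization), as an added illustration that is not Red Canary's code. The detector names, event keys, dispositions and the Laplace smoothing of the conversion rate are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of past analyst dispositions (not Red Canary data).
# Record: (detector_id, event_key, disposition); event_key stands in for the
# exact criteria of one event, here (process name, parent or target process).
HISTORY = [
    ("office_spawns_shell", ("winword.exe", "cmd.exe"), "threat"),
    ("office_spawns_shell", ("excel.exe", "cmd.exe"), "false_positive"),
    ("lsass_access", ("procmon.exe", "lsass.exe"), "false_positive"),
    ("lsass_access", ("procmon.exe", "lsass.exe"), "false_positive"),
    ("lsass_access", ("unknown.exe", "lsass.exe"), "threat"),
    ("scheduled_task_creation", ("backup_agent.exe", "schtasks.exe"), "false_positive"),
    ("scheduled_task_creation", ("patcher.exe", "schtasks.exe"), "false_positive"),
    ("scheduled_task_creation", ("inventory.exe", "schtasks.exe"), "false_positive"),
]


def build_suppressions(history):
    """Exact (detector, event_key) pairs an analyst has already judged benign."""
    return {(d, key) for d, key, outcome in history if outcome == "false_positive"}


def conversion_rates(history):
    """Per-detector share of reviewed events confirmed as threats.
    Laplace smoothing (+1 / +2) keeps a detector with little history near 0.5
    rather than pinning it at 0 or 1 after a single review (an assumption here)."""
    threats, reviews = defaultdict(int), defaultdict(int)
    for d, _, outcome in history:
        reviews[d] += 1
        if outcome == "threat":
            threats[d] += 1
    return {d: (threats[d] + 1) / (reviews[d] + 2) for d in reviews}


def prioritize(events, history):
    """Drop suppressed events, then order the rest by estimated threat likelihood.
    Returns a list of (score, detector_id, event_key), highest score first."""
    suppressed = build_suppressions(history)
    rates = conversion_rates(history)
    scored = []
    for d, key in events:
        if (d, key) in suppressed:
            continue  # an analyst already closed this exact criteria as benign
        scored.append((rates.get(d, 0.5), d, key))  # unseen detector: prior 0.5
    scored.sort(key=lambda s: -s[0])
    return scored
```

A new event that repeats criteria already closed as benign never reaches the queue, while the remaining events are ordered by how often each detector has historically converted to a confirmed threat.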
