If I were to start testing my cloud detection...

I had an interesting 45-minute conversation with a security engineer from a "mostly cloud" company. We talked about how one would start a detection assessment program, mainly brainstorming ideas on what to test.
It was an impromptu chat, so I yapped for a couple of minutes and used the "spaghetti on the wall" strategy. I had a couple of hours afterwards to rethink what I would have said, and if you are reading this, man (unlikely, but whatever), I guess this is where I would start.
This post is mainly about ideas on what to test first, and less about the logistics of starting such a program.
Reports or Research
There are a bunch of reports and research publications by vendors, consultants, and many more. These publications draw on surveys, lessons learned from public incidents, etc. They can be a good place to start a discussion about where to begin testing detection; of course, the more specialized your organization is (in terms of its cloud architecture), the less relevant these reports will be. What you can also do is filter these publications by industry, to make them more relevant to your needs.
The latest Google Threat Horizons report (at the time this blog was posted) highlights a couple of common themes found throughout 2025, one of them being the importance of foundational security, which is also highlighted in their dashboard shown below.
One of the more prominent reports is by CSA, aptly named "CSA Top Threats to Cloud Computing". In the latest edition, CSA gathered information for the publication using a two-stage process of surveys and interviews. The first stage gathers an initial list of top threats through a survey and discussions that aim to be in-depth, while the second stage uses a broad audience of 500 security professionals to rank the results from the first stage.
The result is a list of top threats with a similar gist to Google's Threat Horizons, where "Misconfiguration and inadequate change control", "Identity and Access Management", and "Insecure interfaces and APIs", which are pretty basic, are highlighted as the top three threats.
CSA's publication goes into even more detail, mentioning some common variations of these threats, their impact (technical, operational, and business), some anecdotes (case examples) of the threats, and even related controls. All of this is very useful in a discussion of which detections we should test.
One more point for CSA is the amazing artwork used throughout the publication.
Security Benchmark and Guidelines
Security benchmarks and guidelines that are specifically crafted for cloud environments can be a very valuable inventory from which to start your discussion of detection assessment. Examples of these benchmarks and guidelines are the CSA Cloud Controls Matrix, the CIS Cloud Benchmarks, and some vendor-based ones, e.g. the AWS Well-Architected Framework or the Microsoft Azure Security Benchmark.
The heavy lifting in using these benchmarks is "processing" them so they can be used for detection assessment. Since these publications are meant to be benchmarks/guidelines, most of them are prescriptive. So the process will involve discussing at least these questions for each prescriptive item:
do we need a detection for that specific prescriptive item?
do we have a detection for that specific prescriptive item?
and does our detection for that prescriptive item actually work?
Nevertheless, these benchmarks, as with all the other sources I mention here, are invaluable for starting a discussion on detection assessment.
Threat Models or Threat Model Framework
The threat model framework that comes to mind is UCTM (the Universal Cloud Threat Model). They state that their goal is to highlight the top undifferentiated attack sequences — not every possible undifferentiated or differentiated sequence — claiming that the list covers the majority of attacks the majority of organizations will experience. It tries to be the Pareto principle of cloud attacks, and provides a list of the top cloud attack sequences.
Organizations will (commonly) base their defenses (i.e. detections) on their threat model. Starting from the threat models currently available in your organization is also a good place to start a discussion. A common problem is that a threat model will be scoped to a specific project or technology, so translating it into broader detections may present a bit of a challenge.
Based on that, threat models and frameworks are also an amazing place to start the discussion on detection assessment.
Threat Databases
Examples of threat databases are Wiz's Cloud Threat Landscape and Datadog's Cloud Security Atlas. These are collections of threats and vulnerabilities built specifically for cloud environments. Datadog's is a bit easier to filter and includes detection suggestions and how to reproduce each threat with Stratus Red Team, while Wiz's has more related incident anecdotes.
These databases might not be the best place to start, but they will surely contribute to your testing vocabulary, especially once you have run your detection assessment for several iterations. They will also be very useful for keeping your testing up to date with the newest vectors.
Conclusion
The most effective way to start a detection assessment is not to simply guess what to test, but to leverage a diverse range of authoritative sources.
By starting with high-level reports from organizations like CSA and Google to understand the most common attack themes, you can focus on the foundational security principles that apply to most organizations. These findings can then be cross-referenced with detailed prescriptive benchmarks from CIS and the cloud providers to identify specific, testable misconfigurations.
Finally, for a more nuanced and attacker-centric view, threat model frameworks like the Universal Cloud Threat Model (UCTM) and specialized threat databases can provide actionable "attack sequences" and up-to-date vectors, ensuring your detection program is both comprehensive and relevant to the current threat landscape. This layered approach turns a daunting task into a strategic, data-informed process, so that even a small team can have a significant impact on their organization's security posture.
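As an added illustration (not part of the original post, and not any vendor's tool) of the "processing" step from the benchmarks section and the cross-referencing described in this conclusion: the script below takes a constructed list of benchmark controls tagged by threat theme, applies the three questions (need / have / works) to each, and ranks the resulting gaps by how many reports name that theme as a top threat. All control IDs, titles, and report mappings are made-up sample data, not taken from CSA, CIS, Google, or any real benchmark.

```python
from collections import Counter

# Constructed sample benchmark controls, each tagged with the threat theme it addresses.
BENCHMARK_CONTROLS = [
    {"id": "IAM-1", "title": "Root account has MFA enabled", "theme": "IAM"},
    {"id": "IAM-2", "title": "No access keys older than 90 days", "theme": "IAM"},
    {"id": "LOG-1", "title": "Audit logging enabled in all regions", "theme": "Misconfiguration"},
    {"id": "STOR-1", "title": "Buckets block public access", "theme": "Misconfiguration"},
    {"id": "API-1", "title": "Management API restricted by network policy", "theme": "Insecure APIs"},
    {"id": "NET-1", "title": "Default VPC not used for workloads", "theme": "Network"},
]

# Constructed mapping: which high-level reports list each theme as a top threat.
REPORT_THEMES = {
    "CSA Top Threats": {"Misconfiguration", "IAM", "Insecure APIs"},
    "Google Threat Horizons": {"Misconfiguration", "IAM"},
}

# The three questions answered per control (constructed answers).
# need: do we need a detection?  have: do we have one?  works: did it fire when tested? (None = not tested yet)
ASSESSMENT = {
    "IAM-1": {"need": True, "have": True, "works": True},
    "IAM-2": {"need": True, "have": True, "works": False},
    "LOG-1": {"need": True, "have": False, "works": None},
    "STOR-1": {"need": True, "have": True, "works": None},
    "API-1": {"need": True, "have": False, "works": None},
    "NET-1": {"need": False, "have": False, "works": None},
}

# Lower number = more urgent to act on.
STATE_PRIORITY = {"gap": 0, "failing": 1, "untested": 2, "verified": 3, "not-needed": 4}

def classify(answers):
    """Collapse the three yes/no answers into a single assessment state."""
    if not answers["need"]:
        return "not-needed"
    if not answers["have"]:
        return "gap"
    if answers["works"] is None:
        return "untested"
    return "verified" if answers["works"] else "failing"

def theme_weight(theme):
    """How many reports name this theme as a top threat (used as a tie-breaker)."""
    return sum(theme in themes for themes in REPORT_THEMES.values())

def prioritize(controls=BENCHMARK_CONTROLS, assessment=ASSESSMENT):
    """Rank controls: worst state first, then most-cited theme, then control id."""
    rows = [(STATE_PRIORITY[classify(assessment[c["id"]])], -theme_weight(c["theme"]),
             c["id"], classify(assessment[c["id"]])) for c in controls]
    return [(cid, state) for _, _, cid, state in sorted(rows)]

def coverage_summary(controls=BENCHMARK_CONTROLS, assessment=ASSESSMENT):
    """Count controls per state, ignoring those that need no detection at all."""
    return Counter(classify(assessment[c["id"]]) for c in controls if assessment[c["id"]]["need"])
```

Running `prioritize()` puts the two gaps first, with the misconfiguration-themed one ahead of the API one because two reports name that theme; `coverage_summary()` gives the numbers you would put on a slide for the next iteration.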
Written by

Ewaldo Simon Hiras
I am a digital forensics and incident response professional with an interest in various topics of information security. I enjoy leisure running 🏃♂️ and PC games.