Detection Toolkit

Offline detection-rule testing that runs in a lab, with no SIEM attached. Validate Sigma rules today, and other rule formats later, with deterministic test workflows.

Status: Planning

Detection Toolkit is an offline framework for testing detection rules through deterministic stimulus–observation–assertion workflows: replay a known input (the stimulus), run the rule over it (the observation), and compare what fired against what the test expects (the assertion). The first milestone is Sigma rules over local JSONL logs; later milestones add Splunk, Zeek and Suricata collectors and PCAP replay. No SIEM is required at any stage.

Highlights

  • Declarative test definitions (YAML/JSON) executed by an orchestrator
  • Sigma + JSONL MVP with pass/fail assertions and checksums
  • Structured outputs (JSON/Markdown/JUnit) for audits and CI
  • Rust static binaries, TUI option, plugin-friendly architecture
  • Zero telemetry; reproducible runs with controlled seeds/timestamps

Usage

detection-toolkit run --tests ./examples/sigma-basic/ --format md --out results.md
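To make the stimulus–observation–assertion loop and the Sigma + JSONL milestone concrete, here is an added example written for this page. It is not Detection Toolkit code (the project is still in planning and targets Rust), and the test-definition schema (`stimulus` / `observation` / `assert` keys), the rule, and the log lines are all assumptions constructed for illustration. The Sigma rule is written as a Python dict with the same shape as its YAML form so the script needs only the standard library, and the matcher supports only a subset of Sigma: equality, `contains`, `startswith` and `endswith` modifiers, OR over list values, and conditions built from `and`, `or`, `not` and parentheses. Matching is case-insensitive, as the Sigma specification requires.

```python
import hashlib
import json
import xml.etree.ElementTree as ET

# Constructed sample JSONL corpus: one process-creation-style event per line.
# Line 2 should fire; line 3 is an encoded command launched by an allowlisted parent.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -enc SQBFAFgA"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\powershell.exe",
     "ParentImage": "C:\\Windows\\CCM\\ccmexec.exe", "CommandLine": "powershell -EncodedCommand SQBFAFgA"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": 443},
])

# Hypothetical Sigma rule, written as a dict mirroring the YAML structure.
RULE = {
    "title": "Encoded PowerShell command line",
    "detection": {
        "selection": {
            "EventID": 1,
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},
        "condition": "selection and not filter",
    },
}

# Hypothetical declarative test definition (the toolkit's real schema is not yet published).
TEST_DEF = {
    "name": "encoded-powershell-basic",
    "stimulus": {"jsonl": SAMPLE_JSONL},      # a real suite would point at a file path
    "observation": {"rule": RULE},
    "assert": {"match_lines": [2]},           # 1-based line numbers the rule must fire on
}


def _field_matches(event, key, expected):
    """Match one 'field|modifier' entry; list values are ORed; case-insensitive like Sigma."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = str(cand).lower()
        if modifier == "contains" and cand in actual:
            return True
        if modifier == "startswith" and actual.startswith(cand):
            return True
        if modifier == "endswith" and actual.endswith(cand):
            return True
        if modifier == "" and actual == cand:
            return True
    return False


def _selection_matches(event, selection):
    """All entries inside one selection map are ANDed."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def _eval_condition(condition, truth):
    """Tiny recursive-descent evaluator: names, and/or/not, parentheses. No eval()."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def expr():                       # expr := term ('or' term)*
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            value = term() or value
        return value

    def term():                       # term := factor ('and' factor)*
        nonlocal pos
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            value = factor() and value
        return value

    def factor():                     # factor := 'not' factor | '(' expr ')' | name
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            pos += 1                  # consume ')'
            return value
        return truth[tok]             # KeyError means the condition names an undefined selection

    result = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {condition!r}")
    return result


def run_rule(rule, jsonl_text):
    """Observation step: 1-based line numbers of events on which the rule fires."""
    det = rule["detection"]
    selections = {k: v for k, v in det.items() if k != "condition"}
    hits = []
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = json.loads(line)
        truth = {name: _selection_matches(event, sel) for name, sel in selections.items()}
        if _eval_condition(det["condition"], truth):
            hits.append(lineno)
    return hits


def run_test(test_def):
    """Stimulus -> observation -> assertion, plus a corpus checksum for reproducibility."""
    corpus = test_def["stimulus"]["jsonl"]
    hits = run_rule(test_def["observation"]["rule"], corpus)
    expected = test_def["assert"]["match_lines"]
    return {
        "name": test_def["name"],
        "passed": hits == expected,
        "expected": expected,
        "actual": hits,
        "corpus_sha256": hashlib.sha256(corpus.encode()).hexdigest(),
    }


def to_junit(results):
    """Render results as JUnit XML so a CI job can fail on a regressed rule."""
    suite = ET.Element("testsuite", name="detection-toolkit", tests=str(len(results)),
                       failures=str(sum(not r["passed"] for r in results)))
    for r in results:
        case = ET.SubElement(suite, "testcase", name=r["name"])
        if not r["passed"]:
            ET.SubElement(case, "failure", message=f"expected {r['expected']}, got {r['actual']}")
    return ET.tostring(suite, encoding="unicode")


if __name__ == "__main__":
    result = run_test(TEST_DEF)
    print(json.dumps(result, indent=2))
    print(to_junit([result]))
```

The checksum is what makes the run auditable: two runs over byte-identical input with the same rule must produce the same hits, so a changed `corpus_sha256` in a report explains a changed verdict before anyone blames the rule. The `filter` selection is the part worth copying into real tests: a rule that fires only on the positive line but is never checked against an allowlisted near-miss has not been tested for false positives.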

Key Features

Declarative Testing

Define test scenarios in YAML/JSON format for consistent and repeatable testing workflows.

Multiple Rule Types

Start with Sigma rules and expand to support Splunk, Zeek, Suricata, and other detection rule formats.

Structured Outputs

Generate reports in JSON, Markdown, or JUnit formats for integration with CI/CD pipelines and audit processes.

Offline Operation

A complete testing framework that runs with no network access, no external services and no SIEM: rules, logs and results all stay on the machine running the tests.

Ready to Get Started?

Download Detection Toolkit and start using it in your environment.