Signals in the Noise

Executive Summary

Amid an evolving cyber threat landscape, governments are facing increasing pressure to strengthen their capabilities to detect cybersecurity events and incidents. Detection—the ability to spot signals of malicious activity throughout the noise of billions of daily digital interactions—is a cornerstone of effective cybersecurity. While some countries and regions, including the EU, have taken steps to prioritize detection capability development, many still lack the necessary policies, legal frameworks, tools, and skills to monitor and analyze threats within their jurisdictions.

In general, states have become more outspoken about the shortcomings and gaps in their detection capabilities. Yet, detection has not been prominently reflected in multilateral international cybersecurity policy discussions so far, particularly cyber diplomacy debates at the United Nations. While some international assistance exists to help states build these capabilities, such efforts remain fragmented and have yet to receive the policy attention they deserve.

This is a missed opportunity for several reasons. Bolstering detection capabilities internationally represents untapped potential for the EU, its Member States, and other countries with advanced cybersecurity capabilities. It would be in their interest to recognize detection as a matter of strategic importance, assist states with less mature capabilities in this area, and elevate the issue on the cyber diplomacy agenda. Such an approach would generate multiple, mutually reinforcing benefits:

• It boosts the resilience of partner countries. Advancing detection capabilities in partner countries elevates their cyber resilience by improving the identification of existing and emerging threats, pinpointing preventive gaps, and refining forensic analysis for more effective incident response.

• It enhances collective security. As detection capabilities grow, a state’s national situational awareness also improves. By heightening this awareness, states become better able to identify malicious cyber activities and ultimately also attribute them to specific threat actors. This, in turn, can promote accountability and strengthen collective security among countries facing shared threats.

• It supports the implementation of UN cyber norms. Because detection capabilities are a key enabler for implementing many of the international community’s agreed norms of responsible state behavior in cyberspace, helping partner countries build these capabilities improves their ability to comply with these political commitments. In doing so, donor countries can also foster greater convergence on how these collective behavioral expectations can be operationalized in practice.

This paper serves as a practical resource for policymakers seeking to act on this strategic opportunity by linking operational realities, technological developments, policy considerations, and diplomatic efforts. It distinguishes between two core components of governmental detection capability and analyzes the factors that enable states to fulfill these responsibilities: (1) monitoring and analyzing the operational environments of individual public sector entities, and (2) fostering detection across a country’s broader digital ecosystem, including both governmental and private infrastructure, and across national jurisdictions. Policymakers in donor countries, together with their counterparts in partner countries, can use these insights to identify gaps, set priorities, and design targeted support measures.

The paper concludes with three overarching considerations rather than specific recommendations, as appropriate international detection capability-building actions will always be determined by each partner country’s needs, context, and existing capabilities:

• Basics first: Activities should be aimed at developing detection capabilities gradually, starting with foundational policy, governance, and organizational measures before progressing to more advanced measures.

• Leverage unique added value: Capability development should focus on areas where public-sector action can have the highest long-term impact to fulfill governmental detection responsibilities and leverage existing external resources for specific, noncritical tasks.

• Invest in human expertise and community building: Governments should prioritize fostering a diverse cybersecurity talent pipeline and trusted networks to ensure that detection capabilities are sustained and their impact is amplified beyond the duration of specific assistance programs.

By recognizing and acting upon the strategic value of detection capability-building, the EU and its Member States can advance their objective of aligning cyber capacity-building with UN cyber norms while generating the additional benefit of raising external awareness of the relevant EU acquis and deepening collaboration with like-minded partners.

Introduction

Amid an evolving cyber threat landscape and rising risks driven by the advancing sophistication of threat actors, among other factors, governments are facing increasing pressure to strengthen their abilities to detect cybersecurity events ¹ and incidents. ² Therefore, high-level policymakers are also increasingly recognizing the need to observe and analyze signals of malicious activity throughout the noise of billions of daily digital interactions. The need is further reflected in strategic planning and legislation, focusing, for example, on accelerating incident detection within government infrastructures, mandating detection-related measures for specific entities, or strengthening the ability to identify and thereby deter threat actors.

Four examples of the last few years:

• United States: In May 2021, then U.S. President Biden signed Executive Order 14028 on Improving the Nation’s Cybersecurity. ³ The order underscores that “the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security” and outlines steps for the U.S. federal government to accelerate its capabilities. ⁴ In the area of detection, the order stipulates that “the Federal Government shall employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks” and, inter alia, mandates the establishment of a so-called “Endpoint Detection and Response (EDR) ⁵ initiative to support proactive detection of cybersecurity incidents within Federal Government infrastructure.” ⁶ Thus far, this policy has largely been sustained by the Trump administration.

• United Kingdom: Relevant UK strategies underscore that detection capabilities are vital for the UK’s external and internal security. The UK’s most recent National Cyber Strategy (2022) identifies “detecting, disrupting and deterring our adversaries to enhance UK security in and through cyberspace” as one of its five pillars. ⁷ Looking inward, the UK’s Government Cyber Security Strategy (also published in 2022) highlights “detecting cyber security events” as one of its seven priorities. ⁸ Among its objectives for 2025–2030 is the scaling of detection capabilities across government organizations, including the goal that “every government digital system [...] have 24/7 security monitoring.” ⁹

• European Union: Detection is also being progressively included in recent EU legislation in two ways. On the one hand, the EU has taken measures to increase detection capabilities within and across EU Member States. For example, the EU’s Cyber Solidarity Act (CSOA), ¹⁰ which entered into force in February 2025 establishes a European Cybersecurity Alert System. This network of national and several cross-border “cyber hubs” of three or more national hubs aims to “build and enhance coordinated detection and common situational awareness capabilities” (Art. 1(1), point (a)). Participation is voluntary for EU Member States (Art. 3(1)) and they can receive financial support from EU funds ¹¹ to ensure that they have the necessary capabilities in place to participate if interested (Art. 9). On the other hand, the EU is increasingly placing obligations on specific entities to implement detection-related measures to strengthen their cybersecurity posture. For instance, the Digital Operational Resilience Act (DORA) ¹² requires financial entities to take steps towards detecting potentially adverse activities and regularly testing measures taken (see further, e.g. Art. 10). ¹³

• Germany: In June 2025, during his visit to Israel, German Minister of the Interior Alexander Dobrindt called for the establishment of a so-called “Cyber Dome” for Germany and expressed interest in learning from Israel in this regard. ¹⁴ Drawing an analogy to its Iron Dome, Israel’s National Cyber Directorate has been operating a Cyber Dome since 2011, which monitors and analyzes the Israeli internet in real time. ¹⁵ The proposal for a German Cyber Dome was reiterated as one of three policy areas for enhancing cybersecurity, as adopted by the new German Federal Government in August 2025. ¹⁶ However, despite these announcements, as of November 2025, it remains unclear which specific measures and activities the German government plans to include in its proposed Cyber Dome initiative. ¹⁷

These policy developments illustrate that detection capabilities are foundational to effective cybersecurity. They not only facilitate the discovery of anomalous activity, but also reflect a continuous process within a governmental cybersecurity strategy, serving a wide array of objectives and functions:

• Enabling network visibility and providing an understanding of both the current and historical state of systems and network activity, supporting national situational awareness and the identification of ongoing and emerging threats;

• Facilitating the evaluation and continuous improvement of preventive measures by highlighting what existing defenses may have missed, which can inform policies and investment planning by clarifying the specific threats public sector entities need to protect against (connection to prevention); and

• Serving as a trigger for initiating incident response and providing a source of evidence that supports forensic investigations and analysis of incidents (connection to response).

Figure 1: The Role of Detection Capabilities for Effective Cybersecurity

The policy developments also indicate that governments face various responsibilities and many feel the need to further develop strategies and strengthen legislative frameworks to better detect anomalous behavior. They also highlight a clear need for action and compliance from a wide range of actors, from public sector institutions to individual entities operating within a country’s jurisdiction, to implement these commitments effectively. As a result, governments face numerous “to-dos” in accelerating their capacity to detect anomalous behavior, whether by following through on existing commitments made or by establishing the necessary policies and legal frameworks in the first place.

In addition to taking steps towards building their own detection capabilities, some states and other players are also engaging in international assistance measures in selected partner countries that also have a detection component. For example, such efforts can include those aimed at building relevant institutional structures like national Computer Security Incident Response Teams (CSIRTs) ¹⁸ or Security Operations Centres (SOCs). ¹⁹ For many years, states have also progressively collaborated with each other through CSIRT-to-CSIRT cooperation formats, exchanging detection-relevant data and contextual information at the technical level, including in military settings.

Nonetheless, the integration of detection into UN-level cyber diplomacy debates has remained limited. Although cybersecurity has been on the UN agenda for a quarter-century, the capacity to detect cybersecurity incidents was mentioned in a relevant report for the first time only in 2021. The reports from relevant UN fora discussing cybersecurity—most recently the UN Open-ended Working Group (UN OEWG) on security of and in the use of information and communications technologies—mention them only in passing together with other capabilities.

While states agreed by consensus in these reports, inter alia, on the increased vulnerability arising from inadequate detection capacities ²⁰ and recommended it as one priority area for international capacity-building, ²¹ there is no elaboration on what these capabilities entail or how they could contribute to advancing responsible state behavior. The modest attention to date likely reflects a combination of various factors, including the perception of detection as a primarily technical and operational concern rather than an international security issue. The marginal uptake since 2021 may also be a result of the growing number of states participating in UN cybersecurity discussions, which expands the pool of countries that may face gaps in this area.

This policy paper argues that the limited strategic and dedicated focus given to the development of detection capabilities and related international capability-building in cyber diplomacy circles represents an overlooked opportunity. Detection capabilities provide a prime example of where operational realities, technological developments, policy considerations, and diplomatic efforts can intersect and inform each other to generate synergies. For this reason, this paper offers a practical resource for cyber diplomats and policymakers working on international cybersecurity policy who are interested in tapping into this potential. It is aimed at supporting them in translating highly technical needs and requirements for building detection capabilities into actionable strategies for strengthening these capabilities at the international level and enhancing collective resilience.

To do so, the paper first makes the case for why cyber diplomats should care about supporting partner countries in developing incident detection capabilities (Chapter 3). It then addresses how states can do so by defining capability-building ²² and discussing the two core responsibilities that make up a governmental detection capability (Chapter 4). Subsequent chapters explain what these responsibilities involve by walking through (some of) the procedural mechanisms, technical tools, and human expertise that public-sector entities need to take on these responsibilities (Chapters 5 and 6) and illustrating how some international initiatives are already implementing detection capability-building in practice (Chapter 7). The analysis then highlights key challenges governments face in developing and enhancing these capabilities (Chapter 8) before concluding with overarching considerations for policymakers in donor countries for designing activities aimed at strengthening detection capabilities across the globe (Chapter 9).

Why Cyber Diplomats Should Care About Building Detection Capabilities Across the Globe

Governments across the board—from small island developing states to members of the Group of Seven (G7) ²³ —have expressed interest in detection, are actively seeking to enhance their capabilities, or have already taken political steps at the highest levels. Thus, developing and enhancing detection capabilities offers great potential for international assistance measures.

For interested donor governments, building detection capabilities in other states offers to address various differentiated objectives at once:

First, detection capability-building furthers an essential cybersecurity capability in a partner country, addressing a need progressively expressed by many countries. For all countries, having these capabilities is fundamental from a technical perspective, as they also provide insight into what to defend against and support the fine-tuning of their responses to emerging risks. For instance, South Africa called “posses[ing the] technical capacities to monitor [information and communications technologies] ICT networks for early detection of threats” ²⁴ a must and designated “limited incident detection and response capabilities [... as] a cause for concern” ²⁵ (for other examples of relevant statements see Annex I).

Second, as a side effect, international cooperation on building detection capabilities also bears great potential for building confidence among donor and partner countries. This stems from exchanging experiences and leveraging synergies to address common challenges pertaining to a shared threat landscape (see further, Section 8.2).

Third, decision-makers may be interested in implementing measures aimed at building detection capabilities in other states by viewing this as a strategic tool to contribute to their own and collective security amidst competing geopolitical visions. As Pawlak put it: “donors increasingly view cyber capacity building projects not only as means to address the needs and improve [the] security of their partners but also as an investment in promotion of their own preferred vision of cyberspace.” ²⁶ Detection capability-building appears to be a good use case since donor countries are likely to be highly interested in enhancing detection capabilities in selected states especially when both face the same threat actors in their networks. For instance, the UK has been particularly outspoken in this regard, framing detection as an enabler of the disruption and deterrence of adversaries ²⁷ and expressing its “committ[ment] to building our collective resilience to detect, disrupt and deter state and non-state threats around the world.” ²⁸ In a similar vein, the EU’s 2025 International Digital Strategy emphasizes that “strengthening cybersecurity and cyber defence [of partner countries], including the capacity to detect, prepare for and respon[d] to cybersecurity threats and incidents, [...] is a direct investment in the EU’s own security.” ²⁹

Fourth, since situational awareness is the basis of any type of political response to cyber operations, ³⁰ improved detection capabilities can support not only the identification of “irresponsible” activities but also contribute to their attribution to specific threat actors or states. When this information is shared publicly or privately, it can help hold states accountable through diplomatic processes for not following the agreed dos and don’ts for responsible state behavior in cyberspace. ³¹ Developing more advanced detection capabilities also has the side effect of increasing the chance of detection, which may influence other states’ cost–benefit calculus when deciding whether to engage in behavior that contravenes norms.

Lastly, detection capabilities are a key enabler in implementing UN cyber norms. ³² Hence, enhancing detection capabilities also has the side effect of accelerating a partner country’s ability to comply with UN cyber norms. Of the 11 UN cyber norms, nine are closely associated with detection capabilities (see also Annex II). ³³

Figure 2: UN Cyber Norms Whose Implementation Is Supported by Detection Capabilities

By advancing detection capabilities, cyber diplomats can thus also foster greater convergence on how international norms can be operationalized in practice. ³⁴ This, in turn, can make their implementation more tangible and contribute to building further political support. At a systemic level, this can help move UN discussions beyond the persistent debate over whether to prioritize the implementation of existing norms or the development of new ones, as it can facilitate dialogue on concrete steps governments can take to put the existing norms into effect.

The pop-out windows below explain how detection capabilities can support the implementation of each of the nine identified norms:

How to Build Governmental Detection Capability in Partner Countries: Responsibilities of Public Sector Entities

When discussing how to improve a country’s ability to detect adverse events and incidents, it is important to first underscore the distinction between capabilities and capacities. In the context of a CSIRT’s tasks, the Forum of Incident Response and Security Teams (FIRST) defines these terms as follows: ³⁸

Table 1: Terminology – Capability vs. Capacity

In line with this distinction, detection capabilities encompass hardware- and software-based technical tools (technology), human expertise (people), and procedural mechanisms (processes) ³⁹ to monitor and analyze cybersecurity events—“any observable occurrence[s] in a network or system” ⁴⁰ —to identify unauthorized access attempts within designated IT environments. ⁴¹

Building on the definition of detection capabilities and the FIRST differentiation, international detection capability-building involves helping partner countries or international organizations strengthen their technology, people, and process capabilities to monitor events and identify adverse cyber events and incidents. In contrast, detection capacity-building would entail improving and scaling already existing detection capabilities to, for example, cover more networks and infrastructures simultaneously. Despite the predominant reliance on the term cyber capacity-building (CCB), ⁴² this paper therefore intentionally employs the term detection capability-building.

Figure 3: Responsibilities of a Governmental Detection Capability

In simplified terms, a governmental detection capability involves two core responsibilities that are carried out by different governmental entities within a national jurisdiction:

• Responsibility I (see further Chapter 5): Implementing detection for their own operational environment (akin, for example, to a ministry Chief Information Security Officer (CISO)’s responsibility). This responsibility necessitates having visibility into a government’s and public sector’s own systems paired with the ability to analyze this data. As such, individual public sector entities, such as governmental CSIRTs/SOCs of particular ministries, need to put in place measures within their organization to monitor and analyze their own operational environment. Subject to the level of financial investment and available in‑house resources, these capabilities may be outsourced, in whole or in part, to be implemented by commercial external third parties, for example, through SOC-as-a-Service models (SOCaaS).

• Responsibility II (see further Chapter 6): Advancing detection across the government and private infrastructure of a country (akin to, for example, a national cybersecurity agency). This responsibility requires a country to undertake steps aimed at fostering a whole-of-nation approach to detection to enhance cross-entity coordination. In this regard, a centralized entity with a nation-wide mandate, such as a national cybersecurity authority (NCA) or national CSIRT, can play a fundamental role in strengthening a nation’s domestic and international detection ecosystems. This is important because effectively detecting potentially adverse events across a nation is not an isolated activity. Effective detection depends on engagement and collaboration across a wide range of actors. Hence, a multi-stakeholder approach ⁴³ is essential, not only because coordinated action strengthens the overall resilience of the ecosystem, but also because much of the relevant data such as cyber threat intelligence (CTI) often lies outside the direct reach of governments (e.g., with private entities such as ISPs).

This distinction between entities is important because these different actors not only have distinct responsibilities but also different levers at their disposal when it comes to carrying out these functions, which in turn shape the measures and activities that can be implemented to develop or enhance their capabilities.

Donor governments can use these distinct responsibilities as potential fields of action to make a tangible impact on the ground. They can further support assessment efforts by first evaluating a country’s detection maturity. Such an assessment can involve examining which specific measures outlined in the subsequent chapters are already in place and at what level of implementation. It also permits identifying gaps in the current situation, such as missing policies, (legal) frameworks, or organizational structures that are needed to ensure effective and sustainable governance. Based on this understanding, funders and beneficiaries can collectively define cyber-related development goals and design (an) appropriate intervention logic(s) ⁴⁴ to guide targeted activities aimed at establishing or strengthening detection capabilities.

Importantly, it should be noted that both developing and enhancing detection capabilities is not a one-time effort. Since maintaining pace with threat actors (see also Section 8.2) requires continuously advancing capabilities, there is never a definitive “finish line.” This requires strategic long-term patience and continuous investment in strategy, people, and tools—as this is also the case for already well-resourced countries with mature cybersecurity capabilities. ⁴⁵

Capabilities For Fulfilling Responsibility I: Detecting Adverse Cybersecurity Events

To find and analyze possible compromises within their operational environment, public sector entities need to put in place measures aimed at detecting adverse behavior. An entity’s operational environment includes all assets, systems, services, interfaces, and environments used for information processing, including on-premise systems, networks, and cloud-based infrastructure.

Monitoring this environment includes collecting and analyzing endpoint and network-level data for holistic visibility. This can cover information such as who logs in at what time from where, what programs are opened, whether anyone tries to change important system settings, and what happens among systems and how they communicate within and beyond an entity’s operational environment.

The U.S. National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) includes detection as one of its six core functions. ⁴⁶ Specifically, the CSF lists two task categories for carrying out the “detect function”:

Table 2: Components of the “Detect Function” in the NIST CSF

As the NIST CSF does not consider the six functions in isolation—and since detection can contribute significantly to the response, recovery, and protection pillars as alluded to in the introduction—effective monitoring and analysis often require and rest on preparatory groundwork. Much of this groundwork falls under the NIST CSF’s “govern” and “identify” functions, which act as enablers for the successful development and delivery of other functions.

Against this backdrop, the following sections outline selected measures ⁴⁷ that can enable public sector entities to detect adverse events within their operational environment from three angles:

1. The organizational context and operating framework in place (Section 5.1);

2. The measures to ensure continuous monitoring of its operational environment (Section 5.2); and

3. The foundations for analyzing adverse events occurring within their operational environment (Section 5.3).

The measures outlined are not exhaustive but can serve as a foundational baseline, offering inspiration for potential efforts in partner countries, particularly where public sector detection maturity remains at lower levels. They are not intended to be prescriptive. Rather, each public sector entity must determine how best to ensure continuous monitoring and analysis of adverse events within its operational environment. This requires thoughtful consideration of key factors such as the entity’s most critical assets, the tools that can be acquired, potential limitations in this regard, available funding, and the internal talent and resources that can be leveraged. Approaches will therefore naturally vary, and additional or different measures may be necessary depending on factors such as existing capabilities, the specific tactics, techniques and procedures (TTPs) of threat actors targeting the entity or country, as well as emerging technological developments.

Figure 4: Capabilities For Fulfilling Responsibility I: Detecting Adverse Cybersecurity Events

Organizational Context and Operating Framework

To build effective detection capabilities, an entity should have several foundational policies in place to support both their effectiveness and planned implementation.

Governance

Most importantly, an entity should have a clear distribution of responsibilities throughout the entire process laying out who does what and when. ⁴⁸ For example, this includes which functional areas of the entity and which persons are responsible for operating and auditing relevant logging and analysis infrastructures, who configures the log sources, and who uses detection-related infrastructures and for what purpose to achieve well-defined interfaces between functional areas. ⁴⁹ Depending on the entity’s internal structure, these tasks may, for example, involve functional areas such as IT security operations, IT administration, information security management, auditing, and, where applicable, the entity’s user help desk. ⁵⁰

Logging policy

Putting in place a comprehensive logging policy is essential for effective monitoring and, ultimately, for supporting incident response activities. Such policies lay the foundation for subsequent steps and measures aimed at detecting potentially adverse events within an entity’s IT environment. Given the large volume of log ⁵¹ data generated within their networks, entities must establish processes to manage and analyze this data effectively.

In developing a robust logging policy, an entity should consider the following:

• Determine the applicable legal and contractual parameters relevant to the entity’s detection capabilities, as these may influence or stipulate what data can be collected, how it is evaluated, or how long it may be retained; ⁵²

• Identify data sources that produce valuable information for detection purposes and clearly define which sources are to be logged where in the entity’s operational environment; ⁵³

• Specify retention periods for logs that comply with any applicable legal and contractual requirements, also taking into account the organization’s risk profile ⁵⁴ and ensuring logs are deleted once the defined retention period has elapsed; ⁵⁵

• Designate the information to be recorded by each log, for example, accounting for “the date and time of the event, the relevant user or process, the relevant filename, the event description, and the information technology equipment involved;” ⁵⁶

• Indicate which event logging facilities are being used and how logs are to be transferred to a central logging infrastructure (see further Section 5.2); ⁵⁷ and

• Consider “any shared responsibilities between service providers and the organization.” ⁵⁸ For example, if the entity has outsourced parts of IT infrastructure, it must ensure that the defined detection-related minimum baseline requirements are met by the relevant service providers. ⁵⁹

An entity should treat its logging policy as a living document, regularly reviewing its implementation and updating it to reflect any significant changes in its IT environment. ⁶⁰

Guidance, thresholds, and reporting channels

In addition to a logging policy, once it has been decided what is monitored and how, it is equally important to develop guidance on triaging alerts during the analysis stage, ⁶¹ to establish thresholds for security-relevant events, and to put in place and regularly test the channels and structures for reporting them. ⁶² For example, an entity may leverage tabletop exercises. In this regard the FIRST CSIRT Services Framework notes: “Instructions for analyst triage, qualification, and correlation need to be developed, for example in the form of playbooks and Standard Operating Procedures (SOPs).” ⁶³

Evaluation

In addition to planning and implementing measures aimed at detecting potentially adverse events, entities should also evaluate the effectiveness of these measures and incorporate lessons learned from their operation. A continuous feedback loop from triage and incident escalation (see Section 5.3)—which, among other things, links detection-related findings to prevention controls and analyst tuning—can strengthen an entity’s overall detection posture. This feedback informs refining detection logics and processes, which can contribute to more valuable alerts over time. Ideally, this can also help prevent incidents similar to those successfully detected in the past and reduce false positives over time. ⁶⁴

Interdependencies with other fundamental measures

Because an entity’s detection capabilities rely on its overall cybersecurity posture and thus the interplay with other functions of the CSF, there are various activities an entity can undertake that enhance its overall cyber resilience while fostering an environment in which its detection efforts can succeed. Importantly, the insights generated can also inform decisions on the technical tools, processes, and expertise required to achieve comprehensive monitoring and analysis, as outlined in the subsequent sections.

A few examples:

Maintaining a comprehensive and up-to-date inventory of an entity’s assets ⁶⁵ can aid an entity in developing policies on logging and detection by helping it understand the extent of its monitoring coverage, which can support “eliminat[ing] blind spots and gaps in coverage.” ⁶⁶

To determine where an entity should focus its detection efforts (e.g. which sources to monitor first under resource constraints), it is also useful for an entity to prioritize based on (at least) two factors: importance and risk. This requires understanding how critical specific networks, systems, and information are to the entity. ⁶⁷ It also involves identifying and evaluating risks to the entity through a risk assessment. ⁶⁸ For example, a risk assessment can help determine the extent of coverage needed based on the entity’s required level of protection. A continuously updated threat profile that informs the risk assessment can further identify specific threats to enable risk prioritization.

Complementary to measures aimed at monitoring at the technical level (see Section 5.2), raising employee awareness can have a positive impact on an entity’s detection posture. Since employees are system and network users, they are often well-positioned to notice unusual or suspicious behavior in their daily work. ⁶⁹ To leverage this, entities should invest in continuous security awareness training to help employees become more sensitized and vigilant to potential threats. Simultaneously, to ensure that any employee observations contribute effectively to detection efforts, it is important to have clear procedures in place for reporting such irregularities or suspicions to appropriate internal channels.

Monitoring

After outlining a general logging policy, an entity’s focus should shift to the actual collection of logs and their subsequent management. The term log management refers to the “process for generating, transmitting, storing, analyzing, and disposing of log data.” ⁷⁰ Log collection refers to the process of automatically transferring events to be logged to a central logging infrastructure and storing them there. ⁷¹ The analysis of log data will be addressed separately in Section 5.3.

Log collection

In the log collection stage, an entity should ensure that all data sources identified during the logging policy stage are covered, providing full visibility into these sources. ⁷² The type of log source determines both what kind of data an entity can collect for monitoring and how that data can be collected.

To collect this information, an entity should configure IT systems and applications within its operational environment to log all security-relevant events ⁷³ with regular reviews to ensure that logging is functioning as intended. An entity should also consider integrating additional tools to guarantee the logging of general and security-relevant logs from the network perspective and achieve the intended level of coverage as specified in an entity’s logging policy.

To gather the relevant telemetry, an entity has various tools at its disposal, including Domain Name System (DNS) logging tools, ⁷⁴ tools for collecting network flow data (NetFlow tools), ⁷⁵ malware and vulnerability scanners, antivirus software, intrusion detection systems (IDS), ⁷⁶ endpoint monitoring systems such as EDR ⁷⁷ solutions, or cloud detection tooling such as cloud security posture management (CSPM). ⁷⁸ Some of these tools also have built-in analytical capabilities that automatically trigger alerts for further analysis (which will be further discussed in Section 5.3).

Log management

Once processes and technical measures have been implemented to collect logs across an entity’s infrastructure, it is essential to ensure their proper management. This requires a centralized log management infrastructure to which the designated systems and implemented tools can automatically feed their log data. ⁷⁹ The central goal at this stage is log aggregation to enable effective log analysis in a subsequent step. Maintaining a centralized log repository is essential, as only such a repository allows analysts to view, filter, and systematically analyze log data. ⁸⁰ This is especially important, since indications of malicious activity are “rarely [...] isolated events on a single system component or system.” ⁸¹

There are various tools differing in scope and sophistication available to enable centralized log aggregation and management. ⁸² The predominant tool used is a Security Information and Event Management (SIEM) system, ⁸³ which integrates log collection as one component of a more comprehensive solution for security monitoring and analysis. ⁸⁴ Logs should be forwarded to the entity’s centralized logging infrastructure in near real time to enable the timely detection of suspicious activity and reduce response latency. ⁸⁵

In initiating and maintaining a centralized logging infrastructure, an entity should consider various factors:

• Sizing the infrastructure in such a way that the logged events could be retained for twice the duration of the identified retention period; ⁸⁶

• Ensuring event log backups and implementing “data redundancy practices;” ⁸⁷

• Protecting event logs during transit and at rest; ⁸⁸

• Providing for and monitoring restrictive access ⁸⁹ to the infrastructure and putting in place technical safeguards against unauthorized access, tampering, or uncontrolled deletion of log data; ⁹⁰ and

• Continuously monitoring the logging infrastructure for error conditions. ⁹¹

Ideally, the infrastructure should be operated in a physically segmented network zone with enhanced security controls given its high attractiveness to threat actors and potential to become a “single point of failure in an organization’s detection capability.” ⁹² However, it should be noted that this element is less feasible for entities that have outsourced (parts of) their incident management. For example, in managed service contexts or cloud computing environments such physical segmentation no longer exists in the same form. Where segmentation is not (or not yet) feasible, other options such as cloud-based log aggregation can serve as interim solutions.

Moreover, given the variation in log structure, an entity should also determine whether enriching or normalizing log data is required to enable their subsequent analysis as this can enhance consistency and improve correlation. ⁹³

Analysis

Following the collection and aggregation of log data, it is even more important to implement measures aimed at their analysis, defined as the “study[... of] log entries to identify events of interest or suppress log entries for insignificant events.” ⁹⁴ Whereas monitoring aims to identify anomalies in the first place, analysis focuses on interpreting and making sense of the detected irregularities.

Tools

It is essential for entities to incorporate automated analysis tools that continuously evaluate the collected data. The tools that an entity can use for that purpose vary in sophistication as they have the ability to “apply a range of methods, from simple logic or pattern-matching rules to the application of statistical models or machine learning.” ⁹⁵ When selecting tools, entities should consider both the requirements for using AI-powered software and the potential security implications of open-source tools. Careful tool selection, proper integration into an entity’s detection posture, and knowledge of potential risks are essential in this respect. In cases where an automatic qualification of alerts is not possible, an entity must account for their manual analysis. ⁹⁶

Once logs have been aggregated in a centralized logging infrastructure, organizations should facilitate their analysis in a resource-efficient and -preserving manner. Given the vast volume of log data generated, manual analysis should not be the default option and should be reserved for selected, already prioritized alerts. To this end, the Australian Cyber Security Centre (ACSC) and some of its international counterparts recommend that entities “consider filtering [and selecting] event logs before sending them to a SIEM or [Extended Detection and Response] XDR ⁹⁷ to ensure [the tool] is receiving the most valuable logs to minimise any additional costs or capacity issues.” ⁹⁸

Tools like SIEM or XDR can then automatically compare system and network data against a variety of metrics to detect anomalies and potential threats. These metrics can be sourced externally (e.g. through “rulesets provided by the vendor [... which] should be updated regularly” ⁹⁹ ) or developed and maintained internally and tailored to a specific entity profile, provided the log analysis tool supports such as individualized configuration. ¹⁰⁰

The overarching goal at this stage is to have these automated tools generate alerts for potentially adverse events, such as when specific activities are detected to exceed particular predefined thresholds. These events are then collated, reviewed, and validated by human analysts. Those that exceed a predetermined severity threshold are escalated to incidents, which then trigger a response.

Measures that can guide both the tools’ and human experts’ analytical direction include the following, which will be discussed in greater detail in subsequent subsections:

• The collection and integration of CTI and other contextual information;

• The establishment and maintenance of a baseline of acceptable normal activity; and

• The development and upkeep of detection logic or custom detection use cases.

The analysis of adverse events can further benefit from an entity maintaining a risk assessment and threat profile, which help contextualize observed irregularities and assess event severity. Furthermore, an updated asset inventory can provide indications of the potential scope and degree of exposure.

CTI integration

To collect CTI, entity personnel can draw upon “open discussion forums, trusted relationships, paid-for contracts with threat intelligence companies or [internal] generat[ion],” ¹⁰¹ which can shed light, for example, on known indicators of compromise (IoCs), specific malware types, or new TTPs. ¹⁰² This step also involves continuously monitoring information on technical vulnerabilities and intrusion patterns related to the systems used by the entity, as well as determining their relevance for the entity’s operational environment. Information sources include system manufacturers or national cybersecurity authorities (NCAs). ¹⁰³ The UK NCSC recommends accounting for the possibility of automatic ingestion of CTI feeds in an entity’s analytical detection infrastructure, which could be a SIEM. ¹⁰⁴ If an entity maintains a threat profile, this can facilitate prioritizing the ingestion of CTI specific to the identified threats.

Baseline

A baseline comparison of what normal benign activity looks like within an organization’s operational environment can support identifying and qualifying legitimate versus illegitimate signs of activity. ¹⁰⁵ To develop and maintain such a baseline that helps with analyzing deviations (i.e., abnormalities) from the baseline, it is important that an entity has a “good understanding of normal system behaviour (e.g. what software is authorised and how it would normally behave, how user accounts normally access network resources or how network components connect to each other and transfer data).” ¹⁰⁶ This also includes recognizing regular patterns and dependencies, such as day/night or weekend traffic, scheduled maintenance, and holiday periods. ¹⁰⁷ An entity should ensure that it regularly assesses whether its baseline understanding requires recalibration and updates, such as when there are changes to the system or network perimeter or based on “current threat intelligence.” ¹⁰⁸

Detection use cases and detection logic

Depending on an entity’s individual risk profile, it should be taken into consideration that, when using commercial tools, “detection is biased towards techniques that benefit the widest range of customers.” ¹⁰⁹ As a result, global vendors’ detection tools may be unable to reflect regional/local threat landscapes or sector-specific risks. To address this potential bias, public sector entities should consider whether they need to supplement commercial tools with context-specific threat intelligence or detection rules tailored to their local threat landscape. If an entity has an elevated risk profile or specific monitoring coverage requirements (e.g., through proprietary systems), it may also need to develop custom detection use cases ¹¹⁰ and techniques. ¹¹¹ Doing so comes with various prerequisites in terms of resources, such as the configurability of tools and the availability of highly skilled personnel to develop and maintain detection rules. ¹¹²

Correlation, triage, and qualification

Once there is an indication of a potential incident based on the collected logs and initial (automated) analysis, an entity must distinguish between a real information security incident and a false alarm. This process involves “identify[ing] events directly related to other potential or ongoing security incidents” by “grouping [...] related potential information security incidents for combined qualification or updating to an existing information security incident already handled” (correlation) and “triag[ing] and qualify[ing] detected potential information security incidents in order to identify, categorize, and prioritize true positives.” ¹¹³

If an entity maintains an in-house analytical capability, the triage of alerts and, if needed, their manual qualification requires highly specialized personnel. ¹¹⁴ Therefore, an entity should ensure that adequate budget is reserved for their continuous training, such as when new IT components are introduced into the entity’s perimeter that could affect its overall detection posture. ¹¹⁵ To reduce “alert fatigue,” ¹¹⁶ organizations should consider implementing at least some form of automated triage, ¹¹⁷ enabling human analysts to concentrate on the most critical detected events in alignment with the organization’s overall risk profile. Where automation is not yet feasible, basic manual triage guided by structured playbooks can still improve distinguishing true security threats from irrelevant or false alerts. Given the vast volume of log data that must be analyzed to make such decisions, the evolving development of AI-based tools offers considerable potential to assist entities in investigating alerts and providing guidance for determining whether they represent false alarms or true positives.

Capabilities For Fulfilling Responsibility II: Fostering (Inter)National Detection Ecosystems

NCAs play a central role in building and advancing national and international detection ecosystems due to their mandate to oversee national cyber resilience and convene stakeholders across sectors. In the context of this paper, an NCA’s institutional setup is treated as a black box, acknowledging that its structure, mandate, and resource level can vary significantly across countries depending on local circumstances. For the purpose of this discussion, it is simply assumed to hold a central coordinating role within a country’s cybersecurity ecosystem. For example, an NCA may take the form of a national cybersecurity agency or a national CERT/CSIRT in states with the requisite capacity. ¹²²

NCAs can promote the development and adoption of detection tools and processes, support capacity building across public and private actors, and foster (platforms for) trusted information sharing and interoperability—all of which contribute to enhancing whole-of-nation situational awareness and preventing fragmentation. In practice, this requires an NCA to collaborate with multiple layers of target audiences, both nationally and internationally:

• Layer 1: Relationships with other public sector entities within their jurisdiction, such as various government departments, entities administering unemployment benefits, law enforcement agencies, central banks, or municipalities and cities;

• Layer 2: Interactions with non-governmental actors at the domestic level, such as privately owned critical infrastructure operators, ISPs, the cybersecurity community or academia; and

• Layer 3: Collaboration with other states and internationally operating stakeholders, such as national cybersecurity entities in other states, multinational companies, regional or multilateral fora like CSIRT networks, or international non-governmental organizations such as FIRST and the Shadowserver Foundation. ¹²³

To achieve this, NCAs can leverage a range of tools and instruments to establish and nurture the interactions necessary for a robust detection ecosystem. The roles they undertake—and the extent to which they are exercised in practice—can vary significantly in nature, scope, and required capacity. For example, depending on the country in question, some functions undertaken by NCAs, like maintaining central threat intelligence-sharing platforms, may require substantial new investment in financial and human resources, while other functions can be performed as an expansion of existing functions. Others may arise from legal obligations, as is the case, for example, for EU Member States under the NIS 2 Directive, whereas some functions may be adopted voluntarily in pursuit of broader strategic or political objectives. In a similar vein, certain tasks may require a specific legal basis, as outlined in frameworks like the 2015 U.S. Cybersecurity Information Sharing Act. ¹²⁴

To illustrate the diversity of potential contributions by NCAs in furthering (inter)national detection ecosystem(s), this chapter outlines three activity areas:

1. Monitoring and analysis (Section 6.1);

2. Information sharing and operational advice (Section 6.2); and

3. Operational, financial, and non-material assistance (Section 6.3).

Figure 5: Capabilities For Fulfilling Responsibility II: Fostering (Inter)National Detection Ecosystems

In the following sections, each activity area will be explored via concrete examples of what could be done—and not necessarily what every NCA should be doing—highlighting this broader ecosystem in action. An NCA’s ability to fulfill these roles requires not only technical capacity and legal authority but ultimately hinges on its ability to build trust and credibility within the cybersecurity community, making both formal and informal community-building essential enablers.

Monitoring and Analysis

In many jurisdictions, NCAs are directly responsible for protecting government systems and other public sector networks from malicious cyber activities. In the EU, the NIS 2 Directive also stipulates that the tasks of national CSIRTs comprise the “monitoring and analysing [of] cyber threats, vulnerabilities and incidents at national level” (Art. 11(3), point (a)). ¹²⁵ Often, this protective mandate also involves carrying out detection-related analytical tasks for entities within an organization’s protective remit and other public sector bodies. For example, this may include the monitoring network traffic of entities, collecting information on anomalous activity, or offering “detection-as-a-service” (DaaS), through which public sector entities can send their logging data to the NCA for analysis.

Three examples of programs implemented by existing NCAs are as follows:

Given their importance to national cybersecurity, many NCAs also offer services to  critical infrastructure or other domestic entities of essential importance within their jurisdiction. Providing support to them will often fall within an NCA’s mandate to protect the nation against sophisticated cyber threats. ¹⁴² Depending on the institutional set up of a CI in a given country, these operators may be public (Layer 1) or private entities (Layer 2).

The services offered by an NCA to essential entities are typically offered free of charge on a voluntary basis or upon request. The scope and extent of these responsibilities usually depend on the type of actor and its criticality to functions of essential importance for the state. The support provided by an NCA is particularly important, as detection-related services are resource-intensive and therefore often limited in availability, which can lead to gaps in entities’ detection posture.

Assistance by NCAs may include operating sensor networks to detect breaches across critical infrastructure sectors, actively searching for anomalies within networks and notifying entities when issues are identified, or helping them establish real-time monitoring capabilities. Oftentimes, the degree of NCA support possible will depend on the level of visibility granted by each entity into its operational environment.

Within the EU, the NIS 2 Directive provides for a national CSIRT’s ability to “carry out proactive non-intrusive scanning of publicly accessible network and information systems of essential and important entities [...] to detect vulnerable or insecurely configured network and information systems and inform the entities concerned” (Art. 11(3)), thereby adding the carrying out of port scans ¹⁴³ to the portfolio of CSIRT tasks.

Three examples of tasks undertaken by existing NCAs are presented in the following:

Activities in this area involve handling sensitive information, such as logs that could be relevant to states’ intelligence efforts. As a result, NCAs directly supporting other states, for example in monitoring and analyzing their public sector networks (Layer 3) by sending personnel to another country to observe and detect malicious cyber activity, are less feasible at scale and require very close collaboration among the countries involved. Nonetheless, there have been efforts that fall under this category, notably the “hunt forward” operations (HFOs) conducted by the United States (for more information, see Chapter 7). Despite these rare cases, an NCA’s collaboration with other states is generally more viable at a higher level, focusing on sharing information and guidance that support detection rather than direct involvement in detection-related monitoring and analytical tasks, as the next activity area will address.

Information Sharing and Operational Advice

NCAs play an important role as reliable information providers and advisors by outlining, for example, currently observed malicious behavior or emerging trends and providing detection-related guidance. Like the first activity area, the main target audience of the activity area information sharing and operational advice is domestic stakeholders (Layer 1 and 2), but the reach of these activities may also extend to international actors (Layer 3), especially when information and advice are provided publicly.

The role of an NCA as an information steward and advisor in a detection context may include the following activities, which are further elaborated below:

1. Sharing IoCs, TTPs, detection methods, vulnerability data and contextual intelligence (Section 6.2.1);

2. Facilitating (in)formal information-sharing arrangements and maintaining information services (Section 6.2.2);

3. Participating in (in)formal information-sharing arrangements (Section 6.2.3); and

4. Issuing recommendations, guidelines, and standards (Section 6.2.4).

Sharing IoCs, TTPs, detection methods, vulnerability data and contextual intelligence

The most publicly recognized activity that an NCA may undertake as an information provider is the issuance of alerts, advisories, and reports, which often share IoCs and TTPs. ¹⁴⁸ This and other information shared by an NCA is essential, as it can contribute to reducing the time needed to detect specific threats, especially for organizations without in-house threat research teams. This information can be incorporated by the recipients into their own analytical efforts, for example, enabling them to compare it against collected logs to identify potential threats.

NCAs can and have in the past also used alerts, advisories, and other formats such as GitHub repositories to provide or verify specific detection rules. By turning threat intelligence into something actionable, NCAs can thereby provide operational advice for pathways for detecting specific malicious activities.

A few selected examples, among many more in practice, include the following:

The issuance of alerts and advisories also offers considerable potential for international collaboration, as demonstrated by the growing number of jointly published alerts and advisories. This also extends to collaboration with private sector entities or references to industry detection advice. ¹⁵⁸ In the past, alerts and advisories increasingly included official public political attributions of threat activities to a particular state or APT group, underscoring the political implications of their threat assessment. ¹⁵⁹

In addition to specifying IoCs, TTPs, and detection rules, NCAs also play a significant role when it comes to circulating vulnerability data and contextual intelligence among various stakeholder groups. ¹⁶⁰

Two examples from the United States are as follows:

When sharing IoCs, TTPs, detection methods, vulnerability data, or contextual intelligence, NCAs should always have their constituencies in mind and, if necessary, tailor information for actionability across differing technical maturity levels to make it easier to process. ¹⁶³ In sharing such detection-related information and providing operational advice, NCAs should consider integrating widely recognized taxonomies and frameworks so that their substantive input is comprehensible and easily shareable across jurisdictions and entities. ¹⁶⁴

Facilitating (in)formal information-sharing arrangements and maintaining information services

Information shared by NCAs may be public or restricted. Often, specific arrangements, such as the Traffic Light Protocol (TLP), can be used to maintain designated confidentiality levels across stakeholder groups. In addition, the impact and effectiveness of information-sharing arrangements often hinges on the submission and provision of information in standardized formats to ensure interoperability (see also, for example, footnote 164).

Depending on the type of information shared and target group envisioned, recipients may range from other public sector bodies to NCAs or companies in other countries that may rely on the shared information. The NIS 2 Directive also mandates European national CSIRTs to “provid[e] early warnings, alerts, announcements and dissemination of information to essential and important entities concerned as well as to the competent authorities and other relevant stakeholders on cyber threats, vulnerabilities and incidents, if possible in near real-time” (Art. 11(3), point (b)). ¹⁶⁵

Against this backdrop, NCAs can play a crucial role in facilitating ¹⁶⁶ the exchange of relevant information between various entities, especially at the domestic level. This is important for advancing detection ecosystems, since sharing information and operational advice (e.g. IoCs and other data discussed earlier) often relies on these arrangements being in place. These arrangements not only define how information is and can be shared but oftentimes also address other issues, such as exempting the sharing entity from potential liability claims. ¹⁶⁷ The information received can also support other detection-related functions of the NCA by helping to assess whether observed malicious behavior affects government or critical infrastructure networks and inform the issuance of (public) alerts. ¹⁶⁸

Broadly, there are two types of information-sharing arrangements that an NCA can facilitate:

1. Bidirectional or multidirectional information-sharing arrangements where the NCA shares information and members can also share with selected stakeholders, and

2. Unidirectional information-sharing arrangements, where the value lies mainly in the NCA providing specific information to particular member entities.

These arrangements often function as closed, members-only networks focused on particular constituencies such as within a single country (Layers 1 and 2) or across multiple jurisdictions (Layer 3). From the perspective of the NCA, their maintenance often requires significant resources, as such arrangements call for structures that enable—and if necessary, oversee—information exchanges.

As a side effect, arrangements of the first kind can also contribute to strengthening community-building. Their function in establishing and maintaining trusted relationships is crucial, as only then are participants willing to share in-depth information. Without trusted relationships, there may be reluctance to do so, even when sharing would be technically possible. In this regard, an NCA should pay due regard to the size of the group included, as this has implications for the level of trust possible and realistic. ¹⁶⁹

For example, in support of bi- and multidirectional threat information sharing, ¹⁷⁰ existing NCAs maintain the following networks and platforms with entities ranging from domestic public sector entities (Layer 1) to national CSIRTs of other countries (Layer 3):

As a method of enabling unidirectional threat information sharing, some NCAs also maintain dedicated information portals or services:

Participating in (in)formal information-sharing arrangements

In addition to facilitating information-sharing arrangements predominantly at the national level (Layers 1 and 2), NCAs often engage in cooperation at the international level (Layer 3). While such cooperation can take place on an ad hoc basis (e.g., when a country detects malicious activity in networks located within the jurisdiction of other countries or behavior suggesting that others may also have been affected), there are also more formalized and regular information-sharing arrangements at the 1) international, regional, and subregional levels or 2) bilateral levels. Examples of the former include participation in the following:

• 1a) International networks such as FIRST, ¹⁹³ or

• 1b) Regional platforms such as the African Forum of Computer Emergency Response Teams (AfricaCERT), the Asia Pacific Computer Emergency Response Team (APCERT), the ASEAN Regional Computer Emergency Response Team, the CSIRTAmericas Network, the EU’s CSIRTs Network, the Organisation of The Islamic Cooperation Computer Emergency Response Teams (OIC-CERT), the Pacific Cyber Security Operational Network (PaCSON), or TF-CSIRT. ¹⁹⁴

Examples of the latter include 2) bilateral agreements aimed at leveraging synergies in detecting malicious activities through enhanced information sharing, such as the UK–Republic of Korea Strategic Cyber Partnership ¹⁹⁵ or the Canada–Ukraine Agreement on Security Cooperation. ¹⁹⁶ However, given the high thresholds for sharing sensitive threat intelligence, it should be noted that there is no public indication as to whether any concrete steps were taken to advance these commitments in practice beyond mere political declarations of intent.

Issuing recommendations, guidelines, and standards

NCAs are also exceptionally well-positioned to take on an advisory role that can support entities in establishing, enhancing, and standardizing their detection capabilities, for example, by sharing knowledge and identifying key areas to prioritize. Closely related, such efforts may also clarify specific requirements that certain entities may be obliged to follow by providing comprehensive frameworks to facilitate compliance. Such documents can, for example, provide recommendations on implementing specific tools to detect cybersecurity threats, offer guidance on prioritization in resource-limited environments, or define specific baseline requirements.

In addition to the possibility of providing dedicated guidance documents, NCAs can and have incorporated detection-related recommendations into their alerts and advisories. ¹⁹⁷ Such inclusion can maximize the utility of advisories and contribute to their sustained relevance. Similar to alerts and advisories, issuing recommendations, guidelines, and standards offers great potential for international collaboration among NCAs. In doing so, NCAs can leverage synergies and expand the expertise available and their insights into relevant best practices.

Examples illustrating how NCAs have performed these functions—unilaterally or through international collaboration—include the following:

Operational, Financial, and Nonmaterial Assistance

NCAs also play an important role in providing operational, financial, and nonmaterial assistance, particularly among domestic nonpublic sector actors (Layer 2). This may include the following activities, which are further elaborated below:

• Developing and maintaining open source tools (Section 6.3.1);

• Providing funding (Section 6.3.2); and

• Collaborating with non-governmental stakeholders on research (Section 6.3.3).

Developing and maintaining open-source tools

NCAs can leverage their expertise by developing and maintaining open-source tools that can serve as force multipliers by facilitating adoption in resource-limited contexts and reducing cost barriers. ²⁰⁴ These tools can be freely downloaded and used by entities to support their detection efforts, thereby contributing to  the overall cybersecurity posture both domestically (Layers 1 and 2) and internationally (Layer 3). The functions are tool-specific but can, for example, facilitate log management and malware analysis.

Three examples of countries providing detection-relevant tooling are as follows:

Providing funding

The role of an NCA may also extend to providing financial support to certain entities, for example, to enable them to benefit from non-government-provided threat detection services. One example is past U.S. activity in this regard, with the caveat that the agreement providing U.S. funding for this program was terminated on September 30 this year:

Collaborating with non-governmental stakeholders on research

In addition to operational and financial support, NCAs may also support research efforts by providing non-material input and offering means to validate findings or collaborating on specific projects—activities that can not only advance external research but also allow an NCA to benefit from and possibly leverage their external expertise. As a positive side effect, such measures not only provide interesting research avenues (which ideally creates a win-win situation for both sides) but can also promote and positively contribute to a country’s talent pipeline.

Two examples of tasks undertaken by existing NCAs include the following:

Examples

International detection capability-building, as discussed in this paper, is not a new concept. Some states, international organizations, and international and regional development banks are already engaged in international assistance projects—often under the label of CCB activities—aimed at enhancing cyber detection capabilities in other countries, which is a good sign. Yet, many of the relevant efforts currently underway tend to go largely unrecognized in terms of their policy importance and appear as isolated individual activities that are not put into a broader context with each other, limiting their strategic potential and the ability to amplify their impact.

The identified, already implemented international detection capability-building actions cover a very broad spectrum. They encompass activities aimed at developing or enhancing some of the technology, people, and process capabilities discussed in the previous two chapters. Specifically, they range from support for the establishment of national CSIRTs—provided these also include any detection-related activities pertinent to monitoring, analysis, or information-sharing—or SOCs to the provision of training and workshops, as well as the hiring and financing of seconded personnel. Their scope varies depending on the financial and human resources invested, the actors funding and implementing them, and their time horizon. Mostly, donor governments invest in detection capability-building in certain priority regions, mostly in partner countries in or near their immediate geographical vicinity.

A few concrete examples from various regions show how certain countries and other funders are engaging in such activities (see Annex III for further examples):

• United States → Costa Rica: In March 2023, the United States pledged to spend $25 million dollars to “enable Costa Rica to establish a national security operations center [within the Costa Rican Ministry of Science, Innovation, Technology, and Telecommunications] to quickly detect and respond to cyber attacks and implement cybersecurity protections for its government systems.” ²¹⁷ This move came shortly after Costa Rica declared a state of emergency in 2022, following heavy targeting of government entities. In addition, the United States provided $10 million to build an entity-specific SOC within the Costa Rican Ministry of Public Security by the next year, with the assistance aimed at providing “state-of-the-art equipment, specialized training, and logistical support.” ²¹⁸

• European Union → Albania, Montenegro, and North Macedonia: Through funding the Cybersecurity Rapid Response 2.0 project, which ran from April 2024 to September 2025 and was implemented by the Estonian e-Governance Academy (eGA), the EU aimed to “increase [the] operational cyber capacities of Security Operations Centres and Computer Security Incident Response Teams of beneficiaries” and to “improve inter-institutional information sharing” ²¹⁹ as two of its primary objectives. The project has €4.4 million ²²⁰ in funding and its beneficiaries are Albania, Montenegro, and North Macedonia. One of the project outcomes is the opening of Montenegro’s government SOC, during whose establishment phase eGA “supported [with] the procurement of necessary equipment.” ²²¹

• Germany → African Union Commission: In 2024, Germany’s development agency GIZ hired an IT project officer employed by the GIZ Addis Ababa field office and seconded to the African Union Commission (AUC)’s Management of Information Systems Directorate (MISD). The officer is tasked with creating a SOC within the AUC. His responsibilities include ensuring that the created SOC can, inter alia, “detect and take quick actions for any threats in the infrastructure of [the] AU” and “provide a preventive monitoring of the IT infrastructure of the organization.” ²²²

• Japan → Asia-Pacific region: Detection capabilities played a role in various training programs carried out by Japanese entities, three of which are discussed. In October 2016, JPCERT/CC provided log analysis training for participants from Indonesia, Brunei, Cambodia, Laos, Myanmar, Timor-Leste and Vietnam in the framework of a project by the Japanese International Cooperation Agency (JICA). ²²³ As part of training for national CSIRTs, JPCERT/CC also introduced its TSUBAME detection platform and assisted in the installation of sensors, for example, in Vietnam. ²²⁴ In February 2020, JICA conducted a cybersecurity seminar in Myanmar for staff from Myanmar’s National Cyber Security Center (NCSC), covering topics such as network security and the role of government SOCs. ²²⁵

• World Bank Cybersecurity Multi-Donor Trust Fund → Multiple countries: For example, in Bangladesh, a 2017–2020 World Bank project supported the development of strategic cyber awareness across critical information infrastructures by deploying coordinated cyber visibility measures and installing cyber sensors, inter alia, to enhance their detection capabilities. ²²⁶ Another detection-relevant grant amounting to $200,000 was given to Mongolia in 2023 so that the newly established Mongolian national CSIRT can finance “several innovative trials on the use of AI” relevant to the performance of its functions. These pertain specifically to “advanced threat detection, by analyzing vast amounts of data and detecting patterns that may indicate the presence of a cyber threat or attack” and “real-time, continuous monitoring of data sources to identify and alert security teams about any unusual behavior or potential threats with higher precision.” ²²⁷

In addition to these activities, other relevant projects have been supported by the International Telecommunication Union (ITU) and the Inter-American Development Bank (IADB) or were provided in the context of the Tallinn Mechanism.

Most of the activities outlined above pertain mostly to international assistance from a development aid perspective. However, relevant state practice highlights that there is also a cyber-defense angle ²²⁸ to international detection capability-building, demonstrated by the following two publicly known example activities:

• European Union → Moldova and Georgia: Under the European Peace Facility (EPF), ²²⁹ the EU funds two assistance measures aimed at the Republic of Moldova and Georgia. ²³⁰ Like the EU’s Cybersecurity Rapid Response 2.0 project, these assistance measures are also implemented by the eGA. In the case of Moldova, the “cybersecurity support [provided] aims to increase the ability of the Moldovan Armed Forces and the Ministry of Defence to detect intrusions into the information systems and to counter cyber-attacks.” ²³¹ The assistance measure, amounting to €4 million from December 2022 to September 2025, seeks to support Moldova through the provision of equipment and the organization of practical hands-on exercises. ²³²

• United States (+ Canada) → Multiple countries: The United States, once jointly together with the Canadian Armed Forces, ²³³ also takes steps of a more interventionist nature under the pretext of enhancing detection capabilities in other states within the framework of what it calls “hunt forward operations”. ²³⁴ In the context of these operations, U.S. Cyber Command—specifically the Cyber National Mission Force (CNMF)—personnel “deploy[s] to partner nations to observe and detect malicious cyber activity on host nation networks” ²³⁵ at their invitation. The United States envisions these efforts, usually a few months long, to contribute to building capabilities and personal connections ²³⁶ in the “host nation.” The United States also asserts that there is an immediate benefit for its own constituents, such as government entities and critical infrastructure operators, as well as international counterparts, since it pledges to share insights on adversary behavior identified through HFOs—if permitted by the respective country. ²³⁷ The acting commander of the U.S. Cyber Command testified that, as of May 2025, “CNMF personnel have deployed more than 85 times to over 30 countries in partner-enabled missions to hunt on host networks.” ²³⁸ This includes missions in Albania, ²³⁹ Croatia, ²⁴⁰ Estonia, ²⁴¹ Latvia, ²⁴² Lithuania, ²⁴³ Montenegro, ²⁴⁴ Ukraine ²⁴⁵ and Zambia. ²⁴⁶

In addition to these “funder-to-country activities,” relevant detection-related support can be provided also indirectly to partner countries. For example, governments may fund activities carried out by non-governmental organizations—such as the Australian, Swiss, and UK governments (and others) supporting the capacity-building work of FIRST, ²⁴⁷ or the UK Foreign, Commonwealth and Development Office (FCDO) funding the Shadowserver Foundation’s dashboard, which provides various types of daily updated high-level information. ²⁴⁸ Sources like these can be leveraged by multiple governments in carrying out their detection responsibilities.

Challenges

Research into relevant examples of international detection capability activities, some of which are enumerated in the previous chapter (see Annex III for a full overview), has highlighted a challenge that pertains specifically to building incident detection capabilities worldwide: states and other funders pursue different angles and interests, carry out initiatives at varying levels, target diverse audiences, and allocate differing financial resources. This underscores the complexity—or the fragmentation ²⁴⁹ —of capability-building efforts spanning across numerous actors.

Even for a very specific focus area such as detection capabilities, it is difficult to gain a comprehensive overview, distinguish projects, or assess what has specifically been implemented beyond what is described in public summaries. Evaluating the concrete impact of these efforts on enhancing the detection maturity of public sector entities or national cybersecurity authorities is even more challenging. ²⁵⁰ This represents a challenge, as the difficulty in maintaining an overview can hamper coordination, which in turn may hinder the meaningful interplay of measures, especially since building detection capabilities is a long-term endeavor. Consequently, it may also lead to additional or overlapping activities that can further strain the already limited capacity of partner countries to absorb numerous capability-building offers.

In addition to these systemic challenges, two further categories of challenges may impede the development of capabilities necessary for carrying out governmental detection responsibilities. The first set involves organizational, legal, and capacity-related constraints that partner countries may face (Section 8.1). The second set concerns the threat landscape and the adaptive TTPs of threat actors, which make detection an increasingly complex endeavor and require entities to continuously refine their capabilities to account for these developments (Section 8.2). Depending on their respective relevance to a specific partner country’s context, these factors can influence the implementation of specific activities by shaping which capability-building measures are feasible despite particular challenges or by determining where targeted interventions could focus on addressing a challenge (or a set of related challenges) directly.

Organizational, Legal, and Capacity-Related Challenges

Some of the hurdles states face when seeking to build detection capabilities become apparent when examining Cybersecurity Capacity Maturity Model (CMM) reviews that employ the University of Oxford’s Global Cyber Security Capacity Centre model. ²⁵¹ Although some of these reports are becoming dated, they continue to offer a valuable baseline for assessing common detection challenges across national contexts.

The reports highlight various issues that have implications for a country’s ability to comprehensively detect adverse behavior:

• Most evidently, the absence of a national CSIRT ²⁵² or government SOC. ²⁵³ Such an institutional void can inhibit centralized coordination and visibility over national-level cyber threats, which in turn impairs detection response time and cross-sector information sharing;

• A culture of concealing detected issues, such as vulnerabilities, which persists because they are considered “confidential, commercially valuable information.” ²⁵⁴ Concerns regarding data sensitivity and trust barriers can thus result in “no information [being] shared formally with other institutions, either within or across sectors,” ²⁵⁵ which impedes collective situational awareness and limits sector-wide learning from incidents. This lack of information sharing may be further reinforced by the absence or underenforcement of mandatory obligations to report detected issues and incidents at the national level;

• Limited detection capabilities among national critical infrastructures, some of which are operated by domestic public sector entities such as small municipal governments, leaving them very vulnerable to compromise. Some CMM reviews note that detection capabilities across critical infrastructure are “uncoordinated and vary in quality,” with  various critical infrastructure operators lacking the required knowledge and expertise; ²⁵⁶ and

• A country’s private sector entities outpacing the public sector in detection capabilities. For instance, in the case of Madagascar “only the major international institutions, primarily in the financial and telecommunications sector, along with some of the larger local companies, apply network intrusion detection systems or implement security operations centres.” ²⁵⁷ Yet, it should be noted that this outpacing may apply to “only a very limited number of organisations” ²⁵⁸ in a country and that capacities within the private sector can be distributed quite unevenly. For example, a 2017 survey of 300 Swiss SMEs referenced in the country’s CMM review came to the conclusion that “systems to detect cyber-incidents have been fully introduced in only a fifth of companies.” ²⁵⁹

Depending on local circumstances, challenges can also arise at a very practical level that may limit the availability of the infrastructure required for detection efforts. These include issues such as infrastructure outages or unreliable internet connectivity, which necessitate comprehensive backup solutions such as additional power generators.

With cybersecurity capability hinging on both resources and expertise, it is only consequential that CMM reports and other sources highlight additional fundamental challenges relating to insufficient funding, shortages of skilled personnel, and brain drain. In addition, in many states, salary competition from the private sector further exacerbates workforce retention challenges in public sector detection roles. In a detection context, the scarcity of personnel can become especially critical when large amounts of data are collected and aggregated, but few people are available—and have the necessary expertise—to analyze, make sense of, and act upon raw data such as atomic IoCs, which may contribute to “missing critical needles [—signals—] in the haystack.” ²⁶⁰ Ukraine provides a telling example in this respect. In 2025, the country’s Ministry of Digital Transformation highlighted that its “government institutions often face limited resources and a shortage of qualified specialists [that] prevents them from effectively monitoring threats in real time and responding quickly to cyber incidents.” ²⁶¹ Examples like these underscore the need for strategic workforce development planning and investments in human resources—essentially the “people” component of a governmental detection capability.

Challenges Pertaining to the Threat Landscape and Threat Actor TTPs

From an entity perspective, the complexity of ICT supply chains makes effective threat detection more difficult. As organizations—and government entities alike—rely more heavily on wide networks of third-party providers and subcontractors, their attack surface expands beyond their direct control, which can obscure malicious cybersecurity events under the guise of legitimate activity. ²⁶² This can complicate detection efforts, particularly where monitoring does not extend to third-party environments.

Additionally, specific (nation-state) threat actor behaviors pose challenges to building detection capabilities. For example, in July 2025, David Koh, the chief executive of Singapore’s Cyber Security Agency, stressed that “between 2021 and 2024, [advanced persistent threat] APT activity detected in Singapore’s cyberspace has more than quadrupled.” ²⁶³ Hence, both the quantity and the increasing sophistication of threat actor activities require continuously adapting the necessary expertise and deploying advanced tools that can keep pace, which makes detecting such activities a highly complex and resource-intensive endeavor.

A few examples of relevant developments include the following:

• Using “living off the land” (LOTL) techniques: When publicly exposing the Volt Typhoon campaign and its prepositioning activities in U.S. critical infrastructure, authorities from the Five Eyes countries underscored that the Chinese state-sponsored threat actor behind it, like some of its counterparts in other states, ²⁶⁴ was actively employing measures to evade detection. ²⁶⁵ The advisory highlighted the deployment of LOTL techniques as one of the threat actor’s TTPs. Specifically, LOTL techniques enable threat actors to “abuse [...] native tools and processes on systems [...] to blend in with normal system activities and operate discreetly with a lower likelihood of being detected or blocked because these tools are already deployed and trusted in the environment.” ²⁶⁶ As a result, by seeking to achieve objectives via built-in infrastructure within a target entity, threat actors can help avoid alerts that would otherwise be triggered once third-party applications are installed. ²⁶⁷ Hence, LOTL complicates signature-based detection and requires the implementation of behavioral baselining and analytics to spot behavior employing these techniques.

• Deleting event logs: In addition to employing LOTL techniques to cover their tracks, many threat actors also try to eliminate any data that could reveal their presence or activity within an entity’s operational environment, for example by deleting event logs and clearing other related information. The usage of such a technique was, for example, observed in Sandworm’s NotPetya operation, ²⁶⁸ as well as activities by various threat actors including Volt Typhoon, ²⁶⁹ APT28, and APT38. ²⁷⁰

• Disabling detection systems: Cyber agencies around the globe have also underscored that state-backed actors seek to delay the detection of their operations by disabling dedicated detection systems in targeted networks. In this respect, a BSI report notes the emergence and spread of so-called “EDR killers” and their availability as malware-as-a-service (MaaS). ²⁷¹

• Employing means to act anonymously: In addition, threat actors are actively using anonymization networks to evade and complicate their detection, including the use of botnets or “commercial VPNs, TOR, and proxy software.” ²⁷²

• Cloud implications: Threat researchers have further highlighted that threat actors are increasingly moving their operations to the cloud, offering them the potential of leaving no trace (e.g. on endpoints) which makes their activities even harder to detect, especially for entities with limited resources. ²⁷³

• Leveraging “AI-enabled automation to aid evasion and scalability”: ²⁷⁴ Threat actors are increasingly using automation, machine learning, and AI to create more contextualized and adaptive malicious activities. ²⁷⁵ This poses a significant challenge for entities attempting to detect such activities, as they differ from previously observed patterns in CTI and therefore cannot be easily incorporated into an entity’s (automated) analytical systems. Hence, the UK NCSC assesses that such “human-machine teaming will highly likely make the identification, tracking and mitigation of threat activity more challenging without the development of effective AI assistance for defence.” ²⁷⁶

Even though the global median dwell time—the time “an attacker is on a system from compromise to detection” ²⁷⁷ —has decreased overall in recent years, all these challenges can delay the mean time to detect (MTTD), ²⁷⁸ if a threat behavior is detected at all. Such delays can amplify the activity’s spread, potential damage incurred, and possible data exfiltration.

Considerations for Designing International Detection Capability-Building Actions

This paper made the case for why policy-makers should increasingly leverage detection capability-building as a strategic opportunity. Especially from a cyber diplomacy standpoint, such efforts not only strengthen an essential cybersecurity capability in partner countries but also offer a significant pathway for accelerating the implementation of the framework of responsible state behavior. Nonetheless, while the link between capability building and norms implementation is, in theory, widely recognized and reflected in policy documents and UN discussions, ²⁷⁹ the connection remains largely indirect in practice.

Detection capabilities provide a prime example of why this is a missed opportunity: although they clearly enable states to implement the majority of these norms (see Chapter 3), activities aimed at their development rarely highlight their relevance to high-level UN policy discussions. Making such links more explicit could support raising awareness. This does not necessarily call for changing specific elements of capability-building actions. States can already invest in small steps, such as adjusting the framing and (political) embedding of a specific activity. This, in turn, could contribute to strengthening political buy-in, demonstrating the practical relevance of norms to technical communities, and fostering broader internal socialization of norms across government entities.

States seeking to support other countries in building or enhancing detection capabilities can use the activities outlined in Chapters 5 and 6 as a starting point. These activities provide examples of what could be done; they are not prescriptions for what should be done or what is right in a specific context. In other words, they can serve as inspiration for identifying needs and setting specific cyber-related development goals aligned with local realities and priorities. The specific interventions and measures chosen should always be tailored to a partner country’s existing capacities and unique circumstances.

Importantly, care should be taken to ensure that the recipient country or organization has the capacity to absorb the proposed assistance. In many cases, there may be more offers of support than can be effectively accepted or implemented at one time. It is therefore essential to engage in consultation—at least with like-minded partners active in the relevant region or partner country—to avoid introducing additional activities that could further strain a partner country’s or region’s already limited capacity to absorb numerous capability-building offers. It is also important to re-emphasize that building detection capabilities requires strategic long-term patience and continuous investment in technology, people, and processes.

To support potential coordination among interested donor governments, Annex III provides a mapping of relevant publicly known activities. This overview can aid decision-makers in identifying already existing support, assessing potential overlaps with planned activities, and exploring opportunities to leverage synergies with others in the area of international incident detection capability-building.

In light of the challenges outlined in the previous chapter, policymakers should consider three overarching factors when planning actions to build detection capabilities in partner countries, using them to guide context-specific decisions:

Consideration 1: Basics first

Building detection capabilities should proceed in small, deliberate steps, beginning with policy, organizational, and governance prerequisites before moving to more advanced measures. Donor states considering international assistance should first assess whether these foundations are in place. In this respect, states should give due consideration to the measures stipulated in existing relevant frameworks and standards as baselines. ²⁸⁰

Depending on local circumstances, foundational prerequisites can include a clear governance structure laying out roles and responsibilities, defining reporting lines, and ensuring relevant legal requirements (if any) are understood or developed wherever necessary. Taking steps toward establishing and maintaining reliable, up-to-date asset inventory of hardware and software used in specific infrastructures is also critical. Without a comprehensive overview of what is to be defended—and should form part of an entity’s detection coverage—resources risk being wasted without effectively advancing an entity’s detection posture. Complementary measures such as risk management profiling and employee awareness initiatives can further strengthen this foundation.

Once these fundamentals are in place, efforts can progress to more advanced technical measures. The next steps should begin with targeted initiatives, based on a logging policy that is already in place or to be developed, to build partner countries’ capabilities to monitor and analyze selected government networks or critical infrastructure operators, with the option for gradually expanding coverage as capacity grows. While this paper focused specifically on detection capabilities, it is important to also pay attention to integrate detection in the rest of the defense process by ensuring, or working towards, a basic level of response capability before proceeding with technical detection measures. Otherwise, anomalous behavior would be ideally spotted and understood, but the entity would lack the basic means to act on detected incidents.

Consideration 2: Leverage unique added value

Policymakers should keep in mind that the end goal of a governmental detection capability is not necessarily for public-sector entities to carry out all responsibilities on their own. Instead, capability development efforts should focus on areas where public sector entities can provide the greatest added value in monitoring their own operational environments and fostering detection across a country’s jurisdiction. When designing an intervention logic, decision-makers in donor and partner countries therefore need a clear understanding of where public-sector action can have the highest impact to fulfill governmental detection responsibilities.

Governments should avoid investing in measures that risk duplicating existing efforts or have poor long-term cost–benefit ratios, such as highly specialized and resource-intensive capabilities that can be accessed more efficiently by involving external expertise. ²⁸¹ However, careful balancing is required; while leveraging the potential of outsourcing certain tasks, particularly as a transitional solution in lower–maturity contexts, it should remain the objective that the most critical functions are developed and maintained in–house to mitigate dependency risks.

Consideration 3: Invest in people and community building

The effectiveness of detection capabilities depends less on the technology itself and more on the people who are needed to turn information into actionable insights. Being able to do so depends heavily on sociotechnical and analytical skills, including understanding the technology and one’s environment (e.g., typical user behaviors and log-in patterns) and building relationships across entities to exchange relevant information, best practices, and lessons learned. Donor countries must therefore take heed of the fact that it is essential to invest in developing a robust and diverse cybersecurity talent pipeline. ²⁸² Efforts may also engage the existing limited workforce to reduce turnover or brain drain. Relevant activities could center on supporting domestic training and education programs at public sector institutions and key public universities. ²⁸³

In addition, in resource-limited settings, strong communities can compensate more effectively for financial and personnel constraints than technology alone, but this requires opportunities to build mutual trust. When identifying potential areas of activity, decision-makers in donor countries should therefore also consider supporting nontechnical measures, such as efforts aimed at community building. This could be done by facilitating interactions between experts, for example, at the analyst-to-analyst level or participation in domestic or regional conferences. Given the limited duration of many foreign assistance projects, fostering trusted environments at the personal level through measures like these can enhance sustainability of projects, as outputs from these efforts can be leveraged and further developed even after their conclusion.

Annex

Annex I: Selected Statements by UN Member States on Detection/Detection Capabilities in the Framework of the UN OEWG

To see the table in a new tab, click here.

Annex II: How Detection Capabilities Are Reflected in Relevant UN Norms Guidance Documents

To see the table in a new tab, click here.

Annex III: Mapping of International Efforts to Build Detection Capabilities

To see the table in a new tab, click here.

Annex IV: Glossary

Annex V: List of abbreviations

Acknowledgments

This analysis was supported by the working group “Technical Capabilities for Norms Implementation” and experts through interviews, a workshop held in Berlin in May 2025, and online collaboration. The views and opinions expressed in this paper are those of the author and do not reflect the official policy or position of the experts or of their respective employer/s.

In alphabetical order, acknowledging essential contributions of:

1. Klée Aiken, Forum of Incident Response and Security Teams

2. Joel Aleburu

3. Robert Collett

4. Samuele Dominioni

5. Andrew Dwyer, Royal Holloway, University of London

6. Tod Eberle, The Shadowserver Foundation

7. Vera Ezeanolue

8. Chris Gibson, Forum of Incident Response and Security Teams

9. Richard Harris

10. Max Heinemeyer

11. Eve Hunter, Detecon International GmbH

12. Sophia Klumpp

13. Koichiro Komiyama, JPCERT/CC

14. Lisa Lobmeyer, Security Research Labs

15. Klara Marland

16. Jiro Minier, DCSO

17. Takumi Nakano, JPCERT/CC

18. Melanie Niethammer

19. Alexandra Paulus, German Institute for International and Security Affairs (SWP)

20. Mark Peters

21. Daniel Sauder

22. Berenike Vollmer

23. Fee-Marie von der Brelie
    

At interface, the author would particularly like to thank Sven Herpig for input and advice along the way, Jasen Ho for research support, Luisa Seeling for support in editing the text, Alina Siebert for layouting the paper and designing the paper’s visuals, Helene Pleil for constructive feedback on a first draft, Iana Pervazova for helping to spread the word about this publication, and Frederic Dutke and Nicole Lemke for support in implementing the workshop.

This project was made possible by the generous support of the German Federal Foreign Office. The views expressed in this paper do not represent the official position of the ministry.