Known Detection Gaps
Purpose
This page documents known limitations in detection and monitoring coverage within the Scheol Security Lab.
It highlights situations where:
- malicious or abnormal activity may not be detected
- visibility is incomplete or unreliable
- monitoring mechanisms are not yet implemented or validated
The objective is to provide a realistic view of detection capability limits and support improvement of monitoring effectiveness.
What is a Detection Gap?
A detection gap exists when:
- a threat scenario is not covered by any detection mechanism
- a control is implemented but not observable
- logs or telemetry are missing, incomplete, or not centralised
- detection exists but is not validated or not reliable
Detection gaps are expected in evolving environments and must be:
- identified
- understood
- progressively reduced
Gap Categories
1. Visibility Gaps
- lack of log collection on critical components
- absence of telemetry (system, network, application)
- local logs not centralised
2. Detection Logic Gaps
- no detection rules for known threat scenarios
- insufficient correlation between events
- lack of use-case-driven detection coverage
3. Validation Gaps
- detection rules not tested against realistic scenarios
- no confirmation of alert triggering
- unknown false negative rate
4. Response Awareness Gaps
- alerts generated but not actionable
- lack of defined response procedures
- unclear ownership of detection events
Identification Approach
Detection gaps are identified through:
- comparison between threat scenarios and existing detection capabilities
- review of log sources and telemetry coverage
- validation exercises (simulated attacks, scenario testing)
- analysis of control effectiveness
Each gap should be linked to:
- a threat scenario
- a control or monitoring capability
- a missing or weak detection mechanism
Example Detection Gaps
| Gap ID | Description | Category | Related Scenario | Status |
|---|---|---|---|---|
| DG-001 | No centralised logging from VPS environments | Visibility | S-00X | In Progress |
| DG-002 | No detection rules for web exploitation attempts (Dolibarr) | Detection Logic | S-00X | Planned |
| DG-003 | No validation of SSH brute-force detection effectiveness | Validation | S-00X | Planned |
| DG-004 | Limited visibility on administrative actions outside bastion | Visibility | S-00X | In Progress |
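Applying the identification approach above to a constructed inventory, as an added example (not part of the lab's own tooling): each scenario's required telemetry is compared with what is centralised and with the rules that reference it, and every shortfall is emitted under one of the four gap categories defined on this page, mirroring DG-001 to DG-003. The scenario ids, log-source names, rule names and owner values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Scenario:
    sid: str               # constructed id, not a real lab scenario number
    name: str
    log_sources: Set[str]  # telemetry needed to observe the scenario

@dataclass
class Rule:
    name: str
    scenario: str          # scenario id this rule is meant to cover
    log_source: str
    validated: bool = False        # confirmed to trigger in scenario testing?
    owner: Optional[str] = None    # who acts on the alert?

def find_gaps(scenarios: List[Scenario], rules: List[Rule],
              centralised: Set[str]) -> List[Tuple[str, str, str]]:
    """Compare scenarios with detection capability; return
    (scenario id, gap category, description) tuples."""
    gaps = []
    for s in scenarios:
        # 1. Visibility: required telemetry is not collected centrally
        for src in sorted(s.log_sources - centralised):
            gaps.append((s.sid, "Visibility", f"{src} logs not centralised"))
        covering = [r for r in rules if r.scenario == s.sid]
        # 2. Detection logic: no rule addresses the scenario at all
        if not covering:
            gaps.append((s.sid, "Detection Logic", f"no rule for {s.name}"))
            continue
        for r in covering:
            # 3. Validation: rule exists but was never confirmed to fire
            if not r.validated:
                gaps.append((s.sid, "Validation", f"{r.name} not validated"))
            # 4. Response awareness: alert exists but nobody owns it
            if r.owner is None:
                gaps.append((s.sid, "Response Awareness", f"{r.name} has no owner"))
    return gaps

# Constructed sample inventory (assumed values, not the lab's real inventory)
SCENARIOS = [
    Scenario("S-001", "SSH brute force", {"auth"}),
    Scenario("S-002", "Dolibarr web exploitation", {"web", "app"}),
]
RULES = [Rule("ssh_bruteforce", "S-001", "auth", validated=False, owner="soc")]
CENTRALISED = {"auth", "web"}

def example_gaps() -> List[Tuple[str, str, str]]:
    return find_gaps(SCENARIOS, RULES, CENTRALISED)
```

Each tuple returned by `example_gaps()` maps directly onto a row of the gap register above (scenario, category, description), with status and gap id assigned by the maintainer.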
Relationship with Other Sections
Detection gaps are closely linked to:
- Threat Scenarios → defines what should be detected
- Control Framework → identifies expected monitoring controls
- Validation Approach → verifies detection effectiveness
- Residual Gaps → broader view of security limitations
This page focuses specifically on the detectability of threats, not on overall control coverage.
Current Maturity
At the current stage, detection coverage in the Scheol Security Lab is considered to be at an early stage and incomplete.
Established
- initial deployment of logging on key exposed systems
- basic visibility on SSH and web access activity
- awareness of detection as a validation mechanism
In Progress
- centralisation of logs across Heaven and future Hell SOC components
- definition of detection use cases based on threat scenarios
- identification of major visibility and detection gaps
Planned / Next Phase
- full integration with SIEM (Wazuh) and correlation capabilities
- systematic validation of detection rules through scenario testing
- improved coverage of application-level and administrative activity
- structured tracking of detection gaps over time
This page is expected to evolve as monitoring capabilities mature and validation becomes more systematic.