Digital “tripwires” detect and respond to malicious activity, boosting cybersecurity maturity
Detection engineering is emerging as a critical defense strategy in cybersecurity — and at Cleveland Clinic, it's driving measurable progress.
Since January, a newly formed team has been using digital “tripwires” to detect and respond to malicious activity, significantly boosting the organization’s cybersecurity maturity. Using the National Institute of Standards and Technology (NIST) framework, the team raised its maturity score from 3.5 to 3.9 — a notable leap in a field where even incremental gains can take years.
Specifically, a maturity score measures the overall strength and effectiveness of an organization’s cybersecurity practices by evaluating governance, risk management, controls, incident response and adaptability to emerging threats.
Detection engineering is a critical discipline in modern cybersecurity. Its purpose is to design systems that identify suspicious behavior and remove ambiguity about whether an event is malicious. This involves crafting detection rules that act like tripwires — quietly monitoring systems for anomalies and triggering alerts or automated responses when something unusual occurs. Over time, these custom-built tripwires, tailored to the Cleveland Clinic environment, create a strategic ‘home-court advantage’ by enhancing threat detection and response capabilities.
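To make the tripwire idea concrete, here is an added illustration (not Cleveland Clinic's own rules or code) of two detection rules run over a constructed access-audit log: a decoy-record tripwire that fires on any read of a record no legitimate user should touch, and a bulk-access tripwire that fires when one account reads an unusual number of distinct records within a short window. The log format, user names, record IDs, threshold and response actions are all hypothetical.

```python
"""Added example: two 'tripwire' detection rules over a constructed audit log.
Format, names, thresholds and response actions are hypothetical, not the Clinic's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, action, record id (one event per line).
SAMPLE_LOG = """\
2024-03-01T09:00:00 nurse01 VIEW REC-1001
2024-03-01T09:00:05 nurse01 VIEW REC-1002
2024-03-01T09:01:00 contractor7 VIEW REC-9999
2024-03-01T09:02:00 billing3 VIEW REC-2001
2024-03-01T09:02:10 billing3 VIEW REC-2002
2024-03-01T09:02:20 billing3 VIEW REC-2003
2024-03-01T09:02:30 billing3 VIEW REC-2004
2024-03-01T09:02:40 billing3 VIEW REC-2005
2024-03-01T09:02:50 billing3 VIEW REC-2006
2024-03-01T09:14:00 nurse01 VIEW REC-1003
"""

DECOY_RECORDS = {"REC-9999"}   # hypothetical decoy record: no real patient behind it, so any read is suspicious
BULK_THRESHOLD = 5             # distinct records read by one user inside WINDOW before the rule fires
WINDOW = timedelta(minutes=10)

def parse(line):
    """Split one audit line into (timestamp, user, action, record_id)."""
    ts, user, action, rec = line.split()
    return datetime.fromisoformat(ts), user, action, rec

def detect(log_text):
    """Return one (rule, user, detail, response) tuple per tripped rule, in log order."""
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, rec)] still inside the sliding window
    fired_bulk = set()           # users already alerted on, so one burst yields one alert
    for line in log_text.splitlines():
        ts, user, action, rec = parse(line)
        # Rule 1: decoy-record tripwire. A single read is enough; respond automatically.
        if rec in DECOY_RECORDS:
            alerts.append(("decoy_access", user, rec, "disable_session"))
        # Rule 2: bulk-access tripwire. Drop events older than WINDOW, then count distinct records.
        recent[user] = [(t, r) for t, r in recent[user] if ts - t <= WINDOW] + [(ts, rec)]
        distinct = {r for _, r in recent[user]}
        if len(distinct) >= BULK_THRESHOLD and user not in fired_bulk:
            fired_bulk.add(user)
            alerts.append(("bulk_access", user, f"{len(distinct)} records in {WINDOW}", "page_analyst"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each rule pairs a narrow trigger with a proportionate response, which is what keeps a tripwire quiet for normal workflows and loud for the behavior it was built to catch.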
At Cleveland Clinic, this approach is especially crucial. As a large, well-respected health system, the organization handles vast amounts of sensitive patient data, making it a prime target for cyberattacks. The stakes are high: a breach compromises privacy, delivery of care and patient safety.
Becoming more proactive
Recognizing this, the detection engineering team is dedicated to formalizing and scaling the process of threat detection. They also work to align it with the NIST Cybersecurity Framework — a widely adopted standard that helps organizations assess and improve their cybersecurity posture.
“We wanted to move from reactive to proactive,” says Austin DeFrancesco, a cybersecurity engineer within Cleveland Clinic’s Digital Shared Services. “Instead of waiting for alerts to come in, we’re designing systems that anticipate threats and respond automatically. We’re fielding about 25 tripwire alerts every day.”
The results were swift and impressive. In just a few months, the team improved the Clinic’s maturity score from 3.5 to 3.9. While that may seem insignificant, in cybersecurity terms, it’s a major achievement.
DeFrancesco explains, “Moving the needle even slightly on a maturity score can take years. It shows more than technical improvements, and it reflects cultural and procedural shifts across the organization.”
Key to their success has been a focus on collaboration and clarity. The team works closely with other cybersecurity areas, Information Technology caregivers and clinical departments to ensure that detection rules are both effective and minimally disruptive. They’ve also invested in training and documentation to help others understand how detection engineering fits into the broader security ecosystem, presenting to and supporting internal teams as well as external teams across the healthcare industry.
“We’re not just writing code — we’re building trust,” says DeFrancesco. “Every rule we deploy must be tested, explained and accepted by the affected teams. That takes time, but it’s worth it.”
Looking ahead, the team is advancing its detection strategy by integrating AI tools to make tripwires smarter. Earlier this year, they adopted the Model Context Protocol (MCP), enabling large language models (LLMs) and automated agentic workflows. Embracing AI allows this small but agile team to identify security issues faster — without compromising the rigor essential to cyber operations.
“We’re just getting started,” says DeFrancesco. “Detection engineering is an iterative process. As threats evolve, so will our defenses.”
For Cleveland Clinic, the initiative’s early success is a powerful reminder that with the right strategy and support, even complex institutions like healthcare systems can make meaningful strides in cybersecurity.