Add Threat Detection Engineer specialist

[PamvInf]

Agent Information

Agent Name: Threat Detection Engineer
Category: engineering
Specialty: SIEM detection rule development, MITRE ATT&CK coverage mapping, threat hunting, alert tuning, and detection-as-code pipelines

Motivation

The existing Security Engineer covers AppSec (secure code, OWASP, SAST/DAST). The Incident Response Commander handles incident process coordination. But no agent covers the critical middle layer: detecting threats in the first place.

This agent fills the gap between prevention and response by providing:

• Sigma detection rules with compilation to Splunk SPL, Sentinel KQL, and Elastic EQL
• MITRE ATT&CK coverage assessment and gap prioritization
• Detection-as-code CI/CD pipeline (rules in Git, tested, auto-deployed)
• Threat hunt playbooks that convert findings into automated detections
• Alert tuning methodology to reduce false positives and SOC fatigue
• Detection rule metadata catalog for lifecycle management

Every IT company running a SIEM needs detection engineering. This is the most universally missing cybersecurity capability in the collection.

Testing

• Validated against lint script (0 errors, 0 warnings)
• Structure follows existing engineering agents as reference
• Includes concrete deliverables: Sigma rules, SPL/KQL queries, ATT&CK coverage templates, CI/CD pipeline YAML, hunt playbooks
• All code examples are realistic and production-ready

Checklist

• Follows agent template structure
• Includes personality and voice
• Has concrete code/template examples
• Defines success metrics
• Includes step-by-step workflow
• Proofread and formatted correctly
• Tested in real scenarios