Applying Criminal Justice Principles to Detection Engineering
Published: May 1, 2025

By: Andrew Schwartz

In detection engineering (DE), distinguishing between true and false positives is a critical challenge. Much like how American criminal law relies on the concepts of mens rea (intent) and actus reus (action) to determine criminal liability, detection engineers must not only identify suspicious actions but also assess the intent behind those actions. It's not enough to detect unusual behavior; we must understand why it's happening to classify and respond to potential threats accurately. By drawing on principles from criminal law, detection engineers can refine their strategies, prioritize risks, and improve the overall effectiveness of their detection alerts. 

This blog delves into how legal concepts can inspire new approaches to the DE process, ultimately improving the accuracy and precision of cybersecurity defense strategies.


Burden of proof in detection engineering

In criminal justice, the concept of "burden of proof" is fundamental: it determines the level of evidence needed to establish guilt. Similarly, in DE, the burden of proof refers to the level of confidence we have in the detection outcomes, specifically whether we can confidently classify an alert as malicious based on the observed action and the inferred intent.

Just as mens rea (the guilty mind or intent) and actus reus (the physical action or conduct) must be proven in a criminal case, DE must evaluate both the action and the intent behind that action to determine if it’s a legitimate threat.

In DE, different levels of proof can be applied to evaluate the risk of an alert, guiding the decision-making process:

  • Preponderance of the evidence: This standard is often used in civil cases and means that something is more likely than not. In DE, this level of proof might be applied when an alert meets a threshold of risk based on multiple data points, such as correlation across various logs.

    • Example: A login from an unusual location combined with a failed attempt to access restricted files might meet the preponderance of evidence threshold, suggesting a higher likelihood of malicious intent.

  • Clear and convincing evidence: This is a higher standard that requires a high degree of certainty. For DE, an alert may meet this level of proof when there’s strong evidence of malicious behavior, such as successful lateral movement or privilege escalation.

    • Example: If an attacker gains administrative access and uses that access to disable security controls, this behavior represents clear and convincing evidence of malicious activity.

  • Beyond a reasonable doubt: This is the highest standard of proof used in criminal cases. In DE, this level of confidence might be required before taking drastic actions like disabling an account or blocking network traffic. It requires near certainty that the activity is malicious, supported by extensive evidence and contextual analysis.

    • Example: A combination of compromised credentials, data exfiltration, and communication with a known malicious IP address can constitute proof beyond a reasonable doubt, justifying a strong defensive response.

The detection engineer’s responsibility is to evaluate alerts through these varying levels of proof, using correlation, cardinality, and other risk-based alerting techniques to establish confidence in the detection's outcome.

  • Correlation: By linking related events across multiple data sources, detection engineers can strengthen the burden of proof. For example, a login from a suspicious IP combined with unusual file access patterns provides stronger evidence of malicious activity.

  • Cardinality: Understanding how often a specific behavior occurs across different contexts helps establish whether an action is abnormal. Rare or highly unusual actions may warrant higher levels of scrutiny.

  • Risk-based alerting: By prioritizing alerts based on the potential impact and likelihood of malicious intent, detection engineers can apply the appropriate burden of proof before taking action. Higher-risk alerts require stronger evidence to justify a response.

This triad of evaluation mirrors investigative processes in criminal justice, helping detection engineers enhance their strategies and improve both detection accuracy and response effectiveness. 
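The three standards of proof and the correlation/cardinality/risk-based-alerting triad above, worked as a small scoring routine. This is an added illustration over constructed events, not Huntress code; the signal names, weights, cardinality multipliers and thresholds are all assumptions chosen so that the post's three examples land on the three standards.

```python
"""Risk-based alerting sketch: correlate each user's signals, weight rare ones
by cardinality, and map the total to the post's three burden-of-proof
standards. Added illustration over constructed events; not Huntress code."""
from collections import Counter, defaultdict

# Constructed sample events: (user, signal, detail). All names are hypothetical.
EVENTS = [
    ("alice", "login", "office-net"),
    ("alice", "file_access", "shared/notes.txt"),
    ("bob", "login", "office-net"),
    ("bob", "file_access", "shared/notes.txt"),
    ("carol", "login", "office-net"),
    ("carol", "login_unusual_geo", "unusual-geo"),            # unusual location
    ("carol", "restricted_access_failed", "finance/payroll.xlsx"),
    ("dave", "login_unusual_geo", "unusual-geo"),
    ("dave", "admin_granted", "domain-admin"),
    ("dave", "security_control_disabled", "edr-agent"),
    ("dave", "exfil", "bulk-upload-external"),
    ("dave", "c2_contact", "KNOWN-BAD-IP-PLACEHOLDER"),      # constructed placeholder
    ("erin", "admin_granted", "domain-admin"),
    ("erin", "security_control_disabled", "edr-agent"),
]

# Base weight per signal type (assumed values; tune from your own alert history).
BASE_WEIGHT = {
    "login": 0, "file_access": 0, "login_unusual_geo": 15,
    "restricted_access_failed": 20, "admin_granted": 25,
    "security_control_disabled": 35, "exfil": 35, "c2_contact": 40,
}

# Assumed score thresholds for the three standards of proof, highest first.
THRESHOLDS = [(150, "beyond a reasonable doubt"),
              (60, "clear and convincing"),
              (30, "preponderance of the evidence")]


def cardinality_factors(events):
    """Cardinality: how many distinct users show each (signal, detail) pair.
    Behaviour seen for <=25% of users doubles in weight (rare); behaviour seen
    for >=75% of users halves (normal for this population); otherwise 1.0."""
    seen_by = defaultdict(set)
    for user, signal, detail in events:
        seen_by[(signal, detail)].add(user)
    total_users = len({user for user, _, _ in events})
    factors = {}
    for key, users in seen_by.items():
        share = len(users) / total_users
        factors[key] = 2.0 if share <= 0.25 else (0.5 if share >= 0.75 else 1.0)
    return factors


def score_users(events):
    """Correlation: fold every signal for a user into one weighted risk score."""
    factors = cardinality_factors(events)
    scores = Counter()
    for user, signal, detail in events:
        scores[user] += BASE_WEIGHT.get(signal, 10) * factors[(signal, detail)]
    return dict(scores)


def proof_level(score):
    """Map a risk score to the standard of proof it satisfies."""
    for threshold, label in THRESHOLDS:
        if score >= threshold:
            return label
    return "insufficient evidence"


def classify(events):
    """Risk-based alerting: {user: (score, standard of proof reached)}."""
    return {user: (score, proof_level(score)) for user, score in score_users(events).items()}


if __name__ == "__main__":
    for user, (score, level) in sorted(classify(EVENTS).items()):
        print(f"{user:6} score={score:6.1f}  {level}")
```

Carol (unusual login plus a failed restricted-file access) reaches preponderance, Erin (admin access used to disable security controls) reaches clear and convincing, and Dave (credentials, exfiltration and contact with the placeholder known-bad address) reaches beyond a reasonable doubt; the two users whose behaviour is common across the population score nothing.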

Now that we understand how the burden of proof helps establish confidence in detecting potential threats, it’s essential to explore the core legal principles—mens rea and actus reus—that form the foundation for evaluating and classifying these threats in DE.

Why connect burden of proof to mens rea and actus reus?

In criminal law, prosecutors need to prove both mens rea (the mental state) and actus reus (the physical act) to secure a conviction for most crimes. Similarly, in DE, we need to prove both the action (e.g., privilege escalation, data exfiltration) and intent (e.g., malicious insider, attacker) in order to classify an alert accurately. The burden of proof concept in DE helps determine how strong the evidence is for the action and intent to confirm that the alert represents a true security threat.


Understanding malicious intent through mens rea and actus reus

In American criminal law, a case is typically constructed by demonstrating that both mens rea and actus reus were present during the commission of a crime. Mens rea refers to the intention behind committing a crime, while actus reus involves the physical act that constitutes the offense. To secure a conviction, prosecutors must prove both elements beyond a reasonable doubt, showing that the defendant intended to commit the crime and carried out the unlawful act.

Similarly, in DE, determining whether an alert signifies a real threat involves more than just identifying a suspicious action—it requires evaluating the intent behind that action.

For example, consider two users executing the same command on a system. One may be a legitimate administrator performing a routine task, while the other may be an attacker attempting lateral movement. The difference lies in the intent. By analyzing patterns of behavior and contextualizing the actions within a broader framework, we can better determine malicious intent and refine our detection processes.

Applying mens rea and actus reus to DE

Building on this foundational understanding, let’s explore how we can apply mens rea and actus reus principles specifically within DE. Applying them involves evaluating both the action taken and the underlying intent to determine whether the activity is malicious:

  • Mens rea focus: Understanding the motivation behind an action helps to classify alerts more accurately. For example, if an employee downloads large volumes of data before leaving the company, their intent may indicate potential insider-threat behavior.

  • Actus reus focus: Identifying concrete actions, such as unauthorized access attempts or privilege escalation, helps detect potential security breaches based on observable evidence.

When both mens rea and actus reus are present, there's a stronger case for classifying an alert as malicious. This dual evaluation mirrors how criminal investigations build cases based on both action and intent to determine guilt.

Why intent matters in detection classification

Now that we understand the role of mens rea and actus reus, let’s focus on how intent plays a critical role in alert classification. While an action such as a mass file transfer or privilege escalation can be easily identified, determining intent is far more challenging. A single action may not be enough to distinguish between legitimate and malicious behavior. This often requires correlating multiple actions over time and making a judgment call based on context.

Accurate categorization of alerts is essential for an effective threat response, as misclassification can lead to wasted resources or, worse, missed threats. In DE, intent plays a central role in classifying alerts into categories like benign true positive, false positive, true positive, and false negative. However, because intent is harder to determine than action, security teams often rely on behavioral patterns, historical data, and contextual signals to make informed decisions.

  • Benign true positive: When an alert indicates an action that matches detection logic but is ultimately harmless, understanding the actor’s intent is key. Since intent is difficult to assess from a single action, corroborating signals—such as prior behavior, user role, and business context—help differentiate legitimate from malicious activity. For example, if a user performs a mass file transfer, cross-referencing their typical behavior or checking for business justification can clarify intent.

  • False positive: An alert that indicates suspicious activity but is ultimately benign often arises from misunderstood intent. Multiple suspicious actions might be necessary before intent can be determined. If an alert is triggered due to unusual login activity, but subsequent behavior aligns with legitimate use, the initial suspicion may be unwarranted.

  • True positive: An alert that correctly identifies malicious activity. Here, intent must be inferred from a combination of actions. For example, a user encrypting files may not immediately indicate ransomware, but if combined with attempts to disable security tools, this confirms malicious intent.

  • False negative: When a true threat goes undetected, analyzing intent retrospectively can reveal gaps in detection logic. Intent is often hidden in subtle behaviors, requiring security teams to look for patterns over time rather than single events. A user escalating privileges once may not be inherently malicious, but if they then access sensitive systems and create persistence mechanisms, the intent becomes more apparent.

Since intent is difficult to quantify directly, DE relies on aggregating multiple signals, behavioral analysis, and threat intelligence. By prioritizing intent as a critical factor in detection classification, SOC teams improve the accuracy of assessing true positives while reducing benign true positives and false positives, and lowering the rate of false negatives. This layered approach helps ensure that true threats are detected while avoiding unnecessary noise.

Elements of crime in DE

In criminal justice, a crime is established by proving several key elements:

  1. Action (actus reus): The physical act of committing the crime.

  2. Intent (mens rea): The mental intent to commit the crime.

  3. Concurrence: The requirement that both the intent and the action occur together.

  4. Causation: Demonstrating that the act directly caused the harm.

  5. Harm: Showing that the act resulted in damage or injury.

These elements mirror how threats are identified, classified, and addressed in DE.

  • Action (actus reus): The first step in detection is observing a concrete suspicious action, such as unauthorized access or privilege escalation. If the action is unauthorized, it signals potential malicious behavior.

    • Example: A user executing a script that encrypts files on a corporate network represents a concrete suspicious action.

  • Intent (mens rea): Next, we determine whether the action was performed with malicious intent. Without intent, even a suspicious action might be interpreted as an error or legitimate access.

    • Example: The same user attempting to disable endpoint security tools before running the encryption script suggests a clear intent to bypass defenses and cause harm.

  • Concurrence: Both the action and intent must be present to classify an alert as malicious.

    • Example: The execution of an encryption script, combined with the deliberate disabling of security tools, signals concurrent malicious behavior.

  • Causation and harm: If the detected action directly results in harm or impact, such as a data breach or service disruption, the alert is treated as critical.

    • Example: Encrypting critical business files and then posting a ransom note demanding payment for decryption demonstrates clear causation and harm.

By taking these various legal elements into account, DE can more effectively prioritize alerts, enhance classification accuracy, and implement appropriate responses tailored to the potential threat and its impact.
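The elements-of-crime checklist above, applied to the ransomware example, as an added illustration that is not Huntress code. It parses constructed log lines in an assumed `<timestamp> user=<u> event=<e>` format; the event names, the 30-minute concurrence window and the verdict labels are assumptions.

```python
"""Elements-of-crime checklist for one actor: action (actus reus), intent
(mens rea), concurrence (both together, in time, for the same actor), and
causation/harm. Added illustration over constructed logs; not Huntress code."""
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: "<ts> user=<u> event=<e>").
LOG_LINES = """
2025-05-01T09:00:00 user=admin event=backup_encrypt_job
2025-05-01T10:00:00 user=mallory event=security_tool_disabled
2025-05-01T10:04:00 user=mallory event=encrypt_script_executed
2025-05-01T10:09:00 user=mallory event=ransom_note_written
2025-05-02T08:00:00 user=pat event=security_tool_disabled
2025-05-02T15:30:00 user=pat event=encrypt_script_executed
""".strip().splitlines()

# Which event names evidence which element (assumed mapping for illustration).
ACTION_EVENTS = {"encrypt_script_executed", "backup_encrypt_job"}
INTENT_EVENTS = {"security_tool_disabled"}
HARM_EVENTS = {"ransom_note_written"}
CONCURRENCE_WINDOW = timedelta(minutes=30)   # assumed: intent must precede action by <= 30 min


def parse(lines):
    """Turn log lines into sorted (timestamp, user, event) tuples."""
    events = []
    for line in lines:
        ts, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append((datetime.fromisoformat(ts), kv["user"], kv["event"]))
    return sorted(events)


def evaluate(user, events):
    """Return (element checklist, verdict) for one actor."""
    mine = [(t, e) for t, u, e in events if u == user]
    actions = [t for t, e in mine if e in ACTION_EVENTS]
    intents = [t for t, e in mine if e in INTENT_EVENTS]
    harms = [t for t, e in mine if e in HARM_EVENTS]
    # Concurrence: an intent indicator at or shortly before the action.
    concurrent = any(timedelta(0) <= a - i <= CONCURRENCE_WINDOW
                     for a in actions for i in intents)
    # Causation/harm: harm is observed after a concurrent action, not before it.
    harmful = concurrent and any(h >= a for h in harms for a in actions)
    elements = {"action": bool(actions), "intent": bool(intents),
                "concurrence": concurrent, "harm": harmful}
    if harmful:
        verdict = "critical"      # all elements present: treat as critical
    elif concurrent:
        verdict = "malicious"     # action and intent together
    elif actions and intents:
        verdict = "suspicious"    # both seen, but not together: investigate
    elif actions or intents:
        verdict = "review"        # one element alone may be error or legitimate work
    else:
        verdict = "none"
    return elements, verdict


if __name__ == "__main__":
    parsed = parse(LOG_LINES)
    for who in sorted({u for _, u, _ in parsed}):
        print(who, *evaluate(who, parsed))
```

The admin's encryption job has no intent indicator and is only flagged for review; pat disabled a security tool hours before encrypting, so both elements exist but not concurrently; mallory satisfies every element and is rated critical.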

Intent and attribution in DE

While intent focuses on understanding the motive behind actions, attribution is about identifying who performed those actions. Although they’re different, intent and attribution are often interconnected:

  • Motivation and identity: Understanding the intent behind an action can help narrow down potential actors. For instance, a pattern of financial gain could indicate the involvement of criminal groups, while espionage-related intent might point to nation-state actors.

  • Contextual clues: The context in which an action occurs (such as timing, target, or method) can provide clues about the actor’s identity. If the intent aligns with known tactics, techniques, and procedures (TTPs) of specific threat groups, it aids in attribution.

  • Purpose and response: While attribution answers who performed an action, intent answers why. Both are important in determining the appropriate response, whether it's legal action, further investigation, or security mitigation.

By combining intent analysis with attribution efforts, DE teams can develop a more complete understanding of threats, which helps SOC teams take proportionate, targeted actions.



Applying legal classification to alert categorization

A crucial aspect of DE is to design systems that classify alerts based on their likelihood of malicious intent. Just as a prosecutor categorizes crimes based on severity and intent, a tiered system can be applied to alert classification:

  • Negligence-based alerts: Low-risk anomalies that may indicate misconfigurations or user errors. These alerts can typically be resolved with minimal intervention.

  • Reckless behavior alerts: Indicators of potential security risks, such as repeated failed login attempts that could suggest brute force activity. While these alerts may not immediately indicate an active attack, they warrant closer scrutiny.

  • Intentional malicious activity: High-confidence alerts where multiple signals (e.g., privilege escalation, data exfiltration) confirm an active attack. These should be prioritized for immediate response.

By structuring alert classification through a legal lens, DE helps SOC teams reduce noise and prioritize threats that exhibit clear intent and harmful potential.



Enhancing true positive identification

One of the most challenging aspects of DE is having to rely on others (i.e., the SOC) to distinguish true positives from false positives. Many detection systems err on the side of caution, resulting in alert fatigue and inefficient security operations. By leveraging the principles of criminal justice—examining means, motive, and opportunity—we can refine detection models to improve true positive rates.

For example, in assessing whether a suspicious login attempt is genuinely malicious, let’s consider:

  • Means: Does the user have the capability to execute an attack? (e.g., are they using compromised credentials from the dark web?)

  • Motive: Is there a reason for this action? (e.g., is there an insider threat scenario?)

  • Opportunity: Are conditions favorable for an attack? (e.g., is this occurring outside normal business hours?)

This triad of evaluation mirrors investigative processes in criminal justice, leading to more accurate detection and response strategies.


Conclusion

Viewing DE through a legal investigative lens opens up new avenues that could significantly enhance our ability to detect, classify, and mitigate threats with greater precision and effectiveness. The concept of burden of proof provides a structured way to analyze confidence in detection outcomes, while legal classification frameworks help prioritize alerts with greater accuracy. 

In DE, accurately assessing both the action and intent behind security events is key to improving the effectiveness of our response. Just as criminal law requires the analysis of both mens rea and actus reus to determine the seriousness of a crime, detection engineers must evaluate not just suspicious activity but also the underlying motivations. By integrating these legal principles into our alert classification process, we can better prioritize high-risk threats, reduce false positives, and respond more efficiently to real incidents.

As DE continues to evolve, applying frameworks that help us better understand the why behind actions will be crucial to building more accurate, reliable, and actionable detection models.


Thanks to Jonathan Johnson (@jsecurity101) and Chris Hecker for their help in reviewing this blog post.



