Talk by Oksana Safronova at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/AXCDXU/

Before a real incident happens, the security team must test its detection capabilities in different ways. An overview of the MITRE ATT&CK matrix, test environments and other friends of the Blue Team. Obstacles, unexpected discoveries, lack of information, a flood of logs, new technologies: you will meet them all if you want to build an effective defense team.

The talk will expand on the following topics, based on our own experience:
- How to test the security team's detection and incident response processes
- Best practices for configuring endpoint monitoring tools
- Some problems that a defense team can encounter
- Additional resources that can help you detect threats