Quiz Entry - updated: 2026.06.04
What is the purpose of the Detect function in the NIST CSF, and what are typical outcomes?
Detect defines activities to identify the occurrence of a cybersecurity event in a timely manner.
The key phrase is "in a timely manner" — breaches historically go undetected for months (industry reports regularly cite 200+ days of dwell time). Detection speed directly determines damage.
Example outcomes:
- Security Continuous Monitoring (DE.CM) — ongoing observation of networks, systems, and user activity (e.g. with a SIEM)
- Anomalies and Events (DE.AE) — anomalies are detected and their potential impact is understood (an alert nobody triages is not detection)
- Detection Processes (DE.DP) — detection processes are tested and maintained, which includes verifying the effectiveness of protective measures
Tip: Detect is the bridge between the before functions (Identify, Protect) and the during/after functions (Respond, Recover). Skimping here means your excellent response plan never gets triggered.