LOGBOOK

HELP

Quiz Entry - updated: 2026.06.04

What is the purpose of the Detect function in the NIST CSF, and what are typical outcomes?

Detect defines activities to identify the occurrence of a cybersecurity event in a timely manner.

The key phrase is "in a timely manner" — breaches historically go undetected for months (industry reports regularly cite 200+ days of dwell time). Detection speed directly determines damage.

Example outcomes:

  • Security Continuous Monitoring (DE.CM) — ongoing observation of networks, systems, and user activity (e.g. with a SIEM)
  • Anomalies and Events (DE.AE) — anomalies are detected and their potential impact is understood (an alert nobody triages is not detection)
  • Detection Processes (DE.DP) — detection processes are tested and maintained, which includes verifying the effectiveness of protective measures

Tip: Detect is the bridge between the before functions (Identify, Protect) and the during/after functions (Respond, Recover). Skimping here means your excellent response plan never gets triggered.

From Quiz: ISM / Frameworks — NIST CSF & IKT Minimalstandard | Updated: Jun 04, 2026