CB
CyberBlueAcademy

Module 5: Emulation-Driven Development

Validate detections with atomic tests, build acceptance criteria, and ensure rule changes never silently break coverage.

Tools: Wazuh
3 Lessons
2 Hands-on Labs

Lessons & Labs

Lesson 5.1 — Atomic Red Team and Test Cases

Using atomic tests to validate detections — test libraries, execution frameworks, and expected-output mapping.

Lab 5.1 — Validate with Atomic Tests

Map atomic test IDs to expected Wazuh alerts, execute validation queries, and document pass/fail results for a detection acceptance report.

Advanced

Lesson 5.2 — Detection Acceptance Tests

Linking emulation to expected alerts — pass/fail criteria, test case documentation, and validation workflows.

Lab 5.2 — Build a Regression Suite

Build a regression test suite from existing Wazuh alerts, define baseline expectations, and identify detection drift scenarios.

Advanced

Lesson 5.3 — Regression Testing and Continuous Validation

Ensuring rule changes don't break existing coverage — regression suites, scheduled validation, and drift detection.


© 2026 CyberBlue Academy. All rights reserved.
