Detection validation, source to alert

Detections break silently

Don't be the last to know.

Schema drift, pipeline changes, parser updates.
13% of deployed rules are broken and will never fire (CardinalOps 2025 State of SIEM).
50% of detection failures originate upstream of the rule, not in its logic (Picus Blue Report 2025).
57% of organizations first learn of a breach from an outside party (Mandiant M-Trends 2025).

Keep proving they fire

Tracemill continuously validates your real production detection pipelines: what's passing, what's broken, and whether it failed at ingestion or detection.

Explore Tracemill Cloud
Tracemill Cloud: splunk-prod | scheduled every 24h

Run | State | Events | Alerts | Time
aws-network-access-control-list-created-with-all-open-ports (run 3dd4481a) | failed | 5 / 5 | 3 | 12m ago, took 6m
Exercises EC2 network ACL rules that expose a subnet to broad inbound access (T1562.007): three attack workloads open all ports, one benign control opens 443, one opens the privileged range 0-1024.

Scenario | Synthetic event | State | Events | Alerts | Detection
scenarios/aws/ec2/create-acl-all-protocols-open | CreateNetworkAclEntry ingress allow, protocol -1, 0.0.0.0/0, all ports open | passed | 1 / 1 | 1 | ESCU - AWS Network ACL Created with All Open Ports (2026-06-09 11:18)
scenarios/aws/ec2/acl-open-tcp-range | CreateNetworkAclEntry TCP ingress allow, port span 0-65000 (> 1024), 0.0.0.0/0 | passed | 1 / 1 | 1 | ESCU - AWS Network ACL Created with All Open Ports (2026-06-09 11:18)
scenarios/aws/ec2/create-acl-single-port | Benign control: narrow single-port (443) TCP ingress rule should not fire | passed | 1 / 1 | 0 | no alert expected
scenarios/aws/ec2/acl-open-tcp-range | CreateNetworkAclEntry TCP ingress allow, ports 0-1024 (span exactly 1024), evades the > 1024 port-range check | failed | 1 / 1 | 0 | alert expected, none fired

How it works

Tracemill generates synthetic events with full schema fidelity, indistinguishable from your real telemetry, and delivers them to your ingestion pipeline's entry point. Your pipeline carries them into the SIEM, exactly as it carries your production data.

Tracemill then confirms the events were delivered and verifies the expected alerts fired on them. Finally, it tracks changes across runs and notifies you when a detection breaks or the data stops flowing.

Inject → Pipeline → Parse → Alert → Verify → Track
Tracemill Cloud: continuous validation
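To make the verdicts in the run above concrete, and to show what the Verify step has to decide, here is the same check exercised over synthetic events in Python. This is an added example, not Tracemill's or Splunk ESCU's code: the rule logic follows the page's description of the deployed check (all protocols, or a port span strictly greater than 1024), the CloudTrail-shaped records and the `tracemill` marker field are constructed for the example, the simulated pipeline loss is an assumption, and `rule_hardened` is one possible fix, counting ports inclusively so the 0-1024 case fires.

```python
"""Validate a network ACL 'all open ports' detection over synthetic events.

Added illustration, not Tracemill's code. The rule logic is modelled on the run
description above (fires on aclProtocol -1, or on a port span strictly greater
than 1024); the records are constructed CloudTrail-shaped events, not captured
telemetry, and the 'tracemill' marker field is an assumed convention.
"""

RUN_ID = "3dd4481a"  # run identifier from the dashboard above, stamped on every synthetic event


def make_acl_event(scenario, protocol, port_from=None, port_to=None, cidr="0.0.0.0/0"):
    """Build a minimal CreateNetworkAclEntry record in CloudTrail's requestParameters shape.
    protocol -1 means all protocols; CloudTrail serialises aclProtocol as a string."""
    params = {
        "egress": False,  # ingress rule
        "ruleAction": "allow",
        "aclProtocol": str(protocol),
        "cidrBlock": cidr,
    }
    if port_from is not None:
        params["portRange"] = {"from": port_from, "to": port_to}
    return {
        "eventName": "CreateNetworkAclEntry",
        "eventSource": "ec2.amazonaws.com",
        "requestParameters": params,
        # synthetic marker: lets verification (and SOC triage) tell these apart from real events
        "tracemill": {"run_id": RUN_ID, "scenario": scenario},
    }


def _ingress_allow(ev):
    """Shared gate: an ACL entry that allows inbound traffic."""
    p = ev.get("requestParameters", {})
    return (ev.get("eventName") in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry")
            and p.get("ruleAction") == "allow" and not p.get("egress"))


def rule_as_deployed(ev):
    """The check as the run above describes it: all protocols, or (to - from) > 1024.
    A rule spanning exactly 0-1024 yields 1024, which is not > 1024, so it slips through."""
    if not _ingress_allow(ev):
        return False
    p = ev["requestParameters"]
    if p.get("aclProtocol") == "-1":
        return True
    rng = p.get("portRange") or {}
    return rng.get("to", 0) - rng.get("from", 0) > 1024


def rule_hardened(ev):
    """Count ports inclusively (to - from + 1) so a 0-1024 rule, which opens 1025 ports, fires."""
    if not _ingress_allow(ev):
        return False
    p = ev["requestParameters"]
    if p.get("aclProtocol") == "-1":
        return True
    rng = p.get("portRange") or {}
    return rng.get("to", 0) - rng.get("from", 0) + 1 > 1024


# The four scenarios shown in the run above: (name, synthetic event, alert expected?)
SCENARIOS = [
    ("create-acl-all-protocols-open", make_acl_event("create-acl-all-protocols-open", -1), True),
    ("acl-open-tcp-range 0-65000", make_acl_event("acl-open-tcp-range", 6, 0, 65000), True),
    ("create-acl-single-port", make_acl_event("create-acl-single-port", 6, 443, 443), False),
    ("acl-open-tcp-range 0-1024", make_acl_event("acl-open-tcp-range", 6, 0, 1024), True),
]


def validate(rule, scenarios=SCENARIOS, dropped=()):
    """Run one validation pass and return {scenario: verdict}.

    'dropped' names scenarios whose event never reached the index (simulated pipeline
    loss), so a failure is reported as ingestion rather than detection."""
    verdicts = {}
    for name, ev, expected in scenarios:
        if name in dropped:
            verdicts[name] = "failed: ingestion (event not found in index)"
            continue
        fired = rule(ev)
        if fired == expected:
            verdicts[name] = "passed"
        elif expected:
            verdicts[name] = "failed: detection (alert expected, none fired)"
        else:
            verdicts[name] = "failed: detection (alert fired on benign control)"
    return verdicts


if __name__ == "__main__":
    for label, rule in (("as deployed", rule_as_deployed), ("hardened", rule_hardened)):
        print(f"--- {label} ---")
        for name, verdict in validate(rule).items():
            print(f"{name:32} {verdict}")
```

The marker field matters beyond the check itself: a run identifier on every synthetic event is what lets the verifier search the index for "was it delivered" separately from "did the alert fire", and it gives the SOC a field to route or suppress alerts raised by validation traffic so a scheduled run does not page the on-call.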

Where the other approaches stop

Every alternative gives up one of three things: the live pipeline, safety, or per-rule proof. Tracemill keeps all three.

Replay a dataset: checks rule logic against historical captures, but never touches your live pipeline.
Real-attack tools: real telemetry, but a heavy footprint; they can't safely exercise your most dangerous detections, and they give no per-rule granularity.
Config & coverage analysis: flags gaps and misconfigurations, but proves a rule exists, not that it fires.
Tracemill: synthetic telemetry through your real pipeline, safe on every detection, verified rule by rule.

Already run a BAS tool? Tracemill pairs with it: BAS tests preventive controls and real execution; Tracemill covers the detections those can't safely reach.

Catch silent failures before an attacker does

Free to run Tracemill Cloud. Live in your SIEM in minutes.

Prefer the terminal?

The free CLI runs any scenario or job from your shell or CI, no account needed. Deliver to Splunk HEC, S3, or any TCP/HTTP endpoint, then check the result in your SIEM.

Explore the CLI

$ tracemill run jobs/splunk/windows/wineventlog/logon/detect-password-spray-attempts \
    --hec-url https://splunk.example:8088 --hec-token *****

=== Tracemill Complete ===

  Events:     50
  Elapsed:    1.2s
  Errors:     0
  Event Types:
    windows.wineventlog@v1: 50