Breach-cost surveys have for years put the mean time to identify an intrusion at roughly 200 days, and organizations with no deliberate detection controls have little reason to expect better. By the time most SMBs discover an intrusion, the attacker has had months to enumerate systems, exfiltrate data, and establish persistence. The Detect function exists specifically to close that window.
In NIST CSF 2.0, Detect has been streamlined from three categories to two: Continuous Monitoring (DE.CM) and Adverse Event Analysis (DE.AE). The underlying message is direct: you need to be collecting signals, and you need to be doing something useful with them. Neither half works without the other.
For SMBs, the good news is that enterprise-grade detection is no longer enterprise-priced. Cloud-native SIEM tools, the EDR bundled with Microsoft 365 business licensing (Defender for Business) and comparable products, and cloud platform audit logging provide meaningful DE.CM coverage at near-zero marginal cost. The gap is almost always configuration and process, not budget.
The 2 Detect Categories
- DE.CM, Continuous Monitoring: assets and their activity are monitored to find anomalies, indicators of compromise, and other potentially adverse events. This is the collection half: endpoint telemetry, cloud audit logs, and network and identity events landing somewhere they can be queried.
- DE.AE, Adverse Event Analysis: those anomalies and indicators are analyzed to characterize the events and decide whether an incident has occurred. This is the analysis half: correlation against a known baseline, triage, and declaring an incident when the evidence supports it.
Common SMB Gaps in the Detect Function
- No log aggregation — cloud workloads, network devices, and endpoints each generate events that never get centralized or reviewed.
- Security alerts disabled or silenced on cloud platforms because they generated too much noise before anyone tuned them.
- No defined baseline of “normal” network or user behavior, making anomaly detection impossible rather than just hard.
- EDR not deployed on all endpoints — contractor laptops, personal devices, and older workstations frequently fall outside coverage.
- Logs collected but not retained long enough — most breaches are discovered weeks or months after initial compromise, requiring historical log data for forensics.
- No assigned owner for reviewing alerts — the alerts fire, but no one is watching them, so Detect capability exists on paper only.
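The baseline gap above is the one most often treated as mysterious, so here is the smallest useful version of DE.AE analysis in code: build a per-user profile of "normal" from a few weeks of audit records, then flag logins that fall outside it. This is an added example, not code from the original page or from any NIST or vendor tooling. The records are constructed for the example and only loosely follow CloudTrail's ConsoleLogin field names; the user, source-IP and timestamp fields are all any audit source needs to supply.

```python
"""Baseline-then-detect over audit log records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_network


def _rec(event_time, user, source_ip):
    # Constructed record; field names loosely mirror CloudTrail ConsoleLogin events.
    return {"eventTime": event_time, "eventName": "ConsoleLogin",
            "userIdentity": {"userName": user}, "sourceIPAddress": source_ip}


# Constructed "known good" history: alice works from 203.0.113.0/24 during
# business hours UTC, bob from 198.51.100.0/24. Documentation-only IP ranges.
BASELINE_RECORDS = [
    _rec("2024-03-04T08:12:00Z", "alice", "203.0.113.10"),
    _rec("2024-03-04T13:40:00Z", "alice", "203.0.113.11"),
    _rec("2024-03-05T17:05:00Z", "alice", "203.0.113.10"),
    _rec("2024-03-04T09:30:00Z", "bob", "198.51.100.4"),
    _rec("2024-03-05T16:45:00Z", "bob", "198.51.100.6"),
]

# Constructed new records to analyze against that baseline.
NEW_RECORDS = [
    _rec("2024-03-11T10:02:00Z", "alice", "203.0.113.20"),    # normal
    _rec("2024-03-11T03:14:00Z", "alice", "192.0.2.5"),       # new prefix, off hours
    _rec("2024-03-11T12:00:00Z", "mallory", "198.51.100.7"),  # never seen before
    _rec("2024-03-11T11:20:00Z", "bob", "198.51.100.9"),      # normal
]


def _parse(record):
    """Reduce a record to (user, /24 source prefix, UTC hour)."""
    ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    # Collapse the source address to its /24 so DHCP churn inside one office
    # or ISP range does not look like a new location.
    prefix = str(ip_network(record["sourceIPAddress"] + "/24", strict=False))
    return record["userIdentity"]["userName"], prefix, ts.hour


def build_baseline(records):
    """Per-user profile: source prefixes seen and the earliest/latest login hour."""
    baseline = defaultdict(lambda: {"prefixes": set(), "hour_min": 24, "hour_max": -1})
    for record in records:
        user, prefix, hour = _parse(record)
        profile = baseline[user]
        profile["prefixes"].add(prefix)
        profile["hour_min"] = min(profile["hour_min"], hour)
        profile["hour_max"] = max(profile["hour_max"], hour)
    return dict(baseline)


def detect_anomalies(records, baseline):
    """Return (user, reason, eventTime) for each record outside its user's baseline."""
    findings = []
    for record in records:
        user, prefix, hour = _parse(record)
        profile = baseline.get(user)
        if profile is None:
            # In a small shop a principal with no history is itself worth a look.
            findings.append((user, "no baseline for this principal", record["eventTime"]))
            continue
        reasons = []
        if prefix not in profile["prefixes"]:
            reasons.append(f"new source prefix {prefix}")
        if not profile["hour_min"] <= hour <= profile["hour_max"]:
            reasons.append(f"outside baseline hours ({hour:02d}:00 UTC)")
        if reasons:
            findings.append((user, "; ".join(reasons), record["eventTime"]))
    return findings


def run_example():
    """Analyze the constructed new records against the constructed baseline."""
    return detect_anomalies(NEW_RECORDS, build_baseline(BASELINE_RECORDS))


if __name__ == "__main__":
    for user, reason, when in run_example():
        print(f"{when} {user}: {reason}")
```

The two findings this produces (alice from an unknown prefix at 03:14 UTC, and a principal with no history at all) are exactly the items an alert owner needs to triage; a real deployment would build the baseline from a SIEM query over the retained log window rather than from a hard-coded list, which is why the retention and ownership gaps above matter as much as the collection itself.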
Detection Without an Enterprise Budget
Microsoft Defender for Business (included in Microsoft 365 Business Premium) provides EDR, automated investigation, and attack surface reduction for SMBs. AWS CloudTrail's management-event history and Google Cloud's Admin Activity audit logs are on by default at no charge, but the default view is short-lived (CloudTrail's event history covers 90 days), so the retention gap above still needs a configured trail or log sink. Microsoft Sentinel offers SIEM at consumption pricing that scales down to SMB budgets. You don't need a dedicated SOC to satisfy DE.CM; you need deliberate configuration of what's already available.
DE.AE is the harder problem. Analysis capability requires someone who knows what they’re looking at. A fractional CISO or managed detection and response (MDR) provider bridges this gap for organizations that can’t sustain an in-house security analyst. See our guide on fractional CISO costs for the math.