Catch bad detections before they hit production

RuleSmith runs schema and style checks on every PR and blocks merging broken rules. No CI scripts required.

Simple install.
Just authorize the GitHub App; your rules are auto-detected and all future PRs are validated.
No extra logins.
Your team logs in using their existing GitHub accounts, and reviews happen within the normal PR process.
Flexible checks.
Use our sensible defaults, choose exactly which checks you want to enforce, or write your own custom checks.
Sigma, ProjectDiscovery Nuclei, Elastic Detection Rules, YARA, Atomic Red Team

See our supported formats

Git-native SOC tooling

Why teams use RuleSmith

RuleSmith plugs straight into GitHub to review and validate every alerting rule.
No fiddly build scripts and no false positive storms.

Prevent misconfigured rules
Don't let something as simple as a mistyped field name cause your detection rules to fail silently.
Standardised metadata
Enforce that all your rules have metadata like tags, severities, and descriptions.
Guardrails on LLM-generated rules
Catch hallucinations from LLM-generated detection rules and ensure they match your team's style.
Rule quality insights
(Coming Soon) Built-in telemetry flags chatty or silent rules so you can tune, disable or delete with real evidence.

Pricing

Plans that scale with your SOC

Try out RuleSmith free for personal accounts. For teams, upgrade to a paid plan and pay only based on how many rules you have.

Individual

Free for personal accounts and public repositories.

$0

  • 1 ruleset
  • Up to 100 rules
  • Built-in linters

Validate

Scale-ready

Ensure the quality of your team's detections.

$49 /month

  • Validate up to 1,000 rules at a time
  • Custom rule validators
  • Email support
  • $30 per additional 1,000 rules

Custom

Dedicated support and infrastructure.

Custom pricing

  • Unlimited rulesets
  • Unlimited rules
  • On-premise, air-gapped deployments
  • Custom integration development

Frequently asked questions

What types of detection rule do you support?

RuleSmith has first-class support for the most common detection rule formats like Sigma and Elastic. Basic validation is supported on any rule in a standard format like YAML.

First-class support can be added for any custom/internal format you use. Let us know what you need.

How is RuleSmith deployed?

RuleSmith runs as a cloud or self-hosted GitHub App. It receives webhooks from GitHub whenever changes are made to your detection rules, and then posts validation results back to GitHub.

Does RuleSmith need write-access to my repository?

No. Just like any other GitHub contributor, you can configure your repo such that RuleSmith can only operate on pull requests and not touch your main branch directly.

What happens if someone edits a rule directly in the SIEM?

Currently, RuleSmith only validates rules in your GitHub repositories. We're working on adding support for SIEMs too. Get in touch for early access.

Do you offer on-premise installations?

Yes. Enterprise customers can deploy RuleSmith entirely inside their own VPC or data center.

What is detection-as-code?

It's the practice of managing security detections in a version-controlled, peer-reviewed workflow—just like application code—so changes are auditable, tested and reproducible.

Ready to stop fighting with CI pipelines?

Install the GitHub App and get inline linting on your next PR.