GitLab's Signals Engineering team built WATCH (Weekly Attack Testing for Continuous Health), an automated detection testing framework that continuously validates their security monitoring pipeline. WATCH uses GitLab CI/CD to schedule and execute scripted attack simulations in a staging environment, then verifies that alerts propagate correctly through their SIEM, SOAR, and dashboards. The framework uses a Python BaseSecurityTest abstract class to make writing new tests easy, and integrates with GitLab Duo AI to scaffold tests from natural language prompts. Three CI/CD pipeline stages handle scheduling, test execution, and verification/reporting via GitLab Pages dashboards. The system shifts detection health monitoring from reactive (discovering broken detections during incidents) to proactive (weekly automated validation).
Table of contents
A gap in detection validation
How WATCH works
Using WATCH with GitLab CI/CD
How we write tests with GitLab Duo
Improved visibility through test dashboards
WATCH helps us stay proactive
Try WATCH
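The BaseSecurityTest lifecycle described in the summary above (scripted simulation, then verification that the alert actually arrived), as an added example that is not GitLab's WATCH code. Only the name BaseSecurityTest comes from the write-up; the method names, the in-memory FakeSiem, the sample rule and the sample events are assumptions constructed for illustration.

```python
# Added example, not GitLab's WATCH code. Only the name BaseSecurityTest comes from
# the write-up; the method names, FakeSiem and the sample rule are assumptions.
import abc
import time

class FakeSiem:  # constructed stand-in for the SIEM: runs detection rules over ingested events
    def __init__(self, rules):
        self.rules, self.alerts = rules, []
    def ingest(self, event):
        self.alerts += [a for a in (rule(event) for rule in self.rules) if a]
    def search(self, needle):
        return [a for a in self.alerts if needle in a]

class BaseSecurityTest(abc.ABC):
    """Lifecycle shared by every test: simulate a tagged action, poll for its alert, report."""
    name = "unnamed"
    def __init__(self, siem, timeout=1.0, interval=0.05):
        self.siem, self.timeout, self.interval = siem, timeout, interval
    @abc.abstractmethod
    def simulate(self, marker): ...        # staging-only scripted action, tagged with marker
    @abc.abstractmethod
    def expected_alert(self, marker): ...  # substring the resulting alert must contain
    def run(self):
        marker = f"watch-{time.time_ns()}"  # unique tag ties the alert back to this run
        self.simulate(marker)
        deadline = time.monotonic() + self.timeout
        while time.monotonic() < deadline:  # poll: alerts land asynchronously
            hits = self.siem.search(self.expected_alert(marker))
            if hits:
                return {"test": self.name, "passed": True, "detail": hits[0]}
            time.sleep(self.interval)
        # Silence inside the window is the broken-detection case WATCH exists to surface.
        return {"test": self.name, "passed": False, "detail": f"no alert for {marker} in {self.timeout}s"}

class FailedLoginBurstTest(BaseSecurityTest):
    name = "failed_login_burst"
    def simulate(self, marker):  # constructed sample events, not a real login attempt
        for _ in range(5):
            self.siem.ingest({"type": "auth_failure", "user": marker})
    def expected_alert(self, marker):
        return f"brute_force:{marker}"

def brute_force_rule(event, _counts={}):  # mutable default keeps per-user state on purpose
    """Constructed detection rule: the 5th auth failure for one user raises an alert."""
    if event.get("type") != "auth_failure":
        return None
    _counts[event["user"]] = _counts.get(event["user"], 0) + 1
    return f"brute_force:{event['user']}" if _counts[event["user"]] == 5 else None
```

Running the same test against a SIEM with the rule removed (or a pipeline that silently drops events) yields `passed: False`, which is the signal a weekly scheduled job would surface on the dashboard.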