Developer Program for Threat Detection Marketplace
Do research, write and submit rules, earn money while you sleep
The opportunity to generate a steady income by writing threat detection rules. Join the defenders that work together for the better cyber security!
What can I provide?
Content developed by you as a person or by eligible partner companies for the purpose of threat detection, threat hunting and incident response. In SIEM terms we are talking about Sigma Rules, correlation rules, queries, dashboards, parsers. In EDR & Endpoint Protection - Yara rules, Network Based detection - Snort rules. Attack simulation content for open-source instruments is also supported.
Sigma rules
Yara rules
Snort rules
Red tests
(such as Atomic Red Team)
SIEM rule packages
(.ARB, .gzip etc.)
Parsers
(logstash configs, Flex connectors, technology add-ons, DSM’s etc.)
Data enrichers & response actions
(e.g. python, bash, powershell scripts)
Incident Response playbooks

How to make money with SOC Prime Threat Bounty
SOC Prime Threat Bounty Program has transitioned to the rank based rewards. Key unlocks did not work
so we have removed a reward per unlock as per July 1st 2019 and informed all developers in email.
What happened in the backend is that SOC Prime team has reached out to every client we have, shared the
Threat Bounty story, advised which rules would be of high use to clients. Some clients proceeded with
Key unlocks but the majority provided feedback on the difficulty of such system for enterprise. Our
TAMs have further collected feedback from customers to see what we can do better and this is how the
Wanted! list was created. A monthly tradition that we intend to follow.
As our mission is to build and back an active and involved community with fair compensation to the developers. Unlocks were low and initial plan was to provide Payouts only from new sales generated monthly. So to live up to the promise we have provided payouts for June even if some things did not work. You may have had 0 unlocks and still received a payout, as we highly value your effort and want to get things right. Most important news is that SOC Prime Threat Bounty is live and working on both ends, even though there are some initial bumps to overcome. July and onwards rewards will be paid based on the ranking system. Here is how to increase your rank: create requested content, address the latest threats, build detections for latest exploits before patches are available (with or without CVE), create content that correlates with Wanted! list (threats and log sources of interest for paying clients), create resilient rules which are hard to circumvent and remain accurate for long time (a rule based on IP address will have a short lifespan as opposed to behavior rule). All of these actions will impact both monthly reward and long-term reputation. Free and paid rules matter, so it is up to you to decide how to balance it. On our end, SOC Prime equally supports free and paid content.
Developers feedback

Ariel Millahuel Developer
Sigma can change not the way of how organizations build their cyber defense but the entire scenario for blue and red teams

ADAM SWAN Developer
SIGMA enables the sharing of detection logic between organizations with dissimilar architectures but familiar data...

Nate Guagenti Endpoint & NSM & Elastic
The Threat Bounty Program provides similar benefits as to how IDS rulesets are already used in thousands of organizations

Florian Roth Nextron Systems
New rule authors, that haven’t been in the market before, add content to market places like Threat Detection Marketplace and more content...

Lee Archinal Developer
Once I got the main idea and a little bit of experience, I began designing content for my SOC in strictly Sigma...
Read more
Osman Demir Developer
Strong Cyber Security should consist of an active community of people.
Read more
Den Iuzvyk Developer
Threat Bounty Program presents customers' needs and allows deep dive into research
Read more
Emir Erdogan Developer
Sharing intelligence and knowledge between researchers and institutions is very important to prevent cyber attacks
Read more
EXAMPLES OF THREAT DETECTION CONTENT
With Developer program for Threat Detection Marketplace you can get your content in front of 5000+ users from 2700+ organizations from 128 countries. We have created the 1st cross-platform cyber threat detection security marketplace in the world so that defenders can fight the adversaries together. SOC Prime has proven its capabilities many times by sprinting the cutting-edge detection content for threats like WannaCry, NotPetya as well as leveraging MITRE ATT&CK™ since 2016 for threat actor attribution. We know exactly how much hard work it goes into making the good rules, testing them and hunting for the next threat or exploitation technique.
Our mission is to help the security researchers with reaching to global customers and get rewarded for their work on regular basis. While SOC Prime handles the QA and sales, we want you to help us with content! If we talk numbers we get 2000+ content views and 700+ downloads per months. Top authors on Threat Detection Marketplace have 1000+ views and downloads of their content and receive special spotlight at the Leaderboards. Over 95% of the content is tagged with ATT&CK using the marketplace engine so that clients can see both technical and strategic value of the rules. See the most popular rules below.
- You are 16 years of age or older. If you are at least 16 years old but are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to participating in this Program; and
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program..
In SIEM terms, we are talking about correlation rules, queries, dashboards, parsers. In terms of EDR & Endpoint Protection – YARA Rules, Network-Based detection – Snort Rules. Attack simulation content for open-source instruments is also supported. Content types examples:
- Sigma Rules
- YARA Rules
- Snort Rules
- RED tests (such as Atomic Red Team)
- SIEM Rule Packages (archives such as .arb, .gzip, etc.)
- Parsers (Logstash configs, Flex connectors, technology add-ons, DSMs, etc.)
- Data Enrichers and response actions (e.g., Python, Bash, PowerShell scripts)
- Incident Response Playbooks
Just like YARA for binaries and Snort for the network. In 2018 Sigma was acknowledged by MISP to be a de-facto standard for SIEM queries. In 2019 SANS has recommended Sigma for threat hunting with MITRE ATT&CK. Read more here:
https://github.com/Yara-Rules/rules
https://github.com/VirusTotal/yara
https://github.com/Cisco-Talos/snort-faq
https://github.com/redcanaryco/atomic-red-team
However, the Wanted List doesn’t set any limits. Good, high-quality tested content that finds cyber threats! Compliance-centric content is highly welcome!
Still have doubts what name to choose for authoring your content? Just follow our best practices – try to choose one name for all your developed content and stick to it whenever you fill in the Author field in Sigma. You may choose your real first name, a full name, or a nickname, whatever, but try to avoid special symbols or characters used in languages other than English. All this will help the Threat Detection Marketplace users to easily find your content when filtering by Authors.
With API access, you can get the list of all Sigma rules:
- Without any specified platform
- With the specified ID without any specified platform
- With both the specified ID and platform
- For all platforms or other specified filtering parameters
- There exists a rule with similar logic at Threat Detection Marketplace https://tdm.socprime.com/ ;
- The rule has syntax errors
- The rule logic is wrong
- The rule logic does not conform with the rule name
- There are no attached screenshots containing the confirmatory data evidence (applicable to the paid rule types)
- The rule has no tags
- There is no link attached to the original source of data (reference)
- The content author is not specified