Do users often have separate developer / sandbox and production environments for testing Panther Detections?
Generally, we do not see a full dev or prod deployment just for testing detections. To ensure detections are working as expected, many teams rely on the unit testing built into the Panther Console or the panther_analysis_tool with a CI pipeline that enforces passing unit tests with a minimum number of unit tests per detection (with the
A common way to test new detections is to configure them to send alerts to a specific “dev” destination (e.g., a Slack channel that is muted or a dummy email that no one watches).
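
The two practices above, combined in one added example (not Panther's own code): a Python detection that routes its alerts to a dev destination while under test, and a small local gate that stands in for the unit-test and minimum-test-count check a CI pipeline would enforce. The rule logic, the destination name `dev-detections-slack`, the minimum of 2 tests, the `check_detection` helper and the test events are all constructed assumptions.

```python
# Added example: detection under test plus a local stand-in for the CI gate.
# Everything below (logic, names, events, thresholds) is constructed.
DEV_DESTINATION = "dev-detections-slack"  # hypothetical muted Slack destination

def rule(event):
    # Constructed logic: console login that did not use MFA.
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("additionalEventData", {}).get("MFAUsed") == "No"
    )

def title(event):
    return f"Console login without MFA from {event.get('sourceIPAddress', '<unknown>')}"

def destinations(event):
    # Overrides alert routing while the detection is being tuned; remove this
    # function at promotion so the configured destinations apply again.
    return [DEV_DESTINATION]

# Constructed unit tests, shaped like the Name / ExpectedResult / Log entries
# of a detection's test list.
TESTS = [
    {"Name": "Login without MFA", "ExpectedResult": True,
     "Log": {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
             "additionalEventData": {"MFAUsed": "No"}}},
    {"Name": "Login with MFA", "ExpectedResult": False,
     "Log": {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
             "additionalEventData": {"MFAUsed": "Yes"}}},
    {"Name": "Unrelated event", "ExpectedResult": False,
     "Log": {"eventName": "ListBuckets"}},
]

def check_detection(tests, minimum_tests=2):
    """Return a list of failure strings; an empty list means the gate passes."""
    failures = []
    if len(tests) < minimum_tests:
        failures.append(f"only {len(tests)} tests, need {minimum_tests}")
    for test in tests:
        if rule(test["Log"]) != test["ExpectedResult"]:
            failures.append(f"{test['Name']}: expected {test['ExpectedResult']}")
        elif test["ExpectedResult"] and destinations(test["Log"]) != [DEV_DESTINATION]:
            failures.append(f"{test['Name']}: alert would leave the dev destination")
    return failures

if __name__ == "__main__":
    problems = check_detection(TESTS)
    print("\n".join(problems) or "all tests passed")
    raise SystemExit(1 if problems else 0)
```

Including both a matching and a non-matching event in the tests keeps the gate from passing on a rule that always returns the same value.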