Contents
1. What is a system for attack detection (SZA)?
An attack detection system (SZA) is a technological and procedural concept for identifying security-relevant events in IT systems and networks. The aim is to detect cyber attacks at an early stage so that suitable countermeasures can be initiated. The term was introduced by the IT Security Act 2.0 and is particularly relevant in the German KRITIS environment (critical infrastructures). An SZA usually comprises several technical components such as intrusion detection systems (IDS), security information and event management (SIEM), network detection and response (NDR) and endpoint detection and response (EDR).
2. What requirements does the BSI place on an attack detection system?
The German Federal Office for Information Security (BSI) defines clear minimum requirements for an SZA as part of its guidance on attack detection. These include:
- Recording security-relevant events (e.g. log data, network traffic)
- Correlating and analyzing this data to identify attack patterns
- Generating security alerts to notify IT security officers
- Documenting detected attacks so that they remain traceable
The aim is to implement attack detection as “state of the art”. KRITIS operators in particular are legally obliged to use such a system and to regularly demonstrate its effectiveness.
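As an added illustration (not code from this page or from the BSI guidance), the following Python sketch shows the four requirements in miniature: it records events from two constructed sources (an SSH auth log and an IDS feed), correlates them per source IP within a five-minute window, raises an alert when several failed logins are followed by a successful one, and keeps the raw evidence lines for documentation. The log formats, rule name, window and threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

HOST_LOG = [  # constructed sample lines, not real data
    "2024-05-01T10:00:01 sshd: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:00:03 sshd: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:00:05 sshd: Failed password for root from 203.0.113.5",
    "2024-05-01T10:00:09 sshd: Accepted password for admin from 203.0.113.5",
    "2024-05-01T10:05:00 sshd: Failed password for bob from 198.51.100.7",
]
IDS_LOG = ["2024-05-01T09:59:58 ids: SSH scan from 203.0.113.5"]  # constructed
HOST_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
IDS_RE = re.compile(r"^(\S+) ids: (.+) from (\S+)$")
WINDOW = timedelta(minutes=5)  # assumed correlation window


def collect(host_lines, ids_lines):
    """Requirement 1: record events from several sources in one normalized form."""
    events = []
    for line in host_lines:
        m = HOST_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m[1]), "src": m[4], "user": m[3],
                           "kind": "auth_fail" if m[2] == "Failed" else "auth_ok", "raw": line})
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m[1]), "src": m[3],
                           "kind": "ids_alert", "user": None, "raw": line})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=3):
    """Requirements 2 and 3: correlate per source IP and raise an alert with evidence."""
    alerts = []
    for ok in (e for e in events if e["kind"] == "auth_ok"):
        window = [e for e in events
                  if e["src"] == ok["src"] and ok["ts"] - WINDOW <= e["ts"] <= ok["ts"]]
        fails = [e for e in window if e["kind"] == "auth_fail"]
        if len(fails) < threshold:
            continue  # a few failed logins alone are not a pattern
        scanned = any(e["kind"] == "ids_alert" for e in window)  # second source raises severity
        alerts.append({"rule": "brute_force_success", "src": ok["src"], "user": ok["user"],
                       "severity": "high" if scanned else "medium",
                       "evidence": [e["raw"] for e in window]})  # raw lines kept for traceability
    return alerts


def report(alerts):
    """Requirement 4: one traceable documentation line per alert."""
    return [f"{a['severity'].upper()} {a['rule']} src={a['src']} user={a['user']} "
            f"evidence={len(a['evidence'])} lines" for a in alerts]
```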
3. Is an IDS or SIEM automatically an SZA within the meaning of the IT Security Act?
No. An intrusion detection system (IDS) or security information and event management (SIEM) is not a fully-fledged SZA on its own. An SZA must be understood as a holistic system that combines technical components, processes and human resources. Simply installing a tool is not enough. Only the targeted combination and integration of several technologies, together with established processes for evaluation, response and follow-up, creates an effective system for attack detection in accordance with the law.
4. Who is obliged to use an attack detection system?
Operators of critical infrastructures (KRITIS) in accordance with Section 8a BSIG and companies from certain sectors such as energy, healthcare, transportation and telecommunications are expressly obliged to implement one. In addition, companies with increased protection requirements (e.g. due to industry specifications or insurance requirements) may also need an SZA. In practice, medium-sized companies are also increasingly relying on attack detection in order to identify cyber risks at an early stage and avoid reputational and financial damage.
5. How does an SZA differ from an intrusion detection system (IDS)?
An intrusion detection system (IDS) is a single technical component for detecting attacks at network or host level. It can be part of an SZA, but is not synonymous with it. An SZA is more comprehensive and, in addition to IDS, also includes systems such as SIEM, EDR and NDR as well as the organizational embedding of attack detection in existing IT security processes. While an IDS usually acts passively and only raises an alarm, an SZA also includes active response processes and incident tracking.
6. Which technologies can be used in an attack detection system?
An effective attack detection system combines various technologies for comprehensive threat detection:
- SIEM (Security Information and Event Management): Centralization and correlation of log data for pattern recognition
- NDR (Network Detection and Response): Analysis of network traffic for suspicious behavior patterns
- EDR (Endpoint Detection and Response): Detection and response to threats at endpoints
- IDS/IPS: Detection (and if necessary prevention) of known attack patterns
- Threat Intelligence Feeds: Integration of information on current threats
- Machine learning and anomaly detection: Detection of new or unknown attack patterns
The choice of technologies should be based on the company’s IT architecture and protection requirements.
7. How can the effectiveness of an SZA be proven?
The effectiveness of an SZA must be verified in accordance with regulatory requirements (e.g. BSI, ISO 27001). This is done by:
- Documentation of the components and processes used
- Regular tests and attack simulations (e.g. red teaming, purple teaming)
- Internal audits and reviews
- Reporting on detected incidents and response times
The aim is to continuously review and improve attack detection in order to be able to react appropriately to new threats.
8. What advantages does an SZA offer for a company's IT security?
A well-implemented attack detection system offers numerous advantages:
- Early detection of cyber attacks before major damage occurs
- Faster response to security incidents thanks to automated alarms
- Increased transparency of security-critical processes
- Support with forensic analyses following incidents
- Legal certainty through compliance with legal requirements
- Gaining the trust of customers, partners and insurance companies
An SZA is a key component of modern cyber defense, especially for companies with high protection requirements.
9. How is an attack detection system implemented step by step?
The implementation of an SZA takes place in several phases:
- Requirements analysis: Identification of regulatory and company-specific requirements
- As-is analysis: Evaluation of the existing IT and security architecture
- Solution selection: Selection of suitable technologies (SIEM, EDR, etc.) and manufacturers
- Concept development: Definition of use cases, alerting thresholds and processes
- Implementation: Technical implementation and integration into the IT landscape
- Test operation: Validation of detection capability and optimization
- Operation and monitoring: Continuous monitoring, maintenance and further development
A structured project approach and the involvement of IT and security specialists are crucial for success.
10. What does an attack detection system cost, and how much effort is involved?
The costs for an SZA depend heavily on the scope, complexity and size of the company. They are made up of:
- License costs for software products (e.g. SIEM, EDR)
- Infrastructure costs (e.g. storage, network)
- Effort for planning, implementation and operation
- Training and personnel costs
For medium-sized companies, entry-level solutions can start in the lower five-figure range. For KRITIS environments or complex IT landscapes, significantly higher investments are to be expected. However, the expense is put into perspective by the increased cyber resilience, the avoidance of downtime costs and compliance with legal requirements.