Cyber Shelf

// Comparison

Applied Network Security Monitoring vs The Practice of Network Security Monitoring: Which Should You Read?

Two cybersecurity books on Detection, compared honestly: who each is for, what each does best, and which to read first.

Intermediate
4/52013
Applied Network Security Monitoring

Collection, Detection, and Analysis

Chris Sanders, Jason Smith

A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.

Intermediate
5/52013
The Practice of Network Security Monitoring

Understanding Incident Detection and Response

Richard Bejtlich

Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.

Read this if

SOC analysts and aspiring detection engineers who want a structured mental model for collection, detection, and analysis rather than a pile of disconnected tooling tutorials.
Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.

Skip this if

Anyone hoping for a current toolkit. Skip this if you want hands-on Zeek/Suricata/Elastic configs you can paste today, the commands here have aged out.
Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.

Key takeaways

  • Collection is a deliberate decision, not a default. Decide what data matters before you drown in everything.
  • The book's split of detection into signature, anomaly, and statistical approaches still maps cleanly onto how modern stacks work.
  • Analysis is a discipline with a workflow, not improvised packet-staring, and that framing is the most durable thing here.
  • Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
  • The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
  • Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.

How they compare

We rate The Practice of Network Security Monitoring higher (5/5 against 4/5 for Applied Network Security Monitoring). For most readers, that means The Practice of Network Security Monitoring is the primary pick and Applied Network Security Monitoring is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Applied Network Security Monitoring and The Practice of Network Security Monitoring both cover Detection, Networking, Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

Applied Network Security Monitoring

Alternatives to Applied Network Security MonitoringWhat to read after Applied Network Security Monitoring

The Practice of Network Security Monitoring

Alternatives to The Practice of Network Security MonitoringWhat to read after The Practice of Network Security Monitoring

Related topics

DetectionNetworkingDefensive