// Comparison

Malware Data Science vs The Practice of Network Security Monitoring: Which Should You Read?

Two cybersecurity books on Detection, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52018

Attack Detection and Attribution

Joshua Saxe, Hillary Sanders

Saxe and Sanders apply machine-learning techniques (classification, clustering, deep learning) to malware detection and attribution, with working Python code and real corpora.

Intermediate

5/52013

The Practice of Network Security Monitoring

Understanding Incident Detection and Response

Richard Bejtlich

Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.

Read this if

Malware analysts and detection engineers who want to scale beyond manual triage. Saxe and Sanders apply classification, clustering, similarity analysis, and deep learning to the malware corpus, with working Python code throughout.

Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.

Skip this if

Analysts whose work is one-sample-at-a-time, or readers without basic Python and statistics comfort. The book is for telemetry-rich environments where ML scales matter.

Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.

Key takeaways

Static-feature classifiers can route a triage queue effectively even at scale; the book's chapters on feature engineering pay back the cost.
Similarity analysis (locality-sensitive hashing, ssdeep, imphash, function-level fuzzy hashing) is the analyst's lever for clustering campaigns and tracking actor evolution.
Deep learning is overhyped for malware in many contexts and exactly the right tool in others; the book is honest about the trade-offs in a way most ML/security books aren't.

Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.

How they compare

We rate The Practice of Network Security Monitoring higher (5/5 against 4/5 for Malware Data Science). For most readers, that means The Practice of Network Security Monitoring is the primary pick and Malware Data Science is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Malware Data Science and The Practice of Network Security Monitoring both cover Detection, so reading them in sequence reinforces the same material from different angles.

Keep reading

Malware Data Science

→ Alternatives to Malware Data Science → What to read after Malware Data Science