Most services are instrumented for happy-path metrics (requests served, latency) but not for the signals that actually catch a compromised process — anomalous CPU/network patterns, unexpected outbound connections, a scheduled job suddenly doing something it never does.
The hard part is signal-to-noise: naive thresholds either miss real incidents or page someone every night for nothing. We want to see how you'd design detection that's both sensitive and trustworthy.