The field of intrusion detection is a complete failure. Vendor products at best address a narrow part of the problem and more typically are completely worthless at detecting sophisticated attacks. This talk discusses the fundamental problems in the field and why the state of the art isn't good enough. We then introduce the concept of the attacker plane and the kill chain how to use them to make a much more sophisticated intrusion detection system. Finally we cover ways of putting them into action. Even veterans of the field will find something new here.