Detections are raw, individual events — every single interaction with a decoy. One SSH login attempt, one port scan, one file access = one detection. They are immutable facts from collectors. Multiple detections with the same source IP + canary + alert type are grouped into a single incident for triage.
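The grouping rule above (same source IP, same canary, same alert type rolls up into one incident) can be shown concretely. The following is an added example, not code from the page or its product: the field names (`source_ip`, `canary`, `alert_type`, `detection_id`) and the sample events are constructed here, since the page does not specify a detection schema. It keeps detections immutable and derives count, first-seen and last-seen for each incident from them.

```python
from dataclasses import dataclass, field, FrozenInstanceError
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Hypothetical schema: the page only says a detection is one raw
# interaction with a decoy; the field names here are assumptions.
@dataclass(frozen=True)  # frozen: a detection is an immutable fact from a collector
class Detection:
    detection_id: int
    timestamp: datetime
    source_ip: str
    canary: str
    alert_type: str
    detail: str = ""


@dataclass
class Incident:
    """Triage unit: all detections sharing (source_ip, canary, alert_type)."""
    source_ip: str
    canary: str
    alert_type: str
    detections: List[Detection] = field(default_factory=list)

    @property
    def count(self) -> int:
        return len(self.detections)

    @property
    def first_seen(self) -> datetime:
        return min(d.timestamp for d in self.detections)

    @property
    def last_seen(self) -> datetime:
        return max(d.timestamp for d in self.detections)


IncidentKey = Tuple[str, str, str]


def group_into_incidents(detections: List[Detection]) -> Dict[IncidentKey, Incident]:
    """Group raw detections into incidents keyed by source IP + canary + alert type.

    Detections are processed in timestamp order so the incident dict is
    ordered by each incident's first sighting.
    """
    incidents: Dict[IncidentKey, Incident] = {}
    for d in sorted(detections, key=lambda x: x.timestamp):
        key = (d.source_ip, d.canary, d.alert_type)
        if key not in incidents:
            incidents[key] = Incident(*key)
        incidents[key].detections.append(d)  # the incident references, never edits, the detection
    return incidents


def is_immutable(d: Detection) -> bool:
    """Return True if the detection rejects in-place modification."""
    try:
        d.source_ip = "0.0.0.0"  # type: ignore[misc]
    except FrozenInstanceError:
        return True
    return False


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample detections (not real data): three SSH attempts from one
# host against one decoy, a port scan from the same host, an SSH attempt from
# a second host, and a file access on a different decoy.
SAMPLE_DETECTIONS = [
    Detection(1, _ts("2024-01-01T10:00:00"), "10.0.0.5", "ssh-decoy-01", "ssh_login", "user=root"),
    Detection(2, _ts("2024-01-01T10:00:02"), "10.0.0.5", "ssh-decoy-01", "ssh_login", "user=admin"),
    Detection(3, _ts("2024-01-01T10:00:05"), "10.0.0.5", "ssh-decoy-01", "ssh_login", "user=root"),
    Detection(4, _ts("2024-01-01T10:01:00"), "10.0.0.5", "ssh-decoy-01", "port_scan", "tcp/445"),
    Detection(5, _ts("2024-01-01T10:02:00"), "10.0.0.9", "ssh-decoy-01", "ssh_login", "user=root"),
    Detection(6, _ts("2024-01-01T10:03:00"), "10.0.0.5", "smb-decoy-02", "file_access", "share/q3.docx"),
]


def summarize(detections: List[Detection]) -> List[Tuple[IncidentKey, int, datetime, datetime]]:
    """One row per incident: key, detection count, first seen, last seen."""
    return [(k, i.count, i.first_seen, i.last_seen)
            for k, i in group_into_incidents(detections).items()]


if __name__ == "__main__":
    for key, count, first, last in summarize(SAMPLE_DETECTIONS):
        print(f"{key}: {count} detection(s), {first.isoformat()} .. {last.isoformat()}")
```

Six detections collapse into four incidents; the three SSH attempts from 10.0.0.5 against ssh-decoy-01 become one incident with a count of 3, while the port scan from the same host is a separate incident because its alert type differs. Because the grouping key includes the canary, the same attacker touching a second decoy also opens a second incident, which is the behaviour the text describes.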