
Intrusion Detection System: The Honest Guide

Monarch Connected | June 7, 2026 | 13 min read

The Honest Guide to the Intrusion Detection System

My uncle once installed a "state-of-the-art" intrusion detection system in his warehouse and it went off every time a moth had a personal crisis near the loading dock. (True story. The moths were having a great summer.) If your alarm panel has cried wolf so many times your staff now treats it like a smoke detector with low batteries, you're not alone — you just have the wrong setup. So let's fix that.

An intrusion detection system, at its most boring textbook level, is any setup designed to notice unauthorized activity and yell about it. That's it. The trick isn't the yelling — it's the noticing. Most installs fail not because the sensors are bad, but because nobody thought hard about what "unauthorized" actually means for that specific building, network, or sleepy night-shift supervisor.

This guide is going to walk you through the real version. The version that doesn't require you to apologize to your monitoring company every Tuesday.

What an Intrusion Detection System Actually Does

Forget the marketing brochures for a second. An intrusion detection system has three jobs, and only three:

  • Detect a thing happening that shouldn't be happening.
  • Tell a human (or a system) about it fast enough to matter.
  • Leave behind a record so you can argue with insurance later.

Notice what's NOT on that list: stopping the intruder. That's a prevention system's job (we'll get to that — IDS vs IPS is a whole thing). A detection system is, philosophically, a very loud snitch. A very useful snitch.

In the physical security world this usually means a panel, some sensors (door contacts, motion detectors, glass-break sensors, vibration sensors), a communicator that talks to a monitoring station, and a keypad your staff will inevitably forget the code to. In the cyber world it means software watching network traffic or system logs for patterns that look like Bad News. Same philosophy, different medium.

Both worlds are converging fast, by the way. Modern commercial sites want one pane of glass for the cameras, the access control, the alarm, and the network. The era of three different vendors not talking to each other is, mercifully, ending.

The Two Big Families: Network IDS vs Host IDS vs Physical IDS


Okay, three families. I lied. Sue me.

Network-based intrusion detection (NIDS)

A NIDS sits somewhere on your network — usually at a chokepoint like the firewall — and watches packets fly past. It's looking for signatures of known attacks, weird traffic patterns, or stuff that just doesn't belong. Think of it as a bouncer who reads everyone's mail.

It's great at catching the wide stuff: port scans, malware beaconing home, somebody trying every password in the universe against your VPN. It's bad at catching things that happen entirely inside an endpoint, because it never sees them.

Host-based intrusion detection (HIDS)

A HIDS lives on the endpoint itself — a server, a workstation, a point-of-sale terminal. It watches the logs, the file system, the running processes. If a file that should never change suddenly changes at 2:47 a.m., the HIDS notices. The NIDS, busy watching the network, doesn't.

You want both. They cover each other's blind spots. The NIST Computer Security Resource Center has been writing about this combination for literal decades and they're still right.

Physical intrusion detection

This is the stuff most people picture first — the door contacts, the motion sensors, the vibration detectors on the glass, the panel beeping at you when you walk in. It's also the part most likely to be installed badly, because installers love defaults and buildings hate defaults.

A good physical intrusion detection system is engineered to the building. Where do people walk legitimately at night? Where do the cleaners go? Does the HVAC kick on and rattle the windows at 3 a.m.? (If yes, your glass-break sensor is about to become your enemy.) The sensors aren't the hard part. The thinking is the hard part.

Detection Methods: How These Things Actually Decide Something Is Wrong

This is where it gets fun. Or nerdy. Depends on you.

Signature-based detection

The system has a giant list of "things that are bad" and checks every event against the list. Fast, accurate when the threat is known, and completely blind to anything new. It's the antivirus model — works great until it doesn't.

Anomaly-based detection

The system learns what "normal" looks like for your environment, then flags anything weird. Catches new attacks. Also flags every time someone does something legitimate but unusual, like, say, the accountant logging in at midnight to finish year-end.

Behavioral / heuristic detection

A blend. The system doesn't just look at single events, it looks at sequences. Someone badged in, then immediately tried to access a server they've never touched, then plugged in a USB drive? That's a story, not an event. Modern systems are getting genuinely impressive at this.

The best commercial setups stack all three. Signatures catch the known bad. Anomaly catches the weird. Behavioral catches the patient attacker who knows how to look normal one step at a time.
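
To make the stacking concrete, here is an added example (not code from any vendor or from the systems described in this guide) that runs all three methods over one small event stream. The events, user names, field names, 10-minute window and blocklisted address are all constructed assumptions; note that the anomaly rule fires on the accountant's midnight login, exactly the false positive described above.

```python
from collections import defaultdict

# All data below is constructed for illustration; field names are assumptions.
KNOWN_BAD_SOURCES = {"203.0.113.66"}        # signature list (documentation-range IP)
HISTORY = [("carol", 9, "accounting"), ("carol", 14, "accounting"),
           ("bob", 10, "fileserver"), ("bob", 16, "fileserver")]  # (user, hour, target)
SEQUENCE = ("badge_in", "new_target_access", "usb_insert")
WINDOW_MIN = 10                             # the whole sequence must fit in this window

EVENTS = [  # minute = minutes since midnight
    {"minute": 5, "user": "carol", "action": "login", "target": "accounting"},
    {"minute": 600, "user": "bob", "action": "badge_in", "target": "lobby"},
    {"minute": 602, "user": "bob", "action": "access", "target": "hr-db"},
    {"minute": 604, "user": "bob", "action": "usb_insert", "target": "hr-db"},
    {"minute": 700, "user": "dave", "action": "login", "target": "vpn", "src": "203.0.113.66"},
    {"minute": 840, "user": "carol", "action": "login", "target": "accounting"},
]

def build_baseline(history):
    """Learn each user's usual login hours and usual targets from past activity."""
    hours, targets = defaultdict(set), defaultdict(set)
    for user, hour, target in history:
        hours[user].add(hour)
        targets[user].add(target)
    return hours, targets

def detect(events, history=HISTORY):
    """Run all three methods over the events; return (method, user, reason) alerts."""
    hours, targets = build_baseline(history)
    alerts, progress = [], {}               # progress: user -> (steps matched, start minute)
    for ev in sorted(events, key=lambda e: e["minute"]):
        user, action, minute = ev["user"], ev["action"], ev["minute"]
        # 1. Signature: exact match against the known-bad list.
        if ev.get("src") in KNOWN_BAD_SOURCES:
            alerts.append(("signature", user, "known-bad source " + ev["src"]))
        # 2. Anomaly: a login at an hour never seen in this user's baseline.
        hour = minute // 60 % 24
        if action == "login" and hours[user] and hour not in hours[user]:
            alerts.append(("anomaly", user, "login at unusual hour %02d" % hour))
        # 3. Behavioral: ordered steps by one user, each harmless alone.
        step = action
        if action == "access" and ev["target"] not in targets[user]:
            step = "new_target_access"
        matched, start = progress.get(user, (0, minute))
        if matched and minute - start > WINDOW_MIN:
            matched = 0                     # sequence went stale; start over
        if step == SEQUENCE[matched]:
            start = minute if matched == 0 else start
            matched += 1
        if matched == len(SEQUENCE):
            alerts.append(("behavioral", user, "badge-in, new server, USB in window"))
            matched = 0
        progress[user] = (matched, start)
    return alerts
```

Calling `detect(EVENTS)` yields one alert per method, and none of the three rules would have caught the other two: the blocklist knows nothing about bob, and each of bob's three steps is unremarkable on its own.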

IDS vs IPS — The Question Everyone Asks

Now hold on a second, because people mix these up constantly.

  • IDS (Intrusion Detection System): detects and alerts. Passive. It watches.
  • IPS (Intrusion Prevention System): detects, alerts, and actively blocks. In-line. It interferes.

An IPS sounds objectively better, right? Just block the bad stuff. The catch: if your IPS has a false positive — and they all do — it just blocked legitimate traffic. In a hospital. At 3 a.m. During a code blue.

Most mature environments run an IPS at the perimeter for the obvious automated threats, and IDS deeper inside for the subtle stuff that needs human judgment before anyone hits a kill switch. The right answer is almost never "one or the other." It's "where, exactly, for which traffic, and who gets the alert."

What a Real Commercial Intrusion Detection System Looks Like


Let me describe a setup we'd actually design, instead of the brochure version.

You walk up to a mid-sized commercial building. There's a primary alarm panel in a locked utility closet, communicating to the monitoring station over both cellular and IP — never just one path, because cutting a phone line is a 1990s problem we still see in 2025. Door contacts on every perimeter opening. Motion sensors covering the interior approach paths, not just the open floor (because intruders walk where everyone walks). Glass-break sensors tuned to the actual glass in the building, not factory defaults. Duress codes for the front desk in case someone gets walked in at gunpoint.

Then there's the integration. The alarm talks to the access control. If the system is armed and a valid badge unlocks the door, the alarm disarms automatically for that user — no keypad dance. If the system is armed and a door opens without a badge first, every camera in the area starts recording at full resolution and an alert hits the monitoring station with video attached.

Speaking of cameras: if you want to see how this integration looks done right, Verkada's platform is a clean example of the cameras-and-access-and-alarms-in-one-pane approach. We deploy a lot of it because it actually does what the brochure says, which is rarer than you'd think.

On the cyber side, the same building has a NIDS at the network edge, a HIDS on the servers and any device that handles payment or personal data, and centralized logging that someone — a real human — actually looks at weekly. Logs nobody reads are not security. They're a hard drive expense.

The Most Common Mistakes (Almost Everyone Makes These)

Let me save you some pain.

  • Mistake one: arming the system but never testing the response. You don't have a working intrusion detection system until you've confirmed that an alarm at 2 a.m. actually produces a human at your door in a defined number of minutes. Test it. Quarterly.

  • Mistake two: using one detection method. Signatures only? Anomaly only? You've got a system with a known blind spot. Stack the methods.

  • Mistake three: ignoring false-alarm tuning. Every false alarm trains your staff to ignore the next alarm. By the tenth one, the system might as well not exist. Tune the sensors. Move them. Adjust sensitivity. Update the schedule for the cleaning crew.

  • Mistake four: forgetting the people part. The world's best system fails if the receptionist props the back door open with a fire extinguisher because the badge reader is "annoying." Design around how people actually behave. Then train them.

  • Mistake five: no documented response plan. When the alarm goes off at 3 a.m., who gets called? In what order? Who has authority to dispatch police? Who has authority to NOT dispatch police if it's clearly a false alarm? Write it down before you need it.

  • Mistake six: skipping the network side entirely. A physical-only intrusion strategy in 2025 is like locking the front door of your house and leaving every window open with a "WiFi password" sticky note on the frame.

Standards, Compliance, and the Stuff That Bores You But Matters

If you're in a regulated industry — healthcare, finance, critical infrastructure, government contracts — your intrusion detection requirements aren't optional. They're written down. Usually by people who have been very thoroughly mugged by an auditor.

A few worth knowing:

  • UL 681 and UL 827 cover the installation and monitoring standards for commercial burglar alarm systems. Insurance companies care. A lot.
  • The CISA cybersecurity guidance lays out baseline expectations for network-side detection in critical infrastructure environments.
  • PCI DSS requires intrusion detection (or prevention) at the perimeter of any environment that handles cardholder data. Not optional. Auditors check.
  • HIPAA doesn't say "intrusion detection system" by name but the Security Rule's requirement to detect unauthorized access to ePHI is, functionally, an IDS requirement.

You don't need to memorize the standards. You need to hire someone who has. If your current provider can't tell you which standards apply to your building and how your system meets them, that's a sign.

How to Actually Choose One


When clients ask us to spec a system, we walk through roughly this list:

  • What are you protecting, and what does losing it cost? A $40,000 system to protect $15,000 of inventory is a bad trade. A $40,000 system to protect a building full of regulated data is a steal.
  • What's the realistic threat? Smash-and-grab teenagers? Organized retail theft? Industrial espionage? Disgruntled former employees? Different threats want different sensors.
  • Who's monitoring it, and how fast? A self-monitored system that pings your phone is fine for a small office. It's not fine for a warehouse. UL-listed monitoring with documented response times is fine for almost anything.
  • How does it integrate with what you already have? Access control, cameras, lighting, HVAC — the more these systems talk, the better the detection gets.
  • What's the false-alarm story? Ask the installer how they tune. If the answer is "we use the defaults," walk away.
  • Who owns the data, and where does it live? Cloud-based systems are great until your vendor's outage becomes your outage. Ask about offline-fallback behavior.

We go deeper into the full design process across industries on our solutions overview, and if you want to skip the reading and just get someone on site, the contact page is the fastest way.

What Maintenance Actually Looks Like

An intrusion detection system is not a microwave. You don't buy it, install it, and use it for ten years untouched. (Well, you can. People do. They also call us in tears later.)

Real maintenance:

  • Quarterly sensor walk-tests. Somebody physically triggers each sensor and confirms the panel sees it and the monitoring station receives it.
  • Annual battery replacement on wireless sensors and the panel backup battery. Yes, every year. The battery in the panel from 2019 is not okay just because the panel still beeps.
  • Firmware updates on networked equipment. This is where most cyber-side compromises of physical systems happen — old firmware with known holes.
  • User audit every six months. Who has codes? Who has badges? Are any of those people former employees? (You'd be shocked.)
  • False-alarm review monthly. Pull the report. Look for patterns. Fix the cause, not the symptom.

If you'd like a peek at what proactive maintenance looks like when someone else is doing it for you, browse our recent blog posts — we write up real failure modes from real sites (anonymized, obviously) on a regular basis.

Integrating Detection With Cameras and Access Control

This is the part that, honestly, makes modern systems worth the money. A standalone alarm panel from 1998 can tell you a door opened. A modern integrated system can tell you a door opened, show you the 30 seconds of video before and after, identify whether a known badge was used, and route the alert to the right person with all that context attached.

The difference in the middle of the night is enormous. A monitoring operator with video can dismiss the moth-having-a-personal-crisis false alarm in three seconds. Without video, they have to dispatch police. Police dispatches for false alarms are expensive (literally — many cities now fine you), they erode the credibility of your system, and they waste public-safety resources.

If you're shopping new equipment and want to see what integrated kit looks like, our shop carries the pieces we actually deploy on commercial sites. It's a short list on purpose — we don't stock things we wouldn't install ourselves.

A Quick Word on AI (Because You Were Going to Ask)


Yes, AI is changing intrusion detection. The honest version: AI is excellent at pattern recognition across enormous volumes of camera and log data. It's getting genuinely good at distinguishing a person from a shadow, a person carrying a package from a person carrying a crowbar, a normal login from a credential-stuffing attempt.

It's also not magic. AI systems have to be trained, tuned, and audited. They fail in weird ways. They sometimes confidently flag the same broken sprinkler as an intruder every night for a month until somebody intervenes. Treat AI as a force multiplier for human judgment, not a replacement for it. That's it. That's the whole take.

Bringing It All Together

A good intrusion detection system isn't a product. It's a system, in the original sense of the word — sensors, software, monitoring, people, procedures, and the integration glue holding all of them together. Buy a panel and some sensors and you've bought components. Design the whole flow and you've bought security.

If your current setup feels like the moth-trauma warehouse, the problem is almost certainly fixable without ripping everything out. Usually it's tuning, sometimes it's a couple of new sensors in better locations, occasionally it's swapping a panel that's older than the iPhone. We can usually tell you which one in a single site walk.

When you're ready to stop apologizing to your monitoring company, we'd love to take a look.

FAQ

What's the difference between an intrusion detection system and a burglar alarm?

Functionally, very little at the small-business level — "burglar alarm" is the older consumer term and "intrusion detection system" is the broader, more accurate one used in commercial and cyber contexts. The commercial-grade systems we install go well beyond a single siren though, with integrated cameras, access control, monitored response, and detailed event logging that a basic burglar alarm doesn't provide.

How much does a commercial intrusion detection system cost?

Realistically, anywhere from a few thousand dollars for a small office to six figures for a multi-site enterprise rollout with integrated cameras and access control. The biggest cost drivers are the number of sensors, the type of monitoring, and how deeply it integrates with existing systems. We always quote against a documented site walk because guessing from a square-footage number ends badly for everyone.

Can I monitor my own intrusion detection system instead of using a monitoring service?

You can, and for very small sites it's fine. For commercial properties it's a bad idea — you're going to miss the 3 a.m. alert because you're asleep, and even if you don't, you don't have the authority or relationship to dispatch police efficiently
