PurposeThe paper seeks to provide a foundational understanding of the socio‐technical system that is computer network intrusion detection, including the nature of the knowledge work, situated expertise, and processes of learning as supported by information technology.Design/methodology/approachThe authors conducted a field study to explore the work of computer network intrusion detection using multiple data collection methods, including semi‐structured interviews, examination of security tools and resources, analysis of information security mailing list posts, and attendance at several domain‐specific user group meetings.FindingsThe work practice of intrusion detection analysts involves both domain expertise of networking and security and a high degree of situated expertise and problem‐solving activities that are not predefined and evolve with the dynamically changing context of the analyst's environment. This paper highlights the learning process needed to acquire these two types of knowledge, contrasting this work practice with that of computer systems administrators.Research limitations/implicationsThe research establishes a baseline for future research into the domain and practice of intrusion detection, and, more broadly, information security.Practical implicationsThe results presented here provide a critical examination of current security practices that will be useful to developers of intrusion detection support tools, information security training programs, information security management, and for practitioners themselves.Originality/valueThere has been no research examining the work or expertise development processes specific to the increasingly important information security practice of intrusion detection. The paper provides a foundation for future research into understanding this highly complex, dynamic work.