Learn Ethical Hacking (#82) - Building a Security Operations Center (SOC)
Learn Ethical Hacking (#82) - Building a Security Operations Center (SOC)

What will I learn
- What a SOC is and the different models (in-house, outsourced, hybrid);
- SOC roles and responsibilities -- analysts (L1/L2/L3), engineers, hunters, and the SOC manager;
- The SOC technology stack -- SIEM, EDR, SOAR, TI platform, and ticketing integration;
- SOC processes -- alert triage, escalation, incident handling, and shift handoff;
- SOC metrics -- MTTD, MTTR, false positive rate, and how to measure effectiveness;
- Building a SOC from scratch -- the minimum viable SOC for small and medium organizations;
- SOC challenges -- alert fatigue, analyst burnout, skill gaps, and retention;
- Defense: the SOC as the operational center of your security program.
Requirements
- A working modern computer running macOS, Windows or Ubuntu;
- Understanding of SIEM, threat hunting, and automation from episodes 74-75, 80;
- Understanding of incident response from Episode 51;
- The ambition to learn ethical hacking and security research.
Difficulty
- Intermediate
Curriculum (of the Learn Ethical Hacking Series):
- Learn Ethical Hacking (#1) - Why Hackers Win
- Learn Ethical Hacking (#2) - Your Hacking Lab
- Learn Ethical Hacking (#3) - How the Internet Actually Works - For Attackers
- Learn Ethical Hacking (#4) - Reconnaissance - The Art of Not Being Noticed
- Learn Ethical Hacking (#5) - Active Scanning - Mapping the Attack Surface
- Learn Ethical Hacking (#6) - The AI Slop Epidemic - Why AI-Generated Code Is a Security Disaster
- Learn Ethical Hacking (#7) - Passwords - Why Humans Are the Weakest Cipher
- Learn Ethical Hacking (#8) - Social Engineering - Hacking the Human
- Learn Ethical Hacking (#9) - Cryptography for Hackers - What Protects Data (and What Doesn't)
- Learn Ethical Hacking (#10) - The Vulnerability Lifecycle - From Discovery to Patch to Exploit
- Learn Ethical Hacking (#11) - HTTP Deep Dive - Request Smuggling and Header Injection
- Learn Ethical Hacking (#12) - SQL Injection - The Bug That Won't Die
- Learn Ethical Hacking (#13) - SQL Injection Advanced - Extracting Entire Databases
- Learn Ethical Hacking (#14) - Cross-Site Scripting (XSS) - Injecting Code Into Browsers
- Learn Ethical Hacking (#15) - XSS Advanced - Bypassing Filters and CSP
- Learn Ethical Hacking (#16) - Cross-Site Request Forgery - Making Users Attack Themselves
- Learn Ethical Hacking (#17) - Authentication Bypass - Getting In Without a Password
- Learn Ethical Hacking (#18) - Server-Side Request Forgery - Making Servers Betray Themselves
- Learn Ethical Hacking (#19) - Insecure Deserialization - Code Execution via Data
- Learn Ethical Hacking (#20) - File Upload Vulnerabilities - When Users Upload Weapons
- Learn Ethical Hacking (#21) - API Security - The New Attack Surface
- Learn Ethical Hacking (#22) - Business Logic Flaws - When the Code Works But the Logic Doesn't
- Learn Ethical Hacking (#23) - Client-Side Attacks - Beyond XSS
- Learn Ethical Hacking (#24) - Content Management Systems - Hacking WordPress and Friends
- Learn Ethical Hacking (#25) - Web Application Firewalls - Bypassing the Guards
- Learn Ethical Hacking (#26) - The Full Web Pentest - Methodology and Reporting
- Learn Ethical Hacking (#27) - Bug Bounty Hunting - Getting Paid to Hack the Web
- Learn Ethical Hacking (#28) - The AI Web Attack Surface - AI Features as Vulnerabilities
- Learn Ethical Hacking (#29) - Network Sniffing - Seeing Everything on the Wire
- Learn Ethical Hacking (#30) - Wireless Network Attacks - Breaking Wi-Fi
- Learn Ethical Hacking (#31) - Privilege Escalation - Linux
- Learn Ethical Hacking (#32) - Privilege Escalation - Windows
- Learn Ethical Hacking (#33) - Active Directory Attacks - The Crown Jewels
- Learn Ethical Hacking (#34) - Pivoting and Lateral Movement - Spreading Through Networks
- Learn Ethical Hacking (#35) - Cloud Security - AWS Attack and Defense
- Learn Ethical Hacking (#36) - Cloud Security - Azure and GCP
- Learn Ethical Hacking (#37) - Container Security - Docker and Kubernetes Attacks
- Learn Ethical Hacking (#38) - Infrastructure as Code - Securing the Automation
- Learn Ethical Hacking (#39) - Email Security - Phishing Infrastructure and Defense
- Learn Ethical Hacking (#40) - DNS Attacks - Exploiting the Internet's Foundation
- Learn Ethical Hacking (#41) - Exploitation Frameworks - Metasploit and Cobalt Strike
- Learn Ethical Hacking (#42) - Custom Exploit Development - Writing Your Own
- Learn Ethical Hacking (#43) - Exploit Development Advanced - Modern Mitigations and Bypasses
- Learn Ethical Hacking (#44) - Reverse Engineering - Understanding Binaries
- Learn Ethical Hacking (#45) - Supply Chain Attacks - Poisoning the Source
- Learn Ethical Hacking (#46) - The Human Factor - Why Security Training Fails
- Learn Ethical Hacking (#47) - Physical Security and OSINT - The Forgotten Attack Vectors
- Learn Ethical Hacking (#48) - Insider Threats - When the Call Is Coming from Inside the House
- Learn Ethical Hacking (#49) - Deepfakes and AI Deception - The New Social Engineering
- Learn Ethical Hacking (#50) - Red Team Operations - Simulating Real Attacks
- Learn Ethical Hacking (#51) - Incident Response - When Things Go Wrong
- Learn Ethical Hacking (#52) - Threat Intelligence - Knowing Your Enemy
- Learn Ethical Hacking (#53) - Security Architecture - Designing Systems That Resist Attack
- Learn Ethical Hacking (#54) - Compliance and Governance - The Business of Security
- Learn Ethical Hacking (#55) - Privacy and Data Protection - GDPR, CCPA, and Beyond
- Learn Ethical Hacking (#56) - Cryptocurrency Security - Attacking and Defending Digital Assets
- Learn Ethical Hacking (#57) - IoT and Embedded Security - Hacking the Physical World
- Learn Ethical Hacking (#58) - The AI Security Landscape - Attacking and Defending AI Systems
- Learn Ethical Hacking (#59) - Python for Pentesters - Automating Everything
- Learn Ethical Hacking (#60) - Zig for Security Tools - When Speed and Memory Matter
- Learn Ethical Hacking (#61) - Writing Custom Scanners - Beyond Off-the-Shelf
- Learn Ethical Hacking (#62) - C2 Frameworks - Building Command and Control
- Learn Ethical Hacking (#63) - Payload Generation and Evasion - Defeating Antivirus
- Learn Ethical Hacking (#64) - Fuzzing - Finding Bugs at Machine Speed
- Learn Ethical Hacking (#65) - OSINT Automation - Large-Scale Intelligence Gathering
- Learn Ethical Hacking (#66) - Reporting and Documentation - The Professional Difference
- Learn Ethical Hacking (#67) - Continuous Security - DevSecOps and Pipeline Security
- Learn Ethical Hacking (#68) - Wireless and Bluetooth Exploitation Deep Dive
- Learn Ethical Hacking (#69) - Mobile Application Security - Android and iOS
- Learn Ethical Hacking (#70) - Building a Pentesting Practice - Going Professional
- Learn Ethical Hacking (#71) - Hardening Linux - From Default to Fortress
- Learn Ethical Hacking (#72) - Hardening Windows and Active Directory
- Learn Ethical Hacking (#73) - Network Security Architecture - Defending the Wire
- Learn Ethical Hacking (#74) - Security Monitoring and SIEM - Seeing Everything
- Learn Ethical Hacking (#75) - Threat Hunting - Proactive Detection
- Learn Ethical Hacking (#76) - Digital Forensics Deep Dive - Evidence That Holds Up
- Learn Ethical Hacking (#77) - Malware Analysis - Understanding the Threat
- Learn Ethical Hacking (#78) - Secure Development - Writing Code That Doesn't Get Hacked
- Learn Ethical Hacking (#79) - Securing AI Systems in Production
- Learn Ethical Hacking (#80) - Security Automation - Orchestrating Defense
- Learn Ethical Hacking (#81) - Zero Trust Implementation - Beyond the Buzzword
- Learn Ethical Hacking (#82) - Building a Security Operations Center (SOC) (this post)
Learn Ethical Hacking (#82) - Building a Security Operations Center (SOC)
Solutions to Episode 81 Exercises
Exercise 1: Zero trust maturity assessment (abbreviated).
Pillar | Current State | Gap to Next Level
Identity | Initial | MFA deployed but not phishing-resistant.
| | Need: FIDO2 keys for admins + Conditional Access.
Device | Traditional | No MDM. No compliance checking.
| | Need: Intune/Jamf enrollment + compliance policies.
Network | Initial | VLANs exist but flat within each VLAN.
| | Need: micro-segmentation + east-west IDS.
Application | Traditional | VPN provides network access, not app access.
| | Need: identity-based application proxy.
Data | Traditional | No classification. Encryption only in transit.
| | Need: data classification + encryption at rest.
Priority: Identity (FIDO2 + Conditional Access) -> Device (MDM) ->
Application (access proxy) -> Network (micro-seg) -> Data (classification)
The prioritization is everything here. Identity comes first because it delivers the highest security value for the lowest disruption -- deploying FIDO2 keys and Conditional Access does not change how the network works, it adds a verification layer on top. Device comes second because MDM enrollment is a prerequisite for device compliance checks (the compliance checking code from episode 81 only works if the MDM agent is reporting device state). Application, network, and data each build on the previous pillar. Trying to implement micro-segmentation (network) before you have device compliance (device) creates a frustrating situation where you are blocking traffic based on network position instead of identity and posture -- which is just a more granular version of the castle-and-moat model you are trying to replace.
Exercise 2: Identity proxy implementation (abbreviated).
Tool: Tailscale (free personal plan)
Setup: installed on lab web server + personal device
Result: web application only accessible through Tailscale mesh network
- Direct IP access: connection refused (port not exposed)
- Tailscale access: authenticated, logged with user identity
- Access log shows: user, device, timestamp, duration
vs VPN: Tailscale provides per-application access (not full network),
uses WireGuard (faster), and identifies users (not just IPs).
The comparison against a traditional VPN is where the zero trust principle becomes tangible. With a VPN, you connect and your machine is "on the network" -- every service on that network is reachable, and the VPN concentrator sees an IP address, not a user identity. With Tailscale, the mesh network only exposes the specific services you are authorized to reach, and every connection is tagged with the authenticated user identity from the Tailscale control plane. The practical result: an attacker who compromises your machine while you are Tailscale-connected can only reach the services your account is authorized for (and Tailscale ACLs can restrict that to specific ports on specific hosts). An attacker who compromises your machine while you are VPN-connected can scan and reach everything on the corporate network -- the same lateral movement opportunity we demonstrated in episode 34.
Exercise 3: Conditional Access policy matrix (abbreviated).
| Managed Device | Personal Device | New Location
Regular user | MFA: push | MFA: push | MFA: FIDO2
| Apps: all | Apps: web only | Apps: web only
| Timeout: 12h | Timeout: 4h | Timeout: 1h
Administrator | MFA: FIDO2 | BLOCKED | MFA: FIDO2
| Apps: all | | Apps: all
| Timeout: 4h | | Timeout: 1h
Contractor | MFA: push | MFA: push | BLOCKED
| Apps: assigned | Apps: assigned |
| Timeout: 8h | Timeout: 4h |
Service account | Cert auth | N/A | BLOCKED
| IP allowlist | |
Two design decisions stand out. First, administrators are BLOCKED on personal devices -- not restricted, not warned, blocked entirely. This is aggressive but correct. Admin credentials on an unmanaged device are an unacceptable risk because you have no visibility into the device's security posture (the device compliance engine from episode 81 cannot inspect what it cannot see). An admin's personal laptop with outdated Windows, no disk encryption, and three browser extensions from unknown developers is a highway to domain compromise. Second, contractors are BLOCKED from new locations entirely. Contractors have access to your systems but are NOT your employees -- you do not control their travel schedules, their home network security, or their device hygiene. Restricting them to known locations (office + pre-registered home IP) reduces the attack surface to places where you have at least some baseline expectation of security. The service account row is often forgotten in Conditional Access deployments, and that is a significant gap -- service accounts with static credentials and no location restriction are exactly the credentials that attackers steal from config files and environment variables.
Episode 81 covered zero trust implementation -- the architectural philosophy of "never trust, always verify" applied across five pillars: identity, device, network, application, and data. We looked at Conditional Access engines, device compliance checking, micro-segmentation, Software Defined Perimeters, and the migration strategy for moving an organization from castle-and-moat to zero trust incrementally. That episode (and the entire arc from episode 71 onward) answered the question "how do we build defenses that actually resist modern attacks?"
Today we answer the question that logically follows: who operates all of this? We have hardened our Linux systems (episode 71) and Windows/AD environments (episode 72), built network security architecture (episode 73), deployed SIEM monitoring (episode 74), established threat hunting (episode 75), learned digital forensics (episode 76) and malware analysis (episode 77), secured our development pipeline (episode 78) and AI systems (episode 79), automated our security operations (episode 80), and implemented zero trust (episode 81). That is an enormous amount of capability. And every single piece of it needs people to run it, processes to govern it, and coordination to make it effective. The Security Operations Center is where all of that comes together.
What a SOC Actually Does
Here we go. The SOC is the operational center of an organization's security program. It is where monitoring happens, where alerts are investigated, where incidents are detected and responded to, and where the security posture of the organization is maintained around the clock. Think of it as mission control -- every sensor, every detection rule, every automated playbook, every threat intelligence feed that we have built throughout this series needs a team of people watching the output, making decisions, and taking action when something goes wrong.
I argue that the SOC is the most important function in any security organization, and also the most misunderstood. Leadership often thinks of the SOC as "the team that watches screens" -- a cost center that sits there until something bad happens. The reality is that a well-run SOC is an active intelligence and response operation. SOC analysts are not staring at dashboards waiting for red lights (although bad SOCs do look like that). They are investigating anomalies that automated detection flagged, hunting for threats that the rules have not caught yet (episode 75), correlating events across multiple data sources to identify attack campaigns, and continuously improving the detection coverage by writing new rules and tuning existing ones. The SOC is where the defensive theory from episodes 71-81 becomes operational practice.
SOC Models
Not every organization can afford (or needs) a full in-house SOC. The model you choose depends on your size, your budget, your regulatory requirements, and the maturity of your security program:
In-house SOC:
Staff: your employees, your building, your tools
Cost: high ($2-5M/year for 24/7 coverage with 8-12 analysts)
Control: full control over tools, processes, and priorities
Knowledge: deep understanding of your environment
Challenge: hiring and retaining talent
Best for: large organizations (1000+ employees) with regulatory
requirements for internal security operations
Managed SOC (MSSP):
Staff: outsourced to a Managed Security Service Provider
Cost: moderate ($200K-1M/year depending on scope)
Control: limited (you follow their processes)
Knowledge: generic -- they monitor hundreds of clients
Challenge: they don't know YOUR environment as well as you do
Best for: small-medium organizations that cannot staff 24/7
Hybrid SOC:
Internal team handles business-hours monitoring and escalation.
MSSP handles after-hours, weekends, and holidays.
Internal team handles investigations and incident response.
MSSP handles alert triage and initial response.
Best of both: domain knowledge + 24/7 coverage
Best for: medium organizations growing their security function
The hybrid model deserves quit some attention because it is where most growing organizations land. The logic is sound: your internal team knows the environment, understands the business context, and can make nuanced decisions about what constitutes a real threat versus normal operations. But they cannot work 24/7 -- human beings need sleep, weekends, and holidays. The MSSP fills the coverage gap. They handle the volume of alerts during off-hours, escalate anything that looks suspicious to your internal team's on-call rotation, and manage the routine triage that would otherwise wait until Monday morning. The critical mistake organizations make with hybrid SOCs is not defining the escalation boundary clearly. If the MSSP sees a Cobalt Strike beacon callback at 2 AM on a Saturday, do they escalate immediately? Do they wait until 8 AM Monday? Do they attempt containment themselves? These decisions must be documented, agreed upon, and tested BEFORE the 2 AM incident happens -- not during it.
SOC Roles
L1 Analyst (SOC Analyst / Monitor)
What they do: triage alerts, initial investigation, escalation
Skills: SIEM queries, alert triage, basic forensics
Decision: is this a true positive? If yes, escalate to L2.
Volume: handles 50-100 alerts per shift
Experience: 0-2 years
Risk: alert fatigue, burnout from repetitive work
L2 Analyst (Incident Responder)
What they do: deep investigation, incident handling, containment
Skills: forensics, malware analysis, log analysis, network analysis
Decision: what is the scope? How do we contain it?
Volume: handles 5-10 investigations per shift
Experience: 2-5 years
L3 Analyst (Threat Hunter / Senior Analyst)
What they do: proactive threat hunting, complex investigations,
detection engineering, adversary research
Skills: reverse engineering, advanced forensics, scripting,
threat intelligence analysis
Decision: what are we NOT detecting? How do we improve?
Volume: 1-3 hunts or deep investigations per week
Experience: 5+ years
SOC Engineer
What they do: build and maintain the tooling
Skills: SIEM administration, detection rule development,
automation scripting, integration engineering
Focus: making the analysts' tools better, faster, and more accurate
SOC Manager
What they do: strategic direction, staffing, metrics, reporting
Skills: leadership, communication, risk management, budgeting
Focus: is the SOC effective? Are we detecting what matters?
The L1 to L3 progression is not just an experience ladder -- it represents a fundamental shift in what the analyst's brain is doing. An L1 analyst answers the question "is this alert real or fake?" That is a classification task: take the alert, enrich it with context, compare against known patterns, decide true positive or false positive. An L2 analyst answers "what happened and how do we stop it?" That is an investigation task: follow the evidence, determine scope, make containment decisions under time pressure. An L3 analyst answers "what are we NOT seeing?" That is an adversarial thinking task: assume the attacker is already inside, figure out what techniques they would use, search for evidence of those techniques in the logs, and build detections for the gaps. Each level requires a fundamentally different mindset, and the best SOCs build career paths that let analysts develop through all three levels rather than getting stuck at L1 doing repetitive triage until they burn out and leave (which is, unfortunately, what most SOCs look like in practice).
The SOC Engineer role is one that I think does not get enough recognition. The engineers are the people who make the SIEM actually work -- they write the detection rules (the Sigma rules and YARA rules from episodes 74-75), build the automation playbooks (the SOAR workflows from episode 80), integrate the data sources (making sure firewall logs, EDR telemetry, DNS logs, and cloud audit trails all flow into the SIEM correctly), and tune the alert thresholds so that the analysts are not drowning in false positives. A SOC without good engineers is a SOC where the analysts are fighting the tooling instead of fighting the adversary ;-)
The Technology Stack
Core (minimum viable SOC):
1. SIEM -- centralized log management and correlation
(Splunk, Elastic, Wazuh, Microsoft Sentinel)
2. EDR -- endpoint detection and response
(CrowdStrike, SentinelOne, Microsoft Defender for Endpoint)
3. Ticketing -- incident tracking and workflow
(Jira, ServiceNow, TheHive)
Enhanced:
4. SOAR -- automation and orchestration (episode 80)
(Splunk SOAR, Tines, Shuffle)
5. TI Platform -- threat intelligence management (episode 52)
(MISP, OpenCTI, Recorded Future)
6. NDR -- network detection and response
(Zeek + RITA, Darktrace, ExtraHop)
Advanced:
7. UEBA -- user and entity behavior analytics (episode 48)
8. Deception -- honeypots and honeytokens
9. Vulnerability management -- continuous scanning + prioritization
10. Attack surface management -- external exposure monitoring
Integration is more important than any single tool. I cannot stress this enough. The SIEM must receive logs from the EDR, the firewall, the proxy, the DNS server, and Active Directory. The SOAR must connect to the SIEM, the EDR, the firewall, and the ticketing system. The TI platform must feed IOCs into the SIEM detection rules and the firewall blocklists. A disconnected tool is a blind spot -- and blind spots are exactly where attackers operate. An organization with a well-integrated Wazuh (free, open-source) + CrowdStrike Falcon Go + TheHive (free, open-source) stack will detect and respond to more threats than an organization with Splunk Enterprise + CrowdStrike Falcon Insight + Recorded Future that are poorly integrated and siloed in different teams. The tool does not matter nearly as much as whether the tools talk to each other.
Building the Alert Pipeline
The alert pipeline is the central nervous system of the SOC. Every detection source feeds into the SIEM, the SIEM produces alerts, the alerts enter the triage queue, and analysts process them. Here is what an automated alert enrichment pipeline looks like -- the kind of thing a SOC engineer builds to reduce L1 analyst workload:
#!/usr/bin/env python3
"""soc_alert_enrichment.py -- enrich incoming SIEM alerts
with context before they reach the analyst queue."""
import json
import hashlib
from datetime import datetime, timedelta
def enrich_alert(alert):
"""Take a raw SIEM alert and add context from multiple
sources. Returns enriched alert dict."""
enriched = dict(alert)
src_ip = alert.get('source_ip', '')
dst_ip = alert.get('dest_ip', '')
user = alert.get('username', '')
# 1. Asset context -- is this a known server or workstation?
asset = lookup_cmdb(dst_ip)
if asset:
enriched['asset_type'] = asset['type']
enriched['asset_owner'] = asset['owner']
enriched['asset_criticality'] = asset['criticality']
# 2. User context -- is this a normal user or admin?
if user:
user_info = lookup_directory(user)
enriched['user_role'] = user_info.get('role', 'unknown')
enriched['user_department'] = user_info.get('dept', '')
enriched['is_admin'] = user_info.get('admin', False)
# 3. Threat intel -- is the source IP known malicious?
ti_result = check_threat_intel(src_ip)
enriched['ti_match'] = ti_result.get('match', False)
enriched['ti_category'] = ti_result.get('category', 'none')
# 4. Historical context -- have we seen this before?
history = get_alert_history(
src_ip=src_ip, rule=alert.get('rule_name'),
window_hours=72
)
enriched['similar_alerts_72h'] = len(history)
enriched['previously_investigated'] = any(
h.get('verdict') == 'false_positive' for h in history
)
# 5. Priority scoring
enriched['priority'] = calculate_priority(enriched)
return enriched
def calculate_priority(enriched):
"""Score alert priority based on enrichment data.
Higher = more urgent."""
score = enriched.get('base_severity', 5)
# Admin account targeted? +3
if enriched.get('is_admin'):
score += 3
# Critical asset? +2
if enriched.get('asset_criticality') == 'critical':
score += 2
# Known malicious source? +3
if enriched.get('ti_match'):
score += 3
# Seen before and confirmed FP? -4
if enriched.get('previously_investigated'):
score -= 4
# High volume of similar alerts? likely noisy, -2
if enriched.get('similar_alerts_72h', 0) > 50:
score -= 2
return max(1, min(score, 10))
The priority scoring function is doing something subtle that saves quite some analyst time. By checking whether the same source IP + rule combination has been investigated and marked as a false positive in the last 72 hours, the enrichment pipeline automatically deprioritizes recurring noise. An L1 analyst who sees a priority-2 alert with the tag "previously investigated: false positive" can close it in seconds instead of spending 10 minutes re-investigating the same firewall misconfiguration for the third time this week. The flip side is that an attacker who triggers the same rule as a known false positive gets a lower priority score -- this is a calculated tradeoff. The SIEM detection rules should be tuned so that truly malicious activity triggers DIFFERENT rules than the known false positive patterns, but in practice, there is always overlap.
Having said that, the enrichment pipeline only works if the data sources are accurate. If the CMDB (Configuration Management Database) is outdated -- and it almost always is -- the asset context will be wrong. If the threat intelligence feeds have stale data, known-malicious IPs that have been reassigned to legitimate services will still trigger false positive TI matches. The SOC engineer's job includes maintaining these data sources, not just building the pipeline. A pipeline built on bad data produces enriched garbage, which is worse than no enrichment at all because analysts start trusting the enrichment and skipping their own verification.
SOC Processes
The core process loop of a SOC is straightforward: detect, triage, investigate, respond, learn. Every SOC workflow is a variation of this loop:
Alert triage workflow:
1. ALERT fires in SIEM
2. L1 analyst receives alert in queue
3. Initial triage (5-10 minutes):
- Is this a known false positive? -> close with note
- Can I determine true/false positive quickly? -> investigate
- Is this clearly malicious? -> escalate to L2 immediately
4. Investigation (15-30 minutes):
- Enrich alert with context (TI, asset info, user info)
- Check related events in SIEM (same source, same target)
- Determine: true positive, false positive, or needs escalation
5. Decision:
- False positive -> document, close, consider tuning the rule
- True positive, low severity -> create ticket, monitor
- True positive, high severity -> escalate to L2 for IR
The shift handoff is one of those processes that separates functional SOCs from dysfunctional ones. Every time one shift ends and another begins, there is a 15-minute window where critical information can be lost. Active incidents, alerts under investigation, new detection rules deployed since the last shift, threat intelligence updates, tool outages -- all of this needs to be communicated. The best SOCs build structured handoff reports:
#!/usr/bin/env python3
"""shift_handoff.py -- generate structured handoff report
for SOC shift transitions."""
def generate_handoff(shift_end, siem_client, ticket_client):
"""Build a handoff report for the incoming shift."""
report = {
'shift_ending': shift_end.isoformat(),
'generated_by': 'automated',
}
# Active incidents (not yet resolved)
open_incidents = ticket_client.search(
status=['open', 'investigating', 'contained'],
updated_after=shift_end - timedelta(hours=12)
)
report['active_incidents'] = [
{
'id': inc['id'],
'title': inc['title'],
'severity': inc['severity'],
'status': inc['status'],
'assignee': inc['assignee'],
'last_update': inc['updated_at'],
'next_action': inc.get('next_action', 'pending'),
}
for inc in open_incidents
]
# Alerts still being investigated
in_progress = siem_client.get_alerts(
status='in_progress',
assigned_shift=shift_end.strftime('%Y-%m-%d-%H')
)
report['open_alerts'] = len(in_progress)
report['alert_details'] = [
{'rule': a['rule_name'], 'src': a['source_ip'],
'analyst_notes': a.get('notes', 'none')}
for a in in_progress[:10]
]
# Shift statistics
all_alerts = siem_client.get_alerts(
created_after=shift_end - timedelta(hours=8)
)
report['stats'] = {
'total_alerts': len(all_alerts),
'true_positives': sum(
1 for a in all_alerts if a['verdict'] == 'tp'
),
'false_positives': sum(
1 for a in all_alerts if a['verdict'] == 'fp'
),
'escalated': sum(
1 for a in all_alerts if a.get('escalated')
),
'pending': sum(
1 for a in all_alerts if a['verdict'] == 'pending'
),
}
return report
The automated handoff report solves a problem that every SOC manager knows: verbal handoffs are unreliable. When the outgoing shift tells the incoming shift "there was a weird alert from the CFO's laptop but it was probably nothing," critical details get lost. When the handoff report shows "alert ID 4827: Cobalt Strike beacon detected, source: CFO-LAPTOP-01, status: in_progress, analyst_notes: initial triage suggests false positive from CrowdStrike update, next_action: verify with EDR team Monday AM" -- the incoming shift has everything they need to pick up where the previous shift left off. The statistics section also provides the SOC manager with per-shift performance data that feeds into the metrics we will discuss next.
SOC Metrics
You cannot improve what you do not measure. SOC metrics tell you whether your detection and response capability is getting better, staying flat, or degrading. The wrong metrics reward activity (we closed 10,000 alerts this month!). The right metrics reward outcomes (we detected a breach within 2 hours and contained it within 4).
Operational metrics (measure daily):
MTTD (Mean Time to Detect):
How long from initial compromise to detection?
Industry average: 197 days (IBM 2024)
Good SOC target: <24 hours for known attack types
Excellent: <1 hour (with automated detection)
MTTR (Mean Time to Respond):
How long from detection to containment?
Good target: <4 hours for high-severity incidents
Excellent: <30 minutes (with SOAR automation)
MTTC (Mean Time to Contain):
How long from detection to full containment?
Good target: <24 hours
This includes scoping (finding ALL compromised systems)
False positive rate:
Percentage of alerts that are not real threats
Target: <30% (untuned SIEMs can be 90%+)
If >50%: analysts ignore alerts -> real attacks are missed
Alert volume per analyst:
Target: <50 alerts per analyst per shift
>100: alert fatigue sets in, quality drops
<20: analyst may be underutilized (or SIEM is under-instrumented)
Detection coverage:
Percentage of MITRE ATT&CK techniques with detection rules
Measure with ATT&CK Navigator (episode 50)
Target: >60% coverage of techniques used by your threat actors
The 197-day industry average for MTTD is the number that should terrify you. That means the average organization takes over six months to discover that an attacker is inside their network. Six months of an attacker reading emails, exfiltrating data, moving laterally through systems, and establishing persistence (the C2 techniques from episode 62). A SOC that brings that number down to 24 hours -- or better, to under 1 hour with automated detection -- is providing an enormous reduction in the blast radius of any breach. The aforementioned automation from episode 80 plays a direct role here: a SOAR playbook that automatically isolates a host when a high-confidence malware detection fires reduces MTTR from "wait for analyst to see the alert, investigate, make a decision, log into the EDR console, click isolate" (potentially hours during off-peak shifts) to seconds.
Here is what a SOC metrics tracker looks like in code -- the kind of tool that feeds into the manager's monthly report:
#!/usr/bin/env python3
"""soc_metrics.py -- calculate SOC performance metrics
from incident and alert data."""
from datetime import datetime, timedelta
from statistics import mean, median
def calculate_metrics(incidents, alerts, period_days=30):
"""Calculate SOC performance metrics for a given period."""
metrics = {}
# MTTD -- time from compromise to detection
detect_times = []
for inc in incidents:
if inc.get('compromise_time') and inc.get('detect_time'):
delta = (inc['detect_time'] -
inc['compromise_time']).total_seconds()
detect_times.append(delta / 3600) # hours
if detect_times:
metrics['mttd_mean_hours'] = round(mean(detect_times), 1)
metrics['mttd_median_hours'] = round(
median(detect_times), 1
)
# MTTR -- time from detection to containment
respond_times = []
for inc in incidents:
if inc.get('detect_time') and inc.get('contain_time'):
delta = (inc['contain_time'] -
inc['detect_time']).total_seconds()
respond_times.append(delta / 3600)
if respond_times:
metrics['mttr_mean_hours'] = round(mean(respond_times), 1)
metrics['mttr_median_hours'] = round(
median(respond_times), 1
)
# False positive rate
total = len(alerts)
fp = sum(1 for a in alerts if a['verdict'] == 'false_positive')
tp = sum(1 for a in alerts if a['verdict'] == 'true_positive')
if total > 0:
metrics['false_positive_rate'] = round(fp / total * 100, 1)
metrics['true_positive_rate'] = round(tp / total * 100, 1)
# Alert volume per analyst per shift
shifts = period_days * 3 # assuming 3 shifts/day
analysts_per_shift = 4 # adjust to actual staffing
if shifts > 0 and analysts_per_shift > 0:
metrics['alerts_per_analyst_per_shift'] = round(
total / shifts / analysts_per_shift, 1
)
# Detection coverage (requires ATT&CK mapping)
metrics['period_days'] = period_days
metrics['total_incidents'] = len(incidents)
metrics['total_alerts'] = total
return metrics
The distinction between mean and median for MTTD and MTTR is important and easily overlooked. A single outlier incident (an APT that went undetected for 90 days before a red team exercise revealed it) will dramatically skew the mean, making your SOC look worse than it actually is for routine incidents. The median gives a more representative picture of typical performance. Report both: the mean shows worst-case impact, the median shows typical operations. When presenting to leadership, lead with the median (it shows operational health) but include the mean with context ("the mean is elevated because of the Incident-2024-047 APT case, which we have since addressed by deploying additional detection rules for lateral movement via WMI").
The Minimum Viable SOC
Not every organization needs (or can afford) a full SOC. For smaller organizations, a minimum viable SOC provides the essential capabilities without the $2-5M annual budget:
For organizations that cannot afford a full SOC:
Staff: 2 analysts (business hours only), 1 engineer (part-time)
Tools:
- Wazuh (free, open-source SIEM + HIDS)
- Microsoft Defender for Endpoint (or CrowdStrike Falcon Go)
- TheHive (free, open-source incident management)
- Slack channel for alerts and communication
Coverage: business hours (8x5), MSSP for after-hours
Budget: ~$150K-300K/year (staff + tools + MSSP)
This gives you:
- Centralized logging and alerting
- Endpoint detection and response
- Incident tracking and documentation
- 24/7 monitoring (via MSSP after hours)
This does NOT give you:
- Proactive threat hunting (need L3 analyst)
- Advanced automation (need SOAR engineer)
- Deep forensics capability (need specialized tools + training)
- 24/7 internal coverage (MSSP handles off-hours)
For these gaps: engage IR retainer firms for incidents that
exceed internal capability. Budget $50-100K/year for retainer.
The IR retainer is the secret weapon of the minimum viable SOC. An incident response retainer is a pre-negotiated agreement with a specialized security firm (CrowdStrike Services, Mandiant, Secureworks, etc.) that guarantees you a response team within a defined SLA (typically 4-8 hours) when you have a major incident. Without a retainer, calling one of these firms during an active breach means getting in the queue behind their existing clients, negotiating pricing under extreme time pressure, and potentially waiting days for a team to become available. With a retainer, you make one phone call and a team of experienced incident responders shows up (physically or remotely) within hours. For a 200-person company, this is dramatically more cost-effective than building deep forensics capability in-house. The retainer costs $50-100K per year whether you use it or not -- but the year you DO need it, it saves you from the $4M average cost of a data breach (IBM 2024).
SOC Challenges
1. Alert fatigue
Too many alerts, not enough analysts. Addressed in episodes 74, 80.
Fix: tune rules, automate triage, prioritize by risk.
2. Analyst burnout
L1 work is repetitive. High turnover (18-24 month average tenure).
Fix: rotation between L1/L2, skill development time (20% for
training/hunting), career path to L2/L3, competitive compensation.
3. Skill gaps
Security talent is scarce and expensive.
Fix: hire for aptitude and curiosity, not certifications.
Train internally. Promote from within. Partner with universities.
4. Tool sprawl
Too many tools, poorly integrated, each with its own console.
Fix: consolidate where possible. Integration > best-of-breed.
An integrated "good enough" stack beats 10 disconnected "best" tools.
5. Visibility gaps
Logs not collected from critical systems. Cloud services unmonitored.
Fix: comprehensive log source inventory. If it generates security
events, it feeds the SIEM. No exceptions.
6. Measuring the wrong things
"We investigated 10,000 alerts this month" is not a success metric.
"We detected a breach within 2 hours and contained it within 4"
IS a success metric. Measure outcomes, not activities.
Alert fatigue is the number one killer of SOC effectiveness, and it is entirely self-inflicted. An untuned SIEM can produce thousands of alerts per day, of which 90% or more are false positives. After a week of investigating alerts that turn out to be nothing, analysts start skimming instead of investigating. After a month, they start closing alerts without looking at them. And THAT is when the real attack gets through -- buried in a pile of false positive noise, indistinguishable from the 500 other alerts that were nothing. The fix is not "hire more analysts" (that is just throwing bodies at a broken process). The fix is to reduce the false positive rate by tuning detection rules -- the detection engineering work from episodes 74 and 75 applied rigorously and continuously. Every false positive alert that an analyst closes should trigger a review: can we tune this rule to not fire on this benign pattern? Can we add an exclusion? Can we raise the threshold? This is unglamorous, tedious, essential work.
Analyst burnout deserves particuarly careful attention because the human cost is real. The average tenure for an L1 SOC analyst is 18-24 months. That means most SOCs are constantly losing experienced people and replacing them with newcomers who need months of onboarding before they are effective. The result is a SOC that never reaches full operational capability because half the team is always in the "learning the environment" phase. The organizations that retain analysts do three things: they provide genuine career progression (L1 to L2 to L3 to engineer to manager), they allocate protected time for skill development (the 20% rule: one day per week for training, certification study, or proactive hunting), and they pay competitively. Security analysts who can investigate incidents and hunt threats are in high demand -- if you pay below market, they will leave for an organization that values their skills appropriately.
The AI Slop Connection
AI is reshaping SOC operations in ways that are both promising and dangerous. AI-powered alert triage can reduce L1 analyst workload by 60-80% by automatically classifying and enriching alerts. AI can write detection rules from natural language descriptions. AI can summarize incident timelines from raw log data. These are real, proven capabilities that the best SOCs are already deploying.
The risk: replacing SOC analysts with AI entirely. An AI-only SOC misses novel attacks (attacks the AI was not trained on), cannot make business-context decisions ("this server is being decommissioned next week so the unusual activity is expected"), and fails silently when encountering techniques outside its training data. The optimal SOC is AI-assisted, not AI-operated. AI handles volume. Humans handle judgment. The AI processes 10,000 alerts, filters out the 9,500 that are obviously benign based on historical patterns, enriches the remaining 500 with context, and presents the top 50 (ranked by risk score and novelty) to the human analysts for investigation. The humans make the containment decisions, the escalation calls, and the "is this actually a problem given our specific business context" judgments that AI cannot make.
The career implication for aspiring SOC analysts is significant: AI will eliminate most L1 triage work within 5 years. The analysts who survive this transition will be those who can hunt proactively (episode 75), investigate complex incidents (episode 51), engineer detections (episode 74), and make decisions under pressure. Those are L2/L3 skills. If you are entering the security field today, start developing those skills now. Do not plan a career around manual alert triage -- that work is being automated as we speak, and the organizations that are doing it well are already seeing dramatic reductions in L1 headcount.
And once you have the SOC operational -- staffed, tooled, processes defined, metrics tracked -- you need to test it. Not with synthetic data, not with tabletop exercises (although those are valuable), but with real adversary simulations. A red team engagement that starts from the outside and attempts to reach domain admin while the SOC tries to detect and stop them is the ultimate test of your defensive capability. Every detection gap the red team exploits, every lateral movement technique the SOC misses, every escalation that takes too long -- those become the improvement targets for the next quarter. That is where this series goes next.
Exercises
Exercise 1: Design a minimum viable SOC for a 200-person company. Specify: (a) staffing model (roles, number of analysts, shift coverage), (b) technology stack (specific products, open-source where possible), (c) key processes (alert triage, escalation, shift handoff), (d) metrics you would track, (e) budget estimate. Present as a 2-page proposal to a fictional CISO.
Exercise 2: Build a SOC dashboard in Kibana (or Grafana connected to your SIEM). Include panels for: (a) alerts per hour by severity (time series), (b) top 10 alerting hosts (bar chart), (c) alerts by MITRE ATT&CK technique (pie chart), (d) mean time from alert to ticket creation (single stat), (e) open incidents by status (table). Populate with real data from your lab SIEM.
Exercise 3: Conduct a SOC tabletop exercise. Scenario: at 14:00 on a Tuesday, your SIEM alerts on a Cobalt Strike Beacon callback from the CFO's laptop. Walk through the full SOC response: (a) L1 triage and escalation decision, (b) L2 investigation steps (what logs to check, what to look for), (c) containment decision and actions, (d) communication plan (who is notified, when), (e) handoff to incident response team. Document the entire exercise timeline.
Thanks for your contribution to the STEMsocial community. Feel free to join us on discord to get to know the rest of us!
Please consider delegating to the @stemsocial account (85% of the curation rewards are returned).
Consider setting @stemsocial as a beneficiary of this post's rewards if you would like to support the community and contribute to its mission of promoting science and education on Hive.