SecOps-related articles. Read on to become familiar with concepts related to Security Operations and Incident Response.
The Good Metrics: Thoughts On Measuring SOC Effectiveness
I’ve worked in or around SOCs my entire career, from analyst to director. In every role I held, I was either measured by metrics or responsible for producing them. Yet it always felt like those metrics gave no valuable insights into how our SOCs actually operated. In my hands-on-keyboard years, I would collect metrics and…
Book review: Identity-Native Infrastructure Access Management
In today’s rapidly evolvi… just kidding. I keep hearing that in 2025 identity is the new perimeter. With cloud being as prevalent as it is, employees working remotely, code being written faster than ever, and AI agents gaining traction, it is not surprising that this keeps coming up. In my experience, identity is often the…
Top 3 SIEM deployment anti-patterns
SIEMs serve as central points for visibility across an organization’s security data. The concept behind a SIEM is simple: data goes in, security value comes out. Still, many organizations are dissatisfied with how their SIEM operates. Over the years of working with these systems, I’ve often heard the same complaints: SIEMs are expensive, hard to…
Bribery: The Attack Vector We’re Not Ready For
In most forms of corruption, the easiest targets are not senior decision-makers but the lowest-paid employees who quietly keep operations running. The same pattern holds true in cybersecurity. Routine, low-visibility roles such as outsourced support technicians, help-desk operators, or vendor engineers with privileged access can become the simplest, cheapest and most effective entry points into…
MSSP’s guide to SIEM onboarding
I’m a former security architect who spent years deep in the world of SIEM deployments and migrations. Over the course of my career, I’ve led more than 20 large-scale projects (and more than 40 individual SIEM implementations if we count them all). Much of my experience comes from working with Microsoft Sentinel, but the principles…
Join the SLA police: learn how MSSPs skew SOC metrics in their favor
I’m not a fan of obsessing over SOC metrics. If I get a call within 30 minutes after a confirmed True Positive, I’m good. But in the world of MSSPs (and sometimes even internal SOCs), metrics become the primary way to demonstrate effectiveness, especially to non-technical stakeholders. The more pressure there is to hit Service…
Building a Threat-Driven SIEM: From TTPs to Detection Priorities
I once worked on two SIEM onboarding projects at the same time for two companies that were almost identical. Same industry, same region, and nearly identical IT and security stacks. You’d expect their SIEM implementations to look alike. But they didn’t. One prioritized network monitoring. The other focused on endpoints and Active Directory. The difference?…