Close your eyes for a second and think: How does my SOC actually operate?
Are analysts cherry-picking alerts? Sitting around waiting for tickets to roll in, only to close them with a lazy two-word update like “False Positive” or “Expected Activity”? Are they more focused on hitting a ticket quota than actually improving your security posture? Desensitized to threats because of fatigue?
If any of that triggered you in any way, then I hate to break it to you: Your SOC is functioning like an IT Helpdesk.
And look, no shade to IT. They’re often the unsung heroes keeping the org running. But your Security Operations Center has a different mission: detect and respond to threats, not just clear a queue.
Modern threats demand a modern SOC. One that runs on curiosity, context, and critical thinking. Not one that measures success in ticket count per analyst.
To get there, you need to build a culture of proactivity. That means giving analysts space to grow and share their environmental knowledge, to threat hunt, to explore the unusual, and to dig deeper into high-fidelity signals.
But shifting from a culture of ticket-closing and towards one of threat hunting takes more than a pump-up speech and a good night’s sleep.
It requires leaving the helpdesk mindset behind and building systems that enable your team to become the proactive, threat-focused machine you’ve been dreaming of.
Remove Friction
In order for your team to shift towards a proactive methodology, the first thing you need to do is remove friction throughout your operation.
A frictionless SOC doesn’t mean alerts stop flowing or incidents never happen. It means your analysts don’t feel stuck, confused, or overwhelmed while completing their tasks.
It’s about clearing the path so your team can focus on what matters, rather than focus on moving through rugged processes.
Here’s how you start:
Build a DLC that Encourages Value, not Volume
Your Detection Lifecycle (DLC) is one of the most powerful tools in your fight against alert fatigue.
And let’s be honest - alert fatigue is the number one killer of proactivity.
If your team is drowning in low-quality alerts, they won’t have the time or energy to dig deeper into emerging threats.
That’s why your DLC should be designed to prioritize value over volume - and that’s a cultural shift that needs buy-in at every level:
Analysts should feel empowered to flag noisy or useless alerts.
Engineers should be encouraged to propose detection creation and tuning ideas.
Everyone should contribute environmental knowledge to improve coverage.
Make this a regular cadence - biweekly, monthly, whatever works. But make detection quality a recurring conversation.
When you build space for these conversations, you invest in long-term efficiency, trust, and better threat coverage.
Engineer Your Alerts to be Actionable
Too many SOCs suffer not from a lack of alerts - but from an influx of bad alerts.
There’s nothing more deflating than opening a ticket that says: “A user performed this sensitive action.”
Okay, cool. But… What user? In what system? What’s the potential impact? Why should I care?
I have a theory when it comes to designing alerts: Every click matters.
If analysts have to dig through raw logs, dashboards, and runbooks just to figure out what happened and what to do - that’s the definition of friction. Time wasted. And that’s entirely avoidable.
The solution? Take the extra time to design alerts that actually make sense from a glance. Include:
The impacted user/system
Contextual enrichment
Potential impact
Suggested next steps with applicable links
And if you’re using a SIEM that ships with garbage default alerts (there are a few of you out there I’m looking at), don’t be afraid to repurpose them into custom ones yourself.
Thoughtful alert design is the first kindness you can give your analysts.
Make Escalation Paths Accessible
Escalation should never be a guessing game.
When something serious pops up, the last thing your team needs is to ask: Who’s on call? Is this IR-worthy? Who do I tag in which Slack channel? Do I need to page someone?
Make sure escalation paths are clear, documented, and easily accessible:
Maintain and share on-call schedules
Define IR triggers and response thresholds
Clarify responsibilities - who owns what, and when.
Not only does this reduce response time and stress, it helps ensure your high-severity incidents get the right eyes on them fast, without burdening the wrong people.
Automations are the Unsung Hero of the SOC
Every SOC knows that SOAR is part of the equation when it comes to designing a modern security function.
What’s unfortunate is that a majority of teams never actually make it there. But the impact of having a well thought out solution is difficult to overstate.
Have you ever triaged an alert from your phone just by looking at a Slack channel? I have. And let me tell you, it’s as glorious as it sounds.
Spotting automation opportunities isn’t always intuitive. But one of the highest-impact, lowest-effort places to start is automating the initial triage process - where analysts spend the bulk of their time just trying to understand the context around an alert.
When you’re deep in the triage trenches, you’re often pulling the same queries, checking the same dashboards, and referencing the same OSINT tools over and over.
Start broad. Begin at the source level, then move to the service level, and finally down to the detection level.
It’s all about iteration over time, not getting it perfect out the gate. Over time, you’ll layer in these automations until the entire initial triage process runs without human input, and you’ll be able to triage a ticket from a quick glance.
This is one of the most effective ways to reduce alert fatigue. It frees analysts from the noise and lets them focus on alerts that are actually suspicious with real context, not just a vague title and arbitrary severity score.
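The alert-design checklist above (impacted user/system, contextual enrichment, potential impact, next steps with links) and the layered triage automation just described are two sides of the same pipeline. The following is an added example, not code from the original article: a triage function that enriches a raw detection event at the source level (asset inventory), the service level (identity directory) and the detection level (documented expected activity), then renders the result as a glanceable alert. The inventories, user directory, detection name and runbook URL are constructed placeholders standing in for your own CMDB, IdP and wiki.

```python
"""Layered triage enrichment (source -> service -> detection) rendered as a glanceable alert."""
from dataclasses import dataclass, field

# Constructed lookups standing in for an asset inventory and an identity directory.
ASSETS = {
    "fin-db-01": {"owner": "finance-platform", "criticality": "high", "service": "payroll-db"},
    "dev-vm-07": {"owner": "eng-sandbox", "criticality": "low", "service": "ci-runner"},
}
USERS = {
    "jdoe": {"department": "Finance", "is_admin": False, "manager": "asmith"},
    "svc-backup": {"department": "IT Ops", "is_admin": True, "manager": "itops-lead"},
}
# Detection-level knowledge: (user, host) pairs documented as expected for a detection.
EXPECTED_ACTIVITY = {"sensitive-table-export": {("svc-backup", "fin-db-01")}}
# Assumed runbook location; point this at your own knowledge base.
RUNBOOKS = {"sensitive-table-export": "https://wiki.example.internal/runbooks/sensitive-table-export"}

UNKNOWN_ASSET = {"owner": "unknown", "criticality": "unknown", "service": "unknown"}
UNKNOWN_USER = {"department": "unknown", "is_admin": None, "manager": None}


@dataclass
class Alert:
    detection: str
    user: str
    host: str
    action: str
    context: dict = field(default_factory=dict)
    impact: str = ""
    next_steps: list = field(default_factory=list)
    auto_closed: bool = False


def enrich_source(alert):
    """Source level: what the inventory says about the host the event came from."""
    alert.context["asset"] = ASSETS.get(alert.host, UNKNOWN_ASSET)
    return alert


def enrich_service(alert):
    """Service level: who the acting identity is."""
    alert.context["user"] = USERS.get(alert.user, UNKNOWN_USER)
    return alert


def enrich_detection(alert):
    """Detection level: compare against documented expected activity, then fill impact and next steps."""
    expected = (alert.user, alert.host) in EXPECTED_ACTIVITY.get(alert.detection, set())
    alert.context["expected_activity"] = expected
    if expected:
        alert.impact = "None expected: matches a documented pattern for this detection."
        alert.next_steps = ["Auto-closed as Expected Activity; revisit the expected list at the next DLC review."]
        alert.auto_closed = True
        return alert
    asset, user = alert.context["asset"], alert.context["user"]
    alert.impact = (f"'{alert.action}' on a {asset['criticality']}-criticality asset ({asset['service']}) "
                    f"by a {user['department']} user not on the expected list.")
    alert.next_steps = [
        f"Confirm with {alert.user}'s manager ({user['manager']}) that the action was authorized.",
        f"Review other activity by {alert.user} on {alert.host} in the last 24h.",
        f"Runbook: {RUNBOOKS.get(alert.detection, 'no runbook linked')}",
    ]
    return alert


def triage(raw_event):
    """Run the three enrichment layers in order; unknown hosts or users degrade gracefully."""
    alert = Alert(**raw_event)
    for step in (enrich_source, enrich_service, enrich_detection):
        alert = step(alert)
    return alert


def render(alert):
    """Everything an analyst needs at a glance, in the order they will ask for it."""
    asset, user = alert.context["asset"], alert.context["user"]
    lines = [
        f"[{alert.detection}] {alert.user} on {alert.host} "
        f"({asset['service']}, {asset['criticality']} criticality, owner {asset['owner']})",
        f"Action: {alert.action}",
        f"User: {user['department']}, admin={user['is_admin']}, manager={user['manager']}",
        f"Impact: {alert.impact}",
        "Next steps:",
    ] + [f"  {i}. {step}" for i, step in enumerate(alert.next_steps, 1)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed event: a finance user exporting a sensitive table from a high-criticality host.
    raw = {"detection": "sensitive-table-export", "user": "jdoe",
           "host": "fin-db-01", "action": "export payroll.salaries"}
    print(render(triage(raw)))
```

Each layer only adds to `context`; the final layer turns that context into an impact statement and concrete next steps, so the rendered message answers "what user, what system, why should I care, what do I do" before the analyst opens a single dashboard. The expected-activity match is the detection-level knowledge your DLC review feeds back in, and it is what eventually lets the whole initial triage run without a human.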
Constantly Expand Your Knowledge Base
Documentation is the king of “we know we should, but we don’t.”
And yet, it’s the single biggest contributor to consistency across your SOC.
Everyone on the team shares responsibility for maintaining internal knowledge. That means keeping resources up to date and ensuring critical information is just a quick search away when needed most.
At minimum, you should have:
An org chart
An architecture overview of your environment
A master list of applications and their owners
An on-call schedule
Escalation procedures and your incident response guide
And at the heart of it all: Runbooks.
Runbooks are the main character in operational consistency. They need to be:
Actionable, with correct queries and clear next steps.
Concise, with no fluff and no ambiguity.
Contextual, with links to relevant tools and dashboards.
Flexible, with branching logic to account for different outcomes.
Escalation-ready, with explicit instructions when help is needed.
Don’t expect perfection from the start. Think of your runbooks as living documents that are iterated on with every shift, incident, or handoff.
Because when people leave, and they will, your knowledge base is what keeps the SOC humming.
Make Threat Hunting a Recurring Meeting
We’ve all sat through that one meeting that everyone knows is a waste of time, and yet we still prioritize attending it.
So why don’t we apply that same consistency to threat hunting?
Threat hunting is the definition of proactively searching for threats, and the clearest way to shift your team from reactive defense toward proactive detection.
Whether done as a full team, in small groups, or solo deep dives, setting a regular cadence for threat hunting starts by acknowledging a simple truth: Your detection stack isn’t perfect. No stack is.
Threats slip through, and that’s just part of the game.
And while threat hunting often gets treated as a “nice to have,” if you’re serious about improving your security posture, it will quickly become clear that it’s a necessity.
Analytics Run the SOC
If you’ve been hanging around the Cybersec Café for a while, you’ve heard me say this before - probably more times than you can count. (Anyone up for counting how many times I’ve actually alluded to this?)
But I’ll say it again: Analytics are a must.
Sure, anecdotal experiences have their place. They can help shape your detection strategy in the early days. But as your SOC matures, it’s the data that will show you what’s working and what isn’t.
That’s why it’s critical to methodically build metrics into every step of your operations. If you’re not measuring it, you’re not managing it.
Here are a few low-effort, high-impact ways to start embedding metrics today:
Detections: Track alert classification (True Positive, Confirmed Activity, False Positive, etc.) when closing tickets. These metrics reveal detection quality and help highlight candidates for tuning or automation.
Alert Triage: Measure Mean Time to Triage (MTTT) and Mean Time to Remediation (MTTR). This will tell you which alerts are burning the most hours on your team and what should be first in line for automation.
Incident Response: This is a gold mine for tracking improvements. A great starting point is mapping MITRE ATT&CK techniques to affected platforms during incidents. It’s a quick win that reveals blind spots in your coverage.
Post Mortem Improvement Items: Track your team’s ability to follow up on action items. What’s complete? What’s in progress? What’s been sitting on the backlog for too long?
Day to Day: How much of the team is completing assigned project work each sprint? If deliverables keep slipping, is alert fatigue the culprit?
Metrics don’t necessarily paint the entire picture. But they’re a reliable way to track progress and spot bottlenecks before they become systemic issues.
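The Detections and Alert Triage metrics above fall straight out of a ticket export if classification and timestamps are recorded at close time. This is an added example, not code from the article: it groups constructed tickets by detection, computes the classification mix, MTTT and MTTR per detection, and then answers the two questions the text poses: which detections are tuning candidates (high noise rate) and which are first in line for automation (most analyst hours burned in triage). The ticket field names and the sample data are assumptions, not any ticketing product's schema.

```python
"""Detection-level SOC metrics from a ticket export: classification mix, MTTT, MTTR."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed ticket export. The classifications follow the article's scheme
# (True Positive, Confirmed Activity, False Positive); field names are assumed.
TICKETS = [
    {"id": 1, "detection": "impossible-travel", "classification": "False Positive",
     "created": "2024-05-01T08:00:00", "triaged": "2024-05-01T08:40:00", "closed": "2024-05-01T08:45:00"},
    {"id": 2, "detection": "impossible-travel", "classification": "False Positive",
     "created": "2024-05-01T09:00:00", "triaged": "2024-05-01T09:30:00", "closed": "2024-05-01T09:35:00"},
    {"id": 3, "detection": "impossible-travel", "classification": "Confirmed Activity",
     "created": "2024-05-01T10:00:00", "triaged": "2024-05-01T10:50:00", "closed": "2024-05-01T10:50:00"},
    {"id": 4, "detection": "impossible-travel", "classification": "True Positive",
     "created": "2024-05-01T11:00:00", "triaged": "2024-05-01T11:40:00", "closed": "2024-05-01T12:00:00"},
    {"id": 5, "detection": "sensitive-table-export", "classification": "True Positive",
     "created": "2024-05-02T08:00:00", "triaged": "2024-05-02T08:10:00", "closed": "2024-05-02T08:20:00"},
    {"id": 6, "detection": "sensitive-table-export", "classification": "Confirmed Activity",
     "created": "2024-05-02T09:00:00", "triaged": "2024-05-02T09:05:00", "closed": "2024-05-02T09:30:00"},
    {"id": 7, "detection": "sensitive-table-export", "classification": "True Positive",
     "created": "2024-05-02T13:00:00", "triaged": "2024-05-02T13:15:00", "closed": "2024-05-02T14:00:00"},
    {"id": 8, "detection": "mfa-fatigue", "classification": "False Positive",
     "created": "2024-05-03T08:00:00", "triaged": "2024-05-03T08:20:00", "closed": "2024-05-03T08:30:00"},
    {"id": 9, "detection": "mfa-fatigue", "classification": "False Positive",
     "created": "2024-05-03T09:00:00", "triaged": "2024-05-03T10:00:00", "closed": "2024-05-03T10:30:00"},
]


def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def metrics_by_detection(tickets):
    """Per detection: ticket count, classification mix, noise rate, MTTT, MTTR, total triage hours."""
    grouped = defaultdict(list)
    for ticket in tickets:
        grouped[ticket["detection"]].append(ticket)
    metrics = {}
    for detection, rows in grouped.items():
        time_to_triage = [_minutes(r["created"], r["triaged"]) for r in rows]
        time_to_remediate = [_minutes(r["created"], r["closed"]) for r in rows]
        counts = Counter(r["classification"] for r in rows)
        # Anything that is not a True Positive is noise from the analyst's point of view.
        noise = sum(n for label, n in counts.items() if label != "True Positive") / len(rows)
        metrics[detection] = {
            "tickets": len(rows),
            "classification": dict(counts),
            "noise_rate": round(noise, 2),
            "mttt_min": round(mean(time_to_triage), 1),
            "mttr_min": round(mean(time_to_remediate), 1),
            "triage_hours_total": round(sum(time_to_triage) / 60, 2),
        }
    return metrics


def tuning_candidates(metrics, min_tickets=3, noise_threshold=0.7):
    """Detections noisy enough to raise at the next DLC review; small samples are excluded."""
    return sorted(d for d, m in metrics.items()
                  if m["tickets"] >= min_tickets and m["noise_rate"] >= noise_threshold)


def automation_candidates(metrics):
    """Detections ranked by total analyst hours spent in initial triage, most expensive first."""
    return sorted(metrics, key=lambda d: metrics[d]["triage_hours_total"], reverse=True)


if __name__ == "__main__":
    m = metrics_by_detection(TICKETS)
    for detection, stats in m.items():
        print(detection, stats)
    print("tuning candidates:", tuning_candidates(m))
    print("automation order:", automation_candidates(m))
```

Note the `min_tickets` guard in `tuning_candidates`: two false positives are an anecdote, not a trend, which is the difference the section draws between anecdotal experience and data. The automation ranking uses total triage time rather than the mean, because a cheap alert that fires constantly costs more analyst hours than an expensive one that fires twice.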
And remember, the goal isn’t to micromanage. The goal is to run an efficient, proactive, high-performing SOC. Metrics just help you figure out where to look.
Remember: Proactive is the Goal
Your SOC doesn’t rise to the level of the talent you have. Rather, it falls to the level of the systems that you build around it.
If you structure your team like a Security Helpdesk, that’s exactly what it will become.
But if you invest in strategy, build scalable systems, foster a culture of continuous improvement, and fiercely protect your team’s time - you’ll unlock the full potential of your analysts and engineers.
Give your team the space and structure to hunt threats and embed security deep into your organization - not reactively, but intentionally.
It’s no easy task.
As an engineer, your job isn’t just to execute. It’s also to pause, reflect, and architect the systems that make long-term success possible. Anyone can build things, but few build with intent.
Securely Yours,
Ryan G. Cox
P.S. The Cybersec Cafe follows a weekly cadence.
Each week, I deliver a Deep Dive on a cybersecurity topic designed to sharpen your perspective, strengthen your technical edge, and support your growth as a professional - straight to your inbox.
. . .
For more insights and updates between issues, you can always find me on Twitter/X or my Website. Let’s keep learning, sharing, and leveling up together.