Writing worth your time. Including the awkward bits.
Practical notes on alert triage, out-of-hours coverage and audit evidence, written for teams already running Microsoft Sentinel, Microsoft Defender or AWS Security Hub. We write what we can defend, including where the tooling, ours included, falls short.
- AI SOC·
We built an AI SOC and deliberately gave it no write access
Nearly every AI SOC vendor sells autonomy. We deliberately built the opposite. Here is the asymmetry that drove the decision, where automation is genuinely safe, and how to pressure-test an autonomy claim before you buy.
Read - Coverage·
Nobody is watching at 3am. Here are the four honest options.
Attackers deliberately work when you do not. If you cannot staff a night shift, you still have four real options. Here is what each one actually costs, and what it genuinely does and does not cover.
Read - Compliance·
Your auditor will sample 25 alerts. Can you show what you checked?
Auditors do not test whether you own a SIEM. They sample individual alerts and ask what you did about each one. Here is what that evidence looks like, the three ways teams fail it, and how to produce it without a SOC team.
Read