Description

This curriculum spans the design and operation of a modern Security Operations Center with the depth and structure of a multi-workshop program, addressing technical, procedural, and cross-functional challenges encountered in mature SOC environments.

Module 1: SOC Architecture and Operational Design

Selecting between centralized, decentralized, and hybrid SOC models based on organizational footprint and incident response latency requirements.
Designing network segmentation to ensure SOC tools have necessary visibility without introducing lateral movement risks.
Integrating SIEM with existing logging infrastructure while managing data ingestion costs and retention policies.
Establishing secure, role-based access controls for SOC analysts, tiered by clearance and response authority.
Implementing redundant communication paths for SOC coordination during infrastructure outages or active attacks.
Choosing between on-premises, cloud-native, or co-managed SOC tooling based on data sovereignty and compliance needs.

Module 2: Threat Intelligence Integration and Management

Validating the reliability of commercial and open-source threat feeds before operational deployment in detection rules.
Mapping external threat intelligence to MITRE ATT&CK techniques for consistent internal tracking and use-case alignment.
Automating IOC ingestion from STIX/TAXII feeds while filtering false positives and outdated indicators.
Establishing feedback loops to enrich threat intelligence with internally observed TTPs from incident investigations.
Managing legal and privacy constraints when consuming threat data containing PII or jurisdictionally sensitive information.
Deciding which threat actors or campaigns to prioritize based on industry sector, geography, and observed targeting patterns.

Module 3: Detection Engineering and Use Case Development

Writing detection rules in Sigma or YARA-L that balance sensitivity and specificity to reduce alert fatigue.
Validating detection logic using historical logs to measure baseline false positive and false negative rates.
Aligning detection use cases with business-critical assets and attack paths identified in threat modeling.
Version-controlling detection rules and managing deployment across development, staging, and production environments.
Coordinating with network and endpoint teams to confirm required telemetry is available for detection logic.
Rotating and deprecating stale detection rules based on threat relevance and operational efficacy metrics.

Module 4: Incident Triage and Response Workflow

Defining escalation criteria for Level 1 analysts to engage Level 2/3 responders based on impact and confidence thresholds.
Standardizing initial triage checklists to ensure consistent data collection across shift rotations.
Isolating compromised systems without disrupting business operations or destroying forensic evidence.
Coordinating with legal and PR teams when incidents involve data exfiltration or regulatory reporting obligations.
Documenting chain of custody for forensic artifacts when preparing for potential legal proceedings.
Initiating containment actions while preserving logs and memory dumps for root cause analysis.

Module 5: Endpoint and Network Monitoring Strategies

Configuring EDR tools to collect process lineage and network connections without degrading endpoint performance.
Tuning network IDS/IPS rules to detect C2 traffic while minimizing interference with legitimate encrypted traffic.
Deploying network taps or SPAN ports to ensure full packet capture availability for high-risk segments.
Correlating endpoint process execution with firewall egress logs to identify lateral movement attempts.
Managing EDR agent updates and policy distribution across global endpoints with intermittent connectivity.
Responding to encrypted beaconing patterns by analyzing DNS tunneling and TLS metadata anomalies.

Module 6: Forensic Investigation and Root Cause Analysis

Conducting memory forensics on compromised systems to detect in-memory malware and credential dumping.
Reconstructing attack timelines using Windows event logs, prefetch files, and PowerShell script block logging.
Differentiating between opportunistic attacks and targeted intrusions based on tooling and persistence mechanisms.
Using disk imaging tools to preserve volatile and non-volatile data under strict forensic integrity protocols.
Attributing attacker actions to specific accounts or hosts when identity providers have been compromised.
Producing technical reports that link observed artifacts to adversary TTPs without overstating confidence.

Module 7: SOC Performance Measurement and Continuous Improvement

Calculating mean time to detect (MTTD) and mean time to respond (MTTR) using incident lifecycle timestamps.
Conducting tabletop exercises to validate incident response playbooks under realistic conditions.
Reviewing detection rule efficacy quarterly and retiring rules with sustained low signal-to-noise ratios.
Implementing feedback mechanisms from responders to refine alert prioritization and enrichment logic.
Tracking analyst workload and alert volume to adjust staffing or automation investments.
Performing post-incident reviews to update playbooks and prevent recurrence of detection gaps.

Module 8: Compliance, Legal, and Cross-Functional Coordination

Aligning SOC monitoring practices with GDPR, HIPAA, or PCI-DSS requirements for data handling and retention.
Coordinating with internal audit to demonstrate SOC controls meet regulatory examination criteria.
Establishing data sharing agreements with third-party vendors to enable incident collaboration without legal exposure.
Documenting monitoring scope and limitations for executive reporting and board-level risk assessments.
Managing cross-border data transfers of security logs in compliance with local privacy laws.
Integrating SOC findings into enterprise risk registers to inform cyber insurance and risk transfer decisions.