This curriculum spans the full incident lifecycle in a mature SOC, equivalent to the structured response protocols and cross-team coordination seen in multi-phase cyber incident engagements within large enterprises.
Module 1: Incident Detection and Triage Procedures
- Configure SIEM correlation rules to reduce false positives from legitimate administrative activity while maintaining sensitivity to lateral movement indicators.
- Implement automated enrichment of security alerts using threat intelligence feeds, ensuring timely updates without overloading processing pipelines.
- Establish escalation thresholds for Level 1 analysts based on IOC severity, asset criticality, and user role context.
- Integrate EDR telemetry with ticketing systems to ensure alert context is preserved during handoff to investigation teams.
- Design triage workflows that differentiate between policy violations, misconfigurations, and confirmed malicious activity.
- Enforce time-based SLAs for initial alert assessment to prevent backlog accumulation during high-volume events.
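As an added illustration of the escalation-threshold and SLA objectives above (example code written for this page, not part of the curriculum itself): a small triage scorer that combines IOC severity, asset criticality and user role context into a priority, decides whether the alert leaves Level 1, and stamps the assessment deadline. The weights, the escalation threshold, the SLA minutes and the sample alerts are all assumptions; a real SOC tunes them against its own alert history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed weights and thresholds (not from the curriculum). Unknown labels fall
# back to the highest weight in their table so that a mis-labelled alert is
# never silently de-prioritised.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_WEIGHT = {"workstation": 1, "server": 2, "domain_controller": 4}
ROLE_WEIGHT = {"standard": 0, "service_account": 1, "privileged": 2}
ESCALATE_AT = 6                                  # score at which L1 hands off to L2
SLA_MINUTES = {"P1": 15, "P2": 60, "P3": 240}    # initial-assessment SLA per priority


@dataclass
class Alert:
    alert_id: str
    ioc_severity: str
    asset_type: str
    user_role: str
    received_at: datetime


def _weight(table, key):
    """Look up a weight; unknown keys are treated as the worst case."""
    return table.get(key, max(table.values()))


def triage_score(alert):
    return (_weight(SEVERITY_WEIGHT, alert.ioc_severity)
            + _weight(ASSET_WEIGHT, alert.asset_type)
            + _weight(ROLE_WEIGHT, alert.user_role))


def priority_for(score):
    if score >= 8:
        return "P1"
    if score >= ESCALATE_AT:
        return "P2"
    return "P3"


def triage(alert):
    """Return the triage decision: score, priority, escalation flag, SLA deadline."""
    score = triage_score(alert)
    prio = priority_for(score)
    return {
        "alert_id": alert.alert_id,
        "score": score,
        "priority": prio,
        "escalate": score >= ESCALATE_AT,
        "sla_due": alert.received_at + timedelta(minutes=SLA_MINUTES[prio]),
    }


T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)

# Constructed sample alerts, including one with an asset type the table lacks.
SAMPLE_ALERTS = [
    Alert("A-1", "critical", "domain_controller", "privileged", T0),
    Alert("A-2", "low", "workstation", "standard", T0),
    Alert("A-3", "high", "server", "service_account", T0),
    Alert("A-4", "medium", "unlabelled_device", "standard", T0),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(triage(a))
```

The worst-case fallback in `_weight` is the design point worth noting: an inventory gap (an asset the CMDB has not classified) raises the score rather than lowering it, so the cost of incomplete context is extra analyst time rather than a missed escalation.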
Module 2: Threat Intelligence Integration and Application
- Select and normalize threat feeds based on relevance to industry vertical, geographic footprint, and infrastructure exposure.
- Map external threat actor TTPs to the MITRE ATT&CK framework for consistent internal reporting and detection logic development.
- Automate IOC ingestion from STIX/TAXII sources while validating source credibility and expiration timelines.
- Balance automated blocking of malicious IPs with business continuity requirements for third-party service dependencies.
- Develop internal threat bulletins based on observed adversary behavior, tailored to SOC analyst consumption and response playbooks.
- Conduct quarterly reviews of threat feed efficacy, removing underperforming sources to reduce noise and licensing costs.
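Added example for the STIX ingestion, source-credibility and business-continuity objectives above (written for this page; not the curriculum's own tooling): an ingestion filter that drops indicators from unrecognised sources, below a per-source confidence floor, revoked, not yet valid, or past `valid_until`, and routes anything matching a known business dependency to alert-only instead of automated blocking. The indicator objects, the source confidence policy and the allowlist are constructed; the field names (`pattern`, `valid_from`, `valid_until`, `confidence`, `created_by_ref`, `revoked`) are standard STIX 2.1 indicator properties.

```python
import re
from datetime import datetime, timezone

# Only the simple equality patterns used in the constructed sample are handled.
PATTERN_RE = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")

# Assumed credibility policy: minimum confidence accepted per feed identity.
SOURCE_MIN_CONFIDENCE = {"identity--feed-a": 50, "identity--feed-b": 80}
# Assumed third-party dependencies that must never be auto-blocked.
BUSINESS_ALLOWLIST = {"cdn.vendor.example"}


def parse_stix_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(ind, now):
    """Return (action, detail); action is 'block', 'alert' or 'drop'."""
    src = ind.get("created_by_ref")
    if src not in SOURCE_MIN_CONFIDENCE:
        return "drop", "untrusted source"
    if ind.get("confidence", 0) < SOURCE_MIN_CONFIDENCE[src]:
        return "drop", "below source confidence floor"
    if ind.get("revoked"):
        return "drop", "revoked"
    if parse_stix_time(ind["valid_from"]) > now:
        return "drop", "not yet valid"
    until = ind.get("valid_until")          # optional in STIX: absent means open-ended
    if until and parse_stix_time(until) <= now:
        return "drop", "expired"
    m = PATTERN_RE.match(ind["pattern"])
    if not m:
        return "drop", "unsupported pattern"
    kind, value = m.groups()
    if value in BUSINESS_ALLOWLIST:
        return "alert", (kind, value)       # detect, but leave blocking to a human
    return "block", (kind, value)


def ingest(indicators, now):
    result = {"block": [], "alert": [], "dropped": []}
    for ind in indicators:
        action, detail = classify(ind, now)
        if action == "drop":
            result["dropped"].append((ind["id"], detail))
        else:
            result[action].append(detail)
    return result


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed STIX-style indicators (not from any real feed).
INDICATORS = [
    {"id": "indicator--0001", "created_by_ref": "identity--feed-a", "confidence": 85,
     "pattern": "[ipv4-addr:value = '198.51.100.10']",
     "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2025-01-01T00:00:00Z"},
    {"id": "indicator--0002", "created_by_ref": "identity--feed-a", "confidence": 70,
     "pattern": "[ipv4-addr:value = '203.0.113.7']",
     "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2024-03-01T00:00:00Z"},
    {"id": "indicator--0003", "created_by_ref": "identity--feed-b", "confidence": 60,
     "pattern": "[domain-name:value = 'bad.example']",
     "valid_from": "2024-05-01T00:00:00Z"},
    {"id": "indicator--0004", "created_by_ref": "identity--feed-a", "confidence": 90,
     "pattern": "[domain-name:value = 'cdn.vendor.example']",
     "valid_from": "2024-05-01T00:00:00Z"},
    {"id": "indicator--0005", "created_by_ref": "identity--unknown", "confidence": 99,
     "pattern": "[ipv4-addr:value = '192.0.2.1']",
     "valid_from": "2024-05-01T00:00:00Z"},
]

if __name__ == "__main__":
    for k, v in ingest(INDICATORS, NOW).items():
        print(k, v)
```

Every drop carries a reason so the quarterly feed review has data to work from: a source whose indicators are mostly dropped as expired or below the confidence floor is a candidate for removal.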
Module 3: Forensic Data Collection and Preservation
- Define disk and memory acquisition procedures for cloud-hosted virtual machines where physical access is not available.
- Implement legal hold protocols for log data retention when breach investigations intersect with regulatory or litigation requirements.
- Use write-blockers and cryptographic hashing during evidence collection to maintain chain of custody for potential legal proceedings.
- Configure endpoint agents to capture process trees, network connections, and file modifications during incident response.
- Establish secure storage for forensic images with role-based access and audit logging to prevent tampering.
- Document data collection timelines to support timeline reconstruction and root cause analysis.
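Added example for the hashing, chain-of-custody and collection-timeline objectives above (written for this page, not the curriculum's own procedure): an acquisition record that hashes the image on collection, appends each custody event to a hash-chained JSON-lines log with a UTC timestamp, and a verifier that detects both a modified image and a tampered log. The file names, event shapes and the sample image bytes are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20
GENESIS = "0" * 64


def sha256_file(path):
    """Stream the file so images larger than memory hash without loading fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    # Canonical serialisation so the chain is independent of key order.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_custody_event(log_path, event):
    """Append one event, linking it to the hash of the previous log entry."""
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path) as f:
            lines = f.read().splitlines()
        if lines:
            prev = _entry_hash(json.loads(lines[-1]))
    entry = dict(event, prev_hash=prev,
                 recorded_at=datetime.now(timezone.utc).isoformat())
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def record_acquisition(image_path, collector, log_path):
    return append_custody_event(log_path, {
        "event": "acquired",
        "artifact": os.path.basename(image_path),
        "sha256": sha256_file(image_path),
        "collector": collector,
    })


def verify(image_path, log_path):
    """Return (ok, reason): chain intact and image unchanged since acquisition."""
    with open(log_path) as f:
        entries = [json.loads(line) for line in f.read().splitlines()]
    prev, acquired = GENESIS, None
    for e in entries:
        if e["prev_hash"] != prev:
            return False, "custody log chain broken"
        prev = _entry_hash(e)
        if e["event"] == "acquired":
            acquired = e["sha256"]
    if acquired is None:
        return False, "no acquisition record"
    if sha256_file(image_path) != acquired:
        return False, "image hash mismatch"
    return True, "ok"


def demo():
    """Acquire a constructed image, transfer it, then show a later edit is caught."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "vm-disk.raw")
        log = os.path.join(d, "custody.jsonl")
        with open(img, "wb") as f:
            f.write(b"constructed disk image bytes")
        record_acquisition(img, "analyst-1", log)
        append_custody_event(log, {"event": "transferred", "artifact": "vm-disk.raw",
                                   "from": "analyst-1", "to": "evidence-store"})
        before = verify(img, log)
        with open(img, "ab") as f:       # post-acquisition modification
            f.write(b"x")
        after = verify(img, log)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The log only makes tampering evident, not impossible: whoever can rewrite the whole file can rebuild the chain, which is why the objective pairs hashing with restricted, audited storage for the images and the log.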
Module 4: Incident Response Orchestration and Playbook Execution
- Develop response playbooks that specify conditional branching based on compromised asset type (e.g., domain controller vs. workstation).
- Integrate SOAR platforms with firewall, email gateway, and identity systems to enable automated containment actions.
- Define approval workflows for high-impact actions like account deactivation or network isolation to prevent operational disruption.
- Conduct tabletop exercises to validate playbook accuracy and identify gaps in tooling or access permissions.
- Version-control playbooks and track changes to ensure consistency across shifts and audit readiness.
- Log all automated and manual response actions in a centralized case management system for post-incident review.
Module 5: Cross-Functional Coordination and Escalation
- Define RACI matrices for breach response involving legal, PR, IT operations, and executive leadership.
- Establish secure communication channels (e.g., dedicated Slack workspace or encrypted email) for crisis coordination.
- Develop pre-approved messaging templates for internal stakeholders to prevent inconsistent communication during high-pressure events.
- Coordinate with external parties such as law enforcement, regulators, or MSSPs while maintaining control over data disclosure.
- Conduct post-escalation debriefs to assess timeliness and clarity of interdepartmental communication.
- Integrate HR processes for handling insider threat cases involving employee misconduct or termination.
Module 6: Post-Incident Analysis and Reporting
- Perform root cause analysis using techniques like the 5 Whys or fishbone diagrams to identify systemic control failures.
- Generate technical incident reports that include timeline, affected systems, attacker TTPs, and remediation steps taken.
- Produce executive summaries that translate technical details into business impact metrics such as downtime and recovery cost.
- Archive investigation artifacts in a structured repository to support future threat hunting and training scenarios.
- Identify detection gaps revealed during the incident and prioritize sensor placement or log source collection enhancements.
- Present findings to the CISO and board with recommendations for strategic security improvements.
Module 7: Continuous Improvement and Maturity Assessment
- Measure mean time to detect (MTTD) and mean time to respond (MTTR) across incidents to benchmark SOC performance.
- Conduct red team exercises periodically to test detection and response capabilities under realistic attack conditions.
- Update detection rules and correlation logic based on lessons learned from recent breach investigations.
- Evaluate analyst performance using metrics such as alert accuracy, documentation quality, and playbook adherence.
- Adopt frameworks like NIST or CIS to assess SOC maturity and identify capability gaps.
- Rotate analysts through specialized roles (e.g., threat hunting, forensics) to build cross-functional expertise.