Resources

Field notes from a security operations team.

Written by analysts and detection engineers — not by marketing. Free to use, attribution appreciated.

Guides
Investigation guides
12 items

Walk-throughs for the alert types modern SOCs see most — encoded PowerShell, OAuth grant abuse, MFA fatigue, cloud key exposure.

Playbooks
Security operations playbooks
18 items

Field-tested response playbooks with explicit approval gates, scoped permissions, and reversal plans you can adopt today.

Detection notes
Detection engineering notes
24 items

Annotated detection rules, ATT&CK coverage analyses, and the false-positive patterns we see most across customer environments.

Templates
Incident response templates
9 items

Ready-to-use IR templates: executive briefs, customer notifications, regulator filings, and internal post-mortems.

Checklists
Compliance checklists
7 items

Mapped to SOC 2, ISO 27001, PCI and NIST CSF — the controls auditors actually ask about, with the evidence we collect by default.

Product changelog
Shipped in the last 90 days

Every entry is live in the product. Workspace activity reflects what your team can use today.

18 updates
  1. Mobile
    Mobile SOC review experience

    Analysts can now triage the review queue, approve playbook actions, and read investigation timelines from any modern phone browser.

  2. Trust Center
    Trust Center improvements

    Expanded subprocessor list, refreshed control mappings, and a public status page surface — all reachable from the marketing Trust Center.

  3. Settings
    Data retention controls

    Per-resource retention windows, export request workflow, and admin-approved deletion requests with full audit trail.

  4. Developer
    Developer API and webhook settings

    Scoped API keys, signed webhook endpoints, and a curl quick-start. Outbound deliveries are HMAC-verified by default.

  5. Reporting
    Executive reporting center

    Board-ready briefs and program reports generated from real workspace activity, with per-section evidence references.

  6. MSSP
    MSSP client workspace foundation

    Multi-tenant client switching in the operations console with scoped roles, per-client risk tiers, and isolated audit trails.

  7. Compliance
    Compliance Evidence Pack exports

    One-click export packs mapped to SOC 2, ISO 27001, PCI and NIST CSF — every control linked to the underlying alerts and investigations.

  8. Alerts
    Saved alert views

    Personal and shared saved views with filter, sort and column presets. Backed by per-org access rules.

  9. Integrations
    Integration health monitoring

    Live ingestion and webhook health per source, with degraded/failing thresholds surfaced in the operations console.

  10. Reporting
    Incident brief generator

    Generates exec, board and customer-notification drafts directly from an investigation — every claim traceable to evidence.

  11. Response
    Response approval queue

    Two-person approval queue for any write action. Scoped permissions, reversible plans, and a complete approval log.

  12. Triage
    False-positive learning workflow

    Analyst feedback now feeds suppression rules with an audit trail and rollback. False-positive trend visible per source.

  13. Investigation
    Threat Graph relationship view

    Real-time entity graph of hosts, identities, processes and infrastructure — every edge traceable to source telemetry.

  14. Investigation
    Read-only investigation mode

    Default-safe investigation view for auditors and external responders. No write paths, full evidence access.

  15. Audit
    Analyst decision audit trail

    Every verdict, override and approval written to an immutable audit log with reasoning and source references.

  16. Investigation
    Investigation case timeline improvements

    Forensic-style ordered evidence rows with collapsible sub-events and cross-source correlation highlighting.

  17. Integrations
    Sentinel, Okta and CrowdStrike setup flows

    Guided telemetry source flows for Microsoft Sentinel, Okta and CrowdStrike Falcon — read-only by default with least-privilege scopes.

  18. Triage
    Evidence-backed alert triage workspace

    Verdict, confidence meter and reasoning trace on every incoming alert, before an analyst opens it.

Newsletter

One detection note. Once a month. No fluff.