Field notes from a security operations team.
Written by analysts and detection engineers — not by marketing. Free to use, attribution appreciated.
Walk-throughs for the alert types modern SOCs see most — encoded PowerShell, OAuth grant abuse, MFA fatigue, cloud key exposure.
Field-tested response playbooks with explicit approval gates, scoped permissions, and reversal plans you can adopt today.
Annotated detection rules, ATT&CK coverage analyses, and the false-positive patterns we see most across customer environments.
Ready-to-use IR templates: executive briefs, customer notifications, regulator filings, and internal post-mortems.
Mapped to SOC 2, ISO 27001, PCI and NIST CSF — the controls auditors actually ask about, with the evidence we collect by default.
Every entry is live in the product. Workspace activity reflects what your team can use today.
- Mobile: Mobile SOC review experience
Analysts can now triage the review queue, approve playbook actions, and read investigation timelines from any modern phone browser.
- Trust Center: Trust Center improvements
Expanded subprocessor list, refreshed control mappings, and a public status page surface — all reachable from the marketing Trust Center.
- Settings: Data retention controls
Per-resource retention windows, export request workflow, and admin-approved deletion requests with full audit trail.
- Developer: Developer API and webhook settings
Scoped API keys, signed webhook endpoints, and a curl quick-start. Outbound deliveries are HMAC-signed by default, so receivers can verify origin and integrity before acting on them.
- Reporting: Executive reporting center
Board-ready briefs and program reports generated from real workspace activity, with per-section evidence references.
- MSSP: MSSP client workspace foundation
Multi-tenant client switching in the operations console with scoped roles, per-client risk tiers, and isolated audit trails.
- Compliance: Compliance Evidence Pack exports
One-click export packs mapped to SOC 2, ISO 27001, PCI and NIST CSF — every control linked to the underlying alerts and investigations.
- Alerts: Saved alert views
Personal and shared saved views with filter, sort and column presets. Backed by per-org access rules.
- Integrations: Integration health monitoring
Live ingestion and webhook health per source, with degraded/failing thresholds surfaced in the operations console.
- Reporting: Incident brief generator
Generates exec, board and customer-notification drafts directly from an investigation — every claim traceable to evidence.
- Response: Response approval queue
Two-person approval queue for any write action. Scoped permissions, reversible plans, and a complete approval log.
- Triage: False-positive learning workflow
Analyst feedback now feeds suppression rules with an audit trail and rollback. False-positive trend visible per source.
- Investigation: Threat Graph relationship view
Real-time entity graph of hosts, identities, processes and infrastructure — every edge traceable to source telemetry.
- Investigation: Read-only investigation mode
Default-safe investigation view for auditors and external responders. No write paths, full evidence access.
- Audit: Analyst decision audit trail
Every verdict, override and approval written to an immutable audit log with reasoning and source references.
- Investigation: Investigation case timeline improvements
Forensic-style ordered evidence rows with collapsible sub-events and cross-source correlation highlighting.
- Integrations: Sentinel, Okta and CrowdStrike setup flows
Guided telemetry source flows for Microsoft Sentinel, Okta and CrowdStrike Falcon — read-only by default with least-privilege scopes.
- Triage: Evidence-backed alert triage workspace
Verdict, confidence meter and reasoning trace on every incoming alert, before an analyst opens it.
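The "Developer API and webhook settings" entry above says outbound deliveries are HMAC-signed. What that buys you depends entirely on the receiving side verifying correctly, so here is an added example of a receiver-side check. This is illustrative code written for this page, not the product's SDK, and the header names, the `v1=` prefix, the `timestamp.body` message layout and the five-minute replay window are all assumptions about a signing scheme, not the product's documented format; substitute whatever the real quick-start specifies.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumed (hypothetical) signing scheme, not the product's documented one:
#   X-Webhook-Timestamp: unix seconds at send time
#   X-Webhook-Signature: "v1=" + hex(HMAC-SHA256(secret, "<timestamp>.<raw body>"))
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # deliveries older or newer than this are rejected (replay window)


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Produce the signature a sender would attach.

    Included so the example runs end to end; a receiver only needs verify().
    Binding the timestamp into the MAC means an attacker cannot replay an old
    signature with a fresh timestamp.
    """
    msg = str(timestamp).encode() + b"." + body
    return "v1=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for one inbound delivery.

    Verify over the exact bytes received, never over a re-serialized JSON
    object (key order and whitespace would change the MAC), and compare with
    hmac.compare_digest so a byte-by-byte mismatch does not leak timing.
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing signature or timestamp header"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    # Check freshness before doing the MAC so stale deliveries are cheap to drop.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, ts, body)
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


def demo() -> Tuple[bool, bool, bool, bool]:
    """Run verify() against one constructed delivery and three tampered variants."""
    secret = b"whsec_constructed_example_secret"          # constructed sample secret
    body = b'{"event":"approval.requested","id":"inv_0001"}'  # constructed sample payload
    ts = 1700000000
    headers = {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: sign(secret, ts, body)}
    good = verify(secret, headers, body, now=ts + 30)[0]
    tampered_body = verify(secret, headers, body + b" ", now=ts + 30)[0]
    wrong_secret = verify(b"other-secret", headers, body, now=ts + 30)[0]
    replayed_late = verify(secret, headers, body, now=ts + 3600)[0]
    return good, tampered_body, wrong_secret, replayed_late


if __name__ == "__main__":
    print(demo())  # expect (True, False, False, False)
```

The timestamp window limits replay but does not eliminate it: a captured delivery can still be resubmitted inside the window, so dedupe on a per-delivery identifier (if the sender provides one) before triggering any write action such as a playbook approval. Read the body as raw bytes from the request before any framework parses it, and load the secret from the same place you keep other per-integration credentials, not from source.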