Module 1: SOC Foundations & Operational Readiness
What this module is about
Before detection rules, playbooks, and IR reports, a SOC needs structure. Who is responsible for what? When an alert fires at 03:00, who picks it up? When the T1 analyst finds something they cannot resolve, who do they escalate to and how? When the shift changes, how does the outgoing analyst hand off active investigations? How does the SOC measure whether it is getting better or worse?
These questions are not glamorous. They do not involve KQL queries or MITRE ATT&CK technique IDs. But they determine whether everything built in subsequent modules — the detection rules, the playbooks, the IR documentation — actually works in practice. A brilliant detection rule that fires at 02:00 and sits in the queue until 08:00 because nobody was assigned to monitor overnight has zero operational value.
This module provides the organizational framework: operating models, roles and responsibilities, handover procedures, escalation paths, operational metrics, and the SOC charter that codifies all of it. It is the first module in the course sequence because understanding the operational context makes every subsequent module more effective.
What you will be able to do after completing this module
- Select and implement a SOC operating model appropriate to your organization’s size and maturity
- Define analyst tier responsibilities and escalation criteria
- Implement shift handover procedures that prevent investigation gaps
- Build an escalation matrix that routes incidents to the right person at the right time
- Track operational metrics (MTTD, MTTR, dwell time, alert volume, SLA compliance) and use them to drive improvement
- Write a SOC charter that documents roles, responsibilities, authorities, and operating procedures
Sections in this module
- SOC Operating Models — dedicated, hybrid, virtual, and managed SOC models with selection criteria based on organization size, budget, and risk profile
- Analyst Tiers and Role Definitions — T1 through T3 responsibilities, skill requirements, and career progression paths that match the playbook framework from Module S7
- Shift Handover Procedures — structured handover that prevents investigation gaps, active incident transfer, and queue state communication
- Escalation Framework — when to escalate, who to escalate to, and how escalation decisions map to the severity classifications from S7 and S8
- Operational Metrics and KPIs — MTTD, MTTR, dwell time, alert volume, SLA compliance, detection coverage, and false positive rate — the numbers that tell you whether your SOC is improving
- The SOC Charter — the authoritative document that codifies operating model, roles, authorities, escalation paths, metrics targets, and review schedule
- Tool Stack Integration — how Sentinel, Defender XDR, ticketing systems, communication platforms, and automation tools fit together in the operational workflow
- SOC Maturity Assessment — evaluating your current SOC against a maturity model and building a roadmap from your current state to your target state
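As an added illustration of the Operational Metrics section (not part of the course material), the following Python computes MTTD, MTTR, mean dwell time and SLA compliance from a constructed set of incident records; the metric definitions, the per-severity acknowledgement targets and the `Incident` fields are assumptions, since the module lists the metrics without defining them here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Assumed definitions (the module lists these metrics without defining them here):
#   MTTD = mean(detected - first_activity); MTTR = mean(resolved - detected)
#   dwell = mean(contained - first_activity); SLA compliance = share of incidents
#   acknowledged within the per-severity target below (targets are assumed).
SLA_ACK_TARGETS = {"High": timedelta(minutes=15), "Medium": timedelta(hours=1),
                   "Low": timedelta(hours=4)}

@dataclass
class Incident:
    id: str
    severity: str
    first_activity: datetime  # earliest attacker activity found in the investigation
    detected: datetime        # alert fired
    acknowledged: datetime    # an analyst picked the alert up
    contained: datetime
    resolved: datetime

def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600

def sla_breaches(incidents):
    """Ids of incidents acknowledged later than their severity's SLA target."""
    return [i.id for i in incidents
            if i.acknowledged - i.detected > SLA_ACK_TARGETS[i.severity]]

def soc_metrics(incidents):
    """MTTD, MTTR and mean dwell time in hours, plus SLA compliance rate."""
    breaches = sla_breaches(incidents)
    return {
        "mttd_h": mean(_hours(i.detected - i.first_activity) for i in incidents),
        "mttr_h": mean(_hours(i.resolved - i.detected) for i in incidents),
        "dwell_h": mean(_hours(i.contained - i.first_activity) for i in incidents),
        "sla_compliance": 1 - len(breaches) / len(incidents),
        "sla_breaches": breaches,
    }

# Constructed sample shift. INC-002 is the page's scenario: alert fires at 02:00
# and sits in the queue until 08:00 because nobody was assigned overnight.
_D = datetime(2024, 1, 1)
def _t(h, m=0): return _D + timedelta(hours=h, minutes=m)
SAMPLE_INCIDENTS = [
    Incident("INC-001", "High", _t(0), _t(0, 30), _t(0, 40), _t(1, 30), _t(2, 30)),
    Incident("INC-002", "High", _t(1), _t(2), _t(8), _t(9), _t(10)),
    Incident("INC-003", "Medium", _t(0), _t(3), _t(3, 45), _t(5), _t(6)),
]
```

Run `soc_metrics(SAMPLE_INCIDENTS)` to see the overnight gap surface as an eight-hour time-to-resolve and a single SLA breach, which is the kind of number the charter's metrics targets are meant to catch.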