1.10 Check My Knowledge

8-10 hours · Module 1 · Free

1. Scenario: Your organization has 3 security staff. One senior analyst (5 years experience) handles detection engineering, complex investigations, and SOC management. Two junior analysts handle alert triage. The senior analyst is going on 2 weeks of annual leave. What operational preparation is needed?

Prepare across three dimensions: (1) Authority delegation: Temporarily designate one junior analyst as T2 for defined scenarios — pre-authorize them for token revocation and password reset on confirmed compromises, with a documented scope limit (escalate anything beyond credential compromise to the on-call CISO contact). (2) External support: Brief your MDR provider or external IR contact that the senior analyst is unavailable and they may need to provide deeper investigation support than usual. Confirm their escalation contact details. (3) Documentation check: Verify all active detection rules have specifications, all playbooks are current, and the investigation log for any open incidents is up to date. The junior analysts will rely on documented procedures more heavily than usual. Schedule a handover briefing before the leave starts covering: current detection rule status, any known environmental conditions, any pending PIR actions.
No special preparation — the juniors can handle triage for 2 weeks
Hire a temporary contractor to cover the senior role

2. Scenario: Your SOC dashboard shows that SLA compliance for triage has dropped from 91% to 72% over 3 months, while alert volume increased from 380 to 520 per month. MTTD remained stable. What do the metrics tell you and what action do you recommend?

The metrics show a capacity constraint: alert volume increased 37% but the team size (presumably) did not change. Stable MTTD means detection is working — the rules are firing on time. Declining triage SLA means the team cannot process the increased volume within the defined timeframes. Two possible responses: (1) Reduce volume: Identify which detection rules are driving the increase. If new rules were deployed without adequate tuning, their FP rates may be inflating the queue. Tune the noisiest rules to reduce alert volume back to manageable levels. (2) Increase capacity: If the volume increase represents genuine threat activity (more true positives), the team needs more capacity — either additional headcount, automation for routine triage (Sentinel automation rules for low-severity known patterns), or expanded MDR provider scope. Present the data to the CISO: "Alert volume increased 37%, triage SLA dropped 19 points. We need either tuning investment (reduce noise) or capacity investment (handle the volume)."
Relax the triage SLA to match the team's actual performance
The team needs to work faster — implement triage time targets per alert
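As an added example (not part of the course material), the following Python computes the three numbers the scenario turns on from a handful of constructed alert records: monthly volume, triage SLA compliance (the response metric) and MTTD (the detection metric), and then ranks rules by false positives so the team can tell a tuning problem from a capacity problem. The rule names, timestamps and the 30-minute triage SLA are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TRIAGE_SLA = timedelta(minutes=30)  # assumed triage SLA for this example

@dataclass
class Alert:
    rule: str            # detection rule that fired
    activity: datetime   # when the underlying activity happened
    created: datetime    # when the rule raised the alert (detection)
    triaged: datetime    # when an analyst finished triage (response)
    disposition: str     # "TP" (true positive) or "FP" (false positive)

def _mk(rule, month, day, hour, detect_min, triage_min, disp):
    """Constructed alert: activity at the given hour, then detection/triage offsets."""
    act = datetime(2024, month, day, hour, 0)
    created = act + timedelta(minutes=detect_min)
    return Alert(rule, act, created, created + timedelta(minutes=triage_min), disp)

# Constructed sample: January is tuned; February adds an untuned, noisy rule.
ALERTS = [
    _mk("impossible-travel", 1, 3, 9, 5, 20, "TP"),
    _mk("impossible-travel", 1, 10, 14, 6, 25, "FP"),
    _mk("mailbox-forwarding", 1, 17, 11, 4, 15, "TP"),
    _mk("impossible-travel", 2, 2, 9, 5, 22, "TP"),
    _mk("mailbox-forwarding", 2, 5, 10, 4, 18, "TP"),
    _mk("untuned-new-rule", 2, 6, 8, 5, 45, "FP"),
    _mk("untuned-new-rule", 2, 6, 9, 6, 60, "FP"),
    _mk("untuned-new-rule", 2, 12, 13, 5, 50, "FP"),
]

def monthly_metrics(alerts, sla=TRIAGE_SLA):
    """Per month: alert volume, % triaged within SLA, and mean time to detect."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a.created.strftime("%Y-%m")].append(a)
    out = {}
    for m, grp in groups.items():
        within = sum(a.triaged - a.created <= sla for a in grp)
        lag = sum((a.created - a.activity).total_seconds() / 60 for a in grp)
        out[m] = {"volume": len(grp), "sla_pct": round(100 * within / len(grp)),
                  "mttd_min": round(lag / len(grp), 1)}
    return out

def noisiest_rules(alerts, month):
    """Rules ranked by false positives in a month: the first tuning candidates."""
    fps = Counter(a.rule for a in alerts
                  if a.disposition == "FP" and a.created.strftime("%Y-%m") == month)
    return fps.most_common()
```

In the sample, MTTD stays at 5 minutes in both months while SLA compliance falls from 100% to 40%, and the ranking shows a single untuned rule accounts for every February false positive: the same pattern as the scenario, and the evidence to bring to the CISO.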

3. Scenario: You present the SOC charter to the CISO for approval. The CISO asks: "Why does the SOC need pre-authorization to revoke user tokens? Why can't the analyst just ask me each time?" What is your response?

Time. The Critical severity SLA requires containment within 15 minutes. If the analyst must locate the CISO, brief them, and obtain approval before every token revocation, the approval process alone may consume the entire SLA window — especially after hours when the CISO may not be immediately reachable. Token revocation is a low-blast-radius action (the user is temporarily inconvenienced by re-authentication) with high containment value (the adversary's active session is terminated). Pre-authorization for low-blast-radius, high-value actions enables the analyst to contain the threat within the SLA. High-blast-radius actions (account disablement, device isolation) retain the CISO approval requirement because their impact on the user and the business justifies the deliberation time.
The CISO should always approve containment — it is their responsibility
Pre-authorization is standard practice in all SOCs

4. Scenario: Your SOC maturity assessment shows: Detection Level 3, Investigation Level 2, Containment Level 1, Documentation Level 1, Metrics Level 1. You can only invest in improving one domain this quarter. Which do you choose?

Containment (Level 1 → Level 2). Detection at Level 3 means you are finding threats effectively. Investigation at Level 2 means you can investigate them with some consistency. But Containment at Level 1 means when you find a confirmed threat, the response is ad hoc — no documented authority, no blast radius awareness, no systematic persistence removal. You detect threats and investigate them, but the final step — stopping the adversary — is inconsistent and potentially incomplete. Deploy the containment framework from Module S7 (subsection 7.3) and the authority section from the SOC charter (subsection 1.6). This directly improves the operational outcome of every investigation. Documentation at Level 1 is also critical but containment has a more immediate security impact — you can document imperfectly while containing effectively, but you cannot document perfectly while containing poorly.
Documentation — it is the foundation for everything else
Metrics — you cannot improve what you do not measure
You're reading the free modules of SOC Operations