A production detection rule, a real incident case study, a hunt query, and a career tip — every Tuesday. Built from 10 years running SOC at major financial institutions, not adapted from vendor docs.
CrowdStrike · Splunk · Microsoft Sentinel · Defender
Not a newsletter. An operational package, every single week.
This is one real detection rule from the archive, complete and unedited. Every Tuesday, subscribers get a new one like it, with the same depth: required logs, false positives, tuning notes, investigation steps, MITRE mapping, and ticket wording attached.
Written by a working SOC and threat hunting analyst with 10+ years across CrowdStrike, Splunk, Sentinel, and Defender. Examples are sanitized for education.
// PowerShell from Office or browser — Critical #event_simpleName=ProcessRollup2 ImageFileName=/\/powershell\.exe$/i ParentBaseFileName IN ( "WINWORD.EXE", "OUTLOOK.EXE", "chrome.exe", "msedge.exe" ) | table @timestamp ComputerName UserName CommandLine | "sort" @timestamp desc // Rarely legitimate in enterprise. // Treat as high confidence, investigate immediately.
I downloaded the free SOC starter kit first just to see what kind of material this was. Honestly, it was better than I expected. The severity matrix and step-by-step triage flow are the kind of things I can actually use during a shift, not just read once and forget. It gave me a good feel for how SOCAuthority explains things — simple, practical, and straight to the point.
I subscribed and received the first Tuesday newsletter. The best part was how everything connected together — the detection rule, the hunt query, and the case study were all based on a real SOC-style scenario. It helped me think through what to check, what logs matter, how to reduce false positives, and how to write up the ticket.
I found the blog first and liked that the posts were not generic cybersecurity content. The hunting queries, investigation steps, and walkthroughs are written in a way that makes sense for someone actually working alerts. I'm planning to subscribe because this looks like something I can keep using every week.
Subscribe for new content every week, or buy the foundation once and keep it forever.
Not sure where to start? Get the Complete SOC Toolkit for the full foundation — triage, IR, hunting, quick reference, runbooks, templates, and scripts. Buy once, keep forever.
Senior cybersecurity analyst with 10+ years in SOC operations, incident response, and threat hunting at major Canadian financial institutions. Every query and runbook on this site has been used on a real incident in a production environment, not adapted from vendor documentation by a consultant who theorizes about security.
Read the full story →Every Tuesday: a production-ready detection rule, a real incident case study, a hunt hypothesis with a query, and a career tip. Plus monthly Office Hours, private Discord, and a growing detection archive. Regular price is $29/month — founding members lock in $14.99/month for life.
CrowdStrike Falcon LogScale, Microsoft Sentinel KQL, and Splunk SPL. Platforms rotate weekly so over a month you get coverage across all three.
Yes. 30-day money back guarantee on the subscription and every product. Request a refund through Gumroad, no questions asked.
The one-time kits are playbooks and frameworks you keep forever. The Intelligence Pack is a weekly delivery of new content plus direct access through Office Hours. Many people use both — the kits for the foundation, the subscription for staying current.
The blog gives you the query. The Intelligence Pack gives you the full operational picture behind it: required log sources, false positive guidance, investigation steps, MITRE mapping, and ticket wording, plus the hunt hypothesis and career tip that ship with it every week, and Office Hours and the archive on top of that.
Yes. Cancel anytime through Gumroad, no lock-in. Access to the Discord and detection archive lasts as long as your subscription is active.
A detection rule that's already been tuned. A case study that's already happened. A hunt query that's already worked. $14.99 a month, locked for life if you're early.
Severity matrix, 5-phase process, 8 critical Event IDs, Splunk cheatsheet. One page.
Get the Free Checklist