Founding member pricing: $14.99/mo, locked for life Claim it →
Every Tuesday · Written by one working analyst

Weekly SOC detections
you can actually run.

A production detection rule, a real incident case study, a hunt query, and a career tip — every Tuesday. Built from 10 years running SOC at major financial institutions, not adapted from vendor docs.

CrowdStrike · Splunk · Microsoft Sentinel · Defender

What you're actually paying for

Everything that ships with every issue

Not a newsletter. An operational package, every single week.

Detection Rule
Production-ready, for CrowdStrike, Sentinel, or Splunk, rotating weekly.
Case Study
A real incident walkthrough, what fired, what was investigated, what almost got missed.
Hunt Query
A hypothesis and a working query to run proactively, not just react to alerts.
Career Tip
One concrete move for promotion, interviews, or handling friction with your team.
Office Hours
A monthly 30-minute live Q&A. Recording sent to every subscriber, live or not.
Private Discord
A community of working analysts, not a comment section full of marketers. Join now and you're one of the first in the room.
Detection Archive
Every past issue, searchable, growing every week you're subscribed.
30-Day Guarantee
If it's not useful in your first month, full refund, no questions asked.
See exactly what subscribers get

A real example.
Not a description of value.

This is one real detection rule from the archive, complete and unedited. Every Tuesday, subscribers get a new one like it, with the same depth: required logs, false positives, tuning notes, investigation steps, MITRE mapping, and ticket wording attached.

Written by a working SOC and threat hunting analyst with 10+ years across CrowdStrike, Splunk, Sentinel, and Defender. Examples are sanitized for education.

Detection rule of the week — CrowdStrike LogScale
// PowerShell from Office or browser — Critical
#event_simpleName=ProcessRollup2
ImageFileName=/\/powershell\.exe$/i
ParentBaseFileName IN (
  "WINWORD.EXE", "OUTLOOK.EXE",
  "chrome.exe", "msedge.exe"
)
| table @timestamp ComputerName
    UserName CommandLine
| "sort" @timestamp desc

// Rarely legitimate in enterprise.
// Treat as high confidence, investigate immediately.
From the free kit, the first newsletter, and the blog — unedited

What early readers are saying

I downloaded the free SOC starter kit first just to see what kind of material this was. Honestly, it was better than I expected. The severity matrix and step-by-step triage flow are the kind of things I can actually use during a shift, not just read once and forget. It gave me a good feel for how SOCAuthority explains things — simple, practical, and straight to the point.

Mark Lee Information Security Analyst II Downloaded the free Starter Kit

I subscribed and received the first Tuesday newsletter. The best part was how everything connected together — the detection rule, the hunt query, and the case study were all based on a real SOC-style scenario. It helped me think through what to check, what logs matter, how to reduce false positives, and how to write up the ticket.

David H. Senior SOC Analyst Subscriber, first Tuesday issue

I found the blog first and liked that the posts were not generic cybersecurity content. The hunting queries, investigation steps, and walkthroughs are written in a way that makes sense for someone actually working alerts. I'm planning to subscribe because this looks like something I can keep using every week.

Kashif K. Senior Splunk Consultant Reader of the blog and hunting guides
Pricing

Two ways to get this.

Subscribe for new content every week, or buy the foundation once and keep it forever.

Founding member pricing — locked for life
Weekly Intelligence Pack
$29 $14.99 / month
Locked for life. Annual $149 — save 2 months.
30-day money back · cancel anytime
One-time, own it forever
Prefer to buy once?

Not sure where to start? Get the Complete SOC Toolkit for the full foundation — triage, IR, hunting, quick reference, runbooks, templates, and scripts. Buy once, keep forever.

SOC Starter KitBest for: junior analysts, interview prep, and a repeatable triage workflow4 files · PDF + DOCX · CrowdStrike, Splunk, Sentinel
$39 Get →
  • Alert Triage Handbook
  • IR Runbook Set
  • Threat Hunting Playbook
  • Quick Reference Card
PDF + DOCX · Splunk, Sentinel, CrowdStrike examples · Instant download · 30-day money back
View sample pages →
IR Runbook BundleBest for: phishing, ransomware, credential compromise, and insider threat4 runbooks + post-IR template · scripts included
$49 Get →
  • Phishing IR Runbook
  • Ransomware IR Runbook
  • Credential Compromise Runbook
  • Insider Threat Runbook
  • Post-Incident Review Template
PDF + DOCX · CrowdStrike, Splunk, Sentinel KQL, Entra ID · Instant download · 30-day money back
View sample pages →
Complete BundleBest value: everything in both kits, buy once, keep forever8 documents total · save $9 vs buying separately
$79 Get →
  • All 4 documents from SOC Starter Kit
  • All 4 documents from IR Runbook Bundle
PDF + DOCX · CrowdStrike, Splunk, Sentinel, Entra ID, MITRE ATT&CK · Instant download · 30-day money back
View Starter Kit sample → · View IR Bundle sample →
Or grab the free triage checklist first.

Built by someone who still works alerts.

Senior cybersecurity analyst with 10+ years in SOC operations, incident response, and threat hunting at major Canadian financial institutions. Every query and runbook on this site has been used on a real incident in a production environment, not adapted from vendor documentation by a consultant who theorizes about security.

Read the full story →
10+Years in SOC and IR
4SIEM and EDR platforms
0Textbook theory
FAQ

Common questions

What's in the Intelligence Pack?+

Every Tuesday: a production-ready detection rule, a real incident case study, a hunt hypothesis with a query, and a career tip. Plus monthly Office Hours, private Discord, and a growing detection archive. Regular price is $29/month — founding members lock in $14.99/month for life.

What platforms are covered?+

CrowdStrike Falcon LogScale, Microsoft Sentinel KQL, and Splunk SPL. Platforms rotate weekly so over a month you get coverage across all three.

Is there a money back guarantee?+

Yes. 30-day money back guarantee on the subscription and every product. Request a refund through Gumroad, no questions asked.

Subscription or one-time purchase — which should I get?+

The one-time kits are playbooks and frameworks you keep forever. The Intelligence Pack is a weekly delivery of new content plus direct access through Office Hours. Many people use both — the kits for the foundation, the subscription for staying current.

Why pay if the blog already shows real queries?+

The blog gives you the query. The Intelligence Pack gives you the full operational picture behind it: required log sources, false positive guidance, investigation steps, MITRE mapping, and ticket wording, plus the hunt hypothesis and career tip that ship with it every week, and Office Hours and the archive on top of that.

Can I cancel anytime?+

Yes. Cancel anytime through Gumroad, no lock-in. Access to the Discord and detection archive lasts as long as your subscription is active.

Every Tuesday. One subscription.

A detection rule that's already been tuned. A case study that's already happened. A hunt query that's already worked. $14.99 a month, locked for life if you're early.

Join — $14.99/mo Read the Blog First
Before you go

Free SOC Triage Checklist

Severity matrix, 5-phase process, 8 critical Event IDs, Splunk cheatsheet. One page.

Get the Free Checklist