About SOCAuthority

Built by someone who
still works alerts.

Not a marketing team. Not a content agency. One analyst who has spent over a decade in the seat, writing down what actually works.

SOCAuthority is run by a single security practitioner with more than 10 years of continuous, hands-on work in security operations centers, incident response teams, and threat hunting programs, primarily inside regulated Canadian financial institutions where the stakes of getting detection wrong are measured in real financial and reputational terms, not hypotheticals.

In short: built by a Canadian SOC and threat hunting analyst. Identity and employer names are withheld for confidentiality, but the work background covers enterprise SOC operations, financial-sector incident response, and detection engineering, not a marketing team writing about security secondhand.

That distinction matters more than it sounds. A huge amount of security content online is written by people who have never carried a pager, never sat through a 3am escalation, and never had to explain to an executive why an alert sat in a queue for six hours. Everything published here comes from the other side of that experience.

Ten years is long enough to see the same five attack patterns rotate through a dozen different disguises, and short enough to still remember what it felt like not knowing which alert mattered.

What the work has actually looked like

The career arc behind this site runs through the full lifecycle of a security operations function rather than staying in one lane. That breadth is intentional — it's the reason the content here connects detection engineering to investigation to remediation instead of treating them as separate disciplines.

SOC Operations & Alert Triage

Years of daily alert queue work across high-volume enterprise environments. Severity scoring, shift handover, escalation pathways, and the unglamorous discipline of closing tickets correctly under time pressure.

Incident Response & Investigations

Hands-on response to phishing campaigns, ransomware precursors, credential compromise, business email compromise, and insider threat cases — from initial detection through containment, eradication, and post-incident review.

Threat Hunting

Hypothesis-driven hunting programs built around MITRE ATT&CK, behavioral baselining, and the unglamorous baseline-then-tune cycle that actually separates a usable detection rule from a noisy one.

Vulnerability Management

Exposure tracking and remediation prioritization across enterprise asset inventories — translating scan output into a risk-ranked patching program that engineering teams will actually act on.

Penetration Testing & Findings

Participation in authorized internal and external penetration testing engagements, including writing the findings and remediation reports that bridge offensive results into defensive backlog items.

Cloud & Infrastructure Security

Securing virtualized infrastructure and cloud workloads alongside traditional on-prem environments, including identity hardening, conditional access policy design, and endpoint configuration baselines.

Tools used daily, not just studied

Every platform listed here has been used to triage a real alert, write a real detection rule, or close a real ticket. None of it is theoretical familiarity from documentation.

CrowdStrike Falcon Falcon LogScale Microsoft Sentinel Microsoft Defender Splunk Microsoft Entra ID Microsoft Purview Tenable Kali Linux MITRE ATT&CK
10+Years in SOC & IR
5Core security disciplines
0Recycled vendor content

Why this exists

Most weekly security newsletters are written by people one step removed from the work — aggregators, marketers, or analysts early enough in their career that the content reads like study notes rather than field experience. SOCAuthority exists because there wasn't a version of this built by someone still doing the work, still tuning the same noisy rule for the third time this month, still explaining to a junior analyst why a parent process matters more than a command line string.

Every detection rule, every incident case study, and every hunt hypothesis published through the Weekly Intelligence Pack goes through the same filter: would this have actually helped on a real shift. If the answer is no, it doesn't get published.

A note on identity and confidentiality: specific employer names, client names, and identifying details are intentionally withheld throughout this site to respect confidentiality agreements and protect the institutions referenced. All incident scenarios are illustrative composites built from general security operations experience, created for educational purposes. Nothing published here describes an active, unresolved, or attributable real-world incident.
Join the Intelligence Pack — $14.99/mo