Production-tested guides, detection queries, and playbooks from 10 years of real SOC operations. No theory. No filler.
Hypothesis generation, hunt execution, evidence documentation, and detection engineering output. With working queries for CrowdStrike, Sentinel, and Splunk you can run today.
Microsoft SentinelProduction KQL patterns for Sentinel — allowlist suppression, dynamic baselining, multi-signal correlation, entity mapping, and a tuning workflow that works before rules go live.
SplunkFive production SPL queries covering suspicious process creation, brute force detection, NTLM lateral movement, data exfiltration volume, and scheduled task persistence — with tuning notes.
Detection EngineeringHow to map your detection rules to MITRE ATT&CK, measure coverage honestly across three confidence levels, and prioritize what to build next based on your actual threat profile.
SOC OperationsMTTD, MTTR, false positive rate, and detection coverage — what each means, how to calculate it honestly, and how to translate it into business risk language for non-technical leadership.
SOC FundamentalsThe essential Event IDs for SOC monitoring. What each event means, when to alert, and production detection queries covering 4624, 4625, 4688, 4698, 4732, 4776, 7045, and 4104.
Insider ThreatBehavioral analytics and SIEM queries for detecting insider threats. Data volume anomalies, USB usage, after-hours access, email forwarding rules, and print volume detection.
CrowdStrikeSeven production LogScale detection rules covering PowerShell from Office apps, LOLBin abuse, reflective DLL injection, DNS correlation, service installation, and mass file deletion.
SplunkSeven production Splunk SPL queries covering LOLBin detection, encoded PowerShell, admin account creation, credential dumping, scheduled task persistence, lateral movement, and recon.
Incident ResponseComplete ransomware IR checklist covering pre-incident preparation, detection, containment, patient zero investigation, executive communication, eradication, and post-incident review.
Threat HuntingHow to detect lateral movement using behavioral anomaly detection. First-time host authentication, SMB volume anomalies, WMI execution, and pass-the-hash patterns with production queries.
Microsoft SentinelSix production-tested KQL queries for Sentinel covering suspicious PowerShell, new admin accounts, impossible travel, scheduled task creation, mass file access, and MFA bypass detection.
CrowdStrikeFive production-tested LogScale queries for detecting LOLBin abuse, suspicious PowerShell, off-hours admin account creation, mass file deletion, and BloodHound LDAP reconnaissance.
Microsoft SentinelA working SOC analyst's guide to detecting PowerShell -EncodedCommand abuse using a weighted scoring model, with MITRE ATT&CK mapping and real-world tuning notes.
CareerReal SOC analyst interview questions with detailed answers. Technical investigation questions, scenario-based questions, and what experienced hiring managers are actually evaluating.
Incident ResponseComplete phishing IR runbook covering detection, containment, investigation, communication scripts, and recovery. Built from real phishing incidents at major financial institutions.
Alert TriageA repeatable 5-phase alert triage process covering severity assessment, context building, investigation, escalation, and documentation. Includes a P1 to P4 severity matrix.
Production detection rule, real incident case study, hunt hypothesis, and career tip — every Tuesday. Plus monthly Office Hours and a private Discord. $14.99/month, founding member rate locked for life.
Join the Intelligence Pack — $14.99/mo →