Threat Hunting Process: A Repeatable Framework SOC Analysts Actually Use

Hypothesis generation, hunt execution, evidence documentation, and detection engineering output. With working queries for CrowdStrike, Sentinel, and Splunk you can run today.

KQL Detection Engineering: Writing Sentinel Rules That Actually Fire Correctly

Production KQL patterns for Sentinel — allowlist suppression, dynamic baselining, multi-signal correlation, entity mapping, and a tuning workflow that works before rules go live.

Splunk SOC Queries: Production SPL for Triage, Hunting, and Incident Response

Five production SPL queries covering suspicious process creation, brute force detection, NTLM lateral movement, data exfiltration volume, and scheduled task persistence — with tuning notes.

MITRE ATT&CK Detection Coverage: How to Map Your Rules and Find Real Gaps

How to map your detection rules to MITRE ATT&CK, measure coverage honestly across three confidence levels, and prioritize what to build next based on your actual threat profile.

SOC Metrics That Actually Matter: What to Measure and How to Report to Leadership

MTTD, MTTR, false positive rate, and detection coverage — what each means, how to calculate it honestly, and how to translate it into business risk language for non-technical leadership.

Windows Event Log Monitoring: Critical Event IDs Every SOC Analyst Must Know

The essential Event IDs for SOC monitoring. What each event means, when to alert, and production detection queries covering 4624, 4625, 4688, 4698, 4732, 4776, 7045, and 4104.

Insider Threat Detection: Queries and Behavioral Indicators for SOC Teams

Behavioral analytics and SIEM queries for detecting insider threats. Data volume anomalies, USB usage, after-hours access, email forwarding rules, and print volume detection.

CrowdStrike Falcon Detection Rules: Production LogScale Queries for SOC Teams

Seven production LogScale detection rules covering PowerShell from Office apps, LOLBin abuse, reflective DLL injection, DNS correlation, service installation, and mass file deletion.

Splunk Threat Hunting Queries: Production SPL for SOC Analysts

Seven production Splunk SPL queries covering LOLBin detection, encoded PowerShell, admin account creation, credential dumping, scheduled task persistence, lateral movement, and recon.

Ransomware Incident Response Checklist: Step-by-Step SOC Playbook

Complete ransomware IR checklist covering pre-incident preparation, detection, containment, patient zero investigation, executive communication, eradication, and post-incident review.

Lateral Movement Detection: Production Queries for CrowdStrike, Sentinel, and Splunk

How to detect lateral movement using behavioral anomaly detection. First-time host authentication, SMB volume anomalies, WMI execution, and pass-the-hash patterns with production queries.

Microsoft Sentinel KQL Queries for Threat Hunting: Production-Ready Detections

Six production-tested KQL queries for Sentinel covering suspicious PowerShell, new admin accounts, impossible travel, scheduled task creation, mass file access, and MFA bypass detection.

CrowdStrike LogScale Queries Every SOC Analyst Should Know

Five production-tested LogScale queries for detecting LOLBin abuse, suspicious PowerShell, off-hours admin account creation, mass file deletion, and BloodHound LDAP reconnaissance.

How to Detect PowerShell Encoded Commands in Microsoft Sentinel

A working SOC analyst's guide to detecting PowerShell -EncodedCommand abuse using a weighted scoring model, with MITRE ATT&CK mapping and real-world tuning notes.

SOC Analyst Interview Questions and Answers: What Hiring Managers Actually Ask

Real SOC analyst interview questions with detailed answers. Technical investigation questions, scenario-based questions, and what experienced hiring managers are actually evaluating.

Phishing Incident Response: A Step-by-Step Runbook for SOC Teams

Complete phishing IR runbook covering detection, containment, investigation, communication scripts, and recovery. Built from real phishing incidents at major financial institutions.

SOC Alert Triage Process: The 5-Phase Method That Works at 2AM

A repeatable 5-phase alert triage process covering severity assessment, context building, investigation, escalation, and documentation. Includes a P1 to P4 severity matrix.

Founding member pricing — locked for life
Get a new detection rule every Tuesday

Production detection rule, real incident case study, hunt hypothesis, and career tip — every Tuesday. Plus monthly Office Hours and a private Discord. $14.99/month, founding member rate locked for life.

Join the Intelligence Pack — $14.99/mo →