Koyer Training Services
Phone: (+44) 113 216 3188 | Email: info@koyertraining.com

Security Operations Center (SOC) Management and Threat Intelligence

Category: Cybersecurity and Digital Risk | Published: October 25, 2025

Introduction

The Security Operations Center (SOC) is the command center for an organisation's defensive cybersecurity posture, requiring skilled management and a data-driven approach. This course provides a comprehensive roadmap for designing, building, and operating a modern, effective SOC. It focuses on integrating cutting-edge technologies like SIEM, SOAR, and User and Entity Behavior Analytics (UEBA) with a robust Threat Intelligence program. Participants will gain the leadership and operational skills necessary to transform a basic monitoring function into a highly efficient, proactive, and mature threat detection and response capability.

Objectives

This program is designed to equip SOC Managers, analysts, and security leaders with the strategic and operational expertise to build, manage, and mature a modern Security Operations Center.

Target Audience

  • SOC Managers and Team Leads.
  • Tier 2 and Tier 3 Security Analysts.
  • CISO and Security Directors.
  • Threat Intelligence Analysts.
  • Incident Response Team Members.
  • Managed Security Service Provider (MSSP) Staff.
  • Security Automation Engineers.

Methodology

  • Group activity designing a SOC organizational structure and staffing plan.
  • Case studies on successful threat hunting campaigns and detection tuning.
  • Technical exercises analyzing raw log data and writing SIEM correlation rules.
  • Discussions on budgeting for SIEM/SOAR/TI platforms.
  • Individual assignment creating a threat intelligence report for executive briefing.

Personal Impact

  • Ability to design, staff, and manage a highly efficient, modern SOC.
  • Expertise in threat intelligence collection, analysis, and operationalization.
  • Mastery of detection engineering and advanced SIEM rule writing.
  • Skills to implement and measure the success of SOAR automation.
  • Enhanced leadership capability in a high-stress, 24/7 environment.
  • Deep understanding of security metrics (MTTD, MTTR) and executive reporting.

Organizational Impact

  • Significantly reduced Mean Time to Detect (MTTD) and Respond (MTTR) to threats.
  • Increased detection coverage against sophisticated and zero-day attacks.
  • Improved operational efficiency through SOAR automation, reducing manual toil.
  • Better prioritization of vulnerabilities and threat actors relevant to the business.
  • Lower staff burnout and turnover due to streamlined processes.
  • Demonstrable, measurable performance improvements in the security function.

Course Outline

Unit 1: The Modern SOC: Strategy and Design

Section 1.1: SOC Models and Functions
  • Defining the mission, vision, and core functions of a modern SOC.
  • Different SOC models: internal, outsourced, hybrid, and virtual.
  • Key roles and responsibilities within the SOC (Tier 1-3, Hunters, Engineers).
  • SOC maturity models and benchmarking performance.
Section 1.2: Technology Stack and Integration
  • Selecting and deploying Security Information and Event Management (SIEM).
  • Integrating Endpoint Detection and Response (EDR) and Network Detection and Response (NDR).
  • The role of Security Orchestration, Automation, and Response (SOAR).
  • Log collection strategy, data quality, and retention requirements.

Unit 2: Threat Intelligence Lifecycle and Integration

Section 2.1: Foundations of Threat Intelligence (TI)
  • Defining strategic, operational, and tactical threat intelligence.
  • The threat intelligence lifecycle (Direction, Collection, Processing, Analysis, Dissemination).
  • Sources of TI: commercial feeds, open-source, and internal data.
  • Understanding and using standards like STIX and TAXII.
Section 2.2: TI Operationalization
  • Integrating TI feeds into SIEM and security controls (e.g., firewalls, EDR).
  • Developing custom threat intelligence based on the organisation's risk profile.
  • Mapping threat actors and campaigns to the MITRE ATT&CK Framework.
  • Measuring the effectiveness of TI in detection and blocking.

Unit 3: Detection Engineering and Alert Management

Section 3.1: Building Effective Detections
  • Developing use cases and writing high-fidelity SIEM rules and queries.
  • Leveraging User and Entity Behavior Analytics (UEBA) for anomaly detection.
  • Techniques for reducing alert fatigue and managing false positives.
  • The concept of "Tuning the Signal" to focus on true threats.
Section 3.2: Alert Triage and Incident Prioritization
  • Establishing consistent triage processes and runbooks.
  • Prioritizing incidents based on risk, asset value, and confidence.
  • Effective shift-handover procedures in a 24/7 environment.
  • Implementing a knowledge base for incident resolution and sharing.

Unit 4: Security Automation and Orchestration (SOAR)

Section 4.1: SOAR Strategy and Adoption
  • Identifying high-value SOC tasks for automation (e.g., enrichment, phishing response).
  • Designing and building simple to complex playbooks.
  • Integration of SOAR with SIEM, EDR, and ticketing systems.
  • Assessing the ROI and maturity of SOAR implementation.
Section 4.2: Proactive Security Operations
  • The role and methodology of Proactive Threat Hunting.
  • Developing hypothesis-driven hunts using TI and MITRE ATT&CK.
  • Metrics for measuring threat hunting success and coverage gaps.
  • Vulnerability validation and management in the SOC.

Unit 5: SOC Management, Metrics, and People

Section 5.1: Performance Measurement and Reporting
  • Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for the SOC.
  • Operational metrics: Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
  • Reporting SOC performance to executive leadership.
  • Financial justification and budget management for SOC resources.
Section 5.2: Leading the SOC Team
  • Addressing SOC staff burnout, turnover, and wellness.
  • Hiring, training, and career development pathways for analysts.
  • Cultivating collaboration between the SOC, Incident Response, and DevSecOps.
  • Tabletop exercises and continuous training for skill maintenance.

Upcoming Sessions

  • Casablanca: December 01, 2025 - December 05, 2025
  • Cairo: January 05, 2026 - January 09, 2026
  • Dubai: January 19, 2026 - January 21, 2026

© 2025 Koyer Training Services