Future of SecOps

Opinionated analysis, guides, and expert takes from security operations practitioners.

Stay sharp on security operations

Practitioner takes on SOC modernization, detection engineering, threat hunting, and more. No fluff. No product pitches.

Latest

AI in Security Operations

Most AI SOC demos are scripted against scripted data

A detection engineer's take on why the AI SOC demo always looks clean, and what to do about it. Theo Hartley breaks down the six incentives that make curated demos the rational default, why POC numbers don't survive contact with production data, and how to run an evaluation the vendor can't script against.

Theo H. · Jun 15, 2026
AI in Security Operations

What an AI SOC agent actually does on a Tier 1 alert

An AI SOC agent closed an impossible-travel alert with a full evidence chain in under four minutes. It also recommended isolating a production server over clean traffic the same week. Marta Kowalska walks one real Entra ID alert through the agent's full investigation chain — and shows exactly where the reasoning broke on a different alert class.

Marta K. · Jun 15, 2026
AI in Security Operations

The AI SOC Analyst: Augmentation or Replacement?

Every AI SOC vendor says the technology augments analysts. Their own ROI math says something different. Theo Hartley breaks down why "augmentation" is doing commercial work rather than describing the product — and what the broken entry-level hiring pipeline tells you about where Tier 1 is actually headed.

Theo H. · Jun 14, 2026
Identity & Access Security Operations

Privileged access management from the SOC seat

I inherited a CyberArk rollout eighteen months in, vault live and compliance satisfied. When I asked what detection rules the team had built against the PAM logs in the SIEM, the answer was zero.

Daniel C. · Jun 5, 2026
Cloud Security Operations

Runtime security is where cloud attacks actually get caught

The CNAPP dashboard stayed green while an attacker with a stolen access key moved through three AWS accounts and touched 19 IAM principals. Prevention had nothing to flag because the login was legitimate, the permissions were real, and the only signal was runtime behavior.

Daniel C. · Jun 5, 2026
AI in Security Operations

Most autonomous SOC pitches don't survive a real alert stream

The autonomous SOC demo cleared 40 curated alerts in under two minutes. Four hours into a real production queue on a Wednesday night, it had already stalled on a custom cloud detection, silently closed a dedup cluster, and skipped an alert that needed a Jira ticket to answer.

Marta K. · Jun 5, 2026
Detection Engineering

What we got wrong in our first 100 detections

We shipped a hundred detections and the ATT&CK heatmap stayed green through fourteen broken rules, week-stale IOCs, and a log pipeline that had stopped exporting months earlier. Every failure traced to the same root: we treated detection engineering as rule writing and skipped the maintenance.

Marta K. · Jun 5, 2026
MDR

What an MDR renewal conversation actually sounds like

Most MDR vendors arrive at renewal with a polished QBR deck. Most customers arrive with nothing to push back with. That asymmetry is the whole game — and it's why flat escalation rates, unaudited closed verdicts, and a 2 AM analyst who knows nothing about your environment survive contract after contract. This piece is the counter-metric.

Marta K. · Jun 5, 2026
Detection Engineering

Sigma rules are essential, and also overrated

Sigma solved detection portability but not tuning, conversion fidelity, or cloud coverage. Where the format still delivers value and where teams over-rely on it.

Marta K. · Jun 3, 2026