SOC-Class – BruCON 0x0D Edition

Course Description

This course provides a comprehensive picture of a Cyber Security Operations Center (CSOC or SOC). Discussion on the technology needed to run a SOC are handled in a vendor agnostic way. In addition, technology is addressed in a way that attempts to address both minimal budgets as well as budgets with global scope. Staff roles needed are enumerated. Informing and training staff through internal training and information sharing is addressed.

The interaction between functional areas and data exchanged is detailed. Processes to coordinate the technology, the SOC staff, and the business are enumerated. After attending this class, the participant will have a roadmap (and Gantt chart) for what needs to be done in the organization seeking to implement security operations.

Course contents

Class Orientation

  • A Story About Telling Stories
  • First Principles and Terminology

Business Alignment

  • Steering Committee – Phase 1: Design
  • Requirements
  • Impact
  • Charter

SOC Design

  • Functional Components
  • Presumed Organizational Support Functions
  • Functional Arrangements
  • Operational and Architectural Considerations
  • SOC Organizational Position
  • Multi SOC Models
  • SOC and IT Relations
  • Size and Maturity
  • Size: What Does It Look Like?
  • Outsourcing Advice

Overall Program of Operations

  • Intro
  • Command Center
  • Network Security Monitoring
  • Threat Intelligence
  • Incident Response
  • Forensics
  • Self Assessment

Business Alignment (2)

  • Defensive Topology
  • Steering Committee: Phase 2: Build

SOC Design

  • Functional Area Work Products
  • Technology Selection
  • Physical SOC Build
  • Technology Selection
  • Cultural and Organizational Influence on SOC Requirements and Performance
  • Orchestration and Automation


  • Analytical Methodology for the SOC
  • Applied ACH
  • Available Frameworks for Analysis
  • Analytical Methodology: Wrap Up


  • Roles
  • Hiring
  • Onboarding
  • Training
  • Meetings
  • Retention


  • Tempo
  • Pre-Forensics
  • Threat Hunting
  • Use Case Development


  • Introduction
  • Appropriate Audience
  • Reported
  • Steering Committee: Phase 3: Operations
  • Service Level Objectives
  • SOC Internal Health and Performance


  • Introduction
  • SOC-CMM Walkthrough


  • Process list
  • Sequence Walk Through

Case Study

  • Phin Phisher
  • Insiders
  • Equifax

Who should take this course?

Ideally, attendees will be SOC managers, team leads in security specializations or lead technical staff, security architects. CIO, CISO or CSO (Chief Security Officer) is the highest level in the organization appropriate to attend.


  • Fundamental knowledge of information security principles. Beneficial to have some experience with security operations, but if you don’t that’s ok.

What students should bring

  • A computer is not necessary, bring your willingness to thoughtfully contribute to discussions.

Trainer Biography

Christopher Crowley has 20 years of experience managing and securing networks, beginning with his first job as an Ultrix and VMS systems administrator at 15 years old. Today, Crowley is a Senior Instructor at the SANS Institute and the course author for He works with a variety of organizations across industries providing cybersecurity technical analysis, developing and publishing research, sharing expert security insights at conferences, and chairing security operations events.

Crowley holds a multitude of cybersecurity industry certifications and provides independent consulting services specializing in effective computer network defense via Montance® LLC, based in Washington, DC. Montance® provides cybersecurity assessments and framework development services that enable clients to develop new security operations centers (SOC) and improve existing security operations.

An independent consulting firm, Montance® provides direct, customized services to organizations large and small in the financial, industrial, energy, medical, and defense industries.