

Course Description

The class provides the following:

  • Guidance on business orientation, use case development, hunting techniques
  • Reference model for all functions of a SOC: monitoring, response, intelligence, metrics
  • Guidance on developing internal capability and strategic outsourcing
  • Detailed discussion of technology, process, and analytical staff relations and optimization
  • Sequence of actions for building a SOC, or for cross-referencing an established SOC’s maturity

This course provides a comprehensive picture of a Cyber Security Operations Center (CSOC or SOC). Discussion of the technology needed to run a SOC is handled in a vendor-agnostic way. In addition, technology is addressed in a way that attempts to accommodate both minimal budgets and budgets with global scope. Staff roles needed are enumerated. Informing and training staff through internal training and information sharing is addressed. The interaction between functional areas and the data exchanged is detailed. Processes to coordinate the technology, the SOC staff, and the business are enumerated.

After attending this class, the participant will have a roadmap (and Gantt chart) for what needs to be done in the organization seeking to implement security operations. Ideally, attendees will be SOC managers, team leads in security specializations or lead technical staff, security architects. CIO, CISO or CSO (Chief Security Officer) is the highest level in the organization appropriate to attend.

The inclusion of all functional areas of security operations is intended to develop a standardized program for an organization and express all necessary capabilities. Admittedly ambitious, the intention of the class is to provide a unified picture of coordination among teams with different skillsets to help the business prevent loss due to poor security practices. I have encountered detrimental compartmentalization in most organizations. There is a tendency for a specialist to look only at her piece of the problem, without understanding the larger scope of information security within an organization.

Organizations are likely to perceive a security operations center as a tool, and not the unification of people, processes, and technologies. This class is not technical in nature, but someone without knowledge of common IT practices and Information Security fundamentals (such as the Confidentiality, Integrity, and Availability triad) will be lost very quickly. This is not a class to send SOC analysts to, but it is great for the technical lead and manager.

Course contents

Class Orientation

  • A Story About Telling Stories
  • First Principles and Terminology

Business Alignment

  • Steering Committee – Phase 1: Design
  • Requirements
  • Impact
  • Charter

SOC Design

  • Functional Components
  • Presumed Organizational Support Functions
  • Functional Arrangements
  • Operational and Architectural Considerations
  • SOC Organizational Position
  • Multi SOC Models
  • SOC and IT Relations
  • Size and Maturity
  • Size: What Does It Look Like?
  • Outsourcing Advice

Overall Program of Operations

  • Intro
  • Command Center
  • Network Security Monitoring
  • Threat Intelligence
  • Incident Response
  • Forensics
  • Self Assessment

Business Alignment (2)

  • Defensive Topology
  • Steering Committee: Phase 2: Build

SOC Design

  • Functional Area Work Products
  • Technology Selection
  • Physical SOC Build
  • Technology Selection
  • Cultural and Organizational Influence on SOC Requirements and Performance
  • Orchestration and Automation


  • Analytical Methodology for the SOC
  • Applied ACH
  • Available Frameworks for Analysis
  • Analytical Methodology: Wrap Up


  • Roles
  • Hiring
  • Onboarding
  • Training
  • Meetings
  • Retention


  • Tempo
  • Pre-Forensics
  • Threat Hunting
  • Use Case Development


  • Introduction
  • Appropriate Audience
  • Reported
  • Steering Committee: Phase 3: Operations
  • Service Level Objectives
  • SOC Internal Health and Performance


  • Introduction
  • SOC-CMM Walkthrough


  • Process list
  • Sequence Walk Through

Case Study

  • Phin Phisher
  • Insiders
  • Equifax

Who should take this course?

Ideally, attendees will be SOC managers, team leads in security specializations or lead technical staff, security architects. CIO, CISO or CSO (Chief Security Officer) is the highest level in the organization appropriate to attend.


  • Fundamental knowledge of information security principles. It is beneficial to have some experience with security operations, but if you don’t, that’s OK.

What students should bring

  • A computer is not necessary; bring your willingness to thoughtfully contribute to discussions.

Trainer Biography

Christopher Crowley has 20 years of experience managing and securing networks, beginning with his first job as an Ultrix and VMS systems administrator at 15 years old. Today, Crowley is a Senior Instructor at the SANS Institute and the course author for He works with a variety of organizations across industries providing cybersecurity technical analysis, developing and publishing research, sharing expert security insights at conferences, and chairing security operations events.

Crowley holds a multitude of cybersecurity industry certifications and provides independent consulting services specializing in effective computer network defense via Montance® LLC, based in Washington, DC. Montance® provides cybersecurity assessments and framework development services that enable clients to develop new security operations centers (SOC) and improve existing security operations.

An independent consulting firm, Montance® provides direct, customized services to organizations large and small in the financial, industrial, energy, medical, and defense industries.
