Extended Detection & Response (XDR)

  • Your SOC Has a Retention Problem. Your Tooling Might Be the Cause.

    Seventy percent of SOC analysts with five years or less of experience leave within three years. The typical explanation is burnout from an overwhelming threat landscape. The less comfortable explanation is that the tools meant to help analysts are making their jobs worse. Fragmented workflows, constant context-switching across disconnected platforms, and thousands of daily alerts with no actionable context are turning what should be a high-impact career into a repetitive grind. When analysts spend more time wrangling dashboards than investigating threats, the best ones leave.

    The retention problem is not just a staffing issue. It is an operational risk. Every departure takes institutional knowledge with it, increases the load on remaining team members, and widens the window for missed detections. Organizations that want to keep experienced analysts need to redesign how SOC work gets done, starting with how detection, investigation, automation, and analyst experience are delivered across the stack.

    Addressing this challenge requires coordination across SIEM, XDR, SOAR, MDR, and security analytics platforms to reduce friction, improve context, and make investigations more actionable.

    Topics include:

    • How fragmented tooling and manual workflows contribute to analyst turnover
    • Reducing cognitive load through unified investigation and automated triage
    • Building a SOC environment that retains talent by making the work sustainable

    Join us to explore how rethinking SOC tooling and workflows can address the retention crisis at its source.


  • AI in the SOC: Separating the Tools That Actually Work From the Ones That Add More Noise

    Every security vendor now claims AI capabilities. For SOC teams already processing thousands of alerts per day, the promise is appealing: automated triage, intelligent prioritization, faster investigations. The reality is more complicated. Poorly implemented AI can generate its own layer of noise, create false confidence in automated decisions, and introduce opaque reasoning that analysts cannot validate or trust.

    The SOC teams seeing real results from AI are the ones asking the right questions before deploying it. They are auditing data quality first, defining what “automated” should and should not mean for their environment, and measuring whether AI is reducing time-to-resolution or just shifting where analysts spend their time.

    Getting this right requires alignment across detection, triage, investigation, and automation layers of the SOC – from SIEM and XDR to SOAR, MDR, and AI-driven analytics platforms.

    Topics include:

    • Evaluating AI-driven SOC tools based on measurable outcomes, not vendor claims
    • Addressing data quality and pipeline readiness before deploying AI-powered detection
    • Defining the right division of labor between automated triage and human investigation

    Join us for an honest look at where AI is delivering real value in security operations and where it is falling short.


  • Living-Off-the-Land Attacks Dwell for Months. Here’s Why Your Detection Stack Keeps Missing Them.

    Living-off-the-land (LOTL) attacks do not drop malware, install backdoors, or trigger signature-based detections. They use the tools already present in your environment: PowerShell, WMI, legitimate remote administration utilities, and valid credentials. Nation-state groups and sophisticated criminal operators favor this approach because it blends seamlessly with normal administrative activity. Some LOTL intrusions dwell for months or even years before discovery.

    Most detection stacks were built to find things that should not be there. LOTL attacks invert the problem by using things that should be there. As a result, organizations are being forced to rethink how detection, identity, and behavioral signals work together across the stack to distinguish legitimate activity from attacker behavior.

    Addressing LOTL techniques requires coordination across endpoint, network, identity, and behavioral analytics capabilities – from EDR and XDR to ITDR, NDR, UEBA, and deception technologies.

    Topics include:

    • How LOTL attackers exploit native tools and legitimate credentials to evade detection
    • Why signature-based and file-based detection strategies fail against fileless techniques
    • Building a detection posture around behavioral analysis, credential monitoring, and assumed compromise

    Discover how to close the detection gaps that LOTL attackers are counting on and build defenses designed for threats that look like normal operations.

  • Your Security Team Is Five People. The Threat Landscape Doesn't Care. What Managed Services Actually Solve.

    Most SOCs consist of two to ten full-time analysts. That number has not changed since the SANS Institute started tracking it in 2017. What has changed is the scope of coverage: cloud environments, SaaS platforms, remote endpoints, OT networks, and now AI workloads. The attack surface grew by orders of magnitude while headcount stayed flat. For mid-market and resource-constrained organizations, the math stopped working years ago.

    Managed security services are no longer a concession. They are an architectural decision. The question has shifted from "can we afford outside help?" to "can we afford not to extend coverage into the environments we currently cannot see?" Addressing this requires evaluating options across MDR, MSSP, XDR, and platform-driven co-managed models to find the right fit for each organization's risk profile and operational maturity. The organizations making managed services work are the ones that define clear boundaries: what stays internal, what gets co-managed, and what gets fully outsourced, while retaining control over incident response decisions and strategic direction.

    Topics include:

    • Defining which security functions to keep in-house, co-manage, or fully outsource
    • Extending detection and response coverage into cloud, SaaS, and hybrid environments with lean teams
    • Evaluating managed service providers based on transparency, integration, and measurable outcomes

    Learn how resource-constrained security teams are extending their coverage and capabilities through managed services without giving up control.


  • Context Lives in Five Different Tools. That's Why Your Incident Response Takes Hours Instead of Minutes.

    The average enterprise deploys 28 security monitoring tools. Each one generates its own alert stream, uses its own console, and stores context in its own format. When an incident occurs, analysts do not start by investigating. They start by assembling. They pull logs from the SIEM, check the EDR console, cross-reference the firewall, open the ticketing system, and manually piece together a timeline. This context-switching burns time, introduces errors, and extends incident response from minutes to hours. The tools designed to improve security are, in practice, fragmenting the information analysts need most.

    The organizations with the fastest response times are not necessarily using better tools. They are using fewer consoles, shared context, and automated enrichment that presents a unified investigation surface. Addressing this requires coordination across SIEM, XDR, SOAR, MDR, security analytics, and data enrichment platforms to collapse the distance between alert and decision. When an alert arrives pre-correlated with asset data, user context, threat intelligence, and historical activity, analysts skip the assembly phase and go straight to decision-making. That is the difference between a 15-minute investigation and a three-hour one.

    Topics include:

    • Reducing context-switching by consolidating investigation workflows across security tools
    • Automating alert enrichment with asset, identity, and threat intelligence context at the point of triage
    • Building incident response workflows that prioritize speed-to-decision over tool-by-tool investigation

    Learn how SOC teams are cutting investigation time by unifying the context that is currently scattered across their security stack.


  • Nation-state Tactics in Criminal Hands: What the Blurring of Threat Actor Lines Means for Your Defenses

    The line separating nation-state operations from criminal activity is collapsing. Criminal groups are adopting techniques that were once the exclusive domain of state-sponsored actors: supply chain compromise, living-off-the-land intrusions, pre-positioning inside critical infrastructure, and coordinated campaigns timed to geopolitical events. At the same time, nation-states are outsourcing operations to criminal proxies, creating a blended threat landscape where attribution is harder and the sophistication floor keeps rising. What once required a government-backed team and years of development is now available as a service on dark web forums.

    For defenders, this convergence changes the calculus. Threat models built around the assumption that criminal actors use commodity tools and state actors use custom capabilities no longer hold. Addressing this requires coordination across threat intelligence, detection and response platforms, and security analytics capabilities to build defenses that account for sophisticated adversaries regardless of attribution. That means threat intelligence that tracks actor behavior rather than just indicators of compromise, detection strategies calibrated for advanced tradecraft at any scale, and incident response plans that prepare for the possibility that a ransomware attack is the visible layer of a deeper intrusion.

    Topics include:

    • How the convergence of criminal and nation-state tactics is reshaping the threat landscape
    • Moving threat intelligence from indicator-based feeds to behavior-based analysis
    • Building detection and response capabilities calibrated for sophisticated adversaries at any scale

    Explore what the blurring of threat actor lines means for your security strategy and how to defend against adversaries who no longer fit neatly into categories.
