Future of SecOps

Opinionated analysis, guides, and expert takes from security operations practitioners.

Stay sharp on security operations

Practitioner takes on SOC modernization, detection engineering, threat hunting, and more. No fluff. No product pitches.

Latest

AI in Security Operations

Most AI SOC demos are scripted against scripted data

A detection engineer's take on why the AI SOC demo always looks clean, and what to do about it. Theo Hartley breaks down the six incentives that make curated demos the rational default, why POC numbers don't survive contact with production data, and how to run an evaluation the vendor can't script against.

Theo H. · Jun 15, 2026
AI in Security Operations

What an AI SOC agent actually does on a Tier 1 alert

An AI SOC agent closed an impossible-travel alert with a full evidence chain in under four minutes. It also recommended isolating a production server over clean traffic the same week. Marta Kowalska walks one real Entra ID alert through the agent's full investigation chain — and shows exactly where the reasoning broke on a different alert class.

Marta K. · Jun 15, 2026
AI in Security Operations

The AI SOC Analyst: Augmentation or Replacement?

Every AI SOC vendor says the technology augments analysts. Their own ROI math says something different. Theo Hartley breaks down why "augmentation" is doing commercial work rather than describing the product — and what the broken entry-level hiring pipeline tells you about where Tier 1 is actually headed.

Theo H. · Jun 14, 2026
Detection Engineering

Sigma rules are essential, and also overrated

Sigma solved detection portability but not tuning, conversion fidelity, or cloud coverage. Where the format still delivers value and where teams over-rely on it.

Marta K. · Jun 3, 2026
Competitive Content

Top MDR providers in 2026: an operator's read

An operator's take on MDR provider archetypes, response authority, automation depth, and breach warranties in 2026.

Daniel C. · Jun 3, 2026
Cloud Security Operations

What cloud security monitoring actually looks like in a mid-market SOC

Cloud security monitoring for 3-5 person SOC teams: four pillars, co-managed MDR, telemetry strategy, and where most stacks fail.

Marta K. · Jun 2, 2026
AI in Security Operations

Agentic security: What the term should mean in practice

Agentic security means two things. Practitioners need both. Here's the definitional work.

Daniel C. · Jun 2, 2026
AI in Security Operations

Auditability is the AI SOC question buyers aren't asking (yet)

Explainability wins the demo. Auditability survives the audit. The three questions AI SOC buyers should add to their vendor scorecard.

Theo H. · Jun 2, 2026
Threat Intelligence

Most threat intelligence sits unread

Most threat intelligence never reaches a detection rule. The cause is structural: a format mismatch between TI delivery and detection workflows.

Theo H. · May 26, 2026