
Are Current SOCs Adequate for the Threats They Face?

7 April 2026 · Security Operations · 12 min read

Most SOCs were built for a different war.

Perimeter firewalls. Signature-based IDS. Malware on endpoints. The SOC model that emerged in the 2010s was designed to detect known threats at known boundaries — and for that era, it worked reasonably well. An analyst watched the alert queue, triaged by severity, and escalated anything that matched a playbook.

That model is now failing against the threats that actually compromise organisations.

Not because the analysts are bad. Not because the tools are broken. Because the architecture of most SOCs assumes a threat landscape that stopped being accurate around 2022, and nobody rebuilt the operation to match what replaced it.

The threat landscape shifted. Most SOCs didn’t.

The attacks that cause the most damage today share three characteristics that the traditional SOC model handles poorly:

They start with identity, not malware. AiTM credential phishing, token theft, OAuth consent grants, and MFA fatigue attacks bypass endpoint detection entirely. The attacker never drops a binary. They steal a session token, authenticate as the user, and operate through legitimate cloud applications. The SOC that watches for malicious executables on endpoints sees nothing.

They cross environment boundaries. A stolen Entra ID session token gives the attacker cloud email access, VPN connectivity, and — if the environment is poorly segmented — a path to on-premises Active Directory and Linux servers. The attack chain touches cloud identity, Windows endpoints, and Linux infrastructure in a single incident. The SOC with separate cloud and endpoint teams, using separate tools with separate alert queues, investigates the cloud alert and the endpoint alert independently — and never connects them as one attack.

They operate at the speed of automation. The gap between initial access and data staging is measured in minutes, not hours. In recent incidents I’ve worked, the attacker moved from AiTM phishing to database access in under five minutes. Registered a new MFA method in 33 seconds. Created inbox forwarding rules and consented to OAuth applications simultaneously with lateral movement. The SOC that triages alerts in queue order, with a 30-minute mean time to acknowledge, is already behind before the analyst has even opened the alert.

THE MISMATCH: SOC DESIGN vs ACTUAL THREATS

WHAT MOST SOCs ARE BUILT FOR
● Malware on endpoints
● Network perimeter intrusions
● Single-environment incidents
● Known signatures and IOCs
● Alert queue triage (30-min MTTA)
● Shift-based coverage model
● Escalation = hand it to someone else
● Containment = disable the user account

WHAT ACTUALLY COMPROMISES THEM
● Identity theft (AiTM, token replay)
● Cloud-first attacks (no network touch)
● Cross-environment attack chains
● Novel TTPs with no signatures
● 5-minute attack chains (automated)
● 24/7 attacker availability
● Escalation = the analyst IS the responder
● Containment = 7 persistence mechanisms

Where the gaps actually are

I run a CSOC operation across Microsoft 365, on-premises infrastructure, Palo Alto perimeter, and a managed SOC partner. The gaps I see are not theoretical — they show up in every incident.

Gap 1: Single-environment triage. When an AiTM alert fires in Entra ID and a suspicious process alert fires on an endpoint 90 seconds later, most SOCs triage them as two separate incidents. Different analysts. Different queues. Different tools. The correlation — same attacker IP, same user, same attack chain — is discovered hours later during investigation, not minutes later during triage. By then, the attacker has been on the Linux database server for 45 minutes.

The fix is not more tools. It is a triage methodology that checks all environments for every alert. When an identity alert fires, the responder checks endpoints and servers. When an endpoint alert fires, the responder checks cloud sign-ins and network logs. Cross-environment correlation is not an investigation luxury — it is a triage requirement.
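To make the triage requirement concrete, here is an added example (not the author's CSOC tooling, and not code from any product named in this post) of the correlation step done at triage time rather than hours later. It groups alerts from Entra ID, a Windows endpoint and a Linux server into one incident when they share a user or source IP inside the 15-minute window the assessment below uses as its target. The alert records, hostnames, user names and IP addresses are constructed samples; user normalisation (UPN, DOMAIN\user and local names reduced to one key) is an assumption about how the products report identities.

```python
# Added example for this post: a minimal cross-environment correlator that does
# at triage time what the text says most SOCs only do hours later in investigation.
# It is not the author's CSOC tooling. The alert records are constructed samples
# and the products and hostnames are illustrative.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# The post's target: the chain should be recognised within 15 minutes of the first alert.
WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Alert:
    environment: str        # "cloud", "endpoint" or "server"
    source: str             # product or log that raised the alert
    time: datetime
    user: Optional[str]     # as the product reports it (UPN, DOMAIN\user, local name)
    src_ip: Optional[str]
    summary: str


@dataclass(eq=False)        # identity comparison, so merged incidents can be removed safely
class Incident:
    alerts: List[Alert] = field(default_factory=list)

    def environments(self) -> Set[str]:
        return {a.environment for a in self.alerts}

    def span(self) -> timedelta:
        """Time from the first alert to the latest one in the chain."""
        times = [a.time for a in self.alerts]
        return max(times) - min(times)


def norm_user(user: Optional[str]) -> Optional[str]:
    """Reduce 'CORP\\alice', 'alice@example.com' and 'alice' to the same key (assumption)."""
    if not user:
        return None
    return user.split("\\")[-1].split("@")[0].lower()


def pivot_keys(a: Alert) -> Set[Tuple[str, str]]:
    keys = set()
    u = norm_user(a.user)
    if u:
        keys.add(("user", u))
    if a.src_ip:
        keys.add(("ip", a.src_ip))
    return keys


def linked(a: Alert, b: Alert) -> bool:
    """Two alerts belong together if they share a user or source IP inside WINDOW."""
    return bool(pivot_keys(a) & pivot_keys(b)) and abs(a.time - b.time) <= WINDOW


def correlate(alerts: List[Alert]) -> List[Incident]:
    """Single-linkage clustering in arrival order. An alert that links to several
    open incidents merges them: it is the bridge between two halves of one chain."""
    incidents: List[Incident] = []
    for a in sorted(alerts, key=lambda x: x.time):
        hits = [inc for inc in incidents if any(linked(a, b) for b in inc.alerts)]
        if not hits:
            incidents.append(Incident([a]))
            continue
        target = hits[0]
        for other in hits[1:]:
            target.alerts.extend(other.alerts)
            incidents.remove(other)
        target.alerts.append(a)
    return incidents


T0 = datetime(2026, 4, 7, 2, 13, 0)   # constructed: first alert fires at 02:13

SAMPLE_ALERTS = [
    Alert("cloud", "Entra ID Protection", T0, "alice@example.com", "203.0.113.45",
          "Sign-in from anonymous IP consistent with AiTM token replay"),
    Alert("cloud", "Entra audit log", T0 + timedelta(seconds=33), "alice@example.com",
          "203.0.113.45", "New MFA authentication method registered"),
    Alert("endpoint", "Defender for Endpoint", T0 + timedelta(seconds=90), "CORP\\alice",
          None, "Suspicious child process spawned by Outlook on WS-0142"),
    Alert("endpoint", "Defender for Endpoint", T0 + timedelta(minutes=2), "CORP\\bob",
          "10.20.30.40", "Unsigned driver load blocked on WS-0077"),   # unrelated noise
    Alert("server", "sshd (auth.log)", T0 + timedelta(minutes=5), "dbadmin",
          "203.0.113.45", "Accepted publickey from 203.0.113.45 on db-prod-01"),
]


def triage_view(incidents: List[Incident]) -> List[dict]:
    """What the triage responder should see: one row per incident, not per alert."""
    return [{"alerts": len(i.alerts),
             "environments": sorted(i.environments()),
             "span_minutes": i.span().total_seconds() / 60}
            for i in incidents]


if __name__ == "__main__":
    for row in triage_view(correlate(SAMPLE_ALERTS)):
        print(row)
```

Run as-is, the five sample alerts collapse to two rows: one incident spanning cloud, endpoint and server over five minutes, and one unrelated endpoint alert. The endpoint alert carries no source IP and reports the user as `CORP\alice`; without the identity normalisation it would stay a separate incident, which is exactly the failure the text describes.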

Gap 2: Containment is a single action, not a coordinated operation. The standard playbook says: disable the user account. But the attacker who stole a session token and registered a new MFA method and consented to an OAuth application and created an inbox forwarding rule and deployed a Run key on the endpoint and added an SSH key to a Linux server has SEVEN persistence mechanisms. Disabling the user account addresses one. The attacker returns through any of the other six within minutes.

Containment for modern attacks requires: simultaneous action across every compromised environment, addressing every persistence mechanism, and verification that each mechanism was actually neutralised. This is a coordinated operation, not a checkbox.

Gap 3: The analyst skill set has not evolved. Most SOC analysts are hired for endpoint and network skills. They can analyse process trees, read firewall logs, and identify known malware. But the attack that starts with an OAuth consent grant, pivots through Azure Run Command, and lands on a Linux server running PostgreSQL requires: KQL for cloud log analysis, PowerShell for Windows investigation, Bash for Linux triage, and the judgment to correlate findings across all three. That is a different skill profile from the one most SOC job descriptions are written for.

Gap 4: Evidence volatility is not understood. Cloud session tokens expire in 60 minutes. Memory contents change every second. Container ephemeral layers disappear on restart. The SOC that triages in queue order — handling the alert that arrived first, regardless of evidence volatility — loses evidence that can never be recovered. The AiTM alert that sat in the queue for 45 minutes before an analyst picked it up? The session token has expired. The sign-in context is gone. The responder is now reconstructing from logs what they could have observed live.
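The volatility point is easier to act on once it is written down as an ordering rule. The following is an added example, not the author's workflow or any product's feature: a planner that orders collection by how soon each artefact disappears, tells the responder what an alert that sat in the queue has already lost, and picks the next alert by soonest evidence loss instead of arrival order. The 60-minute session-token lifetime is the post's figure; the lifetimes for process memory and the container layer, the hostnames, and the capture tools attached to each item are constructed assumptions for the sample.

```python
# Added example for this post, not the author's workflow: evidence collection
# ordered by time-to-loss rather than by alert arrival. The 60-minute token
# lifetime is the post's figure; every other lifetime below is an assumption.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Evidence:
    name: str
    environment: str
    created: datetime               # when the artefact came into existence
    lifetime: Optional[timedelta]   # None = survives until someone deletes it
    tool: str                       # how a triage responder captures it


def time_left(item: Evidence, now: datetime) -> Optional[timedelta]:
    """Remaining life of the artefact, or None if it is not volatile."""
    if item.lifetime is None:
        return None
    return item.created + item.lifetime - now


def collection_plan(items: List[Evidence], now: datetime) -> Tuple[List[Evidence], List[Evidence]]:
    """Split evidence into (collect in this order, already lost).
    Volatile items go first, soonest-to-expire at the top; persistent items last."""
    collect, lost = [], []
    for it in items:
        tl = time_left(it, now)
        if tl is not None and tl <= timedelta(0):
            lost.append(it)
        else:
            collect.append((tl, it))
    collect.sort(key=lambda p: (p[0] is None, p[0] if p[0] is not None else timedelta(0)))
    return [it for _, it in collect], lost


@dataclass
class QueuedAlert:
    name: str
    arrived: datetime
    evidence: List[Evidence]


def triage_order(queue: List[QueuedAlert], now: datetime) -> List[str]:
    """Pick alerts by the soonest evidence loss, not by arrival time.
    Alerts whose evidence is all persistent sort last, oldest first among them."""
    def soonest(q: QueuedAlert):
        lefts = [t for t in (time_left(e, now) for e in q.evidence) if t is not None]
        return (not lefts, min(lefts) if lefts else timedelta(0), q.arrived)
    return [q.name for q in sorted(queue, key=soonest)]


# Constructed scenario: the AiTM alert fires at 02:00; the stolen session was
# minted 20 minutes earlier, so the token dies 40 minutes after the alert.
T0 = datetime(2026, 4, 7, 2, 0, 0)
AITM_EVIDENCE = [
    Evidence("cloud session token and live sign-in context", "cloud",
             T0 - timedelta(minutes=20), timedelta(minutes=60),
             "Entra sign-in and session query before revocation"),
    Evidence("process memory on WS-0142", "endpoint", T0, timedelta(hours=2), "WinPMem"),
    Evidence("container writable layer on app-01", "server", T0, timedelta(hours=4),
             "docker export"),
    Evidence("auth.log on db-prod-01", "server", T0, None, "Velociraptor / scp"),
    Evidence("Windows event logs on WS-0142", "endpoint", T0, None, "KAPE"),
]
QUEUE = [
    QueuedAlert("Firewall: port scan from 198.51.100.7", T0 - timedelta(minutes=30),
                [Evidence("perimeter traffic log", "network", T0 - timedelta(minutes=30),
                          None, "log export")]),
    QueuedAlert("Entra: AiTM-style sign-in for alice", T0, AITM_EVIDENCE),
]


if __name__ == "__main__":
    print("Triage order at 02:00:", triage_order(QUEUE, T0))
    for delay in (5, 45):
        plan, lost = collection_plan(AITM_EVIDENCE, T0 + timedelta(minutes=delay))
        print(f"Picked up after {delay} min: collect {[e.name for e in plan]}; "
              f"lost {[e.name for e in lost]}")
```

With the alert picked up five minutes after it fired, the session context is first on the list with 35 minutes to live. Picked up after 45 minutes, the same item is reported as lost and the plan starts with process memory, which is the situation the paragraph above describes. The queue comparison shows the older firewall alert, whose only evidence is a persistent log, correctly sorting behind the newer AiTM alert.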

Gap 5: Regulatory awareness is absent from triage. When the triage reveals that an attacker accessed a database containing 5,000 EU customer records and 810 employee payroll records with national insurance numbers, the GDPR 72-hour clock starts. The NIS2 24-hour clock starts. The cyber insurance notification deadline starts. The SOC analyst who does not recognise these triggers during triage — who treats regulatory assessment as “someone else’s problem” — causes the organisation to miss notification deadlines. The regulatory assessment is not a legal team activity that happens after the investigation. It starts at triage, because triage is when the data exposure is first identified.
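A regulatory trigger check belongs in the triage workflow as a small piece of logic, not as a memory exercise. Below is an added example, not the author's triage scorecard and not legal advice, that turns the finding in this paragraph (5,000 EU customer records and 810 payroll records with national insurance numbers) into the notification clocks that have started and the hours remaining on each. The deadlines encoded are GDPR Article 33 (72 hours from becoming aware) and NIS2 Article 23 (24-hour early warning, 72-hour incident notification); whether the organisation is in NIS2 scope and the incident is significant is an input, and the cyber insurance deadline is a placeholder read from the policy wording rather than a fixed number. The table names, record descriptions and awareness time are constructed.

```python
# Added example for this post, not the author's scorecard: a regulatory trigger
# check that maps what triage found was accessed to the notification clocks that
# have started. Deadlines: GDPR Art. 33 (72 h from awareness), NIS2 Art. 23 early
# warning (24 h) and incident notification (72 h). NIS2 significance and the
# insurer's deadline are inputs, since both depend on the organisation.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class DataExposure:
    description: str
    records: int
    personal_data: bool      # relates to identifiable people
    gdpr_applies: bool       # EU or UK GDPR covers these data subjects


@dataclass(frozen=True)
class Clock:
    regime: str
    obligation: str
    due: datetime

    def hours_left(self, now: datetime) -> float:
        return (self.due - now).total_seconds() / 3600


def notification_clocks(exposures: List[DataExposure], aware_at: datetime,
                        nis2_significant: bool = False,
                        insurer_hours: Optional[int] = None) -> List[Clock]:
    """Clocks that started at aware_at, soonest deadline first."""
    clocks = []
    if any(e.personal_data and e.gdpr_applies and e.records > 0 for e in exposures):
        clocks.append(Clock("GDPR", "Art. 33 breach notification to the supervisory authority",
                            aware_at + timedelta(hours=72)))
    if nis2_significant:
        clocks.append(Clock("NIS2", "Art. 23 early warning", aware_at + timedelta(hours=24)))
        clocks.append(Clock("NIS2", "Art. 23 incident notification", aware_at + timedelta(hours=72)))
    if insurer_hours is not None:
        clocks.append(Clock("Cyber insurance", "notify insurer (deadline taken from policy)",
                            aware_at + timedelta(hours=insurer_hours)))
    return sorted(clocks, key=lambda c: c.due)


# The post's finding, as constructed sample input.
TRIAGE_FINDING = [
    DataExposure("EU customer records in the PostgreSQL customers table", 5000, True, True),
    DataExposure("Employee payroll records with national insurance numbers", 810, True, True),
    DataExposure("Application configuration files", 12, False, False),
]
AWARE_AT = datetime(2026, 4, 7, 2, 13, 0)   # constructed: when triage confirmed the access


def triage_summary(exposures: List[DataExposure], aware_at: datetime, now: datetime,
                   **kwargs) -> dict:
    """The regulatory block of a triage report: records exposed, clocks running,
    and which deadline the responder must hand over first."""
    clocks = notification_clocks(exposures, aware_at, **kwargs)
    return {
        "personal_records": sum(e.records for e in exposures if e.personal_data),
        "clocks": [(c.regime, c.obligation, round(c.hours_left(now), 1)) for c in clocks],
        "next_due": clocks[0].regime if clocks else None,
    }


if __name__ == "__main__":
    summary = triage_summary(TRIAGE_FINDING, AWARE_AT, AWARE_AT + timedelta(minutes=30),
                             nis2_significant=True, insurer_hours=48)
    print(summary)
```

Thirty minutes into triage, the output reports 5,810 personal records exposed and four running clocks, with the NIS2 early warning due first at 23.5 hours. Leaving `nis2_significant` off and `insurer_hours` unset yields only the GDPR clock, which is the shape the check takes for an organisation outside NIS2 scope.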

The SOC capability gap assessment

This is the question every SOC leader should be asking: can your current operation handle a cross-environment, identity-first attack chain that moves from cloud to endpoint to server in under five minutes?

Score your SOC against these 10 capabilities. Each is a yes/no — partial credit does not count in an incident.

SOC CAPABILITY GAP ASSESSMENT
Score: 1 point for each YES. 0 for NO or PARTIAL.

TRIAGE CAPABILITIES
[ ] 1. Can your analysts triage across cloud, Windows, AND Linux
       in a single incident workflow? (Not escalate to separate teams)
[ ] 2. Can your team identify a cross-environment attack chain
       (cloud → endpoint → server) within 15 minutes of the first alert?
[ ] 3. Do your analysts understand evidence volatility and prioritise
       collection based on what disappears first?

CONTAINMENT CAPABILITIES
[ ] 4. Can your team execute coordinated containment across cloud
       sessions, endpoints, and servers simultaneously?
[ ] 5. Do your containment playbooks address persistence mechanisms
       beyond "disable the user account"?

TOOL CAPABILITIES
[ ] 6. Can your analysts write KQL queries against Sentinel/Defender
       (not just use the portal UI)?
[ ] 7. Do your analysts have access to memory acquisition tools
       (WinPMem, LiME) and know when to use them?
[ ] 8. Can your team collect forensic artifacts from endpoints
       (KAPE, Velociraptor) without waiting for the IR team?

OPERATIONAL CAPABILITIES
[ ] 9. Can your analysts identify regulatory notification triggers
       (GDPR, NIS2, DORA) during triage — not after investigation?
[ ] 10. Do your triage reports include enough detail for the
        investigation team to start working immediately?

SCORING:
  8-10: Your SOC is built for current threats
  5-7:  Significant gaps that attackers will exploit
  3-4:  Your SOC handles last decade's threats
  0-2:  Your SOC is a monitoring function, not a response function

Most SOCs I’ve assessed score 3-5. They can triage endpoint alerts competently. They fall apart when the attack crosses environment boundaries, when containment requires more than one action, or when regulatory timelines enter the picture.

What “adequate” actually looks like

An adequate SOC for today’s threats is not necessarily a larger SOC. It is a SOC where:

Every analyst can operate across environments. Not specialist cloud analysts and specialist endpoint analysts. Generalists who can run the 5-query KQL triage pack against Sentinel, check process trees on Windows, and read auth.log on Linux — all for the same incident. The depth comes from the investigation team. The breadth must exist at the triage level.

Containment is a coordinated protocol, not a single action. The analyst has a containment checklist per environment and executes all of them in a 60-second window. Cloud session revocation, endpoint isolation, Linux account lock, network blocks — simultaneously. Rehearsed quarterly.

Evidence preservation is muscle memory. The analyst does not debate whether to capture memory or collect KAPE artifacts. The triage workflow defines: what to collect, in what order, with what tools, for every environment type. The tools are pre-staged in a go-bag. The commands are scripted.

Regulatory awareness is embedded in triage. Not a separate process. Not a legal team activity. The triage scorecard includes a regulatory trigger check. The analyst identifies which data was accessed, which regulations apply, and which notification clocks have started — in the same workflow that identifies the attacker’s TTPs.

This is not aspirational. It is the operational standard required by the threats that are actually landing in production environments today. The gap between what most SOCs can do and what these threats demand is the gap that attackers exploit — not through sophisticated zero-days, but through commodity phishing kits and the knowledge that most defenders still think in single environments.

The uncomfortable question

If your SOC received three simultaneous alerts right now — an AiTM sign-in in the cloud, a suspicious process on an endpoint, and an SSH connection from an unknown IP to a production Linux server — could your on-call analyst scope, contain, and report on the incident within 60 minutes?

Not the IR team lead. Not the senior engineer. The analyst who is actually on call at 02:00 on a Saturday.

If the answer is anything other than “yes, confidently,” the SOC is not adequate for the threats it faces. The question is not whether to close that gap — the attacks are already here. The question is how quickly.


Next week: five KQL queries that every triage responder should have bookmarked — the cloud triage pack that scopes an M365 compromise in 10 minutes.

We publish weekly on making security operations work in practice. If that’s useful, subscribe below.
