


Austin Amraen, SOC Director at CommandLink, has built SOC teams from the ground up multiple times, and his approach challenges some of the field's most accepted assumptions. He rejects the tier-one-to-tier-three analyst model entirely, argues that the biggest capability gap in most mature stacks isn't endpoint or identity but unmonitored network traffic, and measures SOC effectiveness not by MTTD or MTTR but by whether analysts are surfacing zero-days and proposing detection methods on their own.
Austin explains why most organizations have the firewall running but nobody assigned to watch what is actually moving through it, and what C2 communications, unusual outbound connections, and open ports look like when someone is finally asking "that's different, what is that?" He also gets into how he handles burnout in practice: mandatory lunch every day, one-on-ones built around career goals rather than company goals, and why process improvements that free up analyst time without reducing workload just move the problem around.
Topics Discussed:
Rejecting the tier-one-to-tier-three SOC model in favor of hiring senior analysts who can build and adapt
NDR as the most overlooked capability gap in organizations with mature EDR, SIEM, and identity coverage
Monitoring firewall traffic logs to detect C2 communications, unusual outbound connections, and unauthorized port activity
Measuring SOC effectiveness through analyst-driven threat intelligence and direct customer feedback rather than MTTD and MTTR
Applying micro-macro thinking from military intelligence to widen investigation scope beyond the immediate alert
Preventing burnout through workload ownership, career-goal conversations, and avoiding process improvements that mask headcount gaps
Building executive trust through data-driven options frameworks that give leadership decision authority on security investments
Hiring for non-traditional backgrounds to build analyst teams with diverse problem-solving approaches and thought processes
Listen to more episodes:
Apple
Spotify
YouTube
By Dropzone AI