
SOC360 has been operating for five years. The first ticket appeared in the system on February 10, 2021. Since then, the number of alerts has steadily increased — in January this year we surpassed 500,000 tickets.
Behind every single one of them there is an analysis, a decision, and the responsibility of a specific analyst. It also reflects the evolution of processes, the refinement of teamwork, and constant adaptation to the changing threat landscape.
To mark the 5th anniversary, we asked the team to share their experiences.
In a conversation led by Natalia Prochowska-Zawisza, our Content Manager, we take a look behind the scenes of SOC operations: what a typical analyst’s day looks like, what the biggest challenges are today, and what has changed over the past five years.
The following experts shared their insights in the article:
Filip Duch – Vice Head of Implementation SOC360
Anna Michalska – Training Manager SOC360
Filip Perz – SOC360 Analyst
Natalia: Five years is a long time. A lot has happened during that period, and your team has grown at a remarkable pace. Looking back from this perspective, what was the biggest challenge for you?
When looking back at the early days of SOC operations, it is easy to assume that the biggest challenge was mysterious alerts, complex incidents, or new tools. In reality, the issue turned out to be much more down-to-earth, Filip Duch laughs.
Filip Duch: The main problem turned out to be information handovers. We simply didn’t realize that shift-based work requires proper preparation and clearly defined procedures — especially when dealing with long investigations that extend beyond a single shift. At first, we thought that a quick conversation or a few messages on a communication channel would be enough.
Reality quickly proved us wrong. In practice, important information was often lost along the way. Analysts starting the next shift didn’t always know what stage the case was at or where they should begin.
It also didn’t help that the team was growing very quickly. There were more and more people involved. At that scale, the process started to drift apart and gradually slip out of control.
Natalia: How did you solve that problem?
Filip Duch: We redesigned the entire shift structure. First, we increased the number of shifts to as many as eight within a 24-hour period. Second, we made them heavily overlap on multiple levels.
In practice, at any given moment some people are in the middle of their shift, some are finishing it, and others are just starting. There is always a period of overlap. Thanks to this overlap, shifts no longer need to be formally handed over at a single moment, which significantly reduces communication issues.
Natalia: Your work involves not only analyzing alerts and responding to incidents, but also talking to clients, explaining risks, and making decisions together. What question do you hear most often when clients try to understand how a SOC works?
Filip Perz: “How do you know that this is a real threat?” or “How does an analyst distinguish an anomaly from a real attack?” These questions come up regularly. Clients want to understand what our decisions are based on. In a way, it’s a test of our knowledge and skills.
Natalia: So how do you actually know?
Filip Perz: There isn’t a single factor. There’s no single rule or parameter that says: “this is already an incident.” In my opinion, it mainly comes down to competence, experience, and intuition.
Competence, because you must deeply understand how a system operates in its normal state — what processes are standard and which behaviors are acceptable for a given environment. The better you understand that normal state, the faster you can detect potential threats. That’s when the first red flag appears — but one flag alone is not enough to declare an incident.
Experience also makes a huge difference. Once you’ve handled a sufficiently large number of tickets, you begin to recognize worrying signals much faster. Those signals often form the beginning of a much larger puzzle and deeper investigation that may not be obvious at first glance.
Natalia: You also mentioned “intuition.” What exactly does that mean in practice?
Filip Perz: Intuition develops alongside experience. We know that attackers usually act cleverly. They want to stay hidden. They split their activity into many small steps, each of which appears insignificant on its own. Those small elements create a cause-and-effect chain.
All these side actions — the way the chain is constructed, attempts to mask activity, breaking actions into smaller pieces — begin to indicate that this is not normal behavior. Intuition helps you decide that it’s time to dig deeper.
Natalia: So a real threat is somehow “bigger” or “smarter”?
Filip Perz: It’s not necessarily smarter. It simply tries to mislead us. It tries to deceive and hide. An anomaly alone is not enough to classify something as an incident. I once heard a sentence that fits perfectly here:
“Not every anomaly means an attack. But every real compromise starts with an anomaly.”
Natalia: If experience and instinct are so important, I assume that knowledge sharing inside the team must play a big role?
Filip Perz: Absolutely. In fact, I believe it’s the responsibility of every one of us.
Everyone needs to stay up to date with what’s happening — what threats we are observing, what patterns are emerging, what is new and what we have already seen before.
Natalia: Do you have structured ways of sharing that knowledge? For example, regular meetings?
Filip Perz / Filip Duch: Yes. We hold regular briefings and internal lectures.
If we notice a threat that is becoming common — or something unusual that doesn’t fit the typical “attack everyone has seen a thousand times” — we discuss it during briefings. We walk through the event, explain what was unusual, and highlight what others should pay attention to. Everyone can ask questions, clarify doubts, and explore the details. It’s an extremely useful process.
Natalia: You also mentioned regular training. How does that work in practice?
Filip Perz: We run a full training program led by Ania — our Training Manager.
Ania Michalska: Our training program is a structured process designed to onboard analysts and gradually develop their competencies, so that everyone knows where they are in their development and what the next steps are. At the same time, we are very proud of our model in which every team member has dedicated time during working hours for professional development.
Natalia: SOC work is often associated with high tempo, urgent alerts, and the need to make critical decisions quickly. Many people imagine constant pressure. What does it actually look like?
Filip Perz: The pressure is real, but only in specific situations.
Usually it appears when we see that something is wrong and there is uncertainty about whether the event is malicious or not. In those moments, one thing matters most: protecting the client. That’s the starting point. We don’t begin with a long analysis of every detail. We react first and secure what needs to be secured.
We try to do everything possible to classify the incident as quickly and accurately as possible. Sometimes that means additional consultations, quickly checking multiple sources, or verifying something with another analyst. There have also been situations where we called each other in the middle of the night if necessary. The pressure mainly comes from the level of responsibility.
Natalia: Is that stressful?
Filip Perz: Yes, it can be. Working in a 24/7 model means shift work, responsibility at any time of the day or night, and making decisions under pressure. What I value most, however, is the fact that no one is ever left alone in those situations.
When a case requires analyzing multiple threads at the same time, the team immediately works together. One person looks at one aspect, another checks something else, and someone coordinates the whole process. Even when the situation is stressful, there is never a sense of facing it alone.
Natalia: There is a lot of discussion today about automation and artificial intelligence in cybersecurity. Your work largely relies on experience, knowledge, and manual analysis. Do you use these kinds of tools?
Filip Perz: That’s a difficult question — the answer is both yes and no.
AI genuinely speeds up certain tasks. For example, searching for information about unusual processes. If something rare or unfamiliar appears, AI-based tools help gather basic information faster. But it’s not something that performs the job for us.
For AI to truly make decisions on behalf of an analyst, it would need access to an enormous number of information sources, full organizational context, and something close to human intuition.
Every client operates differently:
• they have a different business profile,
• work in different hours,
• use different software,
• and have different “normal” behaviors within their environment.
Filip Duch: Without that context, an automated decision will simply be wrong. That’s why in cybersecurity AI is useful as support — but if someone treats it as a replacement for analyst experience and responsibility, it can cause more harm than good.
Natalia: After five years of 24/7 operations, half a million tickets, and thousands of decisions made under pressure, we can talk about numbers, process maturity, and technology. What do you consider the greatest success of these five years?
Filip Duch: First and foremost, the fact that we have become a mature, independent organization.
Many similar companies remain stuck in the start-up phase. They operate quickly and reactively to current market trends, often relying on improvisation and the involvement of a few key individuals. That works for a while, but it’s difficult to scale such an organization and maintain it in a 24/7 model.
We managed to move beyond that stage. We built a structure that does not rely on one or two leaders, but on teams, processes, and shared responsibility. Today we are an organization capable of operating steadily under pressure, continuing to grow, and maintaining high quality at the same time.