Continue your mission
The Security Operations Center emerged from the collision between 1990s SIEM technology and a growing recognition that the internet was not a trusted network. What began as a monitoring function borrowed from NOC operations has become the dominant organizational model for detecting and responding to threats, and it is now showing structural strain under the weight of alert volumes no human workforce can absorb.
A Security Operations Center (SOC) is an organizational unit responsible for the continuous monitoring, detection, analysis, and response to cybersecurity events affecting an organization. In its most common form, it is a team of analysts working from a centralized location (or a distributed virtual equivalent), watching security data streams, triaging alerts, investigating incidents, and escalating or containing threats.
The SOC is both a technology deployment and an organizational design. The technology typically includes a Security Information and Event Management (SIEM) platform for log aggregation and correlation, endpoint detection tools, network monitoring, threat intelligence feeds, and increasingly automation platforms for tier-1 triage. The organizational design determines how analysts are structured, what shift coverage exists, what escalation paths look like, and how outcomes are measured.
Two PDM domains define the SOC's function. The Threat Intelligence and Defense (TID) domain, guided by the Predictive Defense Intelligence (PDI) methodology, is the SOC's primary operating domain: see the threat before it sees you. The Security Posture and Hygiene (SPH) domain, governed by Autonomous Posture Command (APC), sets the baseline from which SOC monitoring operates: a SOC monitoring a poorly configured environment spends most of its time investigating noise generated by its own infrastructure.
---
The SOC did not spring into existence as a designed institution. It evolved from adjacent disciplines, shaped by real incidents and driven by technology that created new problems in the process of solving old ones.
Network Operations Centers and the 1990s Baseline
The organizational ancestor of the SOC is the Network Operations Center (NOC). NOCs emerged in the 1980s and early 1990s as telecommunications companies and large enterprises needed 24/7 visibility into network availability and performance. The NOC model established the operational pattern that the SOC would inherit: a centralized monitoring function, always-on coverage, tiered analyst roles, and escalation procedures for incidents that exceeded analyst authority to resolve.
What the NOC did not do was security. It watched for outages, latency spikes, and hardware failures. Security events, to the extent anyone was watching for them, were typically handled by the same administrators who managed the infrastructure, on a reactive basis.
Incidents That Changed the Equation
The late 1990s produced a series of incidents that made visible, at national scale, the inadequacy of treating security as an afterthought.
The Morris Worm (1988) was early and relatively contained, but it established the proof of concept: a single piece of software, propagating autonomously across the network, could cause widespread disruption in hours. Solar Sunrise (1998) was more alarming to government and military officials. A series of intrusions into U.S. Department of Defense systems, initially attributed to Iraq but ultimately traced to two California teenagers and an Israeli hacker, demonstrated that critical government infrastructure was not only vulnerable but being actively exploited. The investigation revealed that the DoD had almost no visibility into its own network: the intrusions had been ongoing for weeks before anyone noticed.
Moonlight Maze (1999) was the most significant of the era. An extended campaign of intrusions attributed to Russian state-affiliated actors targeted U.S. government, military, and research networks over a period that lasted more than a year. Moonlight Maze was an early example of what would later be called an Advanced Persistent Threat (APT): patient, sophisticated, and focused on intelligence collection rather than disruption. The investigation demonstrated that reacting to incidents as they were reported was not an adequate model. Something had to be watching continuously.
The SIEM Creates the Alert Queue
The early 2000s brought the first generation of Security Information and Event Management platforms. ArcSight, founded in 2000, was among the first commercial SIEM products. The value proposition was aggregation: security events were scattered across dozens of log sources (firewalls, servers, applications, network devices), and no one could watch all of them individually. A SIEM collected, normalized, and correlated these events, applying rules to generate alerts when patterns suggested something worth investigating.
The unintended consequence was the alert queue. SIEM correlation rules, applied to the volume of log data generated by a large enterprise network, produced thousands of alerts per day. Each alert notionally required human review. The only organizational structure capable of staffing that review function continuously was the SOC.
The SOC emerged not because someone designed it as the optimal security organizational model. It emerged because SIEMs produced queues, and someone had to work the queues.
2010s: Commoditization and Alert Fatigue
Through the 2010s, the SOC became standard practice for enterprise organizations. Large companies built internal SOCs. Mid-market organizations purchased SOC capabilities through Managed Security Service Providers (MSSPs), which operated shared SOC infrastructure serving multiple clients.
The decade also produced a term that captured a structural problem: alert fatigue. As enterprise environments grew more complex, as the number of security tools proliferated, and as SIEM rules accumulated without corresponding review and pruning, alert volumes grew faster than analyst capacity. Studies from the era consistently found that analysts at peak periods were processing more than 1,000 alerts per shift. False positive rates above 90 percent were not unusual, and some environments were significantly worse. Analysts trained themselves, consciously or unconsciously, to move fast through the queue rather than investigate thoroughly, because investigating thoroughly and keeping up with the queue were mutually exclusive.
The consequences were real. Genuinely significant alerts were buried in noise. Analysts burned out and left the profession. The industry began discussing whether the SOC model was fundamentally broken.
2020s: Structural Stress and New Architectures
The pandemic accelerated several trends that were already stressing the traditional SOC model. Remote work scattered the workforce that SOCs were designed to monitor. Traditional network perimeters dissolved, meaning the network boundary that anchored perimeter-monitoring controls became largely notional. The attack surface expanded as home networks, personal devices, and a sprawl of SaaS applications entered scope.
Extended Detection and Response (XDR) platforms emerged as a technology response to alert fatigue. XDR attempts to correlate telemetry across endpoint, network, and cloud sources into a single detection surface, reducing the volume of individual alerts by surfacing higher-confidence incidents rather than raw event matches. Security Orchestration, Automation, and Response (SOAR) platforms addressed the tier-1 triage problem by automating routine investigation steps: enriching an alert with threat intelligence, checking an IP address against known-bad lists, or isolating an endpoint, actions that had previously required analyst time.
The organizational design question remained unresolved. Automation could handle known-pattern tier-1 cases. It could not replace the judgment required for novel threats, sophisticated campaigns, or incidents that required business-context understanding.
---
The SOC matters because it is the answer most organizations give to the question: how do we know when something bad is happening? In the absence of a continuous monitoring function, detection depends on users reporting unusual behavior, on automated blocking controls that catch what they were configured to catch, and on forensic investigation after the fact. None of these provide the proactive detection capability that the threat landscape requires.
The evidence on dwell time, the period between initial compromise and detection, makes the case plainly. Industry data consistently places median dwell time in the range of weeks to months. Organizations with mature SOC operations, capable detection coverage, and strong threat intelligence integration consistently achieve shorter dwell times than those without. The gap represents the window during which an attacker can operate undetected: collecting credentials, mapping infrastructure, staging exfiltration, establishing persistence.
For organizations subject to regulatory requirements, the SOC is also frequently a compliance necessity. NIST CSF, ISO 27001, SOC 2, PCI DSS, and sector-specific frameworks all include monitoring and detection requirements that the SOC operationalizes.
---
The modern SOC is built on several technology layers, each with distinct functions and failure modes.
Log Aggregation and SIEM: The foundational layer. Log sources include endpoint agents, network flow data, firewall and IDS/IPS logs, cloud provider logs (AWS CloudTrail, Azure Activity Log, GCP Audit Logs), application logs, and identity provider events. The SIEM normalizes these into a common schema and applies correlation rules to generate alerts. The quality of SIEM coverage is a direct function of log source completeness: gaps in log collection create blind spots.
Endpoint Detection and Response (EDR): Agents deployed on endpoints provide telemetry beyond what logs capture: process execution trees, memory analysis, file system events, and network connections from the endpoint perspective. EDR is the primary tool for investigating endpoint-level incidents and for visibility into threats that evade network controls.
Threat Intelligence Integration: Threat intelligence feeds provide context for SOC decisions: whether an IP address is associated with known infrastructure, whether a file hash matches a known malware family, whether a domain was registered yesterday with anonymized WHOIS data. The value of intelligence is determined by its relevance to the specific environment and the timeliness of its updates.
Tier Structure: Most SOC organizations operate a tier model. Tier 1 analysts handle initial triage, filtering noise and escalating genuine incidents. Tier 2 analysts investigate escalated incidents, perform deeper analysis, and coordinate containment. Tier 3 analysts handle complex investigations, threat hunting (proactive search for threats not generating alerts), and development of new detection content.
Automation and Orchestration: SOAR platforms automate repetitive tier-1 tasks. The degree of automation appropriate for any given action depends on confidence level and blast radius: actions with high confidence and low blast radius (blocking a known-malicious IP) can be fully automated. Actions with lower confidence or higher impact (isolating a production server) require analyst approval.
---
CDA's approach to SOC operations, rooted in the CDArmy operational model, treats the traditional alert-factory SOC as a design failure, not a design aspiration.
The fundamental problem with the alert-factory model is that it optimizes for throughput on a queue rather than for security outcomes. An analyst who processes 1,000 alerts per shift without missing a single ticket is not necessarily making the organization more secure. They are completing a process. When the queue contains 970 alerts that are false positives or low-significance events, processing them thoroughly is operational waste. When the 30 genuinely significant alerts are distributed randomly through the queue, the throughput model is likely to miss them.
CDArmy's mission-based operations model replaces the queue with defined objectives, completion states, and measurable outcomes. Rather than "watch the queue and triage what comes in," a mission is a specific, bounded task: "investigate lateral movement indicators in the finance segment between these dates," "confirm or rule out compromise of these credentials after the phishing campaign," "assess whether these anomalous DNS queries represent a genuine threat." Missions have success criteria. They have scope. They end.
The Predictive Defense Intelligence (PDI) methodology, governing the TID domain, provides the threat intelligence framework that makes mission-based operations possible. PDI's principle is: "See the threat before it sees you." Intelligence-driven operations start with threat actor profiles, attack patterns, and indicators relevant to the specific organization's risk profile, and work inward toward the network, rather than starting with raw alert volume and working outward toward meaning.
---
---
CDA Theater missions that address topics covered in this article.
The Enigma machine was an electro-mechanical cipher device used primarily by Nazi Germany during World War II to encrypt military communications.
On November 2, 1988, a Cornell University graduate student named Robert Tappan Morris released a self-replicating computer program onto the ARPANET, the research network that would become the public internet.
Malware is any software designed to disrupt, damage, or gain unauthorized access to a computer system.
Written by Evan Morgan
Found an issue? Help improve this article.