AiVRICAcademy
Course progress
0%
Foundational • Platform-Agnostic • ~3 hours

Introduction to Modern Cybersecurity Operations

Cybersecurity operations is the continuous practice of detecting threats, managing vulnerabilities, responding to incidents, and maintaining visibility across the environments your organization operates. Modern SecOps has evolved dramatically: the SOC has moved from a log-watching function to a threat-informed, automation-assisted, cloud-aware detection and response capability. This course covers the foundational concepts, tools, and processes of a modern security operations program.

~3 hours 6 modules + assessment Foundation Platform-agnostic with CloudSignals callouts
Who this course is for
  • Security analysts joining or building a SOC
  • IT administrators moving into security operations
  • GRC professionals needing SecOps context
  • Cloud engineers adding security operations responsibilities
  • Students pursuing CompTIA Security+, CySA+, or GCIA certifications
  • Managers overseeing security operations teams
Prerequisites
  • Basic understanding of networking concepts (TCP/IP, DNS, HTTP)
  • Familiarity with operating systems (Windows or Linux)
  • Basic awareness of what security threats are (malware, phishing, intrusion)

What you will be able to do

  1. Describe the SOC model, SIEM, SOAR, EDR, and XDR and how they work together.
  2. Explain threat intelligence using the MITRE ATT&CK framework and the CTI lifecycle.
  3. Apply risk-based vulnerability prioritization using CVSS, EPSS, and CISA KEV.
  4. Execute an incident response workflow using NIST SP 800-61 stages.
  5. Describe CSPM, CWPP, and CIEM and how they address cloud-native security operations.
  6. Define the key SecOps metrics (MTTD, MTTR, false positive rate) and use them to assess program maturity.
Framework references in this course: MITRE ATT&CK v15, NIST SP 800-61 Rev 2 (Incident Handling), NIST SP 800-137 (Continuous Monitoring), NIST CSF 2.0 (Detect, Respond, Recover functions), CISA Known Exploited Vulnerabilities (KEV) Catalog, CVSS v3.1 and v4.0 (FIRST), EPSS (FIRST), CIS Controls v8 (IG2 and IG3), Gartner SOC Maturity Model.
1

Security Operations Foundations

25 min • SOC models, SIEM, SOAR, EDR, XDR, detection concepts

The Security Operations Center: models and functions

A Security Operations Center (SOC) is the team and capability responsible for monitoring, detecting, and responding to security events. SOC models vary significantly by organizational size and maturity: an in-house SOC maintains full ownership of tooling, analysis, and response; a co-managed SOC partners with an MSSP for 24/7 monitoring coverage while retaining response ownership; a Managed Detection and Response (MDR) arrangement fully outsources detection and initial response; and a virtual SOC uses cloud-native tooling with a geographically distributed team. No model is universally best — the choice depends on required detection coverage, budget, available analyst skill, and the organization's threat profile.

Regardless of model, SOC functions include: Tier 1 (alert triage — is this real or a false positive?), Tier 2 (incident investigation — what happened, what is the scope?), Tier 3 (threat hunting and advanced analysis — proactively looking for attacker TTPs not yet detected by alerts), and Tier 4 / SOC Management (tooling, process improvement, reporting, and threat intelligence integration).

The core SOC tooling stack

SIEM (Security Information and Event Management) aggregates and correlates log data from across the environment to detect anomalous patterns and trigger alerts. Modern SIEMs (Splunk, Microsoft Sentinel, Google Chronicle, IBM QRadar) ingest hundreds of billions of events daily and apply detection rules, ML models, and user behavior analytics (UEBA). SOAR (Security Orchestration, Automation, and Response) connects the SIEM to response workflows — automatically enriching alerts, opening tickets, isolating endpoints, and triggering playbooks, reducing MTTD and MTTR. EDR (Endpoint Detection and Response) provides deep telemetry and response capability at the endpoint level — recording process execution, file system activity, network connections, and registry changes, and enabling real-time isolation. XDR (Extended Detection and Response) extends EDR correlation across endpoint, network, cloud, identity, and email telemetry — providing attack path visibility across the entire kill chain.

ToolPrimary functionDetection coverage
SIEMLog aggregation, correlation, alertingNetwork, identity, cloud, application, endpoint (via agents)
SOARPlaybook automation, alert enrichment, case managementIntegrates with SIEM + all connected tools
EDRDeep endpoint telemetry + responseEndpoint: process, file, network, registry, memory
NDRNetwork traffic analysis, east-west visibilityNetwork: flows, payloads, anomaly detection
XDRCross-domain correlation and responseEndpoint + network + cloud + identity + email unified
UEBAUser and entity behavior analyticsIdentity: insider threat, credential abuse, lateral movement
CloudSignals connection: CloudSignals integrates with your SIEM and security tooling stack as a posture and risk context layer. When a SIEM alert fires on a cloud resource, CloudSignals provides the asset context (what is this resource, what data does it handle, what compliance controls apply), the vulnerability context (are there known vulnerabilities on this host), and the risk context (is this asset linked to a risk register entry). This enrichment turns raw SIEM alerts into governance-contextualized incidents.
In Practice — Assess your SOC coverage model
1
Identify your current SOC model: in-house, co-managed, MDR, or virtual. Map your detection coverage: which log sources are ingested by your SIEM? Which are not? Gaps in log ingestion are blind spots.
2
List your current detection tools: SIEM, EDR, NDR, SOAR. For each, identify what percentage of your environment is covered. An EDR deployed on 60% of endpoints means 40% have no endpoint telemetry.
3
Identify your top 5 alert types by volume. For each, estimate your false positive rate: how many are real incidents vs. noise? A false positive rate above 80% indicates tuning debt that is degrading your detection capability.
4
Assess your after-hours detection capability: is your SOC staffed 24/7, or do you have a coverage gap between 6pm and 8am? Most ransomware deployments occur during off-hours. Document the gap and evaluate MDR augmentation if needed.
Map your log source coverage: List all log sources that should be in your SIEM. Mark which are connected and which are missing. Prioritize missing sources by risk (cloud infrastructure and identity logs first).
Assess EDR deployment coverage: Confirm what percentage of endpoints have EDR agents deployed. Schedule a deployment campaign for any gap above 5%.
Document your after-hours coverage plan: Define how after-hours detections are handled. If no 24/7 capability exists, document the risk and the plan to address it (MDR, on-call rotation, etc.).
Knowledge Check
A SOC analyst receives 500 alerts per day from the SIEM, and investigation reveals that 480 of them are false positives. What is the primary operational risk this creates?
The SIEM is malfunctioning — a 96% false positive rate means the correlation rules are not working and the vendor should be contacted for a replacement system.
Alert fatigue: analysts spending most of their time on false positives will miss or delay the 20 real incidents, increasing MTTD and MTTR for genuine threats. High false positive rates degrade the value of the entire detection capability and lead to analysts becoming desensitized to alerts — including real ones.
Log storage costs — 500 alerts per day with 96% false positives indicates excessive log ingestion that will exceed SIEM licensing limits and incur overage charges.
Compliance risk — regulators require that false positive rates remain below 50% or the SIEM deployment fails the relevant control requirement.
Move on when you've mapped your log coverage, assessed EDR deployment, and documented your after-hours detection plan.
2

Threat Intelligence and Threat Modeling

25 min • Intelligence • MITRE ATT&CK, threat actors, TTPs, CTI lifecycle

The intelligence-driven SOC

Reactive security — waiting for alerts to fire — is insufficient against sophisticated threat actors who spend months in an environment before being detected. Intelligence-driven security operations use knowledge of real-world attacker behavior to proactively hunt for signs of intrusion, tune detections to the actual TTPs (Tactics, Techniques, and Procedures) used against organizations like yours, and prioritize defensive investments based on threat relevance. The SANS Institute and MITRE define threat intelligence as "evidence-based knowledge about an existing or emerging threat that can inform decisions and actions." It must be actionable — if it can't change a decision or action, it is information, not intelligence.

MITRE ATT&CK: the adversary behavior knowledge base

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK v15 contains 14 tactics (the adversary's goal at each stage) and hundreds of techniques and sub-techniques describing how those goals are achieved. The 14 tactics map the full attack lifecycle: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.

ATT&CK is used in three primary ways: Detection coverage mapping — which ATT&CK techniques can your current SIEM rules and EDR detections detect? This reveals coverage gaps. Threat actor profiling — ATT&CK Groups profiles document the specific techniques used by named threat actor groups. If APT29 uses technique T1078 (Valid Accounts) for initial access, your detection coverage for that technique is a priority. Red team and purple team exercises — emulating specific ATT&CK techniques to test whether detection rules fire as expected.

The Cyber Threat Intelligence (CTI) lifecycle

Effective CTI follows a six-phase lifecycle: Direction (what questions does the organization need intelligence to answer?), Collection (gathering raw intelligence from feeds, ISACs, OSINT, dark web monitoring, and vendor reporting), Processing (normalizing, filtering, and deduplicating raw data), Analysis (turning data into actionable intelligence — enriching indicators, assessing confidence, attributing to known groups), Dissemination (delivering intelligence in the right format to the right audience — IOCs to SIEM/EDR, strategic reports to executives), and Feedback (reviewing whether the intelligence actually informed decisions and improved detection).

Intelligence typeAudienceExamplesOperational shelf life
TacticalSOC analystsIOCs (IPs, hashes, domains), YARA rules, Sigma rulesHours to days (IOCs expire quickly)
OperationalIR teams, threat huntersCampaign analysis, threat actor TTPs, malware family behaviorWeeks to months
StrategicCISO, board, executivesThreat landscape reports, industry targeting trends, geopolitical contextMonths to years
CloudSignals connection: CloudSignals Vision intelligence capabilities surface threat-relevant context during investigation workflows. When a security team investigates a finding against an asset, Vision can provide contextual threat intelligence about the vulnerability or misconfiguration — including known exploitation in the wild (linked to CISA KEV) and relevant ATT&CK technique mappings — enriching the investigation without requiring the analyst to leave the platform.
In Practice — Map MITRE ATT&CK coverage
1
Go to attack.mitre.org. Select a threat actor group (ATT&CK Groups) relevant to your industry (e.g., APT29 for technology, FIN7 for financial services, Lazarus for any sector). Review their commonly used techniques.
2
For the top 10 techniques used by that group, assess whether your SIEM has detection rules for each. This is your ATT&CK coverage gap against your most relevant threat actor.
3
Use the ATT&CK Navigator (mitre-attack.github.io/attack-navigator) to create a coverage heat map: mark which techniques your current detections cover. Techniques with no coverage in the Initial Access and Privilege Escalation tactics are your highest-priority gaps.
4
Identify your current threat intelligence feeds. For each, classify whether it provides tactical, operational, or strategic intelligence. If you only have tactical IOC feeds, add at least one operational-level source (industry ISAC, vendor threat research).
Build an ATT&CK threat actor profile: Identify the two most relevant threat actor groups for your industry. Document their primary techniques across Initial Access, Persistence, and Exfiltration tactics.
Map ATT&CK detection coverage: Using ATT&CK Navigator, mark which techniques your SIEM/EDR currently detects. Identify the three highest-priority gaps to close in the next 90 days.
Join your industry ISAC: If not already a member, identify and join your sector's Information Sharing and Analysis Center (ISAC). ISACs provide operational threat intelligence specific to your industry's threat landscape.
Knowledge Check
A threat intelligence feed provides a list of 10,000 IP addresses linked to malicious activity. This is immediately blocked in the firewall. Why might this approach be insufficient as a complete threat intelligence program?
Blocking IPs in the firewall is not allowed under most compliance frameworks because it creates availability risks for legitimate traffic.
This uses only tactical intelligence (IOCs with hours-to-days shelf life) with no operational intelligence (TTPs, campaign behavior) or strategic intelligence (threat landscape, targeting patterns). Sophisticated attackers change IPs constantly — IOC-only defenses are easy to evade. A complete program needs operational intelligence to detect attacker behavior even when IPs change.
The approach is sufficient — blocking known malicious IPs is the most effective form of threat intelligence operationalization, and additional intelligence types add cost without proportionate protection value.
Firewall blocking should only be applied to IOCs verified through internal analysis — third-party IP lists cannot be trusted without independent validation.
Move on when you've built your threat actor profile, mapped ATT&CK coverage, and identified your intelligence feed gaps.
3

Vulnerability Management

25 min • CVSS, EPSS, KEV, risk-based prioritization, patch operations

Why CVSS alone is insufficient for prioritization

The Common Vulnerability Scoring System (CVSS) rates vulnerability severity on a 0–10 scale based on exploitability metrics (attack vector, complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability). A CVSS score tells you how bad a vulnerability could be if exploited — but it does not tell you how likely it is to be exploited in your environment. The average enterprise has thousands of CVSS High/Critical vulnerabilities at any point in time. Treating them all with equal urgency is operationally impossible. This is the core problem with CVSS-only prioritization.

Risk-based prioritization: CVSS + EPSS + KEV

EPSS (Exploit Prediction Scoring System, developed by FIRST) estimates the probability that a CVE will be exploited in the wild within the next 30 days. EPSS scores range from 0–100%. The vast majority of CVEs have EPSS scores below 1% — meaning active exploitation is very unlikely. CVEs with both a high CVSS score AND a high EPSS score are the true priority. CISA KEV (Known Exploited Vulnerabilities Catalog) is the most authoritative source of CVEs that are actively being exploited in the wild right now. CISA Binding Operational Directive 22-01 mandates that US federal agencies remediate KEV-listed vulnerabilities within tight timelines. All organizations should treat KEV listings as their highest remediation priority, regardless of CVSS score.

The SSVC (Stakeholder-Specific Vulnerability Categorization) framework, developed by CISA and Carnegie Mellon, offers a decision tree model for prioritization that incorporates exploitation status (KEV), technical impact, and mission/well-being impact — producing four outcomes: Track, Track*, Attend, Act. SSVC is increasingly adopted as a replacement for CVSS-only prioritization in mature vulnerability management programs.

The vulnerability management lifecycle

Effective vulnerability management is a closed-loop process: Discover (authenticated scanning across all assets — network, cloud, containers, applications, APIs; NIST SP 800-115 guidance on technical testing), Prioritize (apply CVSS + EPSS + KEV + asset criticality + compensating controls), Remediate (patch, compensating control, or documented exception), Verify (rescan to confirm remediation), Report (SLA compliance tracking, trend reporting to leadership). The loop must be continuous — not quarterly. Cloud environments change daily; weekly scanning is the minimum for production cloud infrastructure.

CloudSignals connection: CloudSignals continuously runs posture scans and surfaces findings linked to CVSS scores, CISA KEV status, and asset criticality scores. The vulnerability-to-risk pipeline in CloudSignals automatically creates RiskOps risk entries for findings meeting defined thresholds — giving risk owners a pre-prioritized treatment queue based on combined risk signals rather than CVSS alone.
In Practice — Improve your vulnerability prioritization
1
From your most recent vulnerability scan, export all Critical and High CVEs. For each, look up the EPSS score at epss.cyentia.com. How many have EPSS above 10%? These are your true-priority vulnerabilities.
2
Cross-reference your vulnerability list against the CISA KEV catalog (cisa.gov/known-exploited-vulnerabilities-catalog). Any KEV-listed vulnerability in your environment is Priority 1, regardless of CVSS score. How many KEV-listed CVEs are currently unpatched in your environment?
3
Review your SLAs for vulnerability remediation. Do you have tiered SLAs (e.g., Critical = 15 days, High = 30 days, Medium = 90 days)? Are they tracked and reported? SLAs without tracking are targets without accountability.
4
Identify assets with vulnerability scan coverage gaps. Any asset not scanned in the last 7 days (for production cloud) or 30 days (for on-prem) is a blind spot in your vulnerability program.
Cross-reference with CISA KEV: Compare your open vulnerability list against the KEV catalog. Any KEV-listed CVE in your environment goes immediately to Priority 1 treatment.
Add EPSS to your prioritization process: For all Critical and High CVEs, add EPSS score lookup to your triage workflow. Deprioritize CVEs with EPSS below 1% that have compensating controls in place.
Define and document your remediation SLAs: Set tiered SLA targets for Critical, High, Medium, and Low severity findings. Assign an owner to track SLA compliance monthly and report to leadership.
Knowledge Check
A system has a CVSS score of 6.5 (Medium) with an EPSS score of 45% and is listed on the CISA KEV catalog. Another system has a CVSS score of 9.8 (Critical) with an EPSS score of 0.2% and is not on KEV. Which should be prioritized first?
The CVSS 9.8 Critical vulnerability — higher severity always takes priority regardless of exploitation probability or KEV status.
The CVSS 6.5 / EPSS 45% / KEV-listed vulnerability — active exploitation in the wild (KEV) and a 45% probability of exploitation in 30 days (EPSS) indicate this vulnerability is being actively used by attackers right now. The CVSS 9.8 with 0.2% EPSS represents theoretical severity but very low likelihood of exploitation currently. Risk-based prioritization uses all three dimensions.
Both should be remediated simultaneously — any CVSS above 6.0 requires immediate attention regardless of EPSS or KEV status under most vulnerability management policies.
KEV listings apply only to US federal agencies — private sector organizations should prioritize by CVSS score alone.
Move on when you've cross-referenced your vulnerabilities with KEV, added EPSS to your triage, and defined remediation SLAs.
4

Incident Response and Recovery

30 min • NIST SP 800-61, IR lifecycle, containment, eradication, DFIR basics

The incident response lifecycle (NIST SP 800-61 Rev 2)

NIST SP 800-61 defines incident response as a four-phase lifecycle. Phase 1: Preparation — establishing the IR capability before incidents occur: IR policy, playbooks, contact lists, tool access, table-top exercises, detection baselines. Phase 2: Detection and Analysis — identifying and confirming that an incident has occurred, scoping the impact, classifying severity, and declaring an incident. Phase 3: Containment, Eradication, and Recovery — stopping the spread (containment), removing attacker presence (eradication), and restoring affected systems (recovery). Phase 4: Post-Incident Activity — lessons learned, evidence retention, report documentation, and process improvement.

The two most common IR failures are: premature eradication (cleaning infected systems before fully scoping the attacker's access — the attacker simply re-enters through a still-compromised account or persistence mechanism) and inadequate preparation (having no playbooks, no contact lists, no tool access, and no practice before the incident occurs — then trying to learn and respond simultaneously during a crisis). IR preparation investment pays the highest dividend in reducing incident impact.

Incident classification and severity

Before executing IR workflows, the team must classify severity. Most organizations use a P1–P4 or Sev1–Sev4 scale: P1/Sev1 (Critical — active breach, ransomware deployment, significant data exfiltration, or major service disruption), P2/Sev2 (High — confirmed unauthorized access, actively spreading malware, or regulatory-notifiable event), P3/Sev3 (Medium — isolated compromise, phishing success without lateral movement), P4/Sev4 (Low — policy violation, failed attack attempt). Severity determines escalation path, communication requirements, and resource commitment — a P1 escalates to CISO and legal immediately; a P4 may be handled entirely at analyst level.

Digital Forensics and Incident Response (DFIR)

When an incident requires legal or regulatory follow-up, DFIR practices ensure evidence is collected in a forensically sound manner. Key principles: Order of volatility (collect memory before disk before network logs before file system metadata), Chain of custody (documented evidence handling from collection through legal proceedings), Legal holds (freezing log retention when litigation is anticipated), Write blockers (preventing modification of evidence during acquisition). ISO/IEC 27037:2012 provides guidelines for identification, collection, acquisition, and preservation of digital evidence.

Before wiping a compromised system: Capture a memory image (using a tool like Magnet RAM Capture, WinPMEM, or LiME) and a full disk image before reimaging. Premature wiping destroys evidence needed to understand the full attack scope, identify other compromised systems, and potentially meet regulatory evidence requirements.
In Practice — Test your IR preparation
1
Review your IR policy and playbooks. When were they last updated? Do they cover your current environment (cloud workloads, SaaS, remote workers)? Playbooks that don't reflect your current architecture are training documents, not operational ones.
2
Confirm your IR contact list is current: security team, legal, executive leadership, external IR retainer, cyber insurance carrier, PR/communications. In a crisis, you will not have time to look up who to call.
3
Run a 30-minute tabletop exercise: "A finance employee reports their laptop is behaving strangely. IT discovers ransomware has been deployed across 20% of endpoints and is still spreading." Walk through every decision from Detection to Containment. Identify the first gap in your process.
4
Verify your ability to isolate a compromised host within 15 minutes of detection: can you isolate a cloud VM, an on-prem server, and a remote employee laptop? Any isolation capability gap above 30 minutes for critical assets is a P1 response failure risk.
Update your IR playbooks: Review all IR playbooks and confirm they cover your current environment. At minimum: ransomware, data breach, phishing, and insider threat playbooks should exist and be tested annually.
Verify your IR contact list: Confirm all contacts are current, including external IR retainer, cyber insurance, legal, and PR. Test communication channels at least quarterly.
Schedule your next tabletop exercise: If no tabletop has been run in the last 12 months, schedule one within 60 days. Tabletops are the only way to find IR process gaps before a real incident exposes them.
Knowledge Check
During an incident response, the IT team identifies 5 infected workstations and immediately reimages them without capturing memory or disk images first. Why is this a problem?
Reimaging is not a valid IR action — infected systems should remain online to monitor attacker behavior until the full extent of the breach is understood.
Premature eradication without forensic capture destroys the evidence needed to: (1) understand the full attack scope (what other systems were accessed?), (2) identify persistence mechanisms (will the attacker re-enter?), (3) determine the breach timeline (when did compromise begin?), and (4) meet potential legal or regulatory evidence preservation requirements. The team may have contained 5 workstations while the attacker remains active elsewhere.
Reimaging is too slow — in a live incident, infected systems should be physically destroyed to prevent any reinfection risk, which reimaging cannot guarantee.
The issue is only a problem if litigation is anticipated — for internal incidents with no regulatory notification requirement, immediate reimaging is the recommended approach.
Move on when you've reviewed your IR playbooks, updated your contact list, and scheduled a tabletop exercise.
5

Cloud Security Operations

25 min • CSPM, CWPP, CIEM, cloud-native threats and detection

Why traditional security operations tools miss cloud threats

Traditional SIEM/EDR approaches were designed for on-premises environments with a defined network perimeter. Cloud environments break these assumptions: infrastructure is ephemeral (resources spin up and down in seconds), the attack surface includes APIs, IAM misconfigurations, and serverless functions that generate no conventional network traffic, and the shared responsibility model means the cloud provider secures the infrastructure but you are responsible for everything you build on it. The 2024 DBIR identified misconfiguration and cloud identity exploitation as the two most rapidly growing cloud breach vectors — both of which are invisible to traditional endpoint and network detection tools.

Cloud Security Posture Management (CSPM)

CSPM tools continuously assess cloud infrastructure configurations against security best practices and compliance frameworks. They detect: publicly accessible storage (S3 buckets, Azure Blob, GCS), overly permissive IAM roles, unencrypted databases, open security groups with unrestricted ingress, disabled CloudTrail/audit logging, and missing MFA on root/admin accounts. AWS Security Hub, Microsoft Defender for Cloud, and Google Security Command Center are native CSPM capabilities; Wiz, Orca, Prisma Cloud, and Lacework are multi-cloud CSPM leaders. The output of CSPM is a prioritized finding list — but findings must be triaged for asset criticality and exploitability, not just CSPM score, to be operationally useful.

Cloud Workload Protection Platform (CWPP)

CWPP extends EDR-like capabilities to cloud workloads: VMs, containers, serverless functions, and Kubernetes pods. CWPP provides runtime threat detection (detecting process injection, cryptomining, reverse shells, container escapes), vulnerability scanning of running workloads, and compliance enforcement. Kubernetes-specific security (network policies, RBAC, pod security standards, admission controllers) falls within the CWPP domain. The CIS Kubernetes Benchmark and NIST SP 800-190 (Application Container Security Guide) provide control frameworks for container security.

Cloud Infrastructure Entitlement Management (CIEM)

Identity is the primary attack vector in cloud environments. CIEM tools discover, analyze, and right-size cloud IAM permissions by identifying: over-privileged roles and users, unused permissions (permissions granted but never exercised — violating least privilege), cross-account access relationships, service accounts with excessive permissions, and public-facing resources with no authentication requirement. CIEM data often reveals that 90%+ of granted cloud permissions are never used — representing an enormous lateral movement surface for attackers who compromise any one identity.

CloudSignals connection: CloudSignals is purpose-built as a continuous CSPM across AWS, Azure, GCP, and OCI. Scan results feed directly into the UCB control evidence layer — meaning every posture finding is mapped to a governance control, creating the link between operational security posture and GRC compliance state. Cloud findings triggering RiskOps risk entries are automatically prioritized by asset criticality and CVSS/KEV data.
In Practice — Assess your cloud security operations posture
1
Review your CSPM tool's finding dashboard. What percentage of findings are categorized as Critical or High? What are the top three misconfiguration categories? These reveal your cloud security hygiene gaps.
2
Audit cloud IAM: in your primary cloud provider, list all IAM roles and users with Administrator or equivalent permissions. For each, confirm the permission is necessary and actively used. Remove or restrict any unused admin permissions.
3
Check cloud audit logging: confirm CloudTrail (AWS), Activity Logs (Azure), or Cloud Audit Logs (GCP) are enabled in all regions and all accounts/subscriptions/projects. Disabled audit logging is a Tier 1 CSPM finding and removes your forensic visibility entirely.
4
Test public resource exposure: use your cloud provider's built-in tools (AWS Trusted Advisor, Azure Secure Score, GCP Security Health Analytics) to identify any publicly accessible storage, databases, or compute resources that should not be public. Remediate within 24 hours of discovery.
Enable cloud audit logging in all regions: Confirm audit logging (CloudTrail, Activity Logs, Cloud Audit Logs) is enabled everywhere with a retention period meeting your compliance requirements (typically 90 days minimum, 1 year for most regulations).
Right-size admin permissions: Identify and remove or restrict all cloud IAM admin roles that are not actively required. Require MFA for all admin access. Use just-in-time (JIT) access for privileged operations.
Integrate CSPM findings into your risk process: Establish a workflow connecting Critical/High CSPM findings to your risk register or treatment queue. CSPM findings that sit unresolved longer than 30 days without a documented treatment plan are operational risk exposure.
Knowledge Check
A security team deploys best-in-class EDR on all Windows and Linux servers and reports 100% endpoint coverage. A cloud breach subsequently occurs through an exposed S3 bucket and an overly permissive IAM role. Why did the EDR fail to prevent this?
The EDR failed because it was not configured to monitor outbound traffic from the S3 bucket — a configuration change would have detected the exfiltration.
EDR detects and responds to threats at the endpoint (process execution, file system, memory). Cloud resource attacks through misconfigured S3 permissions and IAM exploitation don't involve endpoint execution — they use the cloud control plane API. These threats are invisible to EDR and require CSPM (detecting misconfiguration) and CIEM (detecting excessive permissions) to address.
The EDR coverage was insufficient — 100% of Windows and Linux servers doesn't include macOS endpoints where the attacker originated.
EDR cannot detect IAM-based attacks because cloud providers do not allow EDR agents on their infrastructure — this is a shared responsibility model gap the cloud provider is responsible for.
Move on when you've enabled cloud audit logging everywhere, right-sized admin permissions, and integrated CSPM findings into your risk process.
6

SecOps Metrics and Maturity

20 min • MTTD, MTTR, KPIs, SOC maturity model, and program improvement

The essential SecOps metrics

MTTD (Mean Time to Detect) measures the average time between when an incident begins and when the security team becomes aware of it. IBM's Cost of a Data Breach Report 2024 found the global average MTTD is 194 days — meaning attackers operate in environments for over six months before detection. Mature SOCs target MTTD below 24 hours for critical incidents. MTTR (Mean Time to Respond/Remediate) measures the average time from detection to containment and remediation. The 2024 IBM report found average MTTR of 64 days — an attacker present for 64 days after detection has enormous lateral movement opportunity. MTTC (Mean Time to Contain) is increasingly used separately from MTTR to measure how quickly the spread of an incident is stopped, as distinct from full eradication and recovery.

MetricDefinitionIndustry average (2024)Mature target
MTTDBreach start → detection194 days<24 hours for P1
MTTCDetection → containment~4 hours (P1)<1 hour for P1
MTTRDetection → full remediation64 days<30 days for P1
False Positive RateFalse alerts / total alerts~65–80%<30% for mature SOC
Alert-to-Case RateAlerts escalated to full investigationVaries widelyAll P1/P2 alerts → case
Vuln SLA complianceVulns remediated within SLA / totalVaries widely≥95% Critical within SLA

SOC maturity models

Gartner's SOC maturity model and the MITRE SOAR maturity model both define progression from reactive to proactive operations. At Level 1 (Reactive/Ad-hoc): no formal SOC, reactive response only, minimal logging, no defined IR process. At Level 2 (Managed): SIEM deployed, defined alert triage, basic IR playbooks, reactive vulnerability management. At Level 3 (Defined): threat intelligence integration, proactive threat hunting, SOAR automation, defined metrics. At Level 4 (Quantitative): metrics-driven operations, continuous improvement, ATT&CK coverage measurement, purple team exercises. At Level 5 (Optimizing): threat-anticipatory operations, machine-speed detection, fully automated Tier 1 response, continuous red team feedback loop.

Most commercial organizations operate at Level 2–3. The progression from Level 2 to Level 3 — adding threat intelligence, proactive hunting, and SOAR automation — produces the most significant improvements in MTTD and MTTR for the investment. Organizations should target Level 3 before investing in Level 4 capabilities.

CloudSignals connection: CloudSignals+RiskOps tracks security posture trends over time, enabling you to measure CSPM finding resolution rates, vulnerability SLA compliance, and risk treatment velocity — all as governance metrics linked to specific control areas. The executive reports module generates posture trend reporting that answers the CISO's board question: "Are we more secure this quarter than last quarter, and why?"
In Practice — Baseline and improve your SecOps metrics
1
Calculate your current MTTD and MTTR from your incident records over the last 6 months. Compare to the industry average. If your MTTD is worse than average, identify the detection gap (log coverage, alert tuning, hunting cadence) causing the delay.
2
Measure your false positive rate for your top 10 alert types. For any alert with false positive rate above 80%, create a tuning plan: add environment-specific context (asset criticality, business hours), reduce noise at the data source, or suppress known benign patterns.
3
Assess your SOC maturity level honestly against the five-level model. Identify which Level 3 capabilities you lack (threat intelligence program, threat hunting, SOAR automation, ATT&CK coverage mapping) and create a prioritized roadmap to close the gap.
4
Set 12-month targets for your top three SecOps metrics. Communicate them to leadership. Metrics without targets are observations; targets create accountability and drive program investment decisions.
Baseline your MTTD and MTTR: Calculate 6-month averages for both metrics from your incident log. Set improvement targets for the next 12 months. Share with leadership.
Reduce your false positive rate: For your three noisiest alert types, create tuning plans targeting reduction to <50% false positive rate within 90 days. Track before/after.
Build your SOC maturity roadmap: Rate your current maturity level and identify the two highest-value Level 3 capabilities to pursue. Define the investment and timeline for each.
Knowledge Check
A SOC has an MTTD of 120 days and an MTTR of 80 days. The SOC manager reports this as "acceptable because it's below the industry average of 194 and 64." What is wrong with this reasoning?
The reasoning is correct — any metric below industry average represents above-average security performance and does not require further improvement.
MTTD 120 days means attackers operate in the environment for four months before detection — that is 120 days of potential data exfiltration, lateral movement, and persistence establishment. MTTR of 80 days adds another 80 days of exposure. "Below industry average" is not an appropriate target for a security program — the target should be the level that reduces business risk to acceptable levels, which for most organizations means P1 MTTD in hours and MTTR in days, not months.
The MTTR of 80 days is above the 64-day average — so the reasoning is flawed because the metric is actually worse than average, not better.
Industry averages include very small organizations that skew the data — a well-resourced SOC should be compared only to peers of similar size and complexity.
Move on when you've baselined your MTTD/MTTR, started tuning your noisiest alerts, and built your SOC maturity roadmap.

Course Assessment — Introduction to Modern Cybersecurity Operations

Completing all six modules qualifies you for the knowledge assessment. This course is a recommended prerequisite for the Cloud Security and Vulnerability Management practitioner courses.

Assessment domainWeight
SOC models and detection tooling20%
Threat intelligence and MITRE ATT&CK20%
Vulnerability management and prioritization20%
Incident response lifecycle and DFIR20%
Cloud security operations and metrics20%

Capstone scenario

At 11:30 PM on a Friday, your SIEM fires a high-severity alert: a service account in AWS has made 4,000 API calls to s3:GetObject across a sensitive data bucket in the last 20 minutes. The service account was created 6 months ago and has rarely been used. Your threat intelligence platform shows the source IP is associated with a known data theft tool. Your task:

  1. Classify the incident severity and explain your rationale.
  2. Describe the first three containment actions and the order in which you take them.
  3. Identify what forensic evidence you need to collect and in what order.
  4. Explain how CIEM analysis of this service account would have been a preventive control.
  5. Describe the post-incident activities and what metrics this incident will affect.
Passing criteria: P1/Sev1 classification with correct rationale (active data exfiltration, known threat actor TTP). First action is IAM credential revocation, not system shutdown. Forensic collection follows order of volatility. CIEM analysis correctly identified as CIEM, not EDR or CSPM. Post-incident includes MTTD calculation, CIEM right-sizing, and lessons learned documentation.
🏅
Course complete!
You've completed Introduction to Modern Cybersecurity Operations. Continue to Introduction to DevSecOps.
Next: Introduction to DevSecOps