Introduction to Modern Cybersecurity Operations
Cybersecurity operations is the continuous practice of detecting threats, managing vulnerabilities, responding to incidents, and maintaining visibility across the environments your organization operates. Modern SecOps has evolved dramatically: the SOC has moved from a log-watching function to a threat-informed, automation-assisted, cloud-aware detection and response capability. This course covers the foundational concepts, tools, and processes of a modern security operations program.
- Security analysts joining or building a SOC
- IT administrators moving into security operations
- GRC professionals needing SecOps context
- Cloud engineers adding security operations responsibilities
- Students pursuing CompTIA Security+, CySA+, or GCIA certifications
- Managers overseeing security operations teams
- Basic understanding of networking concepts (TCP/IP, DNS, HTTP)
- Familiarity with operating systems (Windows or Linux)
- Basic awareness of what security threats are (malware, phishing, intrusion)
What you will be able to do
- Describe the SOC model, SIEM, SOAR, EDR, and XDR and how they work together.
- Explain threat intelligence using the MITRE ATT&CK framework and the CTI lifecycle.
- Apply risk-based vulnerability prioritization using CVSS, EPSS, and CISA KEV.
- Execute an incident response workflow using NIST SP 800-61 stages.
- Describe CSPM, CWPP, and CIEM and how they address cloud-native security operations.
- Define the key SecOps metrics (MTTD, MTTR, false positive rate) and use them to assess program maturity.
Security Operations Foundations
25 min • SOC models, SIEM, SOAR, EDR, XDR, detection concepts
The Security Operations Center: models and functions
A Security Operations Center (SOC) is the team and capability responsible for monitoring, detecting, and responding to security events. SOC models vary significantly by organizational size and maturity: an in-house SOC maintains full ownership of tooling, analysis, and response; a co-managed SOC partners with an MSSP for 24/7 monitoring coverage while retaining response ownership; a Managed Detection and Response (MDR) arrangement fully outsources detection and initial response; and a virtual SOC uses cloud-native tooling with a geographically distributed team. No model is universally best — the choice depends on required detection coverage, budget, available analyst skill, and the organization's threat profile.
Regardless of model, SOC functions include: Tier 1 (alert triage — is this real or a false positive?), Tier 2 (incident investigation — what happened, what is the scope?), Tier 3 (threat hunting and advanced analysis — proactively looking for attacker TTPs not yet detected by alerts), and Tier 4 / SOC Management (tooling, process improvement, reporting, and threat intelligence integration).
The core SOC tooling stack
SIEM (Security Information and Event Management) aggregates and correlates log data from across the environment to detect anomalous patterns and trigger alerts. Modern SIEMs (Splunk, Microsoft Sentinel, Google Chronicle, IBM QRadar) ingest hundreds of billions of events daily and apply detection rules, ML models, and user behavior analytics (UEBA). SOAR (Security Orchestration, Automation, and Response) connects the SIEM to response workflows — automatically enriching alerts, opening tickets, isolating endpoints, and triggering playbooks, reducing MTTD and MTTR. EDR (Endpoint Detection and Response) provides deep telemetry and response capability at the endpoint level — recording process execution, file system activity, network connections, and registry changes, and enabling real-time isolation. XDR (Extended Detection and Response) extends EDR correlation across endpoint, network, cloud, identity, and email telemetry — providing attack path visibility across the entire kill chain.
| Tool | Primary function | Detection coverage |
|---|---|---|
| SIEM | Log aggregation, correlation, alerting | Network, identity, cloud, application, endpoint (via agents) |
| SOAR | Playbook automation, alert enrichment, case management | Integrates with SIEM + all connected tools |
| EDR | Deep endpoint telemetry + response | Endpoint: process, file, network, registry, memory |
| NDR | Network traffic analysis, east-west visibility | Network: flows, payloads, anomaly detection |
| XDR | Cross-domain correlation and response | Endpoint + network + cloud + identity + email unified |
| UEBA | User and entity behavior analytics | Identity: insider threat, credential abuse, lateral movement |
Threat Intelligence and Threat Modeling
25 min • Intelligence • MITRE ATT&CK, threat actors, TTPs, CTI lifecycle
The intelligence-driven SOC
Reactive security — waiting for alerts to fire — is insufficient against sophisticated threat actors who spend months in an environment before being detected. Intelligence-driven security operations use knowledge of real-world attacker behavior to proactively hunt for signs of intrusion, tune detections to the actual TTPs (Tactics, Techniques, and Procedures) used against organizations like yours, and prioritize defensive investments based on threat relevance. The SANS Institute and MITRE define threat intelligence as "evidence-based knowledge about an existing or emerging threat that can inform decisions and actions." It must be actionable — if it can't change a decision or action, it is information, not intelligence.
MITRE ATT&CK: the adversary behavior knowledge base
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK v15 contains 14 tactics (the adversary's goal at each stage) and hundreds of techniques and sub-techniques describing how those goals are achieved. The 14 tactics map the full attack lifecycle: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
ATT&CK is used in three primary ways: Detection coverage mapping — which ATT&CK techniques can your current SIEM rules and EDR detections detect? This reveals coverage gaps. Threat actor profiling — ATT&CK Groups profiles document the specific techniques used by named threat actor groups. If APT29 uses technique T1078 (Valid Accounts) for initial access, your detection coverage for that technique is a priority. Red team and purple team exercises — emulating specific ATT&CK techniques to test whether detection rules fire as expected.
The Cyber Threat Intelligence (CTI) lifecycle
Effective CTI follows a six-phase lifecycle: Direction (what questions does the organization need intelligence to answer?), Collection (gathering raw intelligence from feeds, ISACs, OSINT, dark web monitoring, and vendor reporting), Processing (normalizing, filtering, and deduplicating raw data), Analysis (turning data into actionable intelligence — enriching indicators, assessing confidence, attributing to known groups), Dissemination (delivering intelligence in the right format to the right audience — IOCs to SIEM/EDR, strategic reports to executives), and Feedback (reviewing whether the intelligence actually informed decisions and improved detection).
| Intelligence type | Audience | Examples | Operational shelf life |
|---|---|---|---|
| Tactical | SOC analysts | IOCs (IPs, hashes, domains), YARA rules, Sigma rules | Hours to days (IOCs expire quickly) |
| Operational | IR teams, threat hunters | Campaign analysis, threat actor TTPs, malware family behavior | Weeks to months |
| Strategic | CISO, board, executives | Threat landscape reports, industry targeting trends, geopolitical context | Months to years |
Vulnerability Management
25 min • CVSS, EPSS, KEV, risk-based prioritization, patch operations
Why CVSS alone is insufficient for prioritization
The Common Vulnerability Scoring System (CVSS) rates vulnerability severity on a 0–10 scale based on exploitability metrics (attack vector, complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability). A CVSS score tells you how bad a vulnerability could be if exploited — but it does not tell you how likely it is to be exploited in your environment. The average enterprise has thousands of CVSS High/Critical vulnerabilities at any point in time. Treating them all with equal urgency is operationally impossible. This is the core problem with CVSS-only prioritization.
Risk-based prioritization: CVSS + EPSS + KEV
EPSS (Exploit Prediction Scoring System, developed by FIRST) estimates the probability that a CVE will be exploited in the wild within the next 30 days. EPSS scores range from 0–100%. The vast majority of CVEs have EPSS scores below 1% — meaning active exploitation is very unlikely. CVEs with both a high CVSS score AND a high EPSS score are the true priority. CISA KEV (Known Exploited Vulnerabilities Catalog) is the most authoritative source of CVEs that are actively being exploited in the wild right now. CISA Binding Operational Directive 22-01 mandates that US federal agencies remediate KEV-listed vulnerabilities within tight timelines. All organizations should treat KEV listings as their highest remediation priority, regardless of CVSS score.
The SSVC (Stakeholder-Specific Vulnerability Categorization) framework, developed by CISA and Carnegie Mellon, offers a decision tree model for prioritization that incorporates exploitation status (KEV), technical impact, and mission/well-being impact — producing four outcomes: Track, Track*, Attend, Act. SSVC is increasingly adopted as a replacement for CVSS-only prioritization in mature vulnerability management programs.
The vulnerability management lifecycle
Effective vulnerability management is a closed-loop process: Discover (authenticated scanning across all assets — network, cloud, containers, applications, APIs; NIST SP 800-115 guidance on technical testing), Prioritize (apply CVSS + EPSS + KEV + asset criticality + compensating controls), Remediate (patch, compensating control, or documented exception), Verify (rescan to confirm remediation), Report (SLA compliance tracking, trend reporting to leadership). The loop must be continuous — not quarterly. Cloud environments change daily; weekly scanning is the minimum for production cloud infrastructure.
Incident Response and Recovery
30 min • NIST SP 800-61, IR lifecycle, containment, eradication, DFIR basics
The incident response lifecycle (NIST SP 800-61 Rev 2)
NIST SP 800-61 defines incident response as a four-phase lifecycle. Phase 1: Preparation — establishing the IR capability before incidents occur: IR policy, playbooks, contact lists, tool access, table-top exercises, detection baselines. Phase 2: Detection and Analysis — identifying and confirming that an incident has occurred, scoping the impact, classifying severity, and declaring an incident. Phase 3: Containment, Eradication, and Recovery — stopping the spread (containment), removing attacker presence (eradication), and restoring affected systems (recovery). Phase 4: Post-Incident Activity — lessons learned, evidence retention, report documentation, and process improvement.
The two most common IR failures are: premature eradication (cleaning infected systems before fully scoping the attacker's access — the attacker simply re-enters through a still-compromised account or persistence mechanism) and inadequate preparation (having no playbooks, no contact lists, no tool access, and no practice before the incident occurs — then trying to learn and respond simultaneously during a crisis). IR preparation investment pays the highest dividend in reducing incident impact.
Incident classification and severity
Before executing IR workflows, the team must classify severity. Most organizations use a P1–P4 or Sev1–Sev4 scale: P1/Sev1 (Critical — active breach, ransomware deployment, significant data exfiltration, or major service disruption), P2/Sev2 (High — confirmed unauthorized access, actively spreading malware, or regulatory-notifiable event), P3/Sev3 (Medium — isolated compromise, phishing success without lateral movement), P4/Sev4 (Low — policy violation, failed attack attempt). Severity determines escalation path, communication requirements, and resource commitment — a P1 escalates to CISO and legal immediately; a P4 may be handled entirely at analyst level.
Digital Forensics and Incident Response (DFIR)
When an incident requires legal or regulatory follow-up, DFIR practices ensure evidence is collected in a forensically sound manner. Key principles: Order of volatility (collect memory before disk before network logs before file system metadata), Chain of custody (documented evidence handling from collection through legal proceedings), Legal holds (freezing log retention when litigation is anticipated), Write blockers (preventing modification of evidence during acquisition). ISO/IEC 27037:2012 provides guidelines for identification, collection, acquisition, and preservation of digital evidence.
Cloud Security Operations
25 min • CSPM, CWPP, CIEM, cloud-native threats and detection
Why traditional security operations tools miss cloud threats
Traditional SIEM/EDR approaches were designed for on-premises environments with a defined network perimeter. Cloud environments break these assumptions: infrastructure is ephemeral (resources spin up and down in seconds), the attack surface includes APIs, IAM misconfigurations, and serverless functions that generate no conventional network traffic, and the shared responsibility model means the cloud provider secures the infrastructure but you are responsible for everything you build on it. The 2024 DBIR identified misconfiguration and cloud identity exploitation as the two most rapidly growing cloud breach vectors — both of which are invisible to traditional endpoint and network detection tools.
Cloud Security Posture Management (CSPM)
CSPM tools continuously assess cloud infrastructure configurations against security best practices and compliance frameworks. They detect: publicly accessible storage (S3 buckets, Azure Blob, GCS), overly permissive IAM roles, unencrypted databases, open security groups with unrestricted ingress, disabled CloudTrail/audit logging, and missing MFA on root/admin accounts. AWS Security Hub, Microsoft Defender for Cloud, and Google Security Command Center are native CSPM capabilities; Wiz, Orca, Prisma Cloud, and Lacework are multi-cloud CSPM leaders. The output of CSPM is a prioritized finding list — but findings must be triaged for asset criticality and exploitability, not just CSPM score, to be operationally useful.
Cloud Workload Protection Platform (CWPP)
CWPP extends EDR-like capabilities to cloud workloads: VMs, containers, serverless functions, and Kubernetes pods. CWPP provides runtime threat detection (detecting process injection, cryptomining, reverse shells, container escapes), vulnerability scanning of running workloads, and compliance enforcement. Kubernetes-specific security (network policies, RBAC, pod security standards, admission controllers) falls within the CWPP domain. The CIS Kubernetes Benchmark and NIST SP 800-190 (Application Container Security Guide) provide control frameworks for container security.
Cloud Infrastructure Entitlement Management (CIEM)
Identity is the primary attack vector in cloud environments. CIEM tools discover, analyze, and right-size cloud IAM permissions by identifying: over-privileged roles and users, unused permissions (permissions granted but never exercised — violating least privilege), cross-account access relationships, service accounts with excessive permissions, and public-facing resources with no authentication requirement. CIEM data often reveals that 90%+ of granted cloud permissions are never used — representing an enormous lateral movement surface for attackers who compromise any one identity.
SecOps Metrics and Maturity
20 min • MTTD, MTTR, KPIs, SOC maturity model, and program improvement
The essential SecOps metrics
MTTD (Mean Time to Detect) measures the average time between when an incident begins and when the security team becomes aware of it. IBM's Cost of a Data Breach Report 2024 found the global average MTTD is 194 days — meaning attackers operate in environments for over six months before detection. Mature SOCs target MTTD below 24 hours for critical incidents. MTTR (Mean Time to Respond/Remediate) measures the average time from detection to containment and remediation. The 2024 IBM report found average MTTR of 64 days — an attacker present for 64 days after detection has enormous lateral movement opportunity. MTTC (Mean Time to Contain) is increasingly used separately from MTTR to measure how quickly the spread of an incident is stopped, as distinct from full eradication and recovery.
| Metric | Definition | Industry average (2024) | Mature target |
|---|---|---|---|
| MTTD | Breach start → detection | 194 days | <24 hours for P1 |
| MTTC | Detection → containment | ~4 hours (P1) | <1 hour for P1 |
| MTTR | Detection → full remediation | 64 days | <30 days for P1 |
| False Positive Rate | False alerts / total alerts | ~65–80% | <30% for mature SOC |
| Alert-to-Case Rate | Alerts escalated to full investigation | Varies widely | All P1/P2 alerts → case |
| Vuln SLA compliance | Vulns remediated within SLA / total | Varies widely | ≥95% Critical within SLA |
SOC maturity models
Gartner's SOC maturity model and the MITRE SOAR maturity model both define progression from reactive to proactive operations. At Level 1 (Reactive/Ad-hoc): no formal SOC, reactive response only, minimal logging, no defined IR process. At Level 2 (Managed): SIEM deployed, defined alert triage, basic IR playbooks, reactive vulnerability management. At Level 3 (Defined): threat intelligence integration, proactive threat hunting, SOAR automation, defined metrics. At Level 4 (Quantitative): metrics-driven operations, continuous improvement, ATT&CK coverage measurement, purple team exercises. At Level 5 (Optimizing): threat-anticipatory operations, machine-speed detection, fully automated Tier 1 response, continuous red team feedback loop.
Most commercial organizations operate at Level 2–3. The progression from Level 2 to Level 3 — adding threat intelligence, proactive hunting, and SOAR automation — produces the most significant improvements in MTTD and MTTR for the investment. Organizations should target Level 3 before investing in Level 4 capabilities.
Course Assessment — Introduction to Modern Cybersecurity Operations
Completing all six modules qualifies you for the knowledge assessment. This course is a recommended prerequisite for the Cloud Security and Vulnerability Management practitioner courses.
| Assessment domain | Weight |
|---|---|
| SOC models and detection tooling | 20% |
| Threat intelligence and MITRE ATT&CK | 20% |
| Vulnerability management and prioritization | 20% |
| Incident response lifecycle and DFIR | 20% |
| Cloud security operations and metrics | 20% |
Capstone scenario
At 11:30 PM on a Friday, your SIEM fires a high-severity alert: a service account in AWS has made 4,000 API calls to s3:GetObject across a sensitive data bucket in the last 20 minutes. The service account was created 6 months ago and has rarely been used. Your threat intelligence platform shows the source IP is associated with a known data theft tool. Your task:
- Classify the incident severity and explain your rationale.
- Describe the first three containment actions and the order in which you take them.
- Identify what forensic evidence you need to collect and in what order.
- Explain how CIEM analysis of this service account would have been a preventive control.
- Describe the post-incident activities and what metrics this incident will affect.