Beyond the Alert

Dropzone AI

Beyond the Alert features security operations leaders and SOC professionals sharing battle-tested insights on scaling security capabilities, managing high-performing teams, and leveraging emerging technologies to transform their operations. Join us as we discuss investigation techniques, leadership strategies, and real-world approaches to delivering effective security outcomes in an increasingly complex environment.

  1. If it's predictable, it's preventable: Duaine Labno’s framework for staying ahead of incidents

    May 21

    Duaine Labno came up through law enforcement before taking over a workplace violence and threat assessment program, and that transition shaped everything about how he runs his threat intel teams. His team processes millions of data points and handles life-safety events in real time. What he lays out in this conversation is less about theory and more about the operational habits that separate teams who stay ahead of incidents from the ones reacting to them.

    Topics discussed:
    - Anticipating what comes next before it gets asked, and how Duaine trains analysts with no prior experience to think that way
    - Why treating incoming threat data as reliable by default is the single biggest mistake analysts make, and the multi-source verification process his team runs before any alert becomes actionable
    - The three-step decision process his team follows once an alert is verified: confirm it's real, assess impact on the client and public safety, then develop messaging and next steps simultaneously
    - How a modified incident command structure assigns clear roles during a live event so no one is pulled away from where the focus needs to be
    - Running scenario training with ambient sounds and real past incidents to close the gap between classroom readiness and performance under actual pressure
    - How media sensationalism of physical attacks drives copycat behavior, and what that pattern means for how threat teams should read today's domestic threat landscape
    - Reading his team's operational state by walking in and asking a few targeted questions, and why that beats any status update
    - Why urgency alone never moves executives, and how Duaine builds data-justified arguments to get resources and process changes approved after an incident
    - What he learned from interviewing a retired government threat analyst who couldn't carry a conversation, and why communication ability is a hard requirement for anyone on his team
    - "If it's predictable, it's preventable": his one-line framework for how every SOC and threat intelligence leader should start their day

    Listen to more episodes: Apple, Spotify, YouTube

    31 min
  2. What Happens When Your AI Agent Learns How to Escape Your Own Lab?

    May 7

    Dhruv Majumdar has 15 years across red teams, incident response, EY and Deloitte consulting, and co-founding an MDR company before Gartner coined the term. That history gives him a vantage point most vendor-side voices don't have: he's been the person buying tools, building detection programs from scratch, and managing ransomware incidents in real time. In this episode, he makes a clear case that the alert problem is a culture problem first and a technology problem second, and explains exactly why adding more agents to an overwhelmed SOC is the wrong answer. Dhruv draws from 13 ransomware incidents across his career, a 2019 near-miss that came down to three minutes before a hypervisor was fully encrypted, and a personal red team lab where one of his own AI agents escaped its network boundaries through a jump server it had learned to traverse during a prior session.

    Topics discussed:
    - Why scaling from 5,000 to 50,000 alerts won't be solved by more detection agents, and what the autonomous response risk actually costs
    - Applying the nuclear two-key principle to any application with widespread kinetic impact, and why single-admin golden keys are a policy failure, not a tech gap
    - Graph-based risk modeling over list-based inventory: cross-referencing MITRE ATT&CK behavior, time span, and response criteria to reduce 50,000 alerts to three users worth investigating
    - Shadow AI as an evolved shadow IT problem: prompt-injected MCP skills files, LiteLLM compromise, and why sandboxing means nothing if you don't burn session tokens after every AI interaction
    - Detecting unauthorized AI in your environment the same way you'd detect malware: unexpected cron jobs, PowerShell calls, and launch control anomalies as behavioral signals
    - Known known vs. known unknown vs. unknown unknown as a SOC maturity diagnostic, and why most teams are still operating in the first tier
    - Who audits the auditor: EDR silencers, log corruption, and the gap between what you think you're seeing and what's actually bypassing your stack
    - What prevented full encryption during a live 2019 ransomware event: a 24-hour audit log re-reviewed by an ML algorithm that flagged the miss seven hours later, plus a SOAR block with three minutes to spare

    Listen to more episodes: Apple, Spotify, YouTube

    55 min
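The two-key principle from this episode, as an added worked example: this is illustrative code written for this page, not Dhruv's or Dropzone AI's implementation. It assumes a response action is identified by a name plus a parameter dict, that approvers are identified by a string principal, and that approvals expire after a short window; the action name `isolate_hosts`, the principals and the timestamps are all constructed for the demo.

```python
"""Two-key gate for high-impact response actions.

Added example (not code from the episode or from Dropzone AI). Assumptions:
an action is (name, params dict), approvers are string principals, approvals
expire after a short window, and state is held in memory for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone


class ApprovalError(Exception):
    """Raised when an action lacks the required second key."""


def action_digest(action, params):
    # Bind every approval to the exact action and parameters, so an approval for
    # "isolate ws-017" can never be reused to authorize "isolate all hosts".
    canon = json.dumps({"action": action, "params": params},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class TwoKeyGate:
    def __init__(self, required=2, window=timedelta(minutes=15)):
        self.required = required      # distinct principals who must act, requester included
        self.window = window          # approvals older than this are ignored
        self._approvals = {}          # digest -> {principal: approved_at}

    def approve(self, principal, action, params, now):
        digest = action_digest(action, params)
        self._approvals.setdefault(digest, {})[principal] = now
        return digest

    def execute(self, requester, action, params, now, run):
        digest = action_digest(action, params)
        # The requester is key one; only other principals' fresh approvals count.
        others = {p for p, t in self._approvals.get(digest, {}).items()
                  if p != requester and now - t <= self.window}
        needed = self.required - 1
        if len(others) < needed:
            raise ApprovalError(f"{action}: needs {needed} other approver(s), have {len(others)}")
        self._approvals.pop(digest, None)  # single-use: a consumed approval cannot be replayed
        return run(action, params)


def attempt(gate, requester, action, params, now, run):
    """Return the action result, or a 'denied: ...' string, so outcomes can be logged."""
    try:
        return gate.execute(requester, action, params, now, run)
    except ApprovalError as exc:
        return f"denied: {exc}"


def demo():
    """Walk through the failure modes the gate is meant to close."""
    def isolate(action, params):  # stand-in for the real EDR/SOAR call (assumption)
        return ("isolated", tuple(params["hosts"]))

    gate = TwoKeyGate()
    t0 = datetime(2026, 5, 7, 10, 0, tzinfo=timezone.utc)
    narrow = {"hosts": ["ws-017"]}
    broad = {"hosts": ["all"]}
    out = []
    out.append(attempt(gate, "alice", "isolate_hosts", broad, t0, isolate))    # no second key
    gate.approve("bob", "isolate_hosts", narrow, t0)
    out.append(attempt(gate, "alice", "isolate_hosts", broad, t0, isolate))    # approval is for a narrower scope
    out.append(attempt(gate, "alice", "isolate_hosts", narrow, t0, isolate))   # both keys turned
    out.append(attempt(gate, "alice", "isolate_hosts", narrow, t0, isolate))   # replay of a consumed approval
    gate.approve("alice", "isolate_hosts", broad, t0)
    out.append(attempt(gate, "alice", "isolate_hosts", broad, t0, isolate))    # self-approval does not count
    gate.approve("bob", "isolate_hosts", broad, t0)
    out.append(attempt(gate, "alice", "isolate_hosts", broad, t0 + timedelta(minutes=16), isolate))  # stale
    gate.approve("bob", "isolate_hosts", broad, t0 + timedelta(minutes=16))
    out.append(attempt(gate, "alice", "isolate_hosts", broad, t0 + timedelta(minutes=17), isolate))  # fresh
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

`required` is the number of distinct principals who must act, requester included, so an agent-initiated action can be held to two human approvers by setting `required=3`. A production version would persist approvals in an audited store, take the approver identity from an authenticated channel rather than a caller-supplied string, and sign the digest, but the three properties worth copying are already here: the approval is bound to the exact parameters, it cannot come from the requester, and it is consumed on use.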
  3. Elastic's Darren LaCasse on Why SOC Teams Should Sort Alerts by Volume Before Severity

    Mar 26

    Darren LaCasse, Director of Threat Intelligence, Detection, & Response at Elastic, makes a case that most SOC leaders are solving alert fatigue the wrong way. Starting with critical alerts keeps teams treading water. His approach of sorting by volume first, clearing the biggest bucket, then using that momentum to ask why those alerts existed at all separates short-term queue management from the actual tuning work. He also walks through how his team built an in-house AI agent that cross-references threat intelligence against their own vendor lists, software asset inventory, and vulnerability data before it ever reaches a detection engineer, filtering hundreds of daily articles down to what is actually relevant to their environment. Beyond tooling, Darren challenges how the industry frames the talent shortage. He does not think it is a skills problem. He thinks employers do not want to make the long-term investment in junior analysts, and that avoidance is where burnout compounds. He talks about how he leads that differently: sharing his own mistakes openly, encouraging his team to document every decision so he can back them up, and what he actually looks for when hiring (someone who has solved a real business problem creatively, not a polished resume).

    Topics discussed:
    - Reframing alert prioritization by sorting queues on volume rather than severity to build analyst momentum and reduce backlog
    - Using historical alert data to identify chronic tuning problems versus one-time spikes in SOC queue volume
    - Building in-house AI agents that cross-reference threat intelligence against asset inventory and vulnerability data for environment-specific relevance
    - Translating threat intelligence deliverables into detection rules by running source reports through AI agents and validating against internal data lakes
    - Evolving detection engineering from static, hand-built rules toward dynamic, AI-assisted scoring systems that aggregate signals into actionable investigations
    - Reframing the cybersecurity talent shortage as an employer investment problem rather than a pipeline or skills gap
    - Building team cultures where analysts feel safe to document decisions, admit mistakes, and take time off without guilt
    - Predicting the SOC analyst role shifting toward agent management, including tuning, output validation, and QA across AI-assisted workflows

    Listen to more episodes: Apple, Spotify, YouTube

    36 min
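Volume-first sorting and the chronic-versus-spike distinction from this episode, as an added worked example: this is illustrative code written for this page, not Darren's or Elastic's tooling. It assumes the queue is available as (rule name, severity, timestamp) tuples with two weeks of history, and the rule names, counts and the fixed "now" are constructed sample data.

```python
"""Volume-first triage of a SOC alert queue.

Added example, not code from the episode or from Elastic. It assumes a queue
export of (rule_name, severity, timestamp) tuples with ~14 days of history;
the rule names and counts below are constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean

NOW = datetime(2026, 3, 26, 12, 0)  # fixed "now" so the sample data is reproducible


def make_queue():
    """Constructed queue: one chronic noisy rule, one single-day spike, a few criticals."""
    rows = []
    for day in range(14):                       # ~40/day every day: a tuning problem
        for i in range(40):
            rows.append(("suspicious_powershell_encoded", "low",
                         NOW - timedelta(days=day, minutes=i)))
    for i in range(150):                        # 150 today, none before: one event
        rows.append(("okta_new_device_login", "medium", NOW - timedelta(minutes=i)))
    for i in range(3):                          # small and genuinely new
        rows.append(("edr_ransomware_behavior", "critical", NOW - timedelta(hours=i)))
    return rows


def volume_buckets(alerts, window_days=1):
    """Rules in the current window, largest bucket first (volume before severity)."""
    cutoff = NOW - timedelta(days=window_days)
    counts = Counter(rule for rule, _sev, ts in alerts if ts > cutoff)
    return counts.most_common()


def daily_counts(alerts, rule, days=14):
    """Per-day hit counts for one rule; index 0 is today, index days-1 the oldest day."""
    per_day = defaultdict(int)
    for name, _sev, ts in alerts:
        if name == rule:
            per_day[(NOW - ts).days] += 1
    return [per_day.get(d, 0) for d in range(days)]


def classify(alerts, rule, days=14, spike_factor=3.0):
    """'chronic': fires on most days at a steady rate -> tune the rule.
    'spike': today far exceeds history -> find the one cause behind the bucket.
    'normal': nothing unusual about the volume -> investigate individually."""
    series = daily_counts(alerts, rule, days)
    today, history = series[0], series[1:]
    active_days = sum(1 for c in history if c > 0)
    hist_mean = mean(history) if history else 0.0
    if active_days >= 0.7 * len(history) and today <= max(spike_factor * hist_mean, 1):
        return "chronic"
    if today > spike_factor * max(hist_mean, 1):
        return "spike"
    return "normal"


ACTIONS = {
    "chronic": "tune or suppress at the source, then bulk-close",
    "spike": "identify the single cause, then bulk-close",
    "normal": "investigate individually",
}


def triage_plan(alerts):
    """Ordered work plan: (rule, count today, classification, action), biggest bucket first."""
    plan = []
    for rule, count in volume_buckets(alerts):
        kind = classify(alerts, rule)
        plan.append((rule, count, kind, ACTIONS[kind]))
    return plan


if __name__ == "__main__":
    for rule, count, kind, action in triage_plan(make_queue()):
        print(f"{count:5d}  {rule:32s} {kind:8s} {action}")
```

The thresholds (70% of days active, a 3x jump over the historical mean) are assumptions to tune against your own queue. The point the code makes concrete is that the two biggest buckets get different work: the chronic rule is a detection-engineering task, the spike is one investigation, and neither is 190 individual tickets.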
  4. ECS's Dave Howard & Jesse Mainor on 40% Faster Triage with 12 Analysts & 30K Monthly Alerts

    Mar 12

    ECS now operates with 12 tier-one analysts instead of 14 while triaging 30,000 monthly alerts, achieving a 40% reduction in mean time to triage for Dropzone-handled alerts. Dave Howard, Senior Director of Cyber Operations, and Jesse Mainor, SOC Manager, built a hybrid model where alert sources flow to SOAR first for initial enrichment and configured auto-closure patterns, then route remaining alerts to Dropzone for structured investigation before landing in ServiceNow with complete context. Their governance approach required SOC 2 Type 2 certification as a blocking requirement before evaluating any AI vendor, to prevent downstream compliance issues. Dave shares how his leadership philosophy comes from his military background: servant leadership that flips the organizational pyramid upside down, empowering teams to deliver outcomes while removing roadblocks. Jesse prioritizes hiring for curiosity over credentials, looking for investigative instinct and comfort with ambiguous, incomplete data rather than training on technical tools.

    Topics discussed:
    - Building leadership buy-in for AI implementation by framing alert volume as an unsustainable headcount-scaling problem
    - Establishing SOC 2 Type 2 compliance as a blocking requirement before AI vendor evaluation to prevent downstream governance failures
    - SOAR-to-Dropzone architecture where SOAR handles initial enrichment before routing alerts for structured AI investigation
    - Breaking the linear MSSP hiring model where new clients traditionally required proportional analyst headcount to handle alert volume
    - Defining POV success criteria across five operational targets: alert overload, mean time to triage, handling consistency, context enrichment, scalability
    - Training separate Dropzone tenants per client environment, since identical alert types require different triage logic based on context
    - Reducing analyst burnout by eliminating queue-clearing pressure and enabling deep-dive investigations, threat hunting, and detection engineering upskilling
    - Applying servant leadership principles from a military background to flip the organizational hierarchy and empower SOC teams to deliver outcomes
    - Hiring for curiosity over credentials by prioritizing investigative instinct and comfort with ambiguous, incomplete data in security analysts
    - Maintaining a 3.2% annual attrition rate through empowering analysts, providing space for mistakes, and a servant leadership approach

    Listen to more episodes: Apple, Spotify, YouTube

    41 min
  5. How Analyst Feedback Says More Than Any SOC

    Feb 26

    Austin Amraen, SOC Director at CommandLink, has built SOC teams from the ground up multiple times, and his approach challenges some of the field's most accepted assumptions. He rejects the tier-one-to-tier-three analyst model entirely, arguing that the biggest capability gap in most mature stacks isn't endpoint or identity but unmonitored network traffic, and measures SOC effectiveness not by MTTD or MTTR but by whether analysts are surfacing zero-days and proposing detection methods on their own. Austin explains why most organizations have the firewall running but nobody assigned to watch what is actually moving through it, and what C2 communications, unusual outbound connections, and open ports look like when someone is finally asking "that's different, what is that?" He also gets into how he handles burnout in practice: mandatory lunch every day, one-on-ones built around career goals rather than company goals, and why process improvements that free up analyst time without reducing workload just move the problem around.

    Topics discussed:
    - Rejecting the tier-one-to-tier-three SOC model in favor of hiring senior analysts who can build and adapt
    - NDR as the most overlooked capability gap in organizations with mature EDR, SIEM, and identity coverage
    - Monitoring firewall traffic logs to detect C2 communications, unusual outbound connections, and unauthorized port activity
    - Measuring SOC effectiveness through analyst-driven threat intelligence and direct customer feedback rather than MTTD and MTTR
    - Applying micro-macro thinking from military intelligence to widen investigation scope beyond the immediate alert
    - Preventing burnout through workload ownership, career-goal conversations, and avoiding process improvements that mask headcount gaps
    - Building executive trust through data-driven options frameworks that give leadership decision authority on security investments
    - Hiring for non-traditional backgrounds to build analyst teams with diverse problem-solving approaches and thought processes

    Listen to more episodes: Apple, Spotify, YouTube

    38 min
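What "watching what is actually moving through the firewall" looks like in code, as an added worked example: this is illustrative detection logic written for this page, not Austin's or CommandLink's tooling. The log format (key=value fields after an ISO timestamp), the assumption that 10/8 is the only internal range, and the allow-list of sanctioned egress ports are all assumptions, and the log lines are constructed so the example runs offline. It flags two of the three signals the episode names, periodic C2-style beaconing and allowed connections on unsanctioned ports; "unusual outbound" more broadly needs a baseline of normal destinations that a toy sample cannot carry.

```python
"""Watching firewall traffic logs for C2-style beaconing and unauthorized egress ports.

Added example, not code from the episode or from CommandLink. The log format,
the 10/8 internal range and the egress port allow-list are assumptions; the
sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)
ALLOWED_EGRESS_PORTS = {53, 80, 443}  # assumption: the sanctioned outbound ports


def build_sample_log():
    """Constructed log: one host beaconing every ~60s, one host browsing irregularly,
    one host connecting outbound on port 4444, and one malformed line."""
    t0 = datetime(2026, 2, 26, 9, 0, tzinfo=timezone.utc)

    def line(ts, src, dst, dport):
        return f"{ts:%Y-%m-%dT%H:%M:%SZ} action=allow src={src} dst={dst} dport={dport} proto=tcp"

    lines = []
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 2, 0, 1]):
        lines.append(line(t0 + timedelta(seconds=60 * i + jitter), "10.20.4.17", "203.0.113.45", 443))
    for gap in [0, 7, 95, 130, 131, 400, 905, 1800]:
        lines.append(line(t0 + timedelta(seconds=gap), "10.20.4.22", "203.0.113.80", 443))
    lines.append(line(t0 + timedelta(seconds=300), "10.20.4.9", "198.51.100.7", 4444))
    lines.append("2026-02-26T09:05:01Z malformed entry that the parser should skip")
    return lines


def parse(lines):
    events = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # unknown format: skip the line rather than crash the whole job
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_internal(ip):
    return ip.startswith("10.")  # assumption: 10/8 is the only internal range


def outbound(events):
    """Allowed connections from an internal source to an external destination."""
    return [e for e in events if e["action"] == "allow"
            and is_internal(e["src"]) and not is_internal(e["dst"])]


def find_beacons(events, min_hits=6, max_cv=0.15):
    """Flag flows whose connection intervals are nearly constant: a low coefficient of
    variation (stdev/mean) over at least min_hits connections is the beacon signature.
    Human browsing produces bursty, irregular gaps and is not flagged."""
    by_flow = defaultdict(list)
    for e in outbound(events):
        by_flow[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    findings = []
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"flow": flow, "hits": len(times),
                             "period_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


def find_unauthorized_ports(events, allowed=ALLOWED_EGRESS_PORTS):
    """Outbound flows the firewall allowed on a port nobody sanctioned."""
    return sorted({(e["src"], e["dst"], e["dport"]) for e in outbound(events)
                   if e["dport"] not in allowed})


if __name__ == "__main__":
    evts = parse(build_sample_log())
    for finding in find_beacons(evts):
        print("beacon:", finding)
    for flow in find_unauthorized_ports(evts):
        print("unauthorized port:", flow)
```

Two caveats a practitioner would want. An implant that randomizes its sleep will raise the coefficient of variation above a tight threshold, so in practice the interval test is paired with other signals (long-lived low-volume flows, rare destinations, request size uniformity) rather than used alone. And a firewall log only records what the firewall saw; if egress on port 4444 was never logged because no rule matched, this check is blind to it, which is the "nobody is watching" gap the episode describes.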
  6. Sneha Regmi on Using Blameless Retros to Enable High-Pressure Decisions

    Feb 10

    Sneha Regmi, Director of Security Operations & Resilience Engineering at a major Financial Services organization, has an incident command framework that prioritizes scope and impact determination over immediate containment, even when executives are panicking. Her teams assign ownership in the first 60 seconds, then the lead verbalizes every decision and the next three actions aloud, a continuous narration that keeps stakeholders aligned and prevents chaos. She pulls subject matter experts into preliminary investigations early, building credibility to make time-sensitive calls later without second-guessing. On insider threat, Sneha flips the standard monitoring-first approach. Her framework starts with prevention controls around business-critical systems, then layers detection only where prevention blocks legitimate work. Prevention without detection leaves blind spots; detection without prevention means everything looks normal until it's not. Her teams renamed the program from "insider threat" to "insider risk" after realizing the original framing damaged organizational trust.

    Topics discussed:
    - Assigning incident ownership within the first 60 seconds and verbalizing every decision to prevent stakeholder panic
    - Eliminating traditional tiered SOC structures in favor of engineering-enabled responders who write detections and handle incident response
    - Prioritizing scope and impact determination over immediate containment to avoid rushing decisions during high-pressure incidents
    - Building blameless retrospective practices that enable teams to make split-second decisions without fear during future critical situations
    - Implementing prevention-first insider threat frameworks around business-critical systems before layering detection controls
    - Pulling subject matter experts into preliminary investigations early to build credibility for time-sensitive containment decisions later
    - Managing security operations burnout by setting clear escalation criteria for weekend pages versus business-hours workflows
    - Leveraging AI and automation for alert backlog triage while reserving human decision-making for high-impact critical investigations

    50 min
  7. The commodity vs. custom threat split: How automation reshapes SOC work | Allen Carter

    Jan 22

    Allen Carter, former Director of IT Security Operations, ran security operations at Gilead Sciences for a decade, building three teams including a global SOC across India, the UK, and multiple US locations. He developed an approach to burnout prevention where managers function as coaches who spot which team members are "struggling with a twisted ankle" before exhaustion hits. When onboarding SOAR to automate repetitive alerts, his team saw the technology as a relief, but the implementation work to eliminate false positives nearly burned them out. He learned to celebrate the completion milestone explicitly to maintain morale through the grind. Allen's incident reporting framework separates security from IT incidents. Whereas IT outages demand "all hands on deck," security incidents require controlled information flow; the wrong person panicking early can trigger a cascade worse than the breach itself. His dual template system keeps operational details within security while board-level reports stay sanitized. He also touches on how, for technology evaluation in pharma R&D environments, less than half of out-of-the-box vendor alerts proved useful. His OT/IoT deployment went operational with massive data volumes that weren't actionable, forcing reactive tuning. Vendor relationships that prioritize understanding your non-commodity threats outweigh feature matrices.

    Topics discussed:
    - Building institutional training programs that create visible advancement pathways for SOC analysts beyond graveyard-shift roles
    - Implementing manager-as-coach models to identify team member burnout signals before exhaustion impacts performance and retention
    - Distinguishing security vs. IT incident response through controlled information flow versus all-hands-on-deck escalation approaches
    - Creating dual incident reporting templates that maintain operational details internally while providing board-optimized communication
    - Evaluating security tech vendors based on relationship quality and non-commodity threat understanding, not feature matrix comparisons
    - Managing post-deployment tuning for OT/IoT monitoring to filter unusable industrial control data in operational environments
    - Addressing clinical trial security risks where third-party hospital breaches can invalidate months of patient treatment data
    - Hiring SOC analysts with deep technical networking knowledge over candidates with security certifications but shallow IT foundations

    Listen to more episodes: Apple, Spotify, YouTube

    44 min
  8. How to Stop SOC Analyst Burnout: Peacetime vs Wartime Framework

    Jan 8

    Robert Maxwell, Security Operations Leader, has a peacetime versus wartime operating model that gives analysts flexibility during normal operations to balance out the 16-hour days that often happen during incidents. He also automated Google Drive "did you share this publicly on purpose?" alerts into Slack bot interactions, eliminating repetitive analyst work. Robert amplifies team successes upward and absorbs criticism downward, and warns that scope creep kills incident response teams when executives reassign them to vulnerability management because "the IR team is good at fixing things." He touches on how eliminating entry-level roles destroys the talent pipeline for Tier 2 and Tier 3, and how alert prioritization judgment comes from processing thousands of alerts under time pressure.

    Topics discussed:
    - Using "explain how the internet works" interview questions to identify candidates who demonstrate intellectual honesty and research skills
    - Peacetime vs. wartime operating models that balance analyst flexibility during normal operations with intensive incident response expectations
    - Automating repetitive Google Drive security alerts through Slack bot interactions to free analysts from time-consuming workflow tasks
    - Maintaining 8-12 direct report spans of control to enable meaningful people development rather than administrative timecard management
    - Preventing scope creep that transforms effective incident response teams into catch-all security functions
    - Preserving Tier 1 analyst roles as essential talent pipelines for developing Tier 2 and Tier 3 expertise through alert triage experience
    - Building alert prioritization judgment through thousands of real-world investigations rather than skipping directly to complex security work
    - Addressing staffing redundancy failures that ignore team vacation patterns and create unsustainable SOC coverage gaps

    Listen to more episodes: Apple, Spotify, YouTube

    34 min
