Beyond the Alert

Dropzone AI

Beyond the Alert features security operations leaders and SOC professionals sharing battle-tested insights on scaling security capabilities, managing high-performing teams, and leveraging emerging technologies to transform their operations. Join us as we discuss investigation techniques, leadership strategies, and real-world approaches to delivering effective security outcomes in an increasingly complex environment.

  1. How Analyst Feedback Says More Than Any SOC

    FEB 26


    Austin Amraen, SOC Director at CommandLink, has built SOC teams from the ground up multiple times, and his approach challenges some of the field's most accepted assumptions. He rejects the tier-one-to-tier-three analyst model entirely, arguing that the biggest capability gap in most mature stacks isn't endpoint or identity but unmonitored network traffic, and measures SOC effectiveness not by MTTD or MTTR but by whether analysts are surfacing zero-days and proposing detection methods on their own. Austin explains why most organizations have the firewall running but nobody assigned to watch what is actually moving through it and what C2 communications, unusual outbound connections, and open ports look like when someone is finally asking "that's different, what is that?" He also gets into how he handles burnout in practice: mandatory lunch every day, one-on-ones built around career goals rather than company goals, and why process improvements that free up analyst time without reducing workload just move the problem around. 
    Topics Discussed:
      Rejecting the tier-one-to-tier-three SOC model in favor of hiring senior analysts who can build and adapt
      NDR as the most overlooked capability gap in organizations with mature EDR, SIEM, and identity coverage
      Monitoring firewall traffic logs to detect C2 communications, unusual outbound connections, and unauthorized port activity
      Measuring SOC effectiveness through analyst-driven threat intelligence and direct customer feedback rather than MTTD and MTTR
      Applying micro-macro thinking from military intelligence to widen investigation scope beyond the immediate alert
      Preventing burnout through workload ownership, career-goal conversations, and avoiding process improvements that mask headcount gaps
      Building executive trust through data-driven options frameworks that give leadership decision authority on security investments
      Hiring for non-traditional backgrounds to build analyst teams with diverse problem-solving approaches and thought processes

    38 min
  2. Sneha Regmi on Using Blameless Retros to Enable High-Pressure Decisions

    FEB 10


    Sneha Regmi, Director of Security Operations & Resilience Engineering at a major Financial Services organization, has an incident command framework that prioritizes scope and impact determination over immediate containment, even when executives are panicking. Her teams assign ownership in the first 60 seconds, then the lead verbalizes every decision and next three actions aloud, continuous narration that keeps stakeholders aligned and prevents chaos. She pulls subject matter experts into preliminary investigations early, building credibility to make time-sensitive calls later without second-guessing. On insider threat, Sneha flips the standard monitoring-first approach. Her framework starts with prevention controls around business-critical systems, then layers detection only where prevention blocks legitimate work. Prevention without detection leaves blind spots; detection without prevention means everything looks normal until it's not. Her teams renamed the program from "insider threat" to "insider risk" after realizing the original framing damaged organizational trust.
    Topics Discussed:
      Assigning incident ownership within the first 60 seconds and verbalizing every decision to prevent stakeholder panic
      Eliminating traditional tiered SOC structures in favor of engineering-enabled responders who write detections and handle incident response
      Prioritizing scope and impact determination over immediate containment to avoid rushing decisions during high-pressure incidents
      Building blameless retrospective practices that enable teams to make split-second decisions without fear during future critical situations
      Implementing prevention-first insider threat frameworks around business-critical systems before layering detection controls
      Pulling subject matter experts into preliminary investigations early to build credibility for time-sensitive containment decisions later
      Managing security operations burnout by setting clear escalation criteria for weekend pages versus business-hours workflows
      Leveraging AI and automation for alert backlog triage while reserving human decision-making for high-impact critical investigations

    50 min
  3. The commodity vs. custom threat split: How automation reshapes SOC work | Allen Carter

    JAN 22


    Allen Carter, former Director of IT Security Operations, ran security operations at Gilead Sciences for a decade, building three teams including a global SOC across India, the UK, and multiple US locations. He developed an approach to burnout prevention where managers function as coaches who spot which team members are "struggling with a twisted ankle" before exhaustion hits. When onboarding SOAR to automate repetitive alerts, his team saw the technology as a relief, but the implementation work to eliminate false positives nearly burned them out. He learned to celebrate the completion milestone explicitly to maintain morale through the grind. Allen's incident reporting framework separates security from IT incidents. Whereas IT outages demand "all hands on deck," security incidents require controlled information flow; the wrong person panicking early can trigger a cascade worse than the breach itself. His dual template system keeps operational details within security while board-level reports stay sanitized. He also touches on how, for technology evaluation in pharma R&D environments, less than half of out-of-the-box vendor alerts proved useful. His OT/IoT deployment went operational with massive data volumes that weren't actionable, forcing reactive tuning. Vendor relationships that prioritize understanding your non-commodity threats outweigh feature matrices.
    Topics Discussed:
      Building institutional training programs that create visible advancement pathways for SOC analysts beyond graveyard shift roles
      Implementing manager-as-coach models to identify team member burnout signals before exhaustion impacts performance and retention
      Distinguishing security vs IT incident response through controlled information flow versus all-hands-on-deck escalation approaches
      Creating dual incident reporting templates that maintain operational details internally while providing board-optimized communication
      Evaluating security tech vendors based on relationship quality and non-commodity threat understanding, not feature matrix comparisons
      Managing post-deployment tuning for OT/IoT monitoring to filter unusable industrial control data in operational environments
      Addressing clinical trial security risks where third-party hospital breaches can invalidate months of patient treatment data
      Hiring SOC analysts with deep technical networking knowledge over candidates with security certifications but shallow IT foundations

    44 min
  4. How to Stop SOC Analyst Burnout: Peacetime vs Wartime Framework

    JAN 8


    Robert Maxwell, Security Operations Leader, has a peacetime versus wartime operating model that gives analysts flexibility during normal operations to balance out the 16-hour days that often happen during incidents. He also automated Google Drive "did you share this publicly on purpose?" alerts into Slack bot interactions, eliminating repetitive analyst work. Robert also amplifies team successes upward and absorbs criticism downward, but scope creep kills incident response teams when executives reassign them to vulnerability management because "the IR team is good at fixing things." He touches on how eliminating entry-level roles destroys the talent pipeline for Tier 2 and Tier 3 and that alert prioritization judgment comes from processing thousands under time pressure.
    Topics Discussed:
      Using "explain how the internet works" interview questions to identify candidates who demonstrate intellectual honesty and research skills
      Peacetime vs wartime operating models that balance analyst flexibility during normal operations with intensive incident response expectations
      Automating repetitive Google Drive security alerts through Slack bot interactions to free analysts from time-consuming workflow tasks
      Maintaining 8-12 direct report spans of control to enable meaningful people development rather than administrative timecard management
      Preventing scope creep that transforms effective incident response teams into catch-all security functions
      Preserving Tier 1 analyst roles as essential talent pipelines for developing Tier 2 and Tier 3 expertise through alert triage experience
      Building alert prioritization judgment through thousands of real-world investigations rather than skipping directly to complex security work
      Addressing staffing redundancy failures that ignore team vacation patterns and create unsustainable SOC coverage gaps

    34 min
  5. How to Build Efficient Security Teams with AI and Automation

    12/18/2025


    Joe Albers, Director of Information Security Operations at Element Solutions, Inc., manages a six-person follow-the-sun security team with a counterintuitive framework: accept reduced alert coverage for 6 months while building strategic automation, then gain exponentially more capacity for threat hunting. His approach to AI rejects black box solutions in favor of transparent contextual enrichment that surfaces device background, related tickets, IP ownership, and cross-tool correlations directly to analysts. The OT security challenge exposes assumptions that break outside corporate IT. Joe manages environments where patching happens quarterly instead of instantly, and upgrading security tools can void warranties on multimillion-dollar control systems. His vulnerability management shifts from immediate remediation to detailed risk registers documenting why specific vulnerabilities cannot be mitigated and what compensating controls exist instead.
    Topics Discussed:
      Why deliberately sacrificing short-term alert triage for strategic automation buildout creates exponentially more SOC capacity
      How transparent AI augmentation through contextual enrichment accelerates junior analyst development without replacing human judgment
      The leadership framework that treats analyst mistakes as team failures rather than individual performance issues, creating psychological safety
      Why IT security's instant patching model breaks in OT environments where quarterly cycles, warranty constraints, and production disruption risks require risk registers over rapid remediation
      How threat actors consistently exploit holiday periods when SOC staffing drops and response capacity diminishes
      The vulnerability management shift from immediate IT patching to OT risk documentation
      Why hiring for curiosity and basic networking knowledge produces better security analysts than extensive credentials
      How to present security ROI by translating annual tool costs into prevented business losses
      Why succession planning focuses on identifying analysts who actively ask why and how rather than those with the most certifications

    44 min
  6. Advanced Persistent Threats Targeting Nonprofits Explained

    12/04/2025


    Robert Keefer, Associate Director of Security Operations at The Pew Charitable Trusts, has reversed the traditional security equation by building defense in depth that forces attackers to succeed multiple times rather than once. Unlike opportunistic criminal attacks that move on when initial methods fail, nation-state actors now specifically target nonprofits to destroy their ability to gather and disseminate truth, requiring continuous defense rather than single-point protection. His framework combines outsourced SOC providers, automated response systems, and zero trust principles, creating multiple layers where each bypass triggers immediate team response. Robert positions security as a mission enabler rather than cataloging potential disasters, showing executives how to navigate regulatory requirements like GDPR without disrupting operations. He builds partnerships by being prescriptive about security goals while leaving implementation entirely to subject matter experts, treating each team member as a force multiplier rather than someone to micromanage. The philosophy extends to talent retention through genuine work-life balance where vacation means complete disconnection, mission-driven hiring that attracts people who prioritize purpose over maximum compensation, and vulnerability as a leadership strength.
    Topics Discussed:
      Why nation-state actors now specifically target nonprofits, requiring different defense models than opportunistic criminal attacks
      Building defense in depth that forces attackers to succeed multiple times before reaching valuable assets rather than defending perfectly
      The prescriptive rather than proscriptive security approach that defines goals while leaving implementation to subject matter experts
      How outsourced SOC providers enable continuous level-one triage through hundreds of rotating analysts who stay alert
      Getting executive buy-in by positioning security as a mission enabler that streamlines operations
      Attracting and retaining security talent through mission alignment, genuine work-life balance, and vulnerability as leadership strength
      The shift from passwords to passphrases with MFA that eliminated help desk bottlenecks and half-day downtimes for remote workers
      Why security leadership has become a people role, with effective leaders spending time away from computers to build partnerships
      The democratization of cybersecurity decision-making as organizations split CISO responsibilities by function and push security decisions down to teams doing day-to-day work

    40 min
  7. Interview Questions That Predict SOC Analyst Burnout Risk

    11/20/2025


    Andrew “AJ” Jarrett, Director of Cyber Monitoring & Incident Response at DTCC, applies emergency response frameworks from his firefighting career to build SOC teams that execute under pressure rather than panic. His approach centers on the Incident Command System, where establishing clear roles, management by objectives, and documentation unit leaders replaces ad-hoc crisis response. Even junior analysts cycle through incident commander roles, building muscle memory for when real incidents strike at 2AM. The apprenticeship pipeline in cybersecurity faces an existential threat as organizations rush to replace tier one analysts with AI. AJ identifies this as the critical challenge for the next 5 years, not because automation is wrong but because eliminating entry-level roles breaks the path to developing tier-three analysts and team leads. His interview process prioritizes soft skills over technical certifications, asking candidates about their stress management systems, ethical decision-making frameworks, and whether they have hobbies beyond studying more cybersecurity.
    Topics Discussed:
      How the Incident Command System from emergency response creates SOC teams that execute rather than panic when incidents strike
      Why improving the signal-to-noise ratio through obsessive tuning matters more than adding new security tools for managing alert volume
      Interview questions that reveal whether candidates can handle SOC pressure, such as asking about their support systems and personal ethics
      Why promoting technical experts into people management roles without leadership development creates more bad managers
      How PTO as "prepare the others" ensures analysts can disconnect completely rather than remaining tethered to unfinished work
      The apprenticeship crisis emerging as organizations eliminate tier-one roles without preserving the pipeline for developing senior analysts
      Why AI analysts need extensive training from senior team members before junior analysts can learn from them without oversight
      Moving security budget conversations from fear, uncertainty, and doubt toward quantified risk management that executives can evaluate
      The shift from location-based security models to zero trust architectures accelerated by pandemic-driven remote work adoption

    41 min
  8. TransUnion's Eder Ribeiro on Teaching "Barney Style" and with Empathy

    11/06/2025


    When a threat actor threw seven different responders and law firms into the same ransomware negotiation chat, Eder Ribeiro, Director of Global Incident Response at TransUnion, came away with what became his framework for managing global incident response: map the data, map the people, and look as holistically as possible before acting. To do this, executive trust must be built long before the 3AM phone call requiring million-dollar decisions. Eder breaks down complex security issues "Barney style" and with empathy, remembering that instruction works best when adapted to how the audience receives it, not how the teacher wants to give it. For emerging AI risks, he's tracking prompt injection as the attack vector that creates a more linear path to data, particularly in enterprise bundle add-ons that sit in the gray zone between public tools and properly isolated solutions. When investigations spiral, he returns to "control the controllables," resets without finger-pointing, and compresses what should take weeks into days. His military-informed leadership philosophy centers on generating agency and freedom for his team, accepting that incident response inherently lacks balance and compensating through daily autonomy.
    Topics Discussed:
      Learning holistic incident response through multi-responder ransomware coordination requiring collaboration
      Building executive trust through "Barney style" communication that adapts technical concepts to how leadership receives information
      Developing IR leaders through time-based training requiring exposure to diverse stakeholder reactions rather than seeking unicorn hires
      Mapping both data and people as critical incident response variables beyond traditional digital tooling and endpoint visibility
      Controlling the controllables during spiraling incidents by resetting without blame and compressing investigation timelines
      Tracking prompt injection as an emerging AI attack vector creating linear data access paths through enterprise bundle add-ons
      Generating agency and freedom as a leadership philosophy compensating for incident response's inherent lack of work-life balance
      Retraining security awareness beyond grammar errors as AI-powered phishing eliminates traditional detection indicators

    26 min
