# SOC Manager Entry Path

Audience: SOC Manager, SOC Lead, Shift Manager

Purpose: Use this guide to run the SOC day to day, set cadence, and enforce quality.
```mermaid
graph TD
A["Review Scope and Staffing"] --> B["Set Operating Rhythm"]
B --> C["Enforce Triage and Handoff"]
C --> D["Track Metrics and Gaps"]
D --> E["Improve Process Monthly"]
```
## 1. Start Here
- Confirm the SOC service scope, staffing model, and escalation authority.
- Confirm which use cases, log sources, and playbooks are in active production.
- Confirm shift coverage, queue ownership, and manager-on-call expectations.
## 2. Read These Documents First
- Review SOC Team Structure to confirm role boundaries.
- Review Shift Handoff to standardize shift turnover.
- Review SOC Checklists to enforce minimum operational quality.
- Review SOC Metrics to align on measurement and review cadence.
## 3. Decisions You Own
- Decide queue priorities, staffing allocation, and escalation duty coverage.
- Decide when recurring false positives justify tuning work or engineering backlog.
- Decide when an alert handling issue becomes a process failure instead of a single-case error.
- Decide which unresolved gaps need executive escalation, additional training, or staffing changes.
## 4. Minimum Outputs Expected From the Team
- A complete shift handoff with open cases, risks, blockers, and owner changes.
- A weekly review of missed alerts, delayed escalations, and alert quality trends.
- A monthly action list for tuning, onboarding, and process improvements.
- Updated training status for every analyst not yet ready for independent shift work.
## 5. Operating Rhythm
- Review priority queues and aging cases daily.
- Review detection quality, handoff quality, and telemetry gaps weekly.
- Review staffing capacity, escalation quality, and roadmap blockers monthly.
- Review service scope and stakeholder satisfaction quarterly.
## 6. Operating Reviews You Should Run
| Review | Cadence | Why You Run It | What You Should Decide |
|---|---|---|---|
| Weekly Detection Review | Weekly | Keep detection backlog, tuning, and missed detections under control | Tune, deploy, defer, or escalate |
| Weekly Telemetry Review | Weekly | Keep telemetry health and onboarding aligned with detection needs | Fix, reprioritize, workaround, or escalate |
| Monthly Remediation Review | Monthly | Keep incident and audit actions moving to closure | Reassign, reopen, accept the risk, or escalate |
| Monthly Governance Review | Monthly | Present service quality, overdue actions, and decisions needing leadership | Approve recovery plan, escalation, or executive decision |
## 7. Metrics You Should Watch
| Metric or Signal | Why It Matters | Escalate When |
|---|---|---|
| Queue aging and unowned cases | Shows whether analysts can keep up with live workload | Aging exceeds internal threshold for two review cycles |
| False positive pressure | Shows whether analyst time is being wasted | Same use case drives repeated weekly disruption |
| Delayed escalations / missed alerts | Shows workflow or quality failure | Pattern appears across multiple shifts or incident types |
| Telemetry blockers | Shows whether engineering gaps are slowing operations | Critical source or parser issue blocks priority detections |
| Analyst readiness / staffing utilization | Shows burnout and coverage risk | Utilization stays high or skill gap blocks shift independence |
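As an added illustration (not part of this guide or any SOC tooling it references), the following Python sketch turns two of the escalation signals above into repeatable checks over constructed sample data: queue aging that breaches an internal threshold for two consecutive review cycles, and the same use case driving false positives in every week of the review window. The aging limit, review window, and sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (illustrative only, not real SOC records).
# Open cases: (case_id, owner or None when unowned, opened_at).
OPEN_CASES = [
    ("C-1", "analyst-a", datetime(2024, 5, 1, 8)),
    ("C-2", None, datetime(2024, 5, 2, 9)),
    ("C-3", "analyst-b", datetime(2024, 5, 6, 14)),
    ("C-4", None, datetime(2024, 5, 7, 10)),
]
# False positives: (use_case, ISO week number in which it disrupted a shift).
FALSE_POSITIVES = [
    ("Impossible travel", 18), ("Impossible travel", 19), ("Impossible travel", 20),
    ("Encoded PowerShell command", 18), ("Encoded PowerShell command", 20),
]

def aging_snapshot(cases, as_of, max_age_hours):
    """Count cases older than the internal aging threshold and cases with no owner."""
    limit = timedelta(hours=max_age_hours)
    aged = sum(1 for _, _, opened in cases if as_of - opened > limit)
    unowned = sum(1 for _, owner, _ in cases if owner is None)
    return {"aged": aged, "unowned": unowned}

def aging_escalation(snapshots, aged_limit, cycles=2):
    """True when the aged-case count exceeds aged_limit in `cycles` consecutive review cycles."""
    streak = 0
    for snap in snapshots:
        streak = streak + 1 if snap["aged"] > aged_limit else 0
        if streak >= cycles:
            return True
    return False

def recurring_false_positives(events, weeks):
    """Use cases that caused false positives in every week of the review window."""
    weeks_seen = defaultdict(set)
    for use_case, week in events:
        weeks_seen[use_case].add(week)
    return sorted(uc for uc, seen in weeks_seen.items() if set(weeks) <= seen)

if __name__ == "__main__":
    # Assumed internal thresholds: 72-hour aging limit, escalate above 1 aged case.
    today = aging_snapshot(OPEN_CASES, datetime(2024, 5, 8, 12), max_age_hours=72)
    history = [{"aged": 3}, {"aged": 1}, today, {"aged": today["aged"] + 1}]
    print("snapshot:", today)
    print("escalate aging:", aging_escalation(history, aged_limit=1))
    print("recurring FP use cases:", recurring_false_positives(FALSE_POSITIVES, [18, 19, 20]))
```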
## 8. Decisions You Personally Own
- Approve queue reprioritization, tuning urgency, and staffing reallocations.
- Decide when a recurring issue becomes an engineering, process, or training problem.
- Decide which operational gaps move into governance review instead of staying inside the team.
- Decide when to request executive support for headcount, tooling, or service-scope change.
## Related Documents
- Shift Handoff
- SOC Checklists
- SOC Metrics
- SOC Onboarding
- Weekly Detection Review Pack
- Weekly Telemetry Review Pack
- Monthly Governance Review Pack