
Beyond the Alert

Podcast by Dropzone AI

English

Technology and science


About Beyond the Alert

Beyond the Alert features security operations leaders and SOC professionals sharing battle-tested insights on scaling security capabilities, managing high-performing teams, and leveraging emerging technologies to transform their operations. Join us as we discuss investigation techniques, leadership strategies, and real-world approaches to delivering effective security outcomes in an increasingly complex environment.

All episodes

18 episodes


AmTrust's David Groveman on Why IR Plans Don't Survive First Contact with an Actual Attack

David Groveman [https://www.linkedin.com/in/david-g-120a2341/], Director of Cyber Services, Incident Response at AmTrust [https://amtrustfinancial.com/], has been inside hundreds of ransomware incidents, and the patterns he describes are not what most security teams are preparing for. The first 60 minutes of an attack are less about technical response and almost entirely about psychology: talking boards off ledges, managing the instinct to wait it out, and watching organizations that expressed full confidence in their MSP discover, in real time, where that trust was misplaced. David breaks down how ransom payment decisions actually get made from the carrier side: the interplay between business continuity, reputational exposure, counsel teams defining market-specific harm, and the moral conviction of a CEO who simply refuses to pay regardless of the business case. About half of cases end in payment, and the factors that tip it are rarely what organizations anticipate. He also covers why unknown threat actors are harder to work with than established ransomware groups, what investigative shortcuts consistently leave organizations exposed months later, and why he never saw a case go more smoothly when the carrier was notified late.
Topics Discussed:

  • Managing the psychological reality of the first 60 minutes of a ransomware attack across organizations of all sizes
  • How third-party MSP trust erodes during incident response as culpability and inaction come into focus
  • Carrier-side decision framework for ransom payment covering business continuity, reputational exposure, and moral conviction
  • Why unknown independent threat actors are less predictable and harder to negotiate with than established ransomware groups
  • Behavioral patterns of established ransomware groups including demand amounts, price reduction timelines, and operating like a business
  • What investigative shortcuts leave organizations vulnerable to re-entry months after initial incident response concludes
  • The role of OSINT and cross-industry intelligence sharing in building threat actor pattern recognition over time
  • Why carrier notification timing consistently affects incident outcomes and how to communicate security risk to executives

Listen to more episodes: Apple [https://podcasts.apple.com/us/podcast/beyond-the-alert/id1825166903] | Spotify [https://open.spotify.com/show/49amXAmCaEyniDZ6HtD7nB?si=6416f87f6f174f4e] | YouTube [https://youtube.com/playlist?list=PLkBbuaz1Cy9R6UaLtrOl31URWguaGd8So&feature=shared]

9 Apr 2026 - 43 min

Elastic's Darren LaCasse on Why SOC Teams Should Sort Alerts by Volume Before Severity

Darren LaCasse [https://www.linkedin.com/in/dlacasse/], Director of Threat Intelligence, Detection, & Response at Elastic [https://www.elastic.co/], makes a case that most SOC leaders are solving alert fatigue the wrong way. Starting with critical alerts keeps teams treading water. His approach of sorting by volume first, clearing the biggest bucket, then using that momentum to ask why those alerts existed at all separates short-term queue management from the actual tuning work. He also walks through how his team built an in-house AI agent that cross-references threat intelligence against their own vendor lists, software asset inventory, and vulnerability data before it ever reaches a detection engineer, filtering hundreds of daily articles down to what is actually relevant to their environment. Beyond tooling, Darren challenges how the industry frames the talent shortage. He does not think it is a skills problem. He thinks employers do not want to make the long-term investment in junior analysts, and that avoidance is where burnout compounds. He talks about how he leads that differently: sharing his own mistakes openly, encouraging his team to document every decision so he can back them up, and what he actually looks for when hiring (someone who has solved a real business problem creatively, not a polished resume).  
Topics Discussed:

  • Reframing alert prioritization by sorting queues on volume rather than severity to build analyst momentum and reduce backlog
  • Using historical alert data to identify chronic tuning problems versus one-time spikes in SOC queue volume
  • Building in-house AI agents that cross-reference threat intelligence against asset inventory and vulnerability data for environment-specific relevance
  • Translating threat intelligence deliverables into detection rules by running source reports through AI agents and validating against internal data lakes
  • Evolving detection engineering from static, hand-built rules toward dynamic, AI-assisted scoring systems that aggregate signals into actionable investigations
  • Reframing the cybersecurity talent shortage as an employer investment problem rather than a pipeline or skills gap
  • Building team cultures where analysts feel safe to document decisions, admit mistakes, and take time off without guilt
  • Predicting the SOC analyst role shifting toward agent management, including tuning, output validation, and QA across AI-assisted workflows

Listen to more episodes: Apple [https://podcasts.apple.com/us/podcast/beyond-the-alert/id1825166903] | Spotify [https://open.spotify.com/show/49amXAmCaEyniDZ6HtD7nB?si=6416f87f6f174f4e] | YouTube [https://youtube.com/playlist?list=PLkBbuaz1Cy9R6UaLtrOl31URWguaGd8So&feature=shared]

26 Mar 2026 - 35 min

ECS's Dave Howard & Jesse Mainor on 40% Faster Triage with 12 Analysts & 30K Monthly Alerts

ECS [https://ecstech.com/] now operates with 12 tier-one analysts instead of 14 while triaging 30,000 monthly alerts, achieving a 40% reduction in mean time to triage for Dropzone-handled alerts. Dave Howard [https://www.linkedin.com/in/david-s-howard/], Senior Director of Cyber Operations, and Jesse Mainor [https://www.linkedin.com/in/jessemadridmainor/], SOC Manager, built a hybrid model where alert sources flow to SOAR first for initial enrichment and configured auto-closure patterns, then route remaining alerts to Dropzone for structured investigation before landing in ServiceNow with complete context. Their governance approach required SOC 2 Type 2 certification as a blocking requirement before evaluating any AI vendor, to prevent downstream compliance issues. Dave shares how his leadership philosophy comes from his military background: servant leadership that flips the organizational pyramid upside down, empowering teams to deliver outcomes while removing roadblocks. Jesse prioritizes hiring for curiosity over credentials, looking for investigative instinct and comfort with ambiguous, incomplete data rather than training on technical tools.

Topics Discussed:

  • Building leadership buy-in for AI implementation by framing alert volume as an unsustainable headcount scaling problem
  • Establishing SOC 2 Type 2 compliance as a blocking requirement before AI vendor evaluation to prevent downstream governance failures
  • SOAR-to-Dropzone architecture where SOAR handles initial enrichment before routing alerts for structured AI investigation
  • Breaking the linear MSSP hiring model where new clients traditionally required proportional analyst headcount to handle alert volume
  • Defining POV success criteria across five operational targets: alert overload, mean time to triage, handling consistency, context enrichment, scalability
  • Training separate Dropzone tenants per client environment since identical alert types require different triage logic based on context
  • Reducing analyst burnout by eliminating queue-clearing pressure and enabling deep-dive investigations, threat hunting, and detection engineering upskilling
  • Applying servant leadership principles from a military background to flip the organizational hierarchy and empower SOC teams to deliver outcomes
  • Hiring for curiosity over credentials by prioritizing investigative instinct and comfort with ambiguous, incomplete data in security analysts
  • Maintaining a 3.2% annual attrition rate by empowering analysts, providing space for mistakes, and a servant leadership approach

Listen to more episodes: Apple [https://podcasts.apple.com/us/podcast/beyond-the-alert/id1825166903] | Spotify [https://open.spotify.com/show/49amXAmCaEyniDZ6HtD7nB?si=6416f87f6f174f4e] | YouTube [https://youtube.com/playlist?list=PLkBbuaz1Cy9R6UaLtrOl31URWguaGd8So&feature=shared]

12 Mar 2026 - 41 min

How Analyst Feedback Says More Than Any SOC

Austin Amraen [https://www.linkedin.com/in/austin-amraen-a02487179/], SOC Director at CommandLink [https://www.commandlink.com/], has built SOC teams from the ground up multiple times, and his approach challenges some of the field's most accepted assumptions. He rejects the tier-one-to-tier-three analyst model entirely, arguing that the biggest capability gap in most mature stacks isn't endpoint or identity but unmonitored network traffic, and measures SOC effectiveness not by MTTD or MTTR but by whether analysts are surfacing zero-days and proposing detection methods on their own. Austin explains why most organizations have the firewall running but nobody assigned to watch what is actually moving through it and what C2 communications, unusual outbound connections, and open ports look like when someone is finally asking "that's different, what is that?" He also gets into how he handles burnout in practice: mandatory lunch every day, one-on-ones built around career goals rather than company goals, and why process improvements that free up analyst time without reducing workload just move the problem around. 
Topics Discussed:

  • Rejecting the tier-one-to-tier-three SOC model in favor of hiring senior analysts who can build and adapt
  • NDR as the most overlooked capability gap in organizations with mature EDR, SIEM, and identity coverage
  • Monitoring firewall traffic logs to detect C2 communications, unusual outbound connections, and unauthorized port activity
  • Measuring SOC effectiveness through analyst-driven threat intelligence and direct customer feedback rather than MTTD and MTTR
  • Applying micro-macro thinking from military intelligence to widen investigation scope beyond the immediate alert
  • Preventing burnout through workload ownership, career-goal conversations, and avoiding process improvements that mask headcount gaps
  • Building executive trust through data-driven options frameworks that give leadership decision authority on security investments
  • Hiring for non-traditional backgrounds to build analyst teams with diverse problem-solving approaches and thought processes

Listen to more episodes: Apple [https://podcasts.apple.com/us/podcast/beyond-the-alert/id1825166903] | Spotify [https://open.spotify.com/show/49amXAmCaEyniDZ6HtD7nB?si=6416f87f6f174f4e] | YouTube [https://youtube.com/playlist?list=PLkBbuaz1Cy9R6UaLtrOl31URWguaGd8So&feature=shared]

26 Feb 2026 - 38 min

Sneha Regmi on Using Blameless Retros to Enable High-Pressure Decisions

Sneha Regmi [https://www.linkedin.com/in/sneharegmi/], Director of Security Operations & Resilience Engineering at a major Financial Services organization, has an incident command framework that prioritizes scope and impact determination over immediate containment, even when executives are panicking. Her teams assign ownership in the first 60 seconds, then the lead verbalizes every decision and next three actions aloud, continuous narration that keeps stakeholders aligned and prevents chaos. She pulls subject matter experts into preliminary investigations early, building credibility to make time-sensitive calls later without second-guessing.

On insider threat, Sneha flips the standard monitoring-first approach. Her framework starts with prevention controls around business-critical systems, then layers detection only where prevention blocks legitimate work. Prevention without detection leaves blind spots; detection without prevention means everything looks normal until it's not. Her teams renamed the program from "insider threat" to "insider risk" after realizing the original framing damaged organizational trust.

Topics Discussed:

  • Assigning incident ownership within the first 60 seconds and verbalizing every decision to prevent stakeholder panic
  • Eliminating traditional tiered SOC structures in favor of engineering-enabled responders who write detections and handle incident response
  • Prioritizing scope and impact determination over immediate containment to avoid rushing decisions during high-pressure incidents
  • Building blameless retrospective practices that enable teams to make split-second decisions without fear during future critical situations
  • Implementing prevention-first insider threat frameworks around business-critical systems before layering detection controls
  • Pulling subject matter experts into preliminary investigations early to build credibility for time-sensitive containment decisions later
  • Managing security operations burnout by setting clear escalation criteria for weekend pages versus business-hours workflows
  • Leveraging AI and automation for alert backlog triage while reserving human decision-making for high-impact critical investigations

10 Feb 2026 - 49 min
Very good podcasts, entertaining, with educational and funny stories depending on what each person is looking for. I usually use it at work, since I'm there for many hours and need to cancel out the noise around me. Headphones on and enjoy!
Fantastic app. I only use the podcasts. For a modest price you get a wide variety, and more all the time.
I love the app, it brings together the best podcasts, and it was about time these content creators got paid.
