Managed SIEM · Deep dive 03

A triage workflow a two-person SOC can actually run

Automation and a tight playbook let a small in-house team punch well above its headcount. Here is the alert-to-action flow we deploy.

Draft outline · Productivity lens
The anchor

Small agency teams cannot staff a 24x7 tiered SOC, and 2025 research on automated and LLM-assisted triage (for example the CORTEX work) maps out which parts of tier-1 triage can be automated safely and which cannot. The question is not how to hire an army; it is how two people cover the ground of ten.

Sources we build on
Academic
arXiv: LLM-assisted alert triage research (CORTEX and similar)

Academic, vendor-neutral work on automating high-stakes alert triage and on where automation is safe and where it is not.

Primary
SANS 2025 SOC Survey

Primary data on how real small teams structure triage and where the time actually goes.

Article outline
  1. The two-person constraint. Designing for the team you have, not the SOC you wish you had.
  2. Auto-close the benign. SOAR playbooks that clear known false positives before a human sees them, with every suppression carrying an owner, a reason and an expiry so auto-close never becomes a permanent blind spot.
  3. Enrich before escalate. Asset and identity context attached automatically so the human decision is fast.
  4. The human decision points. What must stay human (sensitive assets, privileged identities, anything unknown), and why.
  5. Handover and on-call. A workflow that survives leave and after-hours.
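As an added illustration of outline items 2 to 4, and not content from the page or from any product's SOAR playbooks, here is a minimal triage step in Python: enrichment runs first, a hard guardrail keeps crown-jewel assets, privileged identities and unknown hosts with a human, and only then do owner-tagged, expiring suppression rules auto-close known false positives. The asset inventory, privileged-user list, suppression rules, change-record reference and sample alerts are all constructed for the example.

```python
"""Minimal alert-to-action triage step for a two-person SOC.
Added illustration, not the page's own playbook; all data below is constructed."""
from dataclasses import dataclass, field
from datetime import date

# Constructed asset context attached to every alert by the enrichment step.
ASSETS = {
    "ws-041": {"owner": "j.doe", "tier": "standard"},
    "dc-01": {"owner": "infra", "tier": "crown-jewel"},
}
# Constructed identities that must never be auto-closed.
PRIVILEGED_USERS = {"svc-backup", "domain-admin"}

# Constructed suppression rules for known false positives. Each carries an owner,
# a reason and an expiry, so an auto-close is traceable and must be renewed.
SUPPRESSIONS = [
    {"rule": "EDR-1001", "field": "process", "equals": "backup-agent.exe",
     "owner": "j.doe", "expires": date(2025, 12, 31),
     "reason": "scheduled backup scan, change record CHG-0042 (constructed)"},
]


@dataclass
class Alert:
    id: str
    rule: str
    host: str
    user: str
    process: str
    context: dict = field(default_factory=dict)
    disposition: str = "open"
    notes: list = field(default_factory=list)


def enrich(alert: Alert) -> Alert:
    """Attach asset and identity context before any decision is made."""
    asset = ASSETS.get(alert.host, {"owner": "unknown", "tier": "unknown"})
    alert.context = {
        "asset_owner": asset["owner"],
        "asset_tier": asset["tier"],
        "privileged_user": alert.user in PRIVILEGED_USERS,
    }
    return alert


def must_stay_human(alert: Alert) -> bool:
    """Guardrail: sensitive or unknown targets are never auto-closed."""
    return (alert.context["asset_tier"] in ("crown-jewel", "unknown")
            or alert.context["privileged_user"])


def matching_suppression(alert: Alert, today: date):
    """Return the first unexpired suppression whose field matches, else None."""
    for rule in SUPPRESSIONS:
        if rule["rule"] != alert.rule or rule["expires"] < today:
            continue
        if getattr(alert, rule["field"]) == rule["equals"]:
            return rule
    return None


def triage(alert: Alert, today: date) -> Alert:
    """Enrich, apply the human guardrail, then auto-close or escalate."""
    enrich(alert)
    if must_stay_human(alert):
        alert.disposition = "escalate"
        alert.notes.append("guardrail: sensitive or unknown asset/identity")
        return alert
    rule = matching_suppression(alert, today)
    if rule is not None:
        alert.disposition = "auto-closed"
        alert.notes.append(
            f"suppressed by {rule['owner']} until {rule['expires']}: {rule['reason']}")
        return alert
    alert.disposition = "escalate"
    alert.notes.append("no suppression matched")
    return alert


def demo() -> dict:
    """Run constructed alerts through triage; returns alert id -> disposition."""
    today = date(2025, 6, 1)
    cases = [
        (Alert("a1", "EDR-1001", "ws-041", "j.doe", "backup-agent.exe"), today),       # known FP
        (Alert("a2", "EDR-1001", "dc-01", "j.doe", "backup-agent.exe"), today),        # crown jewel
        (Alert("a3", "EDR-1001", "ws-041", "svc-backup", "backup-agent.exe"), today),  # privileged
        (Alert("a4", "EDR-1001", "ws-041", "j.doe", "backup-agent.exe"), date(2026, 1, 15)),  # expired
        (Alert("a5", "EDR-1001", "ws-041", "j.doe", "powershell.exe"), today),         # no match
        (Alert("a6", "EDR-1001", "laptop-9", "j.doe", "backup-agent.exe"), today),     # unknown host
    ]
    return {a.id: triage(a, d).disposition for a, d in cases}


if __name__ == "__main__":
    for alert_id, disposition in demo().items():
        print(alert_id, disposition)
```

The order matters: the guardrail runs before suppression matching so that no suppression rule, however broad, can silence an alert on a domain controller or a privileged account, and an expired rule falls through to escalation rather than silently continuing to close alerts. In practice the suppression table would live in version control with the same review a detection rule gets.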
How it aligns to what we do

A productivity piece that matches the persona precisely: the small, accountable team that has to do more with less. It positions our managed service as an amplifier of an in-house team, not a replacement that creates lock-in.

Points to hit
Control it ratifies
ISM / E8 · Supports the ISM incident-management guidelines by making detection-to-response repeatable for a small team.