Most managed security feels loud because the console is noisy, not because you’re being attacked. Our Memphis SOC runs human-staffed around the clock, tunes your SIEM until the noise drops 80 percent in the first ninety days, and escalates with a phone call — not a ticket — when something actually matters. Vendor-agnostic EDR, BYO-SIEM welcome, tied to our 24/7 physical dispatch for incidents that leave the network and end up at a door.
Every vendor wants to show you a wall of blinking red lights, because blinking red lights look like value. They’re not. Blinking red lights mean your SIEM is broken and your analysts are drowning.
Our first ninety days on every new client tightens detections, kills the false positives, and leaves a console that only lights up when a human should actually be looking — which is rare, and that’s the point.
Every client we onboard already owns security tools — EDR licenses, a SIEM or two, a firewall console, sometimes a full suite. The tools aren’t the gap. The gap is the analyst who reads the alert at 3 AM on a Sunday and decides whether to wake somebody up. Four problems a managed SOC actually solves.
Unturned SIEMs generate 300–2,000 alerts per week on a mid-sized fleet. Every alert is a tax on your internal team’s attention. After two weeks nobody reads them, and the one alert that actually mattered gets lost in the chaff. Our first 90 days are a named tuning sprint: we get you to under 40 actionable alerts a week, with written suppression justifications for every rule we silence.
CrowdStrike, SentinelOne, and Defender for Endpoint are exceptional sensors. But a sensor without a human to interpret it is a siren in an empty building. We consume your existing EDR alerts alongside identity, email, cloud, and network telemetry, correlate across sources, and page a human when the pattern actually means something. If you already own the license, we plug in; no rip-and-replace.
HIPAA wants six years. PCI-DSS wants one year hot plus three archive. CMMC Level 2 wants logs queryable for active incidents and archived for audit. Most clients cobble this together across three storage tiers and two vendors, and nobody is confident the chain-of-custody holds under audit. Our retention is native: 12 months hot, 7 years cold, integrity-hashed, FedRAMP-Moderate archive available for CMMC-regulated work.
The badge anomaly at 2 AM is a rogue access-point plugged in overnight. The VPN login from an impossible location is because the laptop was stolen from a parked truck. Pure-cyber SOCs file a ticket and hope facilities handles it by morning. We dispatch a licensed officer from the Memphis center to walk the site, pull the device, and secure the scene — usually within the same hour as the alert.
Three contracted tiers, three risk profiles. Small offices with one IT person and a Defender license belong on Lite. Most mid-market clients run Core — full 24/7 analyst coverage with pre-authorized containment. Regulated environments, DIB contractors, and targeted-industry clients need Advanced — a named analyst, hypothesis-driven hunts, and an MTTD that starts with a single digit.
| What you get | SOC LiteSmall office / SMB fallback | SOC CoreMost mid-market clients | SOC AdvancedRegulated & targeted |
|---|---|---|---|
| Coverage windowWhen humans are watching | Biz hours + after-hours alert | 24 / 7 / 365 | 24 / 7 / 365 |
| MTTD SLAAlert to analyst eyes-on | 30 min | 10 min | 5 min |
| MTTR SLA (P1)Engagement to first containment | 2 hr · manual | 30 min · pre-auth | 15 min · pre-auth |
| Analyst modelWho actually sees your alerts | Shared pool | Shared pool · 1:24 ratio | Named lead · 1:8 ratio |
| EDR / MDR integrationCrowdStrike · SentinelOne · Defender | 1 platform | All supported | All supported |
| SIEM managementLogRhythm · Splunk · Sentinel · Wazuh | Wazuh included | BYO or managed | BYO or managed |
| Threat huntingHypothesis-driven · MITRE ATT&CK | — | Monthly themed | Weekly custom |
| False-positive tuning90-day reduction commitment | Quarterly | Continuous · 90-day sprint | Continuous · named engineer |
| Log retentionHot queryable + compliance archive | 3 mo hot · 1 yr archive | 12 mo hot · 7 yr archive | 12 mo hot · 7 yr FedRAMP |
| Physical dispatch tie-inOfficer rolls on cyber incident | — | Included · metro | Included · statewide |
| Quarterly posture reviewWith COO & SOC lead · 90-min session | — | Quarterly | Monthly |
| Starts atPer endpoint / month · 50+ endpoint min | $18/endpt/mo | $32/endpt/mo | $58/endpt/mo |
A good SIEM is a correlation engine, not a log bucket. We ingest six telemetry planes on every Core and Advanced client, then write detections that cross planes — because the real attacks never live on one plane alone. A compromised identity shows up in endpoint, network, and SaaS logs simultaneously; the job is to connect them before the adversary connects them.
EDR telemetry from CrowdStrike, SentinelOne, Defender, Sophos, Carbon Black, Cortex XDR, Huntress. Process execution, file-system activity, registry, command-line arguments, parent-child chains, PowerShell and shell logs. Windows, macOS, Linux, server and workstation.
Firewall logs (Palo Alto, Fortinet, Cisco, Meraki, pfSense), NetFlow, Zeek / Suricata IDS, DNS queries, proxy and web-filter logs, VPN authentication, NAC events, wireless controller telemetry. East-west and north-south, with behavioral baselines per VLAN.
AWS CloudTrail & GuardDuty, Azure Activity & Defender for Cloud, GCP Audit Logs & Security Command Center, Kubernetes audit logs, container runtime telemetry, IaC-drift events. Identity-plane and data-plane separated for proper blast-radius correlation.
Microsoft Entra ID (Azure AD) sign-ins, conditional-access decisions, Okta System Log, Google Workspace Admin Audit, on-prem Active Directory 4xxx events, Duo or Cisco ISE MFA logs. Impossible-travel, session-anomaly, privilege-escalation, dormant-account-awakening detections.
Microsoft Defender for Office 365 / Exchange Online, Google Workspace Gmail audit, Proofpoint, Mimecast, Abnormal Security. Phishing-click detonation, malicious-attachment sandboxing, BEC / impersonation patterns, outbound-exfil and reply-chain-hijack detection.
Microsoft 365 Unified Audit Log, Google Workspace, Salesforce, Slack, GitHub & GitLab audit, Atlassian admin logs, Dropbox / Box / ShareFile, Zoom, any SaaS that emits an audit stream. OAuth-grant abuse, data-exfil via third-party app, anomalous admin role changes.
Every alert that crosses our SOC queue runs the same five-stage playbook. Each stage is timestamped, every decision is captured, every escalation is documented. Stages 01 and 02 are automated-assisted triage; 03 onward requires a human analyst by policy. We don’t close incidents from dashboards alone.
Alert fires in SIEM, EDR, cloud-native control, or email-security platform. Normalized into our common schema within 60 seconds, correlated against sibling events across the six telemetry planes, enriched with asset ownership, criticality tier, known-vulnerability state, and recent change-management history. First auto-disposition pass runs — known-good is suppressed with justification; everything else queues.
Human analyst picks up within the tier SLA (10 min Core, 5 min Advanced). Alert gets a severity assignment — P1 active compromise, P2 suspicious but unconfirmed, P3 informational anomaly, P4 tuning candidate. Every triage call records the analyst’s reasoning, not just the outcome, so disposition decisions are auditable and reviewable in our weekly case-review.
Analyst pivots across the 12 months of hot-tier log data to determine scope. How many endpoints? Which identities? What persistence? What data was touched? Investigation artifacts are written into a live case file — queries run, hypotheses tested, evidence captured — with every action time-stamped. If the investigation upgrades severity (P2 becomes P1), stage 04 auto-kicks in parallel.
On P1 confirmed, analyst executes pre-authorized containment under the runbook you signed during onboarding: isolate endpoint via EDR, disable identity, block IOC at firewall, kill mail-flow rule, revoke OAuth token, dispatch a physical officer if a device or location is involved. Every action is reversible and logged. Containment runs in parallel with notification; we don’t wait for your callback to stop the bleeding when the runbook covers it.
Designated incident contact called within 15 minutes of P1 confirmation — not a ticket, not an email, a phone call from the analyst who worked it. Slack or Teams incident channel opened within 30 minutes with the case file, evidence, and actions taken. Written incident timeline with full evidence chain delivered within 24 hours of close, plus regulatory-notification-clock assessment if the incident triggers HIPAA, PCI, or state-level breach reporting thresholds.
We take no kickbacks, hold no preferred-partner quotas, and will never push you onto a tool because it’s easier for us to manage. Our named-analyst depth is strongest in the stacks below; we’ll work with whatever you already own, or stand up a fresh deployment on a stack that matches your fleet, your budget, and your compliance obligations. If you’re already paying for Sentinel on an E5 license, we’re not going to sell you Splunk.
Our analyst team holds named-platform certifications across all four preferred SIEMs. We run our internal detection content as code, portable across platforms — a detection written once deploys to LogRhythm, Splunk, Sentinel, and Wazuh in parallel with platform-specific query translation.
We deploy into whatever EDR you already own and operate it as part of the SOC service. No license-lock, no vendor quota, no “switch to our preferred” pressure. The only thing we won’t operate is pure legacy AV with no behavioral component — those we’ll help you replace, on your timeline.
Retention is not a checkbox. It’s the difference between being able to hunt across a year of history on a Thursday afternoon, and paying a vendor six figures to restore logs during the one week you actually need them. Our hot tier stays queryable; the cold tier stays trustworthy.
Hunts are hypothesis-driven, not “let’s see what’s interesting.” Every hunt starts with a written hypothesis tied to a specific MITRE ATT&CK technique and a specific threat model for your industry; every hunt produces a written finding, even when the finding is “no evidence observed” — which is itself a useful audit artifact.
Every alert on your account gets seen by a named analyst — not a tier-1 outsource cycling through 800 clients a shift. On Core you’re in a shared pool at a 1-to-24 analyst-to-client ratio; on Advanced you get a named lead and a 1-to-8 ratio. You know who triaged your alert, and you can get them on a call if the written timeline needs a human voice behind it.
The real questions from RFPs, vendor due-diligence calls, and security-committee meetings. Answered specifically for TN and MS operating environments. If yours isn’t here, call (202) 222-2225 — a senior SOC lead will answer in real time.
A senior SOC lead will review your current tooling, your compliance obligations, and your alert volume, then deliver a written SOC proposal with tier recommendation and tuning-sprint plan inside five business days. No cost, no pitch, no rip-and-replace required on your existing security stack.
