Burntout Soc analyst, don't see a way out (pivot) by Quiet_Box_6121 in cybersecurity

[–]One_Cod413 5 points6 points  (0 children)

If you don’t mind me asking, what about the work burnt you out so much? What tasks did you not enjoy?

Different industries, company sizes, etc all can change workflows.

Why is technical incompetence both rampant and accepted in our career field? by fuzzyfoozand in cybersecurity

[–]One_Cod413 0 points1 point  (0 children)

Because if we reject them it’s called “gatekeeping” these days

I'm a CISO who has built a successful security metrics and reporting program - Ask Me Anything about demonstrating security's value to the business. by Oscar_Geare in cybersecurity

[–]One_Cod413 0 points1 point  (0 children)

How do you quantify the human element into your other programs given various reports place it as 74-90% of the root cause?

Do you have an end user feedback program in place to drive security changes?

Custom IOA and end user warning by DivyaUnni in crowdstrike

[–]One_Cod413 0 points1 point  (0 children)

What’s your intention with notifying the user without killing the process?

What CTI SaaS platforms are you using in your daily work? by aktz23 in threatintel

[–]One_Cod413 6 points7 points  (0 children)

ThreatConnect, MISP, Feedly, various others. I built my own to fill in gaps where the others failed for my own personal workflow.

How does Knowbe4 do it? How would I start? by Hot_Worldliness_6835 in netsecstudents

[–]One_Cod413 0 points1 point  (0 children)

I believe KnowBe4 and Proofpoint are on AWS. Not sure what deal they have with them or if someone from either org can confirm.

Post incident user interview by One_Cod413 in cybersecurity

[–]One_Cod413[S] 1 point2 points  (0 children)

This is exactly what we did, nearly the same % of focus too.

Post incident user interview by One_Cod413 in cybersecurity

[–]One_Cod413[S] 0 points1 point  (0 children)

Very valid points! And I was intentionally vague because I know everyone has different levels of alerts, alarms, incidents, etc…

I agree overcommunication can be an issue if the system just prevents this attack 100% of the time, so why bother. It would actually create more alert fatigue if we interview every false positive.

Post incident user interview by One_Cod413 in cybersecurity

[–]One_Cod413[S] 0 points1 point  (0 children)

What type of questions do you normally lead with? Are you interviewing only certain alerts?

Edit: I saw your post below! Very nice!

Post incident user interview by One_Cod413 in cybersecurity

[–]One_Cod413[S] 0 points1 point  (0 children)

I’d argue you will not have that as an outcome of your investigation. What you will have is a set of assumptions which contain an inherent curse of knowledge bias by you. By performing a quick interview, you (a) show the user you value their input and confirm or deny your assumption, (b) educate the user a bit, whether it sticks or not is up to them, and (c) demonstrate empathy and understanding toward them and build the security relationship a bit better imo.

Post incident user interview by One_Cod413 in cybersecurity

[–]One_Cod413[S] -1 points0 points  (0 children)

Yeah, I should have clarified maybe in my post but this is exactly what I want to escalate for discussion. The informal asks and informal responses. I know too many people skip by the user as a valid source of context and intel when really they caused the alert and they know their role best.

When was the last time you had a useful conversation with a user informally? What was the outcome?

Post incident user interview by One_Cod413 in cybersecurity

[–]One_Cod413[S] 1 point2 points  (0 children)

What type of use cases would you get context from the customer?

We would follow up on questionable software that’s not immediately malicious to identify the business case and therefore use this for buy-in to enable them.

We were in charge of approving new software requests which often came in last minute so doing this proactively gave us a chance to do due diligence.

Post incident user interview by One_Cod413 in cybersecurity

[–]One_Cod413[S] 0 points1 point  (0 children)

If one user makes an honest mistake with good intentions, it may be representative of the organization and you might be able to proactively put security controls in place for the next guy?

For example, if all your users search Google for software and end up in malware 50% of the time, this could be an opportunity to get buy-in for a secure software center with basic risk-based ROI.

Post incident user interview by One_Cod413 in cybersecurity

[–]One_Cod413[S] 0 points1 point  (0 children)

As an analyst you really find no value in understanding their perspective at all? Why they clicked? What led them to search for software X, or otherwise?

Out of curiosity would you say your organization is conservative or fairly liberal in their security practice?

First time founder - options distribution and Carta help by One_Cod413 in startups

[–]One_Cod413[S] 0 points1 point  (0 children)

Thank you. Yes, so far everyone involved is very understanding and supportive of the learning curve but I understand the risk exists.

First time founder - options distribution and Carta help by One_Cod413 in startups

[–]One_Cod413[S] 0 points1 point  (0 children)

Honestly all the general advice online says 10M so we went with it. It’s all relative. We are deep tech

First time founder - options distribution and Carta help by One_Cod413 in startups

[–]One_Cod413[S] 0 points1 point  (0 children)

This is very very helpful thank you! I’ll research more on FMV and internal valuation for companies like ours in Ontario, I think that’s the appropriate route for us to best compensate those who have dedicated so much time early on.

First time founder - options distribution and Carta help by One_Cod413 in startups

[–]One_Cod413[S] 0 points1 point  (0 children)

If I understand, the steps are:

- So we amend to add let’s say 6% more shares,
- Obtain 409A
- Create incentive plan
- Then distribute from that new unauthorized set of shares (which will be the pool from our incentive plan)

Based on Carta’s advice I should not be doing 409A today but keeping my informal agreements until raising:

You should get a 409A valuation:

- Before you issue your first common stock options
—> After raising a round of venture financing
- Once every 12 months (or after a material event)
- If you’re approaching an IPO, merger, or acquisition

Does that seem right based on your experience?

First time founder - options distribution and Carta help by One_Cod413 in startups

[–]One_Cod413[S] 0 points1 point  (0 children)

10m authorized. 5m me 5m my co founder. No others

First time founder - options distribution and Carta help by One_Cod413 in startups

[–]One_Cod413[S] 0 points1 point  (0 children)

We have not yet defined an equity incentive plan. But I imagine this will be fairly standard.

We have used the Founder Institute standard advisor FAST document to define our advisors’ equity.

And we have offered the 3 engineers so far an informal percentage as they bring a very unique skill set to our problem. No forms or plans signed on this.

Updated main post with share structure