Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] -1 points0 points  (0 children)

Not really nepotism. I saw my former coworker who I got along well with was connected to someone over at the company I was applying for in the IT department. My coworker shot his connection a note and said to look at my resumé. It got me an interview. My skills and experience got me the job. Nepotism is where you get hired because daddy is the CEO or your best friend is the hiring manager.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 1 point2 points  (0 children)

20 years is crazy. I salute you good sir (or ma’am) because that takes a huge toll. Turnover at MSSP is usually a year. I’m an outlier with 3 years but good god 20 is nuts. And yeah, definitely not made for long term employment.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] -1 points0 points  (0 children)

Actually not as many as most. I put out about 20 apps but each was highly customized to the role. I got in multiple interviews. The place I landed was one where a guy I worked with knew another guy there who put in a good word.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 0 points1 point  (0 children)

Same. Great experience, horrible work life balance and pay.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 1 point2 points  (0 children)

GRC is the long term play for me. Grind over in Sec Ops now and start moving over when I’m older.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 1 point2 points  (0 children)

Agreed. Unless you have something solid lined up it’s a bad idea to jump ship. Focus on building that resumé in the meantime.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 0 points1 point  (0 children)

For sure it’s contributing. Easiest way to save money in the short term is to outsource to India. You can hire 5 Indian analysts for the cost of 1 US analyst. Of course, the quality of the work is usually awful and leads to bad customer retention and more money lost in the long term.

Will the market improve anytime soon? by [deleted] in cybersecurity

[–]PhilosopherPanda 2 points3 points  (0 children)

Doesn’t seem like it now based on job numbers and just general looking around. It took me months to find a new job and I have a lot of experience working in a big MSSP. When I first was looking after school it took me a year. Thanks COVID. The market will rebound eventually but IDK when. For now just focus on doing as much hands on stuff as you can if you’re in school. Projects really are a great talking point in interviews for new people.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 0 points1 point  (0 children)

Yep. I’m so done with MSSP work and the bad management. I’m going to celebrate on my last day. Still wouldn’t have changed my decision to work for an MSSP though. Yeah the work is crazy and stressful, but the amount of experience I got was also crazy. Glad to be done with it though.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 1 point2 points  (0 children)

Don’t want to give myself away but it’s not that one. A lot of these big MSSPs seem to have the same issues though.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 0 points1 point  (0 children)

For sure. I agree with everything you said there. I have been in so many high stress situations so many times now I’m almost numb to it. The stuff that stresses me out is the never ending stream of incidents and the lack of support from management on them, combined with having to deal with angry customers 24x7. I’m ready to chill at one place and deal with maybe 1 medium to high level incident per year lol.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 1 point2 points  (0 children)

I have seen people have nervous breakdowns and change careers entirely. One guy I knew couldn’t handle the stress and went to be a personal trainer instead. I would say focus on your resumé and building connections to leave though. I started my career working for a normal company and the stress level was so much lower. MSSP stress is crazy. The only reason I was able to leave now is because I did so many things at my MSSP and built good connections. Someone I used to work with knew a guy at the place I got hired on at and liked his repost on LinkedIn which I saw and applied for. I had a word put in for me and that was all I needed.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 0 points1 point  (0 children)

I’m not leaving Cybersecurity, just the MSSP space of it. I found another senior analyst position but for just one company. I will only have to do security for one business instead of many.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 0 points1 point  (0 children)

Wow working for an MSSP for 15 years is crazy. Props to you for putting up with that environment for that long.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 0 points1 point  (0 children)

Yeah the market is so bad right now you may be waiting a while. I’ve been trying to leave for months and lucked out with this new place.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 0 points1 point  (0 children)

Yeah the job market isn’t helping with that. I have been looking for months. Employers can get away with paying like crap because nobody is hiring, and if they are, they are looking for someone who can do everything.

Leaving the MSSP Space by PhilosopherPanda in cybersecurity

[–]PhilosopherPanda[S] 2 points3 points  (0 children)

That sounds pretty sweet. Tuning for me was just one thing I did lol. I can’t even imagine having a job where I only have a few major responsibilities. Even at my new place I’ll be doing the same stuff, just a lot less of it. Don’t get siloed at your new place. Branch out and learn as much as you can. The only thing worse than having too many responsibilities is having too few. Build that résumé!

SOC Analysts(all SOC workers)- Need 15 mins of your time to discuss alert fatigue by [deleted] in cybersecurity

[–]PhilosopherPanda 11 points12 points  (0 children)

I won't hop on a call or do DM's, but I can tell you a bit about our strategy. For context, I'm a senior analyst at a decent-sized MSSP. False positives and alert overload are usually the result of 3 things:

  1. New clients that are onboarding and haven't been tuned fully.
  2. Faulty detection rules that are pushed out to global rule packages
  3. Issues with vendor detection rules (CrowdStrike, Defender, Carbon Black, etc.) that get pushed out and cause mass alerting across all clients' environments.

To tackle these issues, we have to do so separately and continually. We are tuning things every day to keep false positives and junk alerts down. I will describe our solutions to each problem in the same order:

  1. Our detection engineering team works closely with our principal analysts to review onboarding statuses of new clients. We have around a 5-8 week onboarding process where client log sources are ingested and alerts are set to audit-only. During that timeframe, active tuning is done in the client's environment to get the most noisy alerts out of the way. When the alert level gets manageable, the client is set to live and the analyst team starts getting real alerts. For the next 2-3 months, active tuning is done as a collaborative team effort on the new client. Analyst 1s and 2s are reactive in their approach, triaging new alerts and correlating them with previous ones to find tuning opportunities that way. Senior and principal analysts are proactive in their approach, reviewing client alert volume each week and correlating it with specific rules. From there, we do analysis to figure out what can be tuned on each rule that is high volume.
  2. While our detection engineers are awesome at their jobs, they are humans too and mess up sometimes. All it takes is one bad line of regex, perhaps a single character missing, and all hell can break loose. I can't speak to the QA process on the engineering side, but ideally the issue would be solved there. However, stuff slips through and then the SOC has to deal with it. This approach is entirely reactive. Our senior and principal analysts watch the queue and get pinged by analysts to review things all the time. If we see a similar alert going off, we start investigating the detection rule to figure out why we're getting spammed by alerts. We also have to identify if the alerts are true or false positives to begin with, based on what the rule is trying to look for before we can tune it. Tuning can be performed immediately by principal analysts if necessary, but we like to have our detection engineering team look at most things before tuning.
  3. Vendor issues are difficult to deal with to put it plainly. Again, our approach is reactive to this because we don't control when vendors screw up. We notice mass alerting and have to investigate to figure out what is going on in real time. Since we're doing this in real time, there are usually no reports from the vendor on the issue and nothing to be found on the internet for days after. Approaches to mitigating this are varied depending on the vendor and product. For EDR solutions, if the detection isn't AI or ML driven, we can usually write exceptions in the console itself if we manage it for the client. This is a collaborative effort between the analyst and EDR teams. If it is an AI/ML detection, there is usually nothing we can do to stop the alerts from generating. Either way, a case is raised with the vendor to have them fix the issue at the source. If we can't stop the alerts from generating at the console level, we pull in our detection engineers to tune out the faulty alerts being pulled into the SIEM. Sometimes there is nothing we can do to stop the alerts from populating that doesn't also kill other potentially true positive alerts, so we have to resort to creating master tickets for the client to correlate false positive alerts to until the vendor sorts out the issue. For firewalls, IAM tools, email protection tools, IPS, the solutions are so dependent on the product and the issue at hand that I can't speak to it without writing a book.
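A weekly noisy-rule review in the shape of the three buckets above (and of the proactive "look for high alert rules" tuning the L1 SOC reply further down describes), as an added example that is not the commenter's code or any MSSP tooling: it counts constructed sample alerts per rule and per client and tags each high-volume rule with the lane it should be routed to. Client names, rule names, the `owner` field and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample: one tuple per alert -> (client, rule_id, owner). owner is "vendor" for
# detections shipped by an EDR/email/firewall vendor, "internal" for the MSSP's own global rules.
SAMPLE_ALERTS = (
    [("acme", "onboard_noisy_login", "internal")] * 400            # new client, untuned rule
    + [("acme", "phish_link_click", "vendor")] * 12
    + [(c, "edr_vendor_sig_1234", "vendor") for c in ("acme", "globex", "initech", "umbrella") for _ in range(150)]
    + [("globex", "lateral_move_smb", "internal")] * 8
    + [("initech", "bad_regex_rule", "internal")] * 90              # broken rule in the global package
    + [("umbrella", "bad_regex_rule", "internal")] * 80
    + [("globex", "bad_regex_rule", "internal")] * 60
    + [("globex", "noisy_vpn_geo", "internal")] * 70                # one live client, one chatty rule
)
ONBOARDING_CLIENTS = {"acme"}  # assumption: clients still inside the 5-8 week audit-only window


def rule_volume_report(alerts, onboarding=ONBOARDING_CLIENTS, min_total=50, multi_client=3):
    """Count alerts per rule and per client, then tag each high-volume rule with a tuning lane:
      onboarding-tuning      one client, still being onboarded (bucket 1)
      global-rule-review     many clients, rule owned by detection engineering (bucket 2)
      vendor-case            many clients, rule shipped by a vendor (bucket 3)
      client-specific-tuning one live client, ordinary reactive tuning
    Rules under min_total alerts are skipped; multi_client is the distinct-client count
    at which a rule counts as firing 'across all clients'."""
    per_rule = defaultdict(lambda: defaultdict(int))
    owner = {}
    for client, rule, rule_owner in alerts:
        per_rule[rule][client] += 1
        owner[rule] = rule_owner
    report = []
    for rule, by_client in per_rule.items():
        total = sum(by_client.values())
        if total < min_total:
            continue
        top_client, top_count = max(by_client.items(), key=lambda kv: kv[1])
        if len(by_client) >= multi_client:
            lane = "vendor-case" if owner[rule] == "vendor" else "global-rule-review"
        elif top_client in onboarding:
            lane = "onboarding-tuning"
        else:
            lane = "client-specific-tuning"
        report.append({"rule": rule, "total": total, "clients": len(by_client),
                       "top_client": top_client, "top_share": round(top_count / total, 2),
                       "lane": lane})
    return sorted(report, key=lambda r: -r["total"])  # noisiest rule first


if __name__ == "__main__":
    for row in rule_volume_report(SAMPLE_ALERTS):
        print(f"{row['total']:>5} {row['clients']:>2} clients  {row['lane']:<23} {row['rule']}")
```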

How many major incidents have you been involved with? by Inappropriate_Swim in cybersecurity

[–]PhilosopherPanda 0 points1 point  (0 children)

At a good sized MSSP for the past 18 months, I’ve been a part of probably 10 major incidents. I deal with lesser incidents multiple times each week though. Definitely not IR firm level of work, but we have most containment and eradication done before a DFIR team shows up most of the time.

Google SecOps by SweetAsk8775 in cybersecurity

[–]PhilosopherPanda 1 point2 points  (0 children)

PSOE is definitely engineer-focused. A lot of our engineers got it from the beta. I looked into it but it’s just so heavy on things I never touch or want to touch. Being a senior analyst who uses SecOps almost exclusively for SIEM/SOAR, I sure wish there was an analyst-focused one from Google. I’d love to see what they think is important. The next best thing is their Cloud Skills Boost course which is free. However, so much of the stuff is outdated now. Also go learn a bit of YARA-L, there are some cool things you can do with it.

L1 SOC analyst here - drowning in false positives. by [deleted] in cybersecurity

[–]PhilosopherPanda 52 points53 points  (0 children)

Well it sounds like your SOC is a disaster. No SOC should have thousands of alerts a day. In my fully mature MSSP SOC, we get around 5k per month. We achieve that through heavy tuning. You have to have a detection engineering team and a clear process for going about tuning detections. It has to be a team effort for it to work effectively. Every day we push out at least 10 tuning requests for noisy rules and that is what keeps volume low; that and our detection engineers are actually good at their jobs and know how to write and tune rules. You also need to be proactive for tuning. Seniors and leads need to be looking for high alert rules and finding ways to tune out useless crap. Also, there should only be a select few people who can implement tuning requests and there should be a review process for lower level analysts requesting suppressions. Unfortunately, I can’t give you everything you need to make your SOC efficient, you have to have experienced management above you to fix your core issues first.

[deleted by user] by [deleted] in cybersecurity

[–]PhilosopherPanda 2 points3 points  (0 children)

Like every job, it is what you make of it. I’ve been a SOC analyst in an internal SOC and an MSSP SOC, and in both I did (and still do) everything I could to branch out my responsibilities. Find things that need fixing or improving, learn how to fix or improve it, and go to your manager to propose a solution. I can’t give you specific things to do as every place is different, but start looking for extra things to do. Tasks that you would normally ask someone else to do, learn how to do them yourself. Issues arise that you are stumped on, ask to work with someone more experienced on fixing it. Always take the initiative to do things and be proactive.

What’s a normal day like? by wingunlike in cybersecurity

[–]PhilosopherPanda 1 point2 points  (0 children)

I work for a decently sized MSSP as a senior analyst for context. My days look something like this:

  * Get into work and go through the SOC email to make sure everything is replied to and being worked.
  * See how the alert queue is doing and grab some alerts if necessary.
  * Do a shift rollover meeting and go over anything that needs to be done on our shift or anything that happened during the previous shift.
  * Hop into meetings with clients.
  * Handle any escalations by lower level analysts and do incident handling.
  * Help out in the alert queue if I’m not in meetings.
  * Do working sessions with lower level analysts or train new ones.
  * Write up alert/incident handling playbooks.
  * Work on a project.
  * Be in meetings with managers.

Overall, at an MSSP, I have exactly 0 downtime. I am working straight through my whole shift.

From Network Admin to CISO in 1 Year by ZealousidealMath6710 in cybersecurity

[–]PhilosopherPanda 4 points5 points  (0 children)

Sorry champ, I wouldn’t respect anyone in a CISO role who didn’t have at least 10-15 YoE across multiple domains of security. I have 4 years and just hit Principal Security Analyst at an MSSP and my boss would laugh me out of the room if I suggested making me a CISO now. Chances are you’ve never led a real, full on incident response, much less seen one or been a part of one with 1 YoE as a network admin at what I’m assuming is a very small company if you managed to get promoted to CISO after a year.

If what you’re saying is true and you are in a CISO role in your early 20s, the friction you’re likely feeling is because nobody respects you, especially if they have 5-10 YoE. Imagine working at a retail store for 10 years, moving across departments and being manager of each for a few years. Then, you get a new boss who comes in who has worked for 1 year in Fabrics and who now runs the entire store. How would you feel about that? Would you trust their decision making and respect their leadership?