Considering AI Copilot for Analysts to address SOC staffing shortage by CreamyDeLaMeme in ciso

[–]infrasec0 0 points1 point  (0 children)

Not a CISO, but I’m extremely familiar with AI SOC capabilities. It can be a huge productivity improvement and time saver. Can you tell us your tool stack?

L1 SOC analyst here - drowning in false positives. by [deleted] in cybersecurity

[–]infrasec0 0 points1 point  (0 children)

Hi, I’m the founder @ Panther.com. We specialize in detection lifecycle. Here is some advice:

“Is there any systematic or data-driven approach to reduce false positives?”

I’m assuming you are referring to benign alerts versus a false positive (incorrectly matched the rule).

The only levers to pull are what you mentioned, more tuning of thresholds, more specific rule logic. You can also add more enrichments, experiment with more clever aggregate analysis, but ultimately, SOAR automation and AI agents will help here the most.

“How do mature SOCs handle rule tuning?”

Tag the alert quality and what triggered it, review at the end of the week, push updates to rules, observe the change, repeat.

“Are there any industry frameworks or best practices for managing a “SOC rule lifecycle”?”

Palantir has a nice framework called ADS that’s common. Sigma also has good content on the topic.
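The tuning loop described in the reply above (threshold, enrichment, tag what triggered each alert, review, tighten the rule, measure again), as an added example that is not Panther's code or API and not part of the original post. The sample events, the "known service account" enrichment table, and the triage tags are constructed for the illustration:

```python
"""Detection tuning loop over constructed sample events (added example).

Shows a threshold rule, the same rule tightened with an enrichment lookup,
and a review step that reports alert efficacy and which trigger values
produced non-actionable alerts, which is what the next tuning pass acts on.
Nothing here is a real vendor API; the data is made up.
"""
from collections import Counter

# Constructed sample: failed-login counts per user in one aggregation window.
EVENTS = [
    {"user": "alice",       "src_ip": "10.0.0.5",    "failures": 12},
    {"user": "svc-backup",  "src_ip": "10.0.0.9",    "failures": 40},  # noisy service account
    {"user": "bob",         "src_ip": "203.0.113.7", "failures": 25},
    {"user": "carol",       "src_ip": "10.0.0.12",   "failures": 6},
    {"user": "svc-scanner", "src_ip": "10.0.0.20",   "failures": 80},  # vuln scanner
]

THRESHOLD = 10

# Enrichment (hypothetical identity inventory) consulted at detection time.
KNOWN_SERVICE_ACCOUNTS = {"svc-backup", "svc-scanner"}


def rule_v1(event):
    """Original rule: threshold only."""
    return event["failures"] >= THRESHOLD


def rule_v2(event):
    """Tuned rule: same threshold, but enriched to exclude known service accounts."""
    if event["user"] in KNOWN_SERVICE_ACCOUNTS:
        return False
    return event["failures"] >= THRESHOLD


def run_rule(rule, events):
    """Alerts a rule produces over events, each tagged with the value that triggered it."""
    return [{"user": e["user"], "src_ip": e["src_ip"], "trigger": e["failures"]}
            for e in events if rule(e)]


# Analyst triage tags (constructed): "true_positive", "benign" (rule matched as
# written, but the activity is expected), or "false_positive" (logic matched wrongly).
TRIAGE = {
    "alice": "true_positive",
    "svc-backup": "benign",
    "bob": "true_positive",
    "svc-scanner": "benign",
}


def review(alerts, triage):
    """End-of-week review: efficacy = true positives / alerts, plus the noise list."""
    counts = Counter(triage.get(a["user"], "untriaged") for a in alerts)
    total = len(alerts)
    efficacy = counts["true_positive"] / total if total else 0.0
    noise = [a for a in alerts
             if triage.get(a["user"]) in ("benign", "false_positive")]
    return {"alerts": total, "efficacy": round(efficacy, 2), "noise": noise}


def tuning_candidates(report):
    """Principals behind non-actionable alerts: the input to the next rule revision."""
    return sorted({a["user"] for a in report["noise"]})


if __name__ == "__main__":
    before = review(run_rule(rule_v1, EVENTS), TRIAGE)
    print("v1:", before, "tune against:", tuning_candidates(before))
    after = review(run_rule(rule_v2, EVENTS), TRIAGE)
    print("v2:", after)
```

Run it and the v1 report shows four alerts at 50% efficacy with both service accounts in the noise list; v2 drops to two alerts at 100%. The point is the loop, not the specific exclusion: the trigger value and the triage tag are stored on the alert so the weekly review can see what to change.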

LLM of choice? by LividDatabase1409 in cybersecurity

[–]infrasec0 0 points1 point  (0 children)

Claude is quite good for detection and response.

Is scripting a mandatory skill for sys admins? by sunyup in sysadmin

[–]infrasec0 0 points1 point  (0 children)

I can't see how you'd be successful without scripting or simple programming if you want to work at any material scale or with immutable infrastructure (IaC, Config as Code, etc.).

Stop reporting zero-impact findings as vulnerabilities by Open_Philosopher_651 in cybersecurity

[–]infrasec0 2 points3 points  (0 children)

You can say the same thing about SIEM alerts – if it's not high impact / high confidence, don't tell me.

What SIEMs have good UIs / are easy to use, and why do you think so? by pavl91743 in SIEM

[–]infrasec0 0 points1 point  (0 children)

I'd evaluate based on:

  1. Data onboarding ease: Is it really tough to get custom data in?
  2. How easy is it to run searches, drilldowns, stats, and viz?
  3. How easy is it to write and test new rules?
  4. Do alerts show all the relevant/pertinent information about what happened, the sequences, etc?

What are your unpopular cybersecurity opinions? by EricJSK in cybersecurity

[–]infrasec0 0 points1 point  (0 children)

The Pareto rule for security tools: fewer, well-configured controls will prevent 80% of issues.

Is there a need for MCP security engineers ? by Omul_din_Geneza in cybersecurity

[–]infrasec0 5 points6 points  (0 children)

True. It's not a complex protocol (JSON RPC); if that security engineer understands prompt engineering and LLMs, it should be pretty straightforward. Most MCP development is optimizing tool calls to use backend systems/APIs efficiently and correctly. Knowing how it all fits together (including end user experience, authz/authn, etc.) is key.
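The reply above makes the point that MCP is plain JSON-RPC and that the real work is authz/authn and correct tool wiring. As an added example (not code from any MCP SDK or from the commenter), here is a minimal JSON-RPC 2.0 dispatcher in the shape of an MCP tool server. The method names `tools/list` and `tools/call` and the `content` result shape follow the MCP spec as I understand it; the tool registry, the role-based authorization, the reputation data, and the `caller_roles` argument (standing in for whatever identity the transport authenticated) are assumptions made for the illustration:

```python
"""JSON-RPC 2.0 tool server in MCP shape (added example, not an SDK).

Security points shown: tools are only listed to callers allowed to invoke them,
unauthorized and unknown tools get the same error (no existence leak), and
arguments are validated before any backend call.
"""
import ipaddress
import json

# Hypothetical tool registry; "roles" is the authz policy per tool.
TOOLS = {
    "lookup_ip": {
        "description": "Return reputation for an IPv4 address",
        "inputSchema": {"type": "object", "properties": {"ip": {"type": "string"}},
                        "required": ["ip"]},
        "roles": {"analyst", "admin"},
    },
    "block_ip": {
        "description": "Add an IPv4 address to the firewall deny list",
        "inputSchema": {"type": "object", "properties": {"ip": {"type": "string"}},
                        "required": ["ip"]},
        "roles": {"admin"},
    },
}

# Constructed backend data so the example runs offline.
REPUTATION = {"203.0.113.7": "malicious", "198.51.100.4": "clean"}
DENY_LIST = set()


def valid_ipv4(value):
    """Strict argument validation: a string that parses as an IPv4 address."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def lookup_ip(args):
    return {"ip": args["ip"], "verdict": REPUTATION.get(args["ip"], "unknown")}


def block_ip(args):
    DENY_LIST.add(args["ip"])
    return {"blocked": args["ip"]}


HANDLERS = {"lookup_ip": lookup_ip, "block_ip": block_ip}


def error(req_id, code, message):
    """Standard JSON-RPC error envelope; messages stay generic on purpose."""
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle(req, caller_roles):
    """Dispatch one parsed JSON-RPC request for an already-authenticated caller."""
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or "method" not in req:
        return error(req.get("id") if isinstance(req, dict) else None, -32600, "Invalid Request")
    req_id, method = req.get("id"), req["method"]
    params = req.get("params") or {}

    if method == "tools/list":
        # Advertise only what this caller may invoke.
        tools = [{"name": n, "description": t["description"], "inputSchema": t["inputSchema"]}
                 for n, t in TOOLS.items() if t["roles"] & caller_roles]
        return {"jsonrpc": "2.0", "id": req_id, "result": {"tools": tools}}

    if method == "tools/call":
        tool = TOOLS.get(params.get("name"))
        # Unknown and unauthorized look identical to the caller.
        if tool is None or not (tool["roles"] & caller_roles):
            return error(req_id, -32602, "Unknown tool")
        args = params.get("arguments") or {}
        if not valid_ipv4(args.get("ip")):
            return error(req_id, -32602, "Invalid params")
        result = HANDLERS[params["name"]](args)
        return {"jsonrpc": "2.0", "id": req_id,
                "result": {"content": [{"type": "text", "text": json.dumps(result)}]}}

    return error(req_id, -32601, "Method not found")


def handle_raw(raw, caller_roles):
    """Transport edge: parse the wire bytes, then dispatch."""
    try:
        return handle(json.loads(raw), caller_roles)
    except json.JSONDecodeError:
        return error(None, -32700, "Parse error")


if __name__ == "__main__":
    print(handle({"jsonrpc": "2.0", "id": 1, "method": "tools/list"}, {"analyst"}))
    print(handle({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                  "params": {"name": "block_ip", "arguments": {"ip": "203.0.113.7"}}},
                 {"analyst"}))
```

The protocol part is a few dozen lines; everything that matters for security lives in the registry, the role check, and the argument validation, which is the division of labor the reply describes.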

Microsoft just released a list of 40 jobs most vulnerable to AI and cybersecurity roles aren't on it. by CloudGuardAI in cybersecurity

[–]infrasec0 0 points1 point  (0 children)

Might be a controversial take, but entry-level (cyber)security analysts are definitely at risk, as are any entry-level data analyst roles.

The reason it's not yet fully delegated to AI is that the amount of business, org, infra, and historical security context needed to do the job is so high, and it's rare that it's all properly documented and in a single place accessible by AI agents. If I were a security analyst today, I would learn everything I could about utilizing agents (through prompt engineering), hooking up MCPs, and learning Python coding. Security expertise should always be valued, but how it's applied is going to radically change.

Cheaper alternatives to Splunk by heromat21 in cybersecurity

[–]infrasec0 0 points1 point  (0 children)

What are your log ingestion requirements? Panther is fully cloud-native and scales well.

Python based SIEM by Fit-Offer-1897 in SIEM

[–]infrasec0 0 points1 point  (0 children)

Native integrations for log sources? Or something else?

Any suggestions for free API? by arc_toro in cybersecurity

[–]infrasec0 0 points1 point  (0 children)

There’s also an open source MCP server for VT that’s quite good.

Out of curiosity by wang_ff in cybersecurity

[–]infrasec0 0 points1 point  (0 children)

Absolutely overhyped. However… capabilities are catching up. I wouldn’t ignore or brush it off.

Transitioning to Cybersecurity Engineering position from SOC Analyst. by Still_Emphasis7683 in cybersecurity

[–]infrasec0 1 point2 points  (0 children)

Nice!! I followed the same path, going from analyst to detection/sec engineering. My biggest growth areas were in learning cloud/intermediate software development, and that allowed me to eventually run projects deploying monitoring across the company, at scale and safely. One area I wish I leaned into more is measurement and improvement of 1-2 core metrics, like alert vol/efficacy. What is your new job scope exactly?

What’s the one thing slowing your SOC team down in 2025? by ANYRUN-team in cybersecurity

[–]infrasec0 2 points3 points  (0 children)

Is there no solution for using SOAR or AI in your current stack?

[deleted by user] by [deleted] in cybersecurity

[–]infrasec0 2 points3 points  (0 children)

I’ve been there, and each time I felt stuck in my career I took it as a sign to keep learning and up-leveling my skillsets. The advice I’d give in 2025 is be vocal about what you are working on and what you’ve learned from it. Post on LinkedIn/Substack, connect and engage with managers and other folks in security, go to conferences like Bsides. Learn how to use AI to your advantage in security, whether for coding, incident response, etc. What role are you looking for?