How SOCAutomation Helps

SOCAutomation employs unique learning technology to deliver continuous improvement for your security operations.

This ground-breaking mechanisation feeds incident response data back into the triage subsystem to allow detection of noise and false positives, whilst crucially delivering clear visibility of high priority attacks.

Key Findings

A recent survey of incident responders by the SANS Institute has found that:

  • Report a dwell time of 2 to 7 days

  • Report a remediation time of 2 to 7 days

  • See a skills shortage as an impediment to incident response effots

  • Say corporate-owned assets are involved in investigations

  • Do not currently assess their incident response program

The Solution

The SOCAutomation platform seamlessly plugs into all SIEMs and then rapidly adds the much needed context to incidents, making the security analysts job far ‘slicker’ by delivering knowledge to his/her fingertips.

  • Device type and application

  • Device application IT owner and business owner

  • Device/app last logged on user list

  • Threat intelligence data relevant to alert

  • Device/app system admins

  • Importance of asset to business pulled from CMDB and GRC systems

  • Vulnerability and patch data relevant to asset

  • Useful data from other security monitoring tools

Once an analyst has this rich compendium of information, they can then quickly decide to escalate the alert to an incident. The automation delivers time saving to the SOC to get to this stage, which means the volume of alerts can all be fully handled and increases the SOC’s processing power hugely.


SOCAutomation is able to automate almost any task your SOC team is faced with, decreasing the response time dramatically.

SOCAutomation also allows you to fully control the level of automation applied to a task. There are some tasks that may require approval or review, SOCAutomation allows you to set a trigger for these so the responsible stakeholder can respond accordingly.


SOCAutomation also suggests a proposed Run-Book to remediate an incident, the analyst can simply accept this or can customise it to suit.

These Run-Books contain step-by-step guides on how each user should best respond to incidents, and includes both manual and automated tasks.

Example Malware Run-Book

Automated Security Modelling

A huge library of automation use cases, fully and easily customisable to fit specific security and IT environments and technologies. SOCAutomation’s advanced Automated Security Modelling can cater for any automation use case, and crucially includes a comprehensive set of common security use cases out-of-the-box.

Example Phishing Campaign Use Case

KPIs and Reporting

SOCAutomation offers fully customisable dashboards, giving each user a personalised graphical representation of the data, as well as incidens and alerts relevant to them. Using a fully distributed and automated reporting engine, SOCAutomation is able to generate and deliver reports, graphs, tables, summaries and statistics to any number of stakeholders.

Personnel from different areas of your organisation can receive specific reports relevant to their role via email, and reports are able to be automatically distributed to all stakeholders involved in an incident as soon as it is resolved. Some of the reports that can be generated are listed below:

  • Incidents handled by severity
  • Incident response timeliness
  • Open incidents
  • Closed incidents
  • Incidents utilising most resources
  • Incidents requiring further investigation
  • Incident handling satisfaction
  • Damage from an incident
  • Process workflow
  • General mission success
  • Fire drill results
  • Lessons learned
  • Incident response performance
  • Incident costs

View Integrations