FIRST ‌Security ‌Operations ‌Center (SOC) SIG Update

The goal of the FIRST Security Operations Center (SOC) Special Interest Group (SIG) is to strengthen Security Operations through collaboration, shared experiences, and practical guidance for the FIRST community.

FIRST has a long history of publishing useful standards, frameworks, and best practices for the global security community. Still, day-to-day SOC operations brings its own set of operational challenges, that’s why the SOC SIG was formed, to focus on the problems modern SOCs experience in practice. The SOC SIG focuses on resources that help organizations build, run, and grow an effective SOC, regardless of the organization’s size, sector, or mission.

SOCs continue to evolve as organizations face complex threat landscapes, expanding attack surfaces, and ever growing volumes of security telemetry. Even with all this progress, many teams still lack community-built operational guidance that’s grounded in what actually happens in a SOC. By turning real operational experience into usable material, the SOC SIG aims to help organizations raise SOC maturity, sharpen monitoring and response, and improve how SOC teams and incident response teams coordinate.

Current Areas of Focus

Currently, the SOC SIG is collecting the challenges that arise across many environments and converting those lessons into guidance that organizations can apply. Current work includes:

  • Identifying common SOC operational hurdles, including staffing pressures, analyst burnout, alert fatigue, workflow improvements, and tool integration.
  • Writing guidance that separates SOC and Incident Response Team roles and responsibilities clearly, while also showing how they connect across the full incident management lifecycle.
  • Building a standardized SOC framework and ontology, with shared terminology, common capabilities, services, and operational functions, so that organizations can communicate and collaborate with fewer misunderstandings.

SOC SIG work is intended to complement, not replace, existing FIRST frameworks by adding a dedicated knowledge base that’s focused on Security Operations.

Community Collaboration

Contributors come from government, academia, critical infrastructure, and the private sector, bringing different operating contexts so the resulting guidance isn’t narrow or overly idealized. One example, a public webinar hosted by the Protect BT Group CERT on how threat intelligence is used in SOC operations:

“BT Group Cyber Operations are fundamentally threat‑intelligence led, shifting the organization from a reactive security posture to one that is proactive, prioritized, and adversary‑focused.

At the core of this threat led model is the use of actionable threat intelligence to inform every stage of the security lifecycle—from detection engineering and alert triage through to incident response.

Rather than treating threats as isolated alerts, BT Cyber Operations focuses on understanding its adversaries, their behavior, potential intent, and capability. Intelligence is continuously ingested, enriched, and operationalized to ensure that analysts are responding to real and relevant threats, not noise. This approach allows BT to:

  • Priorities security effort based on active campaigns targeting BT and its customers
  • Detect earlier in the attack lifecycle, before impact occurs
  • Continuously adapt detection and response as the threat landscape evolves

Threat intelligence is embedded across people, processes, and technology, enabling Cyber Operations to act as a proactive defense capability, not just an alert-handling function. The result is improved resilience and stronger protection of BT’s networks, services, and customers.”

As the SOC SIG continues its work, participation from the FIRST community is important. Sharing operational experience, offering specialist input, reviewing draft content, and helping shape deliverables all make the guidance stronger and more useful to the broader FIRST community.

Looking Ahead

The SOC SIG has more community events planned over the next few months. Work will continue on the framework, the ontology, and the guidance documents, along with new ways to support Security Operations professionals within the FIRST community. If you’re standing up a new SOC, updating a mature operation, or simply would like to exchange hard-earned lessons with peers, you’re invited to become a member of the SOC SIG.

Published on FIRST POST: Apr-Jun 2026