Quality is the SOC metric that matters most, but the one no one can measure.
Now there’s a scorecard — and a tool that applies it the same way, every time, across all your cases.
Get the Scoring Tool
Read "Why the Quality Matters" white paper
Anatomy of a Quality Case
A quality case turns messy telemetry into a decision you can trust and a next step you can take. The investigation follows one path:

1. Triggered alert
2. What really happened?
3. Is this benign or malicious?
4. What additional questions do I need to answer to make that decision with high accuracy?
5. Make the decision: benign or malicious
6. Actions
Questions that a good investigation should answer (9 in this case), each with its rubric weight, how fully the case answered it, and whether the unanswered part is a critical gap:

1. Are the flagged AWS API calls actually first-time actions for this user account based on historical CloudTrail data? (Weight: 5; Partially Answered; Critical Gap)
2. What is the user’s typical pattern of AWS API usage and administrative responsibilities? (Weight: 5; Not Answered; Critical Gap)
3. Is the source IP address and geolocation consistent with the user’s expected access patterns? (Weight: 3; Partially Answered; Critical Gap)
4. Does the user have legitimate business justification and appropriate permissions for the AWS services accessed? (Weight: 3; Not Answered; Critical Gap)
5. Are there any threat intelligence indicators associated with the source IP, user agent, or API call patterns? (Weight: 1; Partially Answered; Critical Gap)
6. Is the user account showing any indicators of compromise in recent activity logs? (Weight: 5; Partially Answered)
7. Are there any anomalies in the authentication method, MFA status, or session characteristics? (Weight: 3; Partially Answered)
8. What specific AWS resources and data did the user access or enumerate through these API calls? (Weight: 3; Partially Answered)
9. Did the first-seen API calls occur in rapid succession or follow any suspicious timing patterns? (Weight: 3; Partially Answered)
Ready to grade a SOC case?
AI-Powered Security Operations
Get an instant case-quality score and actionable feedback, using a transparent rubric.