Your 24/7 Security Operations Centre
Built, Staffed, and Run by Experts.

L1 analyst monitoring covers the SIEM alert queue on a continuous basis across all shifts reviewing each alert in the priority order defined by the organisation's risk classification, performing the initial triage assessment (is this alert generated by legitimate activity, is it a known false positive pattern that can be closed with documentation, or does it require L2 investigation?), documenting the triage decision in the case management system, and escalating to L2 within the SLA time for alerts that cannot be resolved at L1. L1 analysts handle the high-volume, lower-complexity alert categories (threshold-based alerts, known false positive patterns, informational events) that would consume L2 and L3 analyst capacity if not filtered at the L1 level. SourceMash's L1 team operates from standard runbooks for each alert type ensuring consistent triage decisions regardless of shift or analyst.

L2 analysts investigate escalations from L1 gathering additional evidence from the SIEM (searching for related events in the 24-72 hours before and after the alert), querying the EDR for process execution history and network connections on the affected endpoint, checking the identity system for account activity surrounding the alert, and correlating the alert with threat intelligence to assess the likelihood that the observed behaviour is part of an active attack. L2 investigation produces one of three outcomes: confirmed incident (escalate to incident response and contain), suspected incident requiring further investigation (escalate to L3 or continue L2 investigation with extended scope), or confirmed false positive (document and recommend tuning to prevent recurrence). L2 investigations are time-boxed to maintain queue throughput.

L3 threat hunting is proactive threat detection the practice of searching the environment for indicators of compromise that have not yet generated SIEM alerts, based on threat intelligence about TTPs (Tactics, Techniques and Procedures) used by the threat actors most likely to target the organisation. Threat hunting hypotheses are derived from: new intelligence reports about threat actor campaigns, MITRE ATT&CK technique coverage gap analysis (identifying detection blind spots), anomaly investigation (exploring statistically unusual behaviour that does not cross an alert threshold), and the organisation's specific risk profile. L3 hunts are documented with methodology, data sources queried, findings, and recommendations for new detection rules that would automate the detection of any adversarial behaviour identified during the hunt turning hunting findings into permanent SOC capability improvements.

Monthly and quarterly security posture reports providing the board, CISO, and IT leadership with the intelligence to make risk-informed security investment decisions. Monthly report content: alert volume by severity and category, true positive rate (the percentage of alerts that represented actual malicious or high-risk activity), MTTD (Mean Time to Detect the time between initial attacker activity and first SIEM alert generation) and MTTR (Mean Time to Respond the time between alert generation and confirmed containment) trend, top threat categories observed, new vulnerabilities discovered, compliance status, and analyst-level commentary on the most significant security events of the month. Quarterly strategic report: threat landscape evolution, detection coverage gap analysis, recommended security control improvements, and security investment prioritisation recommendations.

Alert fatigue the progressive desensitisation of analysts to alerts when alert volume consistently exceeds the team's investigation capacity is the most common cause of SOC effectiveness degradation over time. SourceMash manages alert fatigue through: Splunk Risk-Based Alerting (RBA) that accumulates risk scores across correlated low-confidence events before surfacing a single high-confidence alert; SOAR-based automated triage of known false positive patterns that removes them from the analyst queue before they are seen; dynamic alert suppression for maintenance windows and planned changes; and the monthly alert quality review that identifies the 20% of rules generating 80% of false positives and tunes them to acceptable rates. Target: analyst sees fewer than 50 actionable alerts per shift, with a true positive rate above 70%.

UEBA deployment for insider threat and account compromise detection the analytics capability that establishes baseline behaviour patterns for each user and entity in the environment (what systems a user normally accesses, at what times, from which locations, with what authentication behaviour) and alerts when observed behaviour deviates significantly from the baseline. UEBA is particularly effective for detecting compromised accounts that are behaving differently from the legitimate user's pattern, lateral movement where an attacker is accessing systems that the account owner never normally accesses, and data exfiltration where a user is downloading volumes of data far exceeding their normal pattern. Microsoft Sentinel UEBA, Splunk UBA, or standalone platforms (Exabeam, Securonix) based on the SIEM environment.

Monthly strategic threat intelligence reports contextualising the global and India-specific threat landscape for the client's industry sector emerging threat actor campaigns targeting the sector, new malware families and ransomware groups active in the region, regulatory intelligence (new CERT-In directives, RBI cybersecurity guidelines updates, SEBI cybersecurity framework changes), and the geopolitical context that influences the threat environment for Indian organisations. Board-level threat briefings translating technical threat intelligence into business-impact language that enables risk-informed security investment decisions.

Tactical threat intelligence covering the specific Indicators of Compromise (IOCs IP addresses, domains, file hashes, URLs) and TTPs (Tactics, Techniques and Procedures the specific attack methods described in MITRE ATT&CK terms) associated with threat actors targeting the client's sector. IOC feeds integrated into the SIEM for automated alerting when any of the client's environment communicates with known-malicious infrastructure. TTP intelligence translated into new detection rule requirements if the intelligence reports that a specific threat actor is using a particular LOLBin (Living Off the Land Binary) technique, a new detection rule is developed to search for that technique pattern in the client's environment.

Dark web monitoring for the client's organisation searching dark web forums, paste sites, Telegram channels, and criminal marketplaces for: leaked or stolen employee credentials (email and password combinations that can be used for credential stuffing attacks against corporate systems); leaked internal documents, source code, or proprietary data; mentions of the organisation in criminal planning discussions; and indicators that the organisation is being actively researched by threat actors as a potential target. Real-time alerts when credentials are discovered in new credential dumps, enabling proactive password reset before the credentials are exploited.

Digital risk protection monitoring for brand abuse and impersonation detecting typosquat domains that impersonate the organisation's brand (acme-bank.in, acmebannk.com) that are used in phishing campaigns targeting the organisation's customers; social media impersonation accounts on LinkedIn, Twitter/X, Facebook, and Instagram that impersonate the organisation or its executives; mobile app stores for counterfeit apps masquerading as the organisation's official app; and the takedown service that requests removal of identified impersonation content from domain registrars, social platforms, and app stores.

MITRE ATT&CK framework operationalisation mapping the SOC's detection rule library to ATT&CK techniques to identify coverage gaps, using ATT&CK to structure threat hunting hypothesis generation, and reporting SOC detection coverage in ATT&CK Navigator format that makes gaps visible to security leadership. ATT&CK for ICS (Industrial Control Systems) coverage for manufacturing, energy, and critical infrastructure clients where OT and ICS environments require specialised threat models that differ from enterprise IT ATT&CK techniques. Threat actor group profiling using ATT&CK group pages to build a priority list of techniques to detect based on the groups most likely to target the organisation.

Threat Intelligence Platform deployment for organisations requiring a structured intelligence management capability MISP (open-source), ThreatConnect, or Anomali ThreatStream for aggregating intelligence from multiple feeds, deduplicating and scoring IOCs, managing the intelligence lifecycle (IOC expiry, confidence scoring), and distributing intelligence to the SIEM, EDR, firewall, and proxy in the formats each system consumes. TIP-to-SIEM integration via STIX/TAXII for automated IOC ingestion. Intelligence sharing with industry sector ISACs and CERT-In for reciprocal threat intelligence exchange.

Web application penetration testing covering the OWASP Top 10 vulnerability categories (Injection, Broken Authentication, Sensitive Data Exposure, XXE, Broken Access Control, Security Misconfiguration, XSS, Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging) and the business logic vulnerabilities that automated scanners cannot identify authentication bypass that requires understanding of the application's intended workflow, insecure direct object reference exploitation, privilege escalation through role manipulation, and payment flow manipulation for e-commerce applications. Manual testing methodology supplemented by automated scanning (Burp Suite Pro, OWASP ZAP) for comprehensive vulnerability identification. CERT-In compliant VAPT report with CVSS-scored vulnerability findings, proof-of-concept evidence, and remediation guidance prioritised by exploitability and business impact.

Network penetration testing for external perimeter (internet-facing assets web servers, VPN gateways, remote access infrastructure, cloud-hosted services) and internal network (assumed-breach scenario starting from a position of internal network access to simulate the lateral movement phase of an attack after initial access has been achieved). External perimeter testing identifies exploitable vulnerabilities in internet-facing services that an attacker can reach without any internal access. Internal testing covers: Active Directory privilege escalation (finding the path from a low-privilege domain user to Domain Admin), network segmentation bypass, exploiting misconfigured network services, and demonstrating the data exfiltration that would be possible from the level of access achieved during the engagement.

API security testing for REST, GraphQL, and SOAP APIs the attack surface that is the most commonly overlooked in traditional VAPT programmes despite APIs now representing the majority of web traffic for modern applications. API-specific vulnerabilities including the OWASP API Security Top 10: Broken Object Level Authorisation (BOLA/IDOR accessing other users' data by manipulating object IDs in API requests), Broken Authentication (weak API key schemes, JWT vulnerabilities, OAuth misconfiguration), Excessive Data Exposure (APIs returning more data than the client needs, with sensitive fields visible in the raw response), Rate Limiting bypass, and Mass Assignment (API endpoints accepting object properties that should not be writeable). GraphQL introspection, query depth and complexity attacks, and batching abuse.

Cloud security assessment for AWS, Azure, and GCP environments identifying the configuration weaknesses, IAM privilege escalation paths, and exposed data stores that represent the most common sources of cloud data breaches. AWS assessment: S3 bucket access controls, IAM policy over-privilege (wildcard permissions, unused permissions, cross-account trust relationships), EC2 instance metadata service (IMDS) exposure, Security Group configuration, CloudTrail logging gaps, and KMS key management. Azure assessment: Azure AD configuration (guest user access, MFA enforcement, privileged identity management), storage account access controls, network security group configuration, Azure Defender coverage gaps, and service principal permission review. Cloud-native penetration testing simulating the exploitation chain from initial access through cloud privilege escalation to data access.

Red team exercises that simulate a realistic, targeted attack against the organisation going beyond the scope of a penetration test (which tests specific systems for known vulnerability classes) to test the organisation's complete detection and response capability against an adversary who uses the same TTPs, evasion techniques, and multi-stage attack chains as real threat actors. Red team objectives are defined in terms of business impact (can the red team access the organisation's core banking system? can they exfiltrate the customer database? can they disrupt production operations?) rather than technical findings. TIBER-EU framework for regulated financial institutions requiring intelligence-led red team testing. Purple team exercises where the red team and blue team (SOC) work together to test and improve the SOC's detection and response capability against specific ATT&CK techniques.

Phishing simulation programmes measuring the organisation's human security posture simulated phishing campaigns sent to the organisation's employees using the same techniques (pretexting, urgency framing, credential harvesting page design, impersonation of trusted brands and internal senders) used by real attackers, measuring click-through rate, credential submission rate, and report rate (the percentage of recipients who reported the simulated phishing email to the IT security team rather than engaging with it). Results used to identify the departments and employee segments with the highest susceptibility, target security awareness training to those populations, and track improvement over successive simulation cycles. Vishing (voice phishing) and smishing (SMS phishing) simulation for organisations with significant exposure to social engineering via phone and mobile.