One SOC, The Whole SOC, and Nothing But The SOC, So Help Me

Carson Zimmerman

BSidesSF 2025 — Here Be Dragons · Day 1 · Main

Carson Zimmerman, architect of Microsoft's Security Operations Center and author of MITRE's *Eleven Strategies of a World-Class Cybersecurity Operations Center*, argues that SOCs fail not from lack of tooling or talent, but from structural mistakes that fragment the functions that must work together. His prescription: keep the SOC atomic, integrate engineering and threat intelligence directly into the operation, build genuine capacity for non-incident work, and make truth-telling — not just threat detection — a first-class SOC function.

---

AI review

Zimmerman wrote the book on SOC design — literally, MITRE's Eleven Strategies — and he delivers the distilled version here with the authority of someone who architected Microsoft's SOC and watched the same structural failures repeat across every organization he's touched. The four-mistake framework is concrete, the prescriptions are specific, and the 20-50% non-incident capacity target is the kind of uncomfortable truth most SOC leaders already know and need to hear again.
