The Evolution of SOC, SOAR & Security Command Centers with StrikeReady - TopShelfTech
Security operations centers are undergoing a fundamental transformation. The days of reactive security teams drowning in alerts while jumping between disparate tools are numbered. As cyber threats grow more sophisticated, so must our approach to detecting, analysing, and responding to them.
In this episode of TopShelfTech, Jeremy Nees sits down with Alex Lanstein, CTO of StrikeReady, to unpack the challenges facing modern security operations and explore emerging solutions. With his extensive background at FireEye and Facebook, Lanstein brings a wealth of experience in threat analysis and security innovation.
From the limitations of traditional SOAR implementations to the power of asset-based views, threat emulation, and AI-augmented analysis, this conversation reveals practical insights for security teams looking to move from reactive to proactive operations. The discussion highlights why many organisations struggle to realise the promised benefits of security automation and how emerging approaches could change that.
This blog recaps Jeremy's TopShelfTech interview with StrikeReady, available to watch above.
Watch the full conversation to hear firsthand experiences and detailed technical insights on the evolution of security operations. Alternatively, continue reading below for a detailed recap of this episode.
The Problem With Traditional SOAR Solutions
Security orchestration, automation, and response (SOAR) platforms have long promised to solve the challenge of disparate security tools and complex workflows. But as Jeremy notes from our own experience implementing first-generation SOAR solutions, many organisations don't see the benefits they expected.
"Three years ago, I was told I wouldn't get the benefits from automation that I thought I'd get," Jeremy shares. "Looking back, that was 100 percent on the money."
Lanstein explains why traditional SOAR approaches often fall short: they function like RPA (Robotic Process Automation) for security, useful for static, standardised workflows but insufficient for the dynamic nature of security investigations.
"In these very flexible, super technical SOAR products, you have to build each integration individually," Lanstein explains. "The SOC operator wants to look at a hundred things before they even dig into an alert—who is this user, what business unit are they in, what workstation is this, vulnerability scans, patches, web browsing, proxy data, DNS data, endpoint telemetry... Every single person wants that information, but with traditional SOAR, you have to build each integration individually."
Another significant challenge is API maintenance. With security vendors constantly updating their APIs, deprecating features, and adding new capabilities, maintaining integrations becomes resource-intensive.
"The APIs change all the time. The functionality is improved, or features you might be using were deprecated. It's multiple full-time jobs to keep up with these APIs," Lanstein points out. This technical debt becomes particularly challenging when organisations want to replace security tools: the development cycles required to confidently transition between vendors can be prohibitive.
A New Approach to Security Operations with Asset-Based Views
One notable shift in security operations is moving from alert-centric to asset-centric views. While traditional SOAR platforms focus on time-series data and alert flows, newer approaches prioritise contextual understanding of identities and devices.
"One of the things from a StrikeReady perspective that I've seen recently is the shift to these asset views," Jeremy observes. "An identity as an asset, being able to look at an identity and see a lot of information collated around that identity or a device."
This approach enables security analysts to quickly understand the full context surrounding an alert, whether an employee has multi-factor authentication enabled, their access privileges, device status, and more, without navigating multiple systems or running repetitive queries.
Lanstein emphasises that this contextual view extends to vulnerability management as well: "We help build software databases for you and vulnerability databases by working with your EDR. We'll profile what's running out of program files, what's installed, so we can give you a consolidated view of your asset, here's the asset, here's the identities logged into it, and here's the actual vulnerability picture."
This holistic approach addresses a common blind spot in security operations: organisations often lack a unified view of assets, identities, and software across their disparate systems. "What shows up in Okta is different than what shows up in Azure, which is different than local accounts, guest users, work-from-home users, VPN people... Many enterprises just don't have a holistic view of assets, identity, and software libraries," Lanstein notes.
Overcoming the Threat Intelligence Challenge
A significant pain point for security teams involves effectively triaging unstructured threat intelligence. SOC analysts frequently receive threat reports through various channels—email, Slack, printed documents—and must manually extract indicators, check logs, and determine relevance.
"Ninety-nine percent of the threat intelligence that you read is not useful to the organisation," Lanstein states. "It didn't happen to you, you weren't vulnerable to it, your sector wasn't targeted, or you just didn't get hit for some reason."
The result is a vicious cycle: analysts invest significant time extracting indicators and searching for evidence, rarely finding anything relevant. This leads to burnout and diminished enthusiasm for thorough investigations. "So you get that one-two punch of burnout plus 'I'm not going to look that hard next time because I probably won't find anything,'" Lanstein explains. "And it takes fairly advanced people to do that work, so you're burning out your best people."
Modern security operations need to quickly filter intelligence so that only "threads worth pulling on" are highlighted: actual evidence of suspicious network connections, DNS requests, or process executions that match threat indicators. This shift enables more proactive security operations.
"That kind of element is incredibly valuable," Jeremy notes. "The industry's focused a lot on EDR popping up, sending alerts... as opposed to what can I do before I even potentially get an alert to minimise my risk."
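As an added example, not code from the page, TopShelfTech or StrikeReady, the Python below sketches the triage step described above: pull file hashes, URLs, domains and IPs out of an unstructured report, then sweep DNS, network-connection and process-execution records for matches, so that only hosts with actual evidence surface as threads worth pulling on. The report text, the `type|field=value` telemetry format and every indicator value are constructed for the example, and the function names are my own.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed threat report (not from the page); every indicator below is made up.
THREAT_REPORT = """
Actor XYZ delivered a loader via http://update.example-bad.test/payload.bin
and used the C2 domain c2.example-bad.test with IP 203.0.113.45.
Dropped file SHA256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Constructed telemetry in a simple "type|field=value|..." form standing in for
# DNS logs, network-connection records and process-execution events.
TELEMETRY = [
    "dns|host=ws-042|query=c2.example-bad.test",
    "dns|host=ws-017|query=www.example.test",
    "net|host=ws-042|dst=203.0.113.45|dport=443",
    "net|host=ws-099|dst=198.51.100.7|dport=80",
    "proc|host=ws-042|image=loader.exe|sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "proc|host=ws-017|image=notepad.exe|sha256=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
]

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def extract_indicators(text: str) -> Dict[str, Set[str]]:
    """Pull atomic indicators out of free-form report text, normalised to lowercase."""
    urls = {u.lower() for u in URL_RE.findall(text)}
    # Hostnames inside URLs are indicators in their own right: DNS logs see the name, proxies see the URL.
    domains = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    # Strip URLs first so path components such as "payload.bin" are not mistaken for domains.
    scrubbed = URL_RE.sub(" ", text)
    domains |= {d.lower() for d in DOMAIN_RE.findall(scrubbed)}
    ips = {ip for ip in IPV4_RE.findall(text) if all(int(o) <= 255 for o in ip.split("."))}
    return {
        "url": urls,
        "domain": domains,
        "ip": ips,
        "sha256": {h.lower() for h in SHA256_RE.findall(text)},
        "md5": {h.lower() for h in MD5_RE.findall(text)},
    }


# Which telemetry field is compared against which indicator type.
FIELD_TO_TYPE = {"query": "domain", "dst": "ip", "url": "url", "sha256": "sha256", "md5": "md5"}


def parse_event(line: str):
    kind, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split("|") if "=" in kv)
    return kind, fields


def find_threads(indicators: Dict[str, Set[str]], telemetry: List[str]) -> List[dict]:
    """Return only the records that match an indicator: the threads worth pulling on."""
    hits = []
    for line in telemetry:
        kind, fields = parse_event(line)
        for field, ioc_type in FIELD_TO_TYPE.items():
            value = fields.get(field, "").lower()
            if value and value in indicators[ioc_type]:
                hits.append({"host": fields.get("host"), "event": kind,
                             "type": ioc_type, "value": value, "raw": line})
    return hits


def triage(report: str, telemetry: List[str]) -> dict:
    """End-to-end: extract indicators, sweep telemetry, report affected hosts."""
    indicators = extract_indicators(report)
    hits = find_threads(indicators, telemetry)
    return {
        "indicator_count": sum(len(v) for v in indicators.values()),
        "hits": hits,
        "hosts": sorted({h["host"] for h in hits}),
    }


if __name__ == "__main__":
    summary = triage(THREAT_REPORT, TELEMETRY)
    print(f"{summary['indicator_count']} indicators, {len(summary['hits'])} matches on {summary['hosts']}")
    for h in summary["hits"]:
        print(f"  {h['host']} {h['event']} {h['type']}={h['value']}")
```

On the constructed data the sweep reduces six records to three, all on one workstation, which is the kind of output an analyst can act on; a report whose indicators match nothing produces an empty hit list and can be set aside rather than chased by hand. The regex extractor is deliberately conservative (URLs are removed before domain matching, IP octets are range-checked) because false indicators create exactly the wasted searches the section describes.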
Strikes: Validating Security Controls Through Threat Emulation
One of the most innovative capabilities highlighted in the conversation is StrikeReady's "Strikes" feature—mini threat emulations that test whether an organisation's security tools detect specific threats. Jeremy likens it to testing car safety features: "You've got airbags in your car, but you don't know how well those airbags are going to work in a crash until you test them. Of course, you don't want to crash your car."
How Do StrikeReady’s Strike Threat Emulations Work?
Traditional security validation approaches like penetration testing and red team exercises are expensive and infrequent. Strikes offer a lightweight alternative that can be run routinely.
Lanstein explains the origin of this capability: "It came from us at FireEye. Customers would send us threat reports and say, 'Hey, I read this cool thing from CrowdStrike, do you detect it?'"
The process is straightforward:
- Feed a threat report into the platform
- The system identifies file hashes, URLs, and other indicators
- For file hashes, it locates or provides the actual file
- A virtual machine running your EDR agent and a simulation agent is spun up
- The file is loaded into the simulation agent while your EDR scans it
- You can immediately see if your EDR detects the threat and what the alert looks like
"This helps your SOC understand what does my EDR say about this? What does the alert look like? And would they even notice the alert?" Lanstein explains.
This capability extends to network threats as well, simulating malicious communication patterns to test if network security tools can detect and block them. The platform can even temporarily deploy blocking rules for identified threats, then automatically remove these rules after a predefined period to prevent rule bloat.
AI's Role in Enhancing Security Operations
The final segment of the conversation explores how artificial intelligence is revolutionising security operations. StrikeReady's "Cara" virtual SOC analyst, which would now be described as agentic AI, assists analysts in several ways.
StrikeReady’s AI Agent Assistant: CARA - Source: StrikeReady
"It's really useful to understand, to be able to leverage these LLMs to say, okay, it was a PowerShell process with all these switches and command arguments and encoded content," Lanstein explains. "It's really useful just to be able to dump that into a locally hosted LLM and say 'explain this alert to me. What is this thing doing?'"
This capability saves analysts substantial time in decoding obfuscated commands and understanding complex processes. While experts could perform these analyses manually, AI dramatically accelerates the process.
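One concrete piece of that decoding work, as an added example rather than code from the page or from StrikeReady's product: PowerShell's `-EncodedCommand` switch carries a base64 string of UTF-16LE text, so an analyst (or the tooling that feeds an alert to an LLM) can recover the actual script before asking what it does. The command line below is constructed, with its payload built inline from a harmless `Write-Output`; the helper names are my own.

```python
import base64
import binascii

# Constructed sample alert command line (not from the page). The encoded payload is built
# here from a harmless Write-Output so the example runs offline with a known answer.
SAMPLE_SCRIPT = "Write-Output 'triage sample'"
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
)


def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    t = token.lower()
    return len(t) >= 2 and "-encodedcommand".startswith(t)


def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return the script, or None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage_command_line(cmdline: str) -> dict:
    """Summarise a PowerShell command line: image, switches, and the decoded script if encoded."""
    tokens = cmdline.split()
    result = {
        "image": tokens[0] if tokens else "",
        "switches": [t for t in tokens[1:] if t.startswith("-")],
        "encoded": False,
        "decoded": None,
    }
    for i, tok in enumerate(tokens[1:], start=1):
        if is_encoded_flag(tok):
            result["encoded"] = True
            if i + 1 < len(tokens):
                # Malformed base64 or odd-length UTF-16 leaves "decoded" as None rather than guessing.
                result["decoded"] = decode_encoded_command(tokens[i + 1])
            break
    return result


if __name__ == "__main__":
    r = triage_command_line(SAMPLE_CMDLINE)
    print(f"{r['image']} switches={r['switches']}")
    print("decoded script:", r["decoded"])
```

Decoding before summarising matters for both the human and the model: an LLM handed a raw base64 blob can only speculate, whereas the recovered script is something it (and a junior analyst) can read. The decoder refuses malformed input instead of returning partial text, so an alert that only looks encoded is flagged as such rather than given an invented explanation.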
For less experienced team members, AI offers educational value: "For junior people, the ability to just understand how the process is supposed to operate" provides important context and skill development opportunities.
Documentation is another area where AI excels: "So much of the incident response process is documenting all the work you've done, whether or not it actually had a finding at the end or not." AI can create comprehensive summaries of investigation steps, findings, and actions taken.
Lanstein emphasises two critical considerations for AI in security:
- Data privacy: "One of the big problems is that people want to use these tools and they want to just go on ChatGPT and throw all their alerts into it... your data's gone, there's no more boundary."
- Hallucination management: "When you could build your LLM around your locally derived data, the hallucination problem goes down dramatically."
Looking ahead, StrikeReady plans to expand its telemetry capabilities: "The next big thing is the ability to really visualise all your telemetry... endpoint telemetry and email-based metadata and Netflow and authentication." This will enable teams to write custom detection rules on incoming telemetry, further enriching the platform's context and detection capabilities.
Conclusion
The evolution of security operations centers reflects broader changes in the cybersecurity landscape. As attacks grow more sophisticated and the volume of data increases, traditional approaches to security monitoring, investigation, and response simply cannot keep pace.
The TopShelfTech episode with StrikeReady's Alex Lanstein highlights several key shifts in modern security operations:
- Moving from alert-centric to asset-centric views that provide richer context
- Transitioning from manual threat intelligence triage to automated relevance assessment
- Validating security controls through routine, lightweight threat emulation
- Augmenting analyst capabilities with purpose-built AI that respects data boundaries
These approaches enable security teams to work more efficiently, focus on high-value activities, and shift from reactive to proactive security postures. The future of security operations involves not just tools that aggregate data, but technologies that provide meaningful context, intelligent assistance, and continuous validation of security controls.
As security threats continue to evolve, so too must our approaches to detecting and responding to them. The most successful security teams will be those that embrace these shifts and leverage emerging technologies to enhance, not replace, human expertise.