SOC Manager

Define and operationalize the SOC mission, scope, and service boundaries

Establish a clear roles, responsibilities, and escalation hierarchy

Build and maintain a RACI model across internal teams and Managed SOC Provider

Own the effectiveness and maturity of Iru’s hybrid SOC model

Clearly define and enforce ownership across:

Detection engineering

Threat intelligence

Tier 1 alert triage

24/7 monitoring

Incident response leadership

Threat hunting

Escalation investigations

Establish and manage the “first call” model for security incidents at Iru

Serve as incident commander for high-severity events or delegate appropriately

Own the operational relationship with Managed SOC Provider

Ensure alignment on:

Alert triage quality and consistency

Escalation thresholds and timelines

Detection coverage across environments

Incident response coordination

Hold Managed SOC Provider accountable to defined SLAs and performance expectations

Continuously improve MDR effectiveness through feedback loops and tuning

Build and maintain a central detection catalog

Align detections to MITRE ATT&CK where applicable

Partner with internal teams and Managed SOC Provider to:

Develop new detections

Tune and optimize existing rules

Reduce false positives and noise

Ensure detection coverage across:

Identity (Iru Identity, Entra)

Endpoint (EM / EDR)

Cloud (AWS)

SaaS and integrations

Maintain a complete inventory of all telemetry sources across:

Endpoint, Identity, Cloud, Network, SaaS

For each data source:

Define system owner

Confirm ingestion into Panther SIEM

Validate data quality and coverage

Drive onboarding of new log sources to close visibility gaps

Design and maintain Iru’s incident response framework, including:

Incident classification and severity model

Evidence collection standards

Containment and remediation procedures

Recovery processes

Post-incident review and lessons learned

Ensure consistent execution across internal teams and Managed SOC Provider

Develop and maintain:

Alert triage procedures

Investigation runbooks

Incident response playbooks

Ensure all runbooks are actionable, tested, and continuously improved

Integrate threat intelligence into detection and response workflows

Define ownership model for threat intelligence (internal vs MDR)

Establish proactive threat hunting capabilities

Evaluate and integrate external threat hunting services as needed

Define and track key SOC KPIs:

Mean Time to Detect (MTTD)

Mean Time to Respond (MTTR)

Alert volume and trends

False positive rates

Detection coverage and gaps

Provide regular reporting to Security Leadership and executive stakeholders

Use metrics to drive SOC maturity and continuous improvement