Introducing Open Source SOC Documentation

21 February 2025

After a decade of building and running Security Operations Centers (SOCs) for dozens of companies, I have encountered a recurring challenge: how to establish a solid foundation for SOC documentation. One of the biggest hurdles in standing up a new SOC, or refining an existing one, is creating a library of playbooks, runbooks, policies, and standard operating procedures (SOPs). Without these foundational documents, SOCs struggle with consistency, efficiency, and repeatability. The best SOC programs I've toured all shared two key traits: teamwork and documentation. I can't help with the first (and the topic is extremely well documented in the literature), but the second is a gap that I believe needs to be filled.

To help solve this problem, I'm excited to announce the launch of OSSOCDOS (Open Source Security Operations Center Documents), a new project aimed at building a comprehensive, open-source SOC documentation library. You can check it out today on GitHub!

Why OSSOCDOS?

Most SOCs, regardless of the industry they operate in, face similar challenges and workflows. The technology stacks and tools may differ, but the fundamental investigative approaches, alert management processes, and operational structures remain consistent. However, SOC leadership often struggles to find standardized resources that define baseline best practices. Standardizing your processes allows you to measure effectiveness and gather accurate metrics to advertise success. Furthermore, a soundly documented process enables automation by tightly defining SOC operations.

OSSOCDOS is designed to kickstart new programs and refine existing ones by providing agnostic, industry-wide SOC documentation that organizations can adapt to their specific environments. Whether you're building a SOC from scratch or refining an existing one, this project provides foundational guidance for defining processes that are transparent, repeatable, measurable, and reliable.

What's Included in OSSOCDOS?

OSSOCDOS aims to be a one-stop documentation resource for SOC teams, covering not only technical processes but also organizational structure and workflows. The project includes:
  1. Playbooks & Runbooks
    1. Standardized investigative processes for handling security alerts
    2. Step-by-step response actions for different types of incidents
    3. Guidelines for forensic analysis and evidence handling
  2. SOC Process & Policy Documentation
    1. SOC structure, staffing models, and communication protocols
    2. Guidelines for shift handoff, escalation, and leadership reporting
    3. Definitions of SOC maturity models and service levels
  3. Alert Management & Investigative SOPs
    1. Standard procedures for investigating suspicious network traffic, phishing emails, and malware detections
    2. Guidelines for threat intelligence integration and log analysis
    3. Best practices for reducing false positives and improving signal-to-noise ratio

The documentation is written in Markdown for easy integration into wikis, documentation platforms, or process automation tools. The goal is to make it modular, adaptable, and easily importable into the tools that organizations already use.

Who Is OSSOCDOS For?

OSSOCDOS is a community-driven initiative meant for:
  1. New SOC leaders looking for a starting point to build operational structure
  2. Veteran SOC managers seeking to refine existing processes or fill in documentation gaps
  3. Security analysts wanting a better understanding of industry best practices
  4. Cybersecurity leadership looking to educate IT teams, executives, and stakeholders on SOC workflows
  5. Anyone interested in SOC transparency and standardization

Why Open Source?

I've been a supporter of Free and Open Source Software (FOSS) for a long time and have always admired the community's ability to produce and support world-class products. The cybersecurity community has a lot of parallel principles and support mechanisms. When I started building and designing SOCs, I noticed that there wasn't much published on the topic, and the situation hasn't much improved since then. This project is designed to create a repository that others can leverage, contribute to, consume, and adapt.

Get Involved & Contribute!

This is just the beginning! OSSOCDOS is meant to be a living project, and I welcome contributions from SOC analysts, engineers, managers, and cybersecurity professionals. If you have ideas, playbooks, or improvements, feel free to submit pull requests, feedback, or new documentation.