
SOC
Security Operations Centre: team and tooling responsible for monitoring networks for indicators of compromise and threat response.
Last refreshed: 30 April 2026 · Appears in 2 active topics
When IOCs die faster than blocklists update, what becomes a SOC's actual job?
Timeline for SOC
Mentioned in: SMART Stories shows its CRDT working
Media's AI PivotMentioned in: Federal agency stayed compromised six months
Cybersecurity: Threats and DefencesMentioned in: Sixteen agencies put IOC extinction in print
Cybersecurity: Threats and DefencesMentioned in: ENISA scores NIS2 maturity with NCAF 2.0
Cybersecurity: Threats and DefencesWhat does a Security Operations Centre do?
How is SOC KPI changing in 2026?
Background
A Security Operations Centre (SOC) is the nerve centre of enterprise cyber defence. The SOC team monitors network traffic, endpoint telemetry, and security logs around the clock, looking for indicators of compromise (IOCs) - file hashes, IP addresses, and domain names associated with known malicious activity. When an IOC matches something in the network, the SOC team launches Incident Response, isolating the affected systems. The model assumes that bad traffic is detectable and that blocklists can be updated faster than attackers move. This worked for tactical and opportunistic attacks; against nation-state actors, the model is reaching its limits.
On 23 April 2026, sixteen national cyber agencies jointly signed an advisory formally accepting that 'indicators of compromise are now disappearing as fast as defenders publish them' . The admission reframes the SOC's job. Rather than asking 'what bad IOCs are in my network?' the question becomes 'how long was the attacker inside before I found them?' This shift from indicator-based detection to dwell-time measurement is a KPI reframe that affects how SOCs are staffed, what tooling gets funded, and what metrics matter to leadership. SOC teams defending against nation-state actors must now invest in baselining normal device behaviour, detecting anomalous dwell, and planning for device-level eviction rather than blocklist-based containment.