SOC
Organisation

Security Operations Centre: team and tooling responsible for monitoring networks for indicators of compromise and threat response.

Last refreshed: 30 April 2026

Key Question

When IOCs die faster than blocklists update, what becomes a SOC's actual job?

Timeline for SOC

#224 Apr
#223 Apr
#222 Apr
Common Questions
What does a Security Operations Centre do?
A SOC is a centralised team that monitors networks 24/7 for indicators of compromise, manages security alerts, and launches Incident Response when threats are detected.
How is SOC KPI changing in 2026?
Sixteen national cyber agencies jointly signed an advisory acknowledging that indicators of compromise disappear faster than blocklists can ingest them. SOCs are shifting from IOC-based detection to dwell-time measurement as the primary KPI. Source: NCSC

Background

A Security Operations Centre (SOC) is the nerve centre of enterprise cyber defence. The SOC team monitors network traffic, endpoint telemetry, and security logs around the clock, looking for indicators of compromise (IOCs) - file hashes, IP addresses, and domain names associated with known malicious activity. When an IOC matches something in the network, the SOC team launches Incident Response, isolating the affected systems. The model assumes that bad traffic is detectable and that blocklists can be updated faster than attackers move. This worked for tactical and opportunistic attacks; against nation-state actors, the model is reaching its limits.

On 23 April 2026, sixteen national cyber agencies jointly signed an advisory formally accepting that 'indicators of compromise are now disappearing as fast as defenders publish them'. The admission reframes the SOC's job. Rather than asking 'what bad IOCs are in my network?' the question becomes 'how long was the attacker inside before I found them?' This shift from indicator-based detection to dwell-time measurement is a KPI reframe that affects how SOCs are staffed, what tooling gets funded, and what metrics matter to leadership. SOC teams defending against nation-state actors must now invest in baselining normal device behaviour, detecting anomalous dwell, and planning for device-level eviction rather than blocklist-based containment.
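
The contrast the two paragraphs above draw, blocklist matching that finds nothing once infrastructure has rotated, versus a per-host baseline that surfaces the unfamiliar destination and lets the SOC measure how long it went unnoticed, can be shown end to end over a handful of log lines. The following is an added example, not code from the briefing or from any SOC tool it describes; the telemetry, the host name ws-07, the domain names and the blocklist entry are all constructed, and the baseline is deliberately simple (the set of destinations a host contacted during a window assumed clean).

```python
"""Added example: IOC blocklist matching beside a baseline-and-dwell-time
measurement over constructed endpoint telemetry. Nothing here is real data."""
from datetime import datetime

# Constructed telemetry (not real): (ISO timestamp, host, destination contacted).
TELEMETRY = [
    ("2026-04-01T09:00:00", "ws-07", "updates.vendor.example"),
    ("2026-04-01T09:05:00", "ws-07", "mail.corp.example"),
    ("2026-04-01T17:40:00", "ws-07", "updates.vendor.example"),
    ("2026-04-02T02:13:00", "ws-07", "rotated-a.example"),  # first contact with unfamiliar infrastructure
    ("2026-04-02T02:14:00", "ws-07", "rotated-a.example"),
    ("2026-04-03T09:01:00", "ws-07", "mail.corp.example"),
    ("2026-04-05T03:02:00", "ws-07", "rotated-b.example"),  # infrastructure rotates again
]

# Constructed blocklist: the IOC that was published and ingested. By the time it
# lands, the activity in the telemetry uses different names, so it matches nothing.
BLOCKLIST = {"old-c2.example"}

# End of the window we assume to be clean when building the per-host baseline.
BASELINE_END = "2026-04-01T23:59:59"


def parse(ts):
    return datetime.fromisoformat(ts)


def ioc_matches(events, blocklist):
    """Classic IOC-based detection: events whose destination is on the blocklist."""
    return [e for e in events if e[2] in blocklist]


def build_baseline(events, baseline_end):
    """Per-host set of destinations seen during the (assumed clean) baseline window."""
    end = parse(baseline_end)
    baseline = {}
    for ts, host, dest in events:
        if parse(ts) <= end:
            baseline.setdefault(host, set()).add(dest)
    return baseline


def anomalies(events, baseline, baseline_end):
    """Events after the baseline window whose destination the host never contacted before."""
    end = parse(baseline_end)
    return [e for e in events
            if parse(e[0]) > end and e[2] not in baseline.get(e[1], set())]


def dwell_seconds(events, baseline, baseline_end, detected_at):
    """Dwell time in seconds: from the first anomalous event to the moment the SOC
    detected it (detected_at is an ISO timestamp). None if nothing was anomalous."""
    found = anomalies(events, baseline, baseline_end)
    if not found:
        return None
    first = min(parse(e[0]) for e in found)
    return int((parse(detected_at) - first).total_seconds())


if __name__ == "__main__":
    print("IOC matches:", ioc_matches(TELEMETRY, BLOCKLIST))
    base = build_baseline(TELEMETRY, BASELINE_END)
    for e in anomalies(TELEMETRY, base, BASELINE_END):
        print("anomalous:", e)
    secs = dwell_seconds(TELEMETRY, base, BASELINE_END, "2026-04-09T10:00:00")
    print(f"dwell time: {secs // 86400} days {secs % 86400 // 3600} hours")
```

The blocklist check returns an empty list, which is the failure mode the advisory describes: the indicator was stale before it was ingested. The baseline flags the rotated destinations regardless of their names, and the dwell-time figure (first anomalous contact on 2 April, detected on 9 April in this constructed case) is the quantity the page says is becoming the SOC's primary KPI. A production baseline would use richer features than a destination set (process, time of day, volume), but the measurement is the same.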

Source Material