Role playbook · SOC_ANALYST
SOC Analyst
Tier-1 and Tier-2 SOC analysts working an alert queue across one or more aviation customers.
Audience: SOC tier-1 / tier-2
Time to first value: end of first shift (≈ day 2)
Why CyViation matters in your role
You already work an alert queue. CyViation gives you the aviation context that turns a generic detection into an operational decision:
- The asset is a specific tail in a specific phase of flight — that changes both severity and time-to-respond.
- The threat picture is GNSS-integrity, avionics supply chain and ground-systems campaigns tracked in Overwatch — not generic ATT&CK.
- Your escalation path includes dispatchers, MROs and pilots, whose clocks differ from IT ops.
Daily playbook
- Triage the queue by severity × asset criticality × customer SLA. Tail-in-flight beats a parked sim. [SkyRay → Alert Queue]
- Investigate high-confidence detections in the workbench — telemetry, asset, recent CMBs and the related Overwatch campaign in one pane. [SkyRay → Incident Workbench]
- Close false positives with reason codes — empty closures are the biggest tuning blocker.
- Sync with the on-call dispatcher for any alert that could affect a flight in the next 4 hours.
- End-of-shift handover — short written note in the workbench thread, not chat.
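The triage rule above (severity × asset criticality × customer SLA) and the 4-hour dispatcher-sync rule, as an added worked example that is not CyViation product code; the weight tables, field names and the sample tails are assumptions constructed for illustration.

```python
# Added example, not CyViation code: orders an alert queue by
# severity x asset criticality x SLA urgency, and flags the alerts that
# need the on-call dispatcher (could affect a flight in the next 4 hours).
from dataclasses import dataclass
from typing import List, Optional

# Assumed weights: a tail in flight outranks a tail on the ground, which
# outranks a parked simulator or test rig.
PHASE_CRITICALITY = {"in_flight": 3.0, "taxi": 2.5, "parked": 1.5, "sim": 1.0}
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Alert:
    alert_id: str
    severity: str                       # key of SEVERITY
    tail: str                           # aircraft registration (or sim id)
    phase: str                          # key of PHASE_CRITICALITY
    sla_hours: float                    # customer SLA for response, hours
    next_flight_hours: Optional[float]  # hours to next departure, None if none scheduled


def triage_score(a: Alert) -> float:
    """severity x asset criticality x SLA urgency (tighter SLA = more urgent)."""
    sla_urgency = 1.0 / max(a.sla_hours, 0.25)  # clamp: a 0-hour SLA must not divide by zero
    return SEVERITY[a.severity] * PHASE_CRITICALITY[a.phase] * sla_urgency


def needs_dispatcher_sync(a: Alert, window_hours: float = 4.0) -> bool:
    """Daily-playbook rule: anything that could affect a flight in the next 4 hours."""
    if a.phase == "in_flight":
        return True
    return a.next_flight_hours is not None and a.next_flight_hours <= window_hours


def order_queue(alerts: List[Alert]) -> List[Alert]:
    """Highest score first; ties broken by the sooner next flight."""
    no_flight = float("inf")
    return sorted(alerts, key=lambda a: (-triage_score(a),
                                         a.next_flight_hours if a.next_flight_hours is not None else no_flight))


# Constructed sample queue (fictitious tails and values)
SAMPLE_QUEUE = [
    Alert("A-1", "high", "SIM-01", "sim", 8.0, None),
    Alert("A-2", "medium", "G-ABCD", "in_flight", 4.0, None),
    Alert("A-3", "high", "G-EFGH", "parked", 1.0, 2.5),
    Alert("A-4", "critical", "G-IJKL", "parked", 8.0, 12.0),
]

if __name__ == "__main__":
    for a in order_queue(SAMPLE_QUEUE):
        flag = "DISPATCHER" if needs_dispatcher_sync(a) else ""
        print(f"{a.alert_id} {a.tail:7} {a.phase:10} score={triage_score(a):5.2f} {flag}")
```

Note that the critical alert on a parked tail with a loose SLA lands below the medium alert on an in-flight tail; that is the point of multiplying in asset criticality rather than sorting on severity alone.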
Weekly playbook
- Author a weekly threat brief — 1 page, written for pilots and dispatchers.
- Tune detection rules; low-precision rules go on a review list with a deadline.
- Threat-hunt one campaign hypothesis from the Overwatch feed against your fleets. [Overwatch → Campaign View]
- Review escalations to CISO — what could have been resolved without escalation? What should have escalated sooner?
- Tabletop or live-fire at least once a month, even if short.
First 30 days
- Shadowed a senior analyst for at least one full shift
- Owned the alert queue and end-of-shift handover for 5 shifts
- Investigated and closed 10 alerts with documented reasoning
- Wrote 1 weekly threat brief
- Ran or joined 1 tabletop with the dispatcher team
- Tuned at least 2 rules and proposed retirement of at least 1
- Walked through the Cortex RE assistant on one real binary / sample
- Met the MRO and CISO contacts you'll escalate to (names, not mailboxes)
Key screens
| Use case | Screen |
|---|---|
| Triage the queue | [SkyRay → Alert Queue] |
| Investigate an incident | [SkyRay → Incident Workbench] |
| External threat context | [Overwatch → Threat Intel Feed] |
| Campaign / actor view | [Overwatch → Campaign View] |
| Reverse-engineering assistance | [Cortex → RE Assistant] |
| Live operational picture | Dispatcher OCC |
When to escalate
| Situation | Who | How |
|---|---|---|
| Alert could affect a flight in the next 4 hours | Dispatcher on-call | Phone, then workbench note — not chat-only |
| Credible spoofing / jamming in active corridor | Dispatcher + Fleet Manager | Live alert in workbench, then call |
| Suspected avionics supply-chain compromise | CISO + MRO duty manager | Workbench escalation, no public chat |
| Detection logic looks broken (mass FPs) | SOC lead → detection engineering | Pause the rule, don't just silence it |
Glossary
Full list on the Glossary page. Key terms here: tail, phase of flight, CMB, tabletop, risk acceptance.