

SecOps

The practice of integrating security operations with IT operations: continuous threat monitoring, detection, and incident response, typically centered on a SOC, SIEM tooling, vulnerability management, and threat intelligence.

In depth

SecOps is the operational arm of security: while DevSecOps focuses on securing the software delivery pipeline, SecOps focuses on defending running systems against active threats. The core workflow runs through a Security Operations Center (SOC), where analysts monitor telemetry aggregated by a SIEM (Security Information and Event Management) platform that correlates logs from endpoints, networks, cloud accounts, and applications into actionable alerts. When a detection fires, analysts triage it, investigate using endpoint detection and response (EDR) tools and threat intelligence, and execute response playbooks (isolating hosts, revoking credentials, blocking indicators), often automated through SOAR (Security Orchestration, Automation, and Response) platforms. Beyond reactive work, SecOps includes proactive disciplines: vulnerability management with regular scanning and risk-based patching, threat hunting for attackers who evaded automated detection, and purple-team exercises that test defenses. Frameworks such as MITRE ATT&CK give teams a shared vocabulary for adversary behavior. Modern SecOps is increasingly cloud-native, treating cloud control planes and identity systems as the new perimeter.

Why it matters

Attackers operate continuously, and the gap between compromise and detection is where the damage happens; strong SecOps shrinks that gap from months to minutes. With breach costs averaging millions and regulations mandating rapid disclosure, every sizable organization needs this capability.

Real-world example


A SIEM rule flags impossible travel: a developer's credentials used from two continents within an hour. The SOC analyst confirms anomalous OAuth grants, triggers the SOAR playbook that disables the account and revokes tokens, and finds a phishing email as the entry point. The incident is contained in 40 minutes, and the postmortem leads to phishing-resistant MFA rollout.
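The detection at the heart of this example, an impossible-travel rule, is easy to reason about in code. The block below is an added illustration written for this glossary entry; it is not code from any of the SIEM products mentioned. It assumes a JSON-lines sign-in log with `user`, `ts`, `ip`, `lat`, `lon` and `city` fields (geolocation already resolved from the IP), and a plausibility threshold of 1000 km/h, both of which are assumptions. The log lines are constructed. The rule keeps the last sign-in per user, computes the great-circle distance to the next one, derives the implied travel speed, and emits an alert with the containment actions the playbook in the text would take; the zero-elapsed-time edge case is handled explicitly so it cannot divide by zero.

```python
"""Impossible-travel detection over constructed sign-in events.

Added example for the SecOps glossary entry; not vendor code. The event
format, field names and speed threshold are assumptions made for the demo.
"""
import json
import math
from datetime import datetime

# Constructed sign-in events (assumed JSON-lines format, one event per line).
# dev.alice appears in Paris and San Francisco 45 minutes apart; ops.bob's
# London-to-Amsterdam hop is ordinary travel and must not alert.
SAMPLE_LOG = """\
{"user": "dev.alice", "ts": "2024-05-01T08:00:00Z", "ip": "203.0.113.10", "lat": 48.86, "lon": 2.35, "city": "Paris"}
{"user": "ops.bob", "ts": "2024-05-01T09:00:00Z", "ip": "192.0.2.5", "lat": 51.51, "lon": -0.13, "city": "London"}
{"user": "dev.alice", "ts": "2024-05-01T08:45:00Z", "ip": "198.51.100.7", "lat": 37.77, "lon": -122.42, "city": "San Francisco"}
{"user": "ops.bob", "ts": "2024-05-01T13:30:00Z", "ip": "192.0.2.9", "lat": 52.37, "lon": 4.90, "city": "Amsterdam"}
"""

# Assumed threshold: anything faster than a commercial flight is implausible.
MAX_PLAUSIBLE_KMH = 1000.0

# Containment steps mirroring the playbook described in the text.
PLAYBOOK_ACTIONS = ["disable_account", "revoke_oauth_tokens", "page_soc_analyst"]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = (math.sin(d_phi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Accept the trailing 'Z' form on older Pythons by normalising it.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive sign-in pair whose implied speed
    exceeds max_kmh. Events must be time-ordered (see parse_events)."""
    alerts = []
    last_seen = {}
    for event in events:
        prev = last_seen.get(event["user"])
        if prev is not None:
            distance = haversine_km(prev["lat"], prev["lon"],
                                    event["lat"], event["lon"])
            hours = (event["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours <= 0:
                # Same-second logins from two places: infinitely fast, so
                # flag only if they are actually in different locations.
                speed = math.inf if distance > 0 else 0.0
            else:
                speed = distance / hours
            if speed > max_kmh:
                alerts.append({
                    "rule": "impossible_travel",
                    "user": event["user"],
                    "from": f'{prev["city"]} ({prev["ip"]})',
                    "to": f'{event["city"]} ({event["ip"]})',
                    "distance_km": round(distance, 1),
                    "elapsed_hours": round(hours, 2),
                    "speed_kmh": round(speed, 1),
                    "actions": list(PLAYBOOK_ACTIONS),
                })
        last_seen[event["user"]] = event
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run as a script it prints a single alert for `dev.alice` (roughly 8,900 km covered in 0.75 h) and nothing for `ops.bob`. In a real SIEM the threshold, the geolocation source, and allow-lists for known VPN egress points all need tuning, since corporate VPNs and mobile carrier NAT are the usual sources of false positives for this rule.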

Tools related to SecOps

Splunk, Microsoft Sentinel, CrowdStrike Falcon, Wazuh, Elastic Security, Tenable Nessus

Interview questions

  1. What is the difference between SecOps and DevSecOps?
  2. Walk through how you would triage a suspicious-login alert.
  3. What is a SIEM and how does it differ from a SOAR?
  4. How would you prioritize patching across thousands of vulnerabilities?
  5. Explain how the MITRE ATT&CK framework is used in detection engineering.
  6. What is threat hunting and how does it differ from alert-driven response?