Socwise logo


We brought up building SIEM systems and developing SOCs for very different companies. As advanced SIEMs are central elements of the defense infrastructure, we learned the technology and gathered real life practice. Those were financial institutions, critical infrastructure companies and public organizations all over the EMEA region.

Building is a SOC is complex procedure, specific people skillset, complex processes and state of the art technology are all crucial components. That is why our team incorporates solid engineering and consulting expertise. We used the combination of technical skillset, GRC knowledge and practical experience to formulate the most efficient and effective methodology.
Based on this unique value we offer implementation and support of next generation SIEM systems and the same for advanced SOCs at our customers.

Detect & response service

For customers with an existing SIEM system we provide Detect & response services. In this case our expert team will utilize the persistent technology at customer premises. As also detailed in ‘SOC as a service’ section we provide several levels.

The least complex option amoing the offerings is an efficient detection package, which includes continuous human monitoring of events, alerts and their prioritization. The team also privides regular reporting and escalative communication based on incident priorities.
The 'high end' of the variations incorporates the whole incident response chain coordination activity, malware- and forensic analysis of threats and ongoing defense consulting for continuous improvement of defense content setup. We work with a proven methodology where the cybersecurity incident coordination is done by a service manager on duty and the analyst and response work is tailored by the senior cyber defense advisory team.

defense architecture support

The effectivity of the whole defense capabilty is based on the reliability of the security systems. These systems nowadays are more complex than ever before.
One of the competitive advantages of SOCWISE is that we are mastered in building holistic defense systems for our customers. We acquired experience at financial institutes, governmental organizations and critical infrastructure operating industry players in design of proactive, active and passive system architecture. 

Firstly our engineering team is analyzing the current status of defense toolset and capabilities governed by the appropriate methodology. Then – based on the cyber security strategy and the current risk assessment – plans and implements the architecture components of an advanced security toolset.
We consider the organizational network architecture, the system hosts and the user characteristics. Based on next generation possibilities and the necessities of the company we design the architecture and then create a detailed plan of needed systems and its setup.
Our experts for perimeter security, endpoint and cloud protection suites, behavioral analysis tools and complex SIEM systems can design, implement and support these systems. We build up prevention, detection and response capability enabler solutions.
It is crucial that during a new customer engagement process this team must analyze the current monitoring capabilities, identify the gaps and risks and this way the SOC team can rely on the data and information provided by the net of these systems.

siem augmentation

There  is a dramatic development happening in the area of SIEM solutions. At cases where the SIEM implementation is done and system could perform much better it makes sense to keep it and make it advanced. To keep up with the changes we provide consulting and engineering for development - thus augmenting - the existing SIEM systems.

Augmentation include major system upgrades, analyzing and fine tuning current system setup and integrating new features or applications to the installed system. New features can be user and system behavior analytics, network analysis or ingesting endpoint data for processing and hunting. Another important development direction is SOAR integration, where the SIEM is the basis and several tools along with defense procedures can be integrated. Integration of advanced threat intelligence feeds to support analyst work is also a major step towards a mature, complex and advanced SIEM.


Automation can be is a great aid for the analyst team these days. Our approach driven by the real life work of SOC teams. We build process orchestration and system automation playbooks based on the steps of a cyber security incident process. 

First of all the whole process workflow can be orchestrated so that the users, the SIEM and other tools like the ticketing system of an IT are all recognized and integrated under the umbrella of a mature SOAR solution. Secondly the analyst work is supported with automated data collection and threat intelligence service so that least possible human worktime is wasted on searching and preprocessing of contextual data during triage.
The third main area to be considered is automation of response mechanism within the SIEM or by the help of integrated defense tools and network components. These can be containment or remediation type of procedures executed by system operations devices or simply IT administrators manually based on automatically opened request tickets. Also end user automatic wernings setup can be a very useful  playbook.

threat and vulnerability management

On demand vulnerability scans and case by case hardening projects are considered as basic cyber security drills. But implementing and operating the threat intelligence and vulnerability system set and also managing the regular process is a serious challenge.

Our approach aims to establish a central risk register, including the vulnerability status of the system elements and execute auditable, system aided workflow processes for patching. For this work we provide the consulting and appropriate system implementation.
Other type of threat vectors should also be managed including IoCs generated by external or internal sources. CTI management systems are also designed and implemented by our cyber defense experts.

cyber defense advisory services

The defense consultant team provides the hereby following range of services to our customers. The specialty in this expert area is that consultants have extensive background both in systems and network engineering, practical defense skills and regulatory compliance frameworks.

Detect & Respond Maturity Assessment

After evaluating the information source and reliability of IoCs, they are analyzed through rigorous and structured techniques, and then commented by those with expertise and access to all sources. Using CTI as a service or building up an own both requires analysts to discover and identify a vast amount of information accurately and timely.
When properly implemented, threat information updates can help you maintaining the quality of your detection and response capabilities.

SOC process development

As described in SIEM implementation service description we mastered in building SOC processes for our customers and also do this practice within our own SOC organization. We share this expertise with our kind partners targeting all relevant organizational processes.


Based on an assessment of security operations and technology our consultant team designs and plans the roadmap of SOC development journey. The order of these steps must be carried out in a prudent manner, to take into consideration the skillset level of analysts, human aspects and the complexity of systems and current process map.


The biggest challenge for organizations - whenever new or old - is to find out how well they are performing. A wise first step is to set up a measurement system. Our balance scorecard methodology is based on utilizing a KPI tree and a decision matrix. This method supports how to select key metrics to evaluate organizational performance.
The consultants provide well-aggregated, visualized and easy-to-read numbers which can be generated automatically. Reach out to our experts who will help you to find the most suitable KPI metrics.

Defense team development

One crucial aspect of a well performing security team is to have the latest knowledge on the new technics and tactics. What we provide is a practical experience based-, and role specific capability development for professionals.


Up-to-date dynamic training course for engineers and analysts operating, and using the SIEM systems. We train professionals to have a better understanding of detection and response tools, dive deep into a number of use cases to analyze different types of threats and attacks.
Reporting, dashboard design, event source and content tuning are also subject of this course. 


We organize several types of cyber security situational games for training and capability testing. These games are typically red team - blue team campaigns, capture the flag and SOC awareness testing by simulative attacks.


An APT (advanced persistent threat) simulation system is a next-generation network security tool that execute a real attack-like operation whilst giving the ability to measure the detection and response time, and by providing detailed reports it helps learning from the attack and further developing the defense processes and systems.
Several testing tools are available to regularly test the tooling or the team processes.

CTI service & consultation

By CTI (Cyber threat intelligence) consulting we help you to find and build in the right model of external CTI knowledge or create your own, specific IoC database and procedures.
After evaluating the information source and reliability of IoCs, they are analyzed through rigorous and structured techniques, and then commented by those with expertise and access to all sources. Using CTI as a service or building up an own both requires analysts to identify discover a vast amount of information, accurately and, timely.
When properly implemented, threat information updates can help you maintaining the quality your detection and response capabilities.

Incident response service

During the response chain several tasks can be provided or supported by the SOCWISE expert team. Firstly the response coordination is an important role provided based on methodological and technical background. Secondly the analysis - including sandboxing and forensic analysis - can also be provided by SOCWISE. Let that be a critical level incident or an OT network related threat is to be analyzed, then we offer our OT or the IT advanced malware sandbox lab environment to make forensic analysis and understand the key characteristics of the detected malicous component.

Offensive testing services

Regular preparedness testing by ethical offensive forces can be a compliance necessity, but in most of the cases gives very useful feedback for the defense team. We design and execute several active defense testing activities as follows.


Wholistic penetration tests are performed in several different levels. Black-, grey or white box testing can be run under well designed and securely realized circumstances. It is always run in accordance with strictly defined conditions, where target area can be external IP addresses, private network segments or specific business applications.
The found vulnerabilities, threats and the unprotected attack surfaces are reported in a detailed documentation including suggested fix actions.


Vulnerability testing can be performed separately on IT and OT networks by the manual work of cyber defense engineers. In these projects we build on several scanner and analysis tools.
Wholistic vulnerability analysis is carried out with a professional caution to the productive IT environment, so that operation must not be harmed, and also strong cooperation is prepared with the customer IT team.
The testing result is fed back in a detailed digital report, with guidance for the operations teams to be able patch the vulnerable system components or redesign the affected system architecture.


By the use of a fully passive network based OT network analysis tool we provide on-demand or regular assessments.
The first result of the assessment is a precise inventory list of the devices communicating on network - including computers, network components, PLCs, HMIs or others. We attach to each item a vulnerability status, based on their current firmware / OS status.
We determine the network connections and sessions between all communicating entities, drawing and providing layer 2 and layer 3 topology maps. Based on an automatically built baseline traffic pattern the unusual, suspicious behavior can be highlighted. On the basis of pre defined and tailored rules the threats or adversarial activities on the OT network can be pinpointed and we propose the response steps to be taken.

Malware analysis

We offer in 7x27 service hours our malware analysis service based on our sandboxing and malware laboratory. Depending on the specific requirements we provide quick and deep analysis of the suspicous elements.
The received data is subjected to a scanning process, which ultimately determines the actual threat posed to the system. The investigation will provide information that can help you uncover details and possibly identify adversary sources that may help in further develop the defense. We provide forensics, malware analysis at onsite or remote locations depending on the necessary and available sandboxing capabilities.