
Why Every SOC in a Box Client Gets a Named Analyst, Not a Ticket Queue

The way most managed security services handle client contact in a crisis is through a ticket queue. An alert fires, an automated notification goes to the client, and if the client wants to understand what happened, they raise a support ticket. The ticket is assigned to whichever analyst is available. That analyst reads the ticket, looks at the alert, and responds. The client explains their environment. The analyst tries to understand it. Time passes.

This model exists because it's efficient at scale. It lets a security company serve a large number of clients with a relatively small analyst team. It's also, frankly, inadequate — and we decided from the outset that SOC in a Box would not use it.

The Problem With Ticket Queues

When a genuine security incident occurs, speed matters. The window between initial compromise and significant damage is measured in minutes to hours for many attack types. Ransomware can encrypt a file server in under ten minutes once it has a foothold. A credential theft and exfiltration can be complete before a ticket queue processes the initial alert.

More subtly: the quality of the response depends heavily on the analyst's understanding of the environment. An analyst who doesn't know that a particular server is running a legacy application with known vulnerabilities, or that a particular user frequently authenticates from unusual locations for legitimate business reasons, is making decisions with incomplete information. That incomplete information leads to slower response times and, occasionally, to missed escalations.

The named analyst model is our answer to both problems.

What a Named Analyst Actually Means

Every SOC in a Box deployment is assigned a specific analyst from our CREST-certified team. This assignment happens on Day 1 — the analyst is introduced to the client during the scoping call and begins learning the environment from that conversation onwards.

The named analyst is responsible for:

How It Works at 3am

The question we get most often from sceptical prospects is: "What actually happens when something triggers at 3am?" It's the right question. 3am is when the difference between a real SOC and a checkbox exercise becomes apparent.

The answer: the analyst on shift is not the named analyst — the named analyst isn't expected to work 24/7. But they are one of the same team, working from the same case management system, with full access to the client's environment history and documentation. The escalation protocol is documented by the named analyst and is immediately available to whoever is on shift. Escalation preferences — who to call, in what order, for which event types — are recorded and followed.

When the named analyst returns to their shift, they receive a full handover on everything that occurred overnight. They remain the client's primary point of contact and are responsible for the follow-up.

The Relationship as a Security Asset

There's a dimension to this model that doesn't appear on a feature list but matters enormously in practice: the relationship between the named analyst and the client develops over time, and that relationship becomes a genuine security asset.

A client who has spoken to their analyst regularly is more likely to call when something feels off — before it escalates into an incident. A client who trusts their analyst is more likely to share context that improves detection: "we've just taken on a new contractor who'll be accessing the file server remotely" is information that changes the alert profile for that client. A client who knows their analyst by name and voice is more likely to follow escalation instructions quickly during an incident, when stress is high and time is short.
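To show how the escalation preferences described under "How It Works at 3am" and the client-supplied context above can be operationalised, here is an added Python example. It is not SOC in a Box code; the client name, analyst, contacts, alerts and the contractor note are all constructed for illustration. A per-client playbook records the ordered call list per event type and any time-limited context notes; an on-shift analyst (or the tooling in front of them) triages an alert against that playbook, and the named analyst receives a summary of the overnight decisions on handover.

```python
"""Added example: per-client escalation playbook with client-supplied context.
Not SOC in a Box code; every name, contact and alert below is constructed."""

from dataclasses import dataclass, field
from datetime import date


@dataclass
class ContextNote:
    """Context the client shared, e.g. a contractor who will reach a host remotely
    for a limited period. Expiry matters: once the engagement ends, the same
    activity should escalate again."""
    user: str
    host: str
    source: str          # label of the expected remote network, e.g. "vpn-external"
    valid_until: date
    reason: str


@dataclass
class Playbook:
    client: str
    named_analyst: str
    # event type -> contacts to call, in order; "default" is used for anything unlisted
    escalation: dict
    context: list = field(default_factory=list)

    def contacts_for(self, event_type):
        """Ordered call list for an event type, falling back to the default chain."""
        return list(self.escalation.get(event_type, self.escalation["default"]))

    def explains(self, alert, today):
        """Return the still-valid context note that accounts for this alert, if any."""
        for note in self.context:
            if (note.user == alert["user"] and note.host == alert["host"]
                    and note.source == alert["source"] and today <= note.valid_until):
                return note
        return None

    def triage(self, alert, today):
        """Decide whether an alert is explained by known context or must be escalated."""
        note = self.explains(alert, today)
        if note is not None:
            # Expected activity: record it for the named analyst, do not wake anyone.
            return {"action": "annotate", "severity": "low",
                    "contacts": [], "note": note.reason}
        return {"action": "escalate", "severity": alert["severity"],
                "contacts": self.contacts_for(alert["type"]), "note": None}


def handover(playbook, results):
    """Summary the named analyst reads at the start of shift: what was escalated
    (with the chain that was followed) and how many alerts were explained by context."""
    escalated = [r for r in results if r["action"] == "escalate"]
    annotated = sum(1 for r in results if r["action"] == "annotate")
    return {"client": playbook.client, "for": playbook.named_analyst,
            "escalated": [(r["severity"], r["contacts"]) for r in escalated],
            "annotated": annotated}


# Constructed playbook for a hypothetical client.
PLAYBOOK = Playbook(
    client="Example Ltd (constructed)",
    named_analyst="A. Analyst (placeholder)",
    escalation={
        "ransomware": ["IT lead on-call", "Managing director"],
        "default": ["IT lead on-call"],
    },
    context=[ContextNote(user="contractor01", host="fs01", source="vpn-external",
                         valid_until=date(2024, 3, 31),
                         reason="Contractor engagement, remote access to fs01 until 31 March")],
)

# Constructed alerts: contractor reaching the file server remotely, and a ransomware indicator.
CONTRACTOR_ALERT = {"type": "remote_access", "user": "contractor01", "host": "fs01",
                    "source": "vpn-external", "severity": "medium"}
RANSOMWARE_ALERT = {"type": "ransomware", "user": "svc-backup", "host": "fs01",
                    "source": "lan", "severity": "critical"}


def overnight(today):
    """Triage both constructed alerts as of `today` and produce the handover summary."""
    results = [PLAYBOOK.triage(CONTRACTOR_ALERT, today), PLAYBOOK.triage(RANSOMWARE_ALERT, today)]
    return handover(PLAYBOOK, results)


if __name__ == "__main__":
    print(overnight(date(2024, 3, 1)))   # contractor activity annotated, ransomware escalated
    print(overnight(date(2024, 4, 1)))   # note expired: both escalated
```

The point of the expiry check is the one a practitioner cares about: context that lowers an alert's priority must carry an end date, otherwise a "known contractor" note quietly becomes a permanent blind spot on the file server.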

"Cyber Defence sent us a box. It arrived on a Tuesday. By Thursday, we were being monitored 24/7 by a named analyst who already knew our network. We've never slept better."

We've heard variations on that quote several times now. It captures something that's hard to put in a data sheet: the value of knowing that there's a specific person, with a specific name, watching your network tonight.

Next week: the Confidence Score dashboard — what it is, why we built it, and why we designed it to be read by a business owner rather than a security engineer.
