InfoSec Opinion Column #6 (June 23, 2025)
Consider it the Axios of what matters in cybersecurity. Or the Hacker News comments section, depending on the day. All hand-curated, no AI involved. This week: Moving beyond the tiered SOC model.
What: Beyond Tiered SOCs: Detection as Code and the Rise of Response Engineering
Why it matters: The term "SOC" carries more baggage than ever; modern approaches to security operations are getting new terms of art like "detection engineering."
tl;dr:
- The classic tiered SOC model is not just suboptimal; in a modern threat environment it is actually tech debt. The SOC model is built around linear work in a linear ticketing tool, with a flow like 1 log source > 1 event > 1 alert > 1 case > 1 playbook > 1 incident assigned to 1 analyst. Threats don't operate that way (one intrusion touches many log sources and produces many alerts and cases), so we can never scale our way out of the problem with a tiered SOC approach.
- The modern approach is "detection as code." This doesn't mean you have to write code in a general-purpose programming language, but you do need a declarative system where every detection rule lives in a version control system, is reviewed and tested like code, and can be deployed independently to the detection system.
- The concept of "response engineering" is still very much emergent and is far less mature than detection engineering. Response engineering is largely still in the SOAR domain, and has been hampered by legacy SOAR limitations.
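What "detection as code" looks like in practice, as an added example that is not from the column or any particular product: a single declarative rule in the shape it would have as a file in version control, a minimal evaluator for it, the unit-test gate CI runs before the rule is deployed, and a content hash that makes the rule an independently deployable unit. The rule format is a hypothetical Sigma-like syntax (field|modifier clauses plus a condition), the evaluator only understands the condition grammar "A and B and not C", and every event, path and rule id below is constructed.

```python
"""Detection-as-code in miniature: declarative rule + evaluator + CI gate.

Added example. The rule syntax mimics Sigma's "Field|modifier: value" clauses
but the evaluator is a toy; all events and identifiers are constructed."""
import hashlib
import json

# Constructed rule. In a real repo this is one YAML/JSON file per rule, reviewed
# in a pull request together with the test events that live beside it.
RULE = {
    "id": "example-0001",  # constructed identifier
    "title": "PowerShell launched with an encoded command",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-encodedcommand "],
        },
        "filter_known_agent": {
            # Constructed allow-list entry for a hypothetical monitoring agent
            "ParentImage|endswith": "\\monitoring_agent.exe",
        },
        "condition": "selection and not filter_known_agent",
    },
    "level": "high",
    "tests": {
        "match": [
            {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
             "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
             "ParentImage": "C:\\Windows\\explorer.exe"},
        ],
        "no_match": [
            {"Image": "C:\\Windows\\System32\\cmd.exe",
             "CommandLine": "cmd.exe /c whoami",
             "ParentImage": "C:\\Windows\\explorer.exe"},
            {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
             "CommandLine": "powershell.exe -enc SQBFAFgA",
             "ParentImage": "C:\\Program Files\\Vendor\\monitoring_agent.exe"},
        ],
    },
}


def _clause_matches(event, key, wanted):
    """Evaluate one 'Field|modifier: value(s)' clause, case-insensitively."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = wanted if isinstance(wanted, list) else [wanted]
    for value in (str(v).lower() for v in values):
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _block_matches(event, clauses):
    """All clauses inside one named block (e.g. 'selection') must hold."""
    return all(_clause_matches(event, k, v) for k, v in clauses.items())


def evaluate(rule, event):
    """Apply the rule's condition. Supported grammar: 'A and B and not C'."""
    detection = rule["detection"]
    result = True
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        hit = _block_matches(event, detection[name])
        result = result and (hit != negate)
    return result


def run_rule_tests(rule):
    """CI gate: the rule must fire on its 'match' events and stay quiet on 'no_match'.
    Returns a list of failures; an empty list means the rule may be deployed."""
    failures = []
    for event in rule["tests"]["match"]:
        if not evaluate(rule, event):
            failures.append(("expected match", event["CommandLine"]))
    for event in rule["tests"]["no_match"]:
        if evaluate(rule, event):
            failures.append(("expected no match", event["CommandLine"]))
    return failures


def rule_version(rule):
    """Content hash of the rule body (tests excluded): the artifact that is deployed,
    so each rule can be shipped or rolled back on its own."""
    body = {k: v for k, v in rule.items() if k != "tests"}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return digest[:12]


def scan(rule, events):
    """Run the deployed rule over a stream of events (constructed in the test block)."""
    return [e for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    problems = run_rule_tests(RULE)
    print("rule", RULE["id"], "version", rule_version(RULE),
          "tests:", "PASS" if not problems else problems)
```

The point of keeping the test events inside the rule file is that a reviewer sees the detection logic and its expected behaviour in one diff; changing the filter to exclude a new parent process, for example, forces a matching no_match case that documents why the exclusion exists.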
Matt's view: Even with the rise of AI-based detection systems, there is still an incredibly robust ecosystem for detection engineering, and I don't see that going away any time soon. It will be extremely interesting on the response engineering side of things to see if that mentality also holds true, or if folks skip over "response as code" entirely and move towards agentic AI. My moderate-conviction prediction is that we'll see a bifurcation in approaches, the same way some people are willing to outsource oversight and control over their detection stack to an MSSP/MDR provider in exchange for a lower maintenance burden. Some folks will want response as code, and some people will want to outsource to AI.