Coding Skills In A SOC Environment

Liam Stevenson
5 min read · Nov 26, 2023


Over the years I have worked in, and around, lots of Security Operations Centres (SOCs). One observation I’ve made in my time with those SOCs is a lack of coding or development skills within engineering and analyst teams. I’ve always felt that this missing piece of the puzzle often denies those teams the flexibility to achieve the best outcomes from the budgets and toolsets they already have.

I wanted to take the time to share my own experiences with learning and writing code and how they have added value in my SOC analyst, engineer, architect, and business leader roles. I hope by writing these experiences others in similar trajectories are inspired and see the value in developing these skills.

I want to be transparent though, I’m not an amazing developer but I also don’t think you have to be to leverage these skills.

What are the benefits of being able to code?

Learning more about how systems work

Part of being a SOC analyst (and even an engineer) is having to work with and understand complex IT systems. Understanding what “normal” looks like for a system can go a long way in helping to spot abnormalities during investigations.

As a student, during my Computer Forensics degree, I took a module in web development. Now this seemed like a bit of a weird segue at the time; when was I going to be making PHP websites during my security career?!

Well, the answer was a few times actually! But the biggest benefit to me was learning and understanding how web applications really worked. This ranged from managing sessions (baskets, logins, etc) or how they typically communicated with back-end databases such as MySQL.

Why did this help? When I began my analyst career, concepts such as SQL injection or the analysis/hunting through web-based traffic made a lot more sense to me because I understood what it was meant to do and what looked out of place.

Taking real world problems and solving them

I love solving problems, to me it’s one of the biggest joys in life.

As an analyst I remember a time when I was working in an internal SecOps team. This organisation had a very tight budget so affording new tools to solve the real cyber challenges we faced was out of the question.

One such challenge was an issue around visibility; it was a large multinational company, and different divisions of the business regularly commissioned new projects, infrastructure and software, often without the security team’s input or knowledge. This meant that we couldn’t give input to the designs to ensure security was baked in from the get-go, nor did we have the visibility to monitor these systems for signs of compromise.

To combat this the SecOps team built themselves a system of scanners (using Nmap and other open-source tools) to write to a MySQL database with a PHP front end to draw insights from the data.

This was the first time I wrote Python. With the support of some more experienced colleagues, I expanded this system to pull information from Active Directory and store it within our MySQL database. I then added to the front-end application to show metrics and detect oddities (good job I did that university module after all!).

And you know what? It worked! We spotted the creation of a new physical site with hundreds of staff, none of which had even been mentioned to us, just from reviewing the output of my code.
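The reconciliation the post describes, as an added illustration rather than the team’s original code: scanner output goes into a database alongside the computer objects the directory knows about, and the “oddities” are simply hosts the scanners can see that the directory cannot. The example swaps MySQL for an in-memory SQLite database, and the Nmap XML and AD records are constructed sample data; the field names for the AD records are assumptions.

```python
"""Reconcile scanner output against the asset list the security team knows about.

Added illustration, not the original system: SQLite in memory stands in for
MySQL, and constructed Nmap XML and AD records stand in for a live scan and an
LDAP query.
"""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output for three hosts; not real scan data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX - 10.20.0.0/24">
  <host><status state="up"/>
    <address addr="10.20.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="fs01.corp.example" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.20.0.77" addrtype="ipv4"/>
    <hostnames><hostname name="newsite-dc01.corp.example" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
           <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port></ports>
  </host>
  <host><status state="down"/>
    <address addr="10.20.0.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed stand-in for what an LDAP query of AD computer objects would return
# (dns_hostname / ou are assumed field names for the example).
SAMPLE_AD_COMPUTERS = [
    {"dns_hostname": "fs01.corp.example", "ou": "OU=Servers,DC=corp,DC=example"},
    {"dns_hostname": "ws-1234.corp.example", "ou": "OU=Workstations,DC=corp,DC=example"},
]


def parse_nmap_xml(xml_text):
    """Return a list of (ip, hostname, open_ports) for hosts that were up."""
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name").lower() if name_el is not None else None
        open_ports = sorted(
            int(p.get("portid"))
            for p in host.findall("ports/port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        )
        hosts.append((addr.get("addr"), hostname, open_ports))
    return hosts


def load(conn, scanned, ad_computers):
    """Store the two feeds side by side so they can be joined in SQL."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS scan_host (ip TEXT PRIMARY KEY, hostname TEXT, open_ports TEXT);
        CREATE TABLE IF NOT EXISTS ad_computer (dns_hostname TEXT PRIMARY KEY, ou TEXT);
    """)
    conn.executemany(
        "INSERT OR REPLACE INTO scan_host VALUES (?, ?, ?)",
        [(ip, name, ",".join(map(str, ports))) for ip, name, ports in scanned],
    )
    conn.executemany(
        "INSERT OR REPLACE INTO ad_computer VALUES (?, ?)",
        [(c["dns_hostname"].lower(), c["ou"]) for c in ad_computers],
    )


def unknown_hosts(conn):
    """Hosts the scanners found that AD has never heard of: the oddities worth a look."""
    return conn.execute("""
        SELECT s.ip, s.hostname, s.open_ports
        FROM scan_host s
        LEFT JOIN ad_computer a ON a.dns_hostname = s.hostname
        WHERE a.dns_hostname IS NULL
        ORDER BY s.ip
    """).fetchall()


def run(xml_text=SAMPLE_NMAP_XML, ad_computers=SAMPLE_AD_COMPUTERS):
    conn = sqlite3.connect(":memory:")
    load(conn, parse_nmap_xml(xml_text), ad_computers)
    return unknown_hosts(conn)


if __name__ == "__main__":
    for ip, name, ports in run():
        print(f"{ip:<15} {name or '-':<30} open: {ports}")
```

On the sample data the only row returned is the domain controller at 10.20.0.77 that nobody told the security team about, which is exactly the kind of signal that revealed the undeclared site in the story. In a real deployment the scan results would accumulate over time, so a second useful query is “hosts first seen in the last 24 hours”, which the same schema supports with a first_seen column.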

Perform tasks quicker and more accurately

While happily being an engineer in a SOC, I recall a bug in a brand of firewalls that my colleagues managed. They immediately sprang into action to manually verify which of the hundreds of firewalls were affected. Given the sheer volume of assets to check, their ability to patch them in a timely manner would have been impaired.

To help them out, I used my Python skills to write a small script to scan the list of firewalls (if I recall, the bug related to a certificate expiring) in under a minute, returning an empirical list of the ones that needed patching.

It was a small script, but saved a lot of manual effort and ultimately enabled my colleagues to spend time fixing the problem and not just finding it.
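A script of the kind described above, written here as an added example and not the author’s original: it pulls the TLS certificate from each host in parallel, works out how many days remain, and returns only the hosts that need attention. The hostnames and certificate dates are constructed, and the offline run uses an injected fetcher in place of a real connection so the classification can be checked without the network.

```python
"""Find which of many hosts present a TLS certificate that is about to expire.

Added example of the quick inventory script the post describes (not the
author's script). The network fetch uses only the standard library; the
classification is kept separate so it runs on constructed certificate data.
"""
import socket
import ssl
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed certificates in the dict shape returned by SSLSocket.getpeercert();
# hostnames and dates are made up for the example.
SAMPLE_CERTS = {
    "fw-london-01.example": {"notAfter": "Dec 10 12:00:00 2023 GMT"},
    "fw-paris-01.example": {"notAfter": "Jun 30 23:59:59 2024 GMT"},
    "fw-berlin-01.example": {"notAfter": "Nov 01 00:00:00 2023 GMT"},
}
# Fixed "now" (2023-11-26 00:00:00 UTC) so the sample results are reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Nov 26 00:00:00 2023 GMT")


def fetch_cert(host, port=443, timeout=5.0, cafile=None):
    """Fetch the peer certificate dict from a live host.

    Caveat: getpeercert() returns an empty dict when verification is disabled,
    so the chain has to validate. If the management interfaces use an internal
    CA, pass its bundle as `cafile`; an already-expired cert fails the handshake
    with SSLCertVerificationError, which scan() reports as an ERROR row.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Days from `now` until the certificate's notAfter (negative if already expired)."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now) / 86400.0


def classify(host, cert, now=None, warn_days=30):
    """Return (host, status, days_left) with status OK / EXPIRING / EXPIRED."""
    days = days_until_expiry(cert, now)
    if days < 0:
        status = "EXPIRED"
    elif days <= warn_days:
        status = "EXPIRING"
    else:
        status = "OK"
    return (host, status, round(days, 1))


def scan(hosts, fetcher=fetch_cert, now=None, warn_days=30, workers=32):
    """Check many hosts in parallel; return only those needing attention, most urgent first."""
    def check(host):
        try:
            return classify(host, fetcher(host), now, warn_days)
        except (OSError, ssl.SSLError, KeyError) as exc:
            # Unreachable host, failed handshake, or a cert without notAfter.
            return (host, "ERROR", str(exc))

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(check, hosts))
    flagged = [r for r in results if r[1] != "OK"]
    order = {"EXPIRED": 0, "EXPIRING": 1, "ERROR": 2}
    return sorted(flagged, key=lambda r: (order[r[1]], r[0]))


def sample_scan():
    """Run the scan against the constructed certificates instead of the network."""
    return scan(sorted(SAMPLE_CERTS), fetcher=SAMPLE_CERTS.__getitem__, now=SAMPLE_NOW)


if __name__ == "__main__":
    # For real hosts: scan(["fw1.internal", "fw2.internal", ...], cafile="internal-ca.pem")
    for host, status, detail in sample_scan():
        print(f"{status:<9} {host:<25} {detail}")
```

The sorting matters in practice: the output is handed to the people doing the patching, so the already-expired devices come first, the ones inside the warning window next, and the hosts that could not be checked at the end, where they still need a human to look at them rather than being silently dropped.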

Gluing systems together

While being an architect for a SOC provider I used my coding skills a lot. Often, I was faced with gluing systems together which had no supported native integrations into the other tools we already used. Usefully, most modern tools now come with a documented API which can be used to pull and push information between technologies.

While I’ve built numerous SOAR playbooks in my time (regularly with my own code to glue bits together), I also spent time making novel integrations that gave teams more capability. For example, I once prototyped a custom Splunk command that pulled in data from an EDR product at search time. The benefit? Analysts were able to query the EDR data with no ingestion cost but with the benefit of Splunk’s SPL language.

Business Statistics with Jupyter Notebooks

Coding isn’t just reserved for the pure techies! Most business leaders will do their analysis (cost modelling, service statistics, etc) via Microsoft Excel. There’s nothing wrong with Excel but I found great flexibility in using my existing coding skills to perform the same tasks.

As an example, I built myself a comprehensive Jupyter Notebook (https://jupyter.org/) to collect information from our SIEM and ITSM to determine empirically correct statistics such as false positive rates, the “Mean Time to Detect” and even the cost of running our services. Because I could write code, it was trivial to collect the data from the APIs, normalise it and then draw the statistics out that I needed in real time.
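The core of such a notebook, as an added example and not the author’s own: alerts exported from the SIEM are joined to the ITSM tickets that closed them, and the statistics fall out of the joined records. The two API calls are replaced by constructed records, and the field names (alert_id, rule, event_time, alert_time, disposition, effort_minutes) are assumptions for the example rather than any particular product’s schema.

```python
"""Service statistics from SIEM alerts joined to ITSM ticket outcomes.

Added illustration of the notebook-style analysis the post describes (not the
author's notebook). Constructed records stand in for the SIEM and ITSM APIs;
field names are assumptions for the example.
"""
from datetime import datetime, timezone
from statistics import mean, median


def ts(s):
    """Parse an ISO-8601 timestamp as UTC (both feeds are assumed to export in UTC)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed SIEM alert export: when the underlying event happened and when the rule fired.
SIEM_ALERTS = [
    {"alert_id": "A-1001", "rule": "Brute force - OWA", "event_time": "2023-11-20T08:02:00", "alert_time": "2023-11-20T08:17:00"},
    {"alert_id": "A-1002", "rule": "Impossible travel", "event_time": "2023-11-20T09:00:00", "alert_time": "2023-11-20T09:05:00"},
    {"alert_id": "A-1003", "rule": "Brute force - OWA", "event_time": "2023-11-20T11:00:00", "alert_time": "2023-11-20T11:45:00"},
    {"alert_id": "A-1004", "rule": "Impossible travel", "event_time": "2023-11-20T12:00:00", "alert_time": "2023-11-20T12:02:00"},
    {"alert_id": "A-1005", "rule": "Malware - EDR", "event_time": "2023-11-20T13:00:00", "alert_time": "2023-11-20T13:03:00"},
    {"alert_id": "A-1006", "rule": "Impossible travel", "event_time": "2023-11-20T15:00:00", "alert_time": "2023-11-20T15:01:00"},
]

# Constructed ITSM ticket export: analyst outcome and effort per alert. INC0006 references an
# alert the SIEM export does not contain, which is the kind of mismatch normalisation has to survive.
ITSM_TICKETS = [
    {"ref": "INC0001", "alert_id": "A-1001", "closed": "2023-11-20T10:30:00", "disposition": "true_positive", "effort_minutes": 90},
    {"ref": "INC0002", "alert_id": "A-1002", "closed": "2023-11-20T09:20:00", "disposition": "false_positive", "effort_minutes": 10},
    {"ref": "INC0003", "alert_id": "A-1003", "closed": "2023-11-20T13:45:00", "disposition": "true_positive", "effort_minutes": 75},
    {"ref": "INC0004", "alert_id": "A-1004", "closed": "2023-11-20T12:10:00", "disposition": "false_positive", "effort_minutes": 5},
    {"ref": "INC0005", "alert_id": "A-1005", "closed": "2023-11-20T16:03:00", "disposition": "true_positive", "effort_minutes": 120},
    {"ref": "INC0006", "alert_id": "A-9999", "closed": "2023-11-20T16:30:00", "disposition": "false_positive", "effort_minutes": 5},
]


def join_alerts_to_tickets(alerts, tickets):
    """One normalised record per alert; alerts without a ticket are carried as 'open'."""
    by_alert = {t["alert_id"]: t for t in tickets}
    joined = []
    for a in alerts:
        t = by_alert.get(a["alert_id"])
        joined.append({
            "alert_id": a["alert_id"],
            "rule": a["rule"],
            "event_time": ts(a["event_time"]),
            "alert_time": ts(a["alert_time"]),
            "closed": ts(t["closed"]) if t else None,
            "disposition": t["disposition"] if t else "open",
            "effort_minutes": t["effort_minutes"] if t else 0,
        })
    return joined


def false_positive_rate(joined, by_rule=False):
    """Share of closed alerts that analysts marked false positive; open alerts are excluded."""
    closed = [r for r in joined if r["disposition"] in ("true_positive", "false_positive")]

    def rate(rows):
        return round(sum(r["disposition"] == "false_positive" for r in rows) / len(rows), 3) if rows else None

    if not by_rule:
        return rate(closed)
    return {rule: rate([r for r in closed if r["rule"] == rule]) for rule in sorted({r["rule"] for r in closed})}


def mean_time_to_detect(joined):
    """Minutes from the underlying event to the alert firing, over true positives only."""
    mins = [(r["alert_time"] - r["event_time"]).total_seconds() / 60
            for r in joined if r["disposition"] == "true_positive"]
    return {"mean": round(mean(mins), 1), "median": round(median(mins), 1), "n": len(mins)} if mins else None


def mean_time_to_resolve(joined):
    """Minutes from alert to ticket closure, over all closed alerts."""
    mins = [(r["closed"] - r["alert_time"]).total_seconds() / 60 for r in joined if r["closed"]]
    return round(mean(mins), 1) if mins else None


def analyst_cost(joined, hourly_rate):
    """Handling cost of the period's alerts from recorded effort; the rate is a parameter, not a fact."""
    return round(sum(r["effort_minutes"] for r in joined) / 60 * hourly_rate, 2)


if __name__ == "__main__":
    J = join_alerts_to_tickets(SIEM_ALERTS, ITSM_TICKETS)
    print("FP rate:", false_positive_rate(J), false_positive_rate(J, by_rule=True))
    print("MTTD (min):", mean_time_to_detect(J))
    print("MTTR (min):", mean_time_to_resolve(J))
    print("Cost at 60/h:", analyst_cost(J, 60))
```

Two choices here are worth stating in any report built this way: mean time to detect is computed over true positives only, because a false positive has no real event to measure from, and alerts that are still open are excluded from the false-positive rate rather than counted either way. Per-rule breakdown is what makes the number actionable; in the sample the “Impossible travel” rule is 100% false positive and is where the tuning effort should go.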

It’s now easier than ever!

With the rise of Large Language Models (LLMs), now is a great time to begin your coding journey. Tools like ChatGPT can be useful both to create code examples and to explain code that others have written in a simple fashion. I use them a lot to accelerate my development, taking away what I would call the “grunt” work.

A word of warning though: if you want to undertake this journey, make sure you spend the time learning the underlying skills and not just relying on LLMs. They aren’t always correct and aren’t all-knowing. If you become dependent on them, you won’t get all of the benefits that learning development skills has to offer.

Hopefully this gives you some good examples of how learning some basic coding can give you some extra tools in your tool bag for solving some challenges you may come across in your career.

Let me know what you think, and I’m interested to hear the sorts of SOC based challenges you’ve solved with your own code!
