D-02 · Cybersecurity Operations
SOC posture that survives a real day.
Security is the domain most often advised by people who have never operated under fire. Subnet345's cybersecurity practice is led by practitioners with eighteen-plus years inside security-product engineering and enterprise SOC delivery. They have run the console, written the playbook, and defended the incident.
A security program is not a control catalog. It is whether the people on call at 2 a.m. can see what is happening, decide, and act using tooling that was engineered for the work rather than for the procurement cycle that bought it.
The pattern most regulated organizations inherit is familiar: a SIEM that logs everything and correlates nothing, a SOAR book that has never been dry-run, a zero-trust roadmap that arrives as a slide deck, and an incident history the executive team learns about from the press release. The tools were not the problem. The operator layer on top of them was.
Subnet345's cybersecurity practice is built from the other side of that dynamic. Practitioner lineage includes security-product engineering at vendors whose platforms are now operated inside enterprise SOCs, SOC-floor leadership across regulated-industry programs, and open-source research contributions under review by external maintainers.
We deliver what a security program actually needs to survive: a SOC operating model your people can execute, detection engineering grounded in your real telemetry, zero-trust architecture implemented rather than promised, and an incident-response discipline that has been rehearsed, not just diagrammed.
§ Capability
What a cybersecurity engagement delivers.
Cap I
SOC design and modernization
Tiered SOC operating models, detection engineering against your actual telemetry, SIEM and SOAR tuning from the platform level, and escalation discipline that shows up on a real incident day.
- Tiered SOC operating model design
- Detection engineering and use-case mapping
- SIEM and SOAR platform tuning
Cap II
Zero-trust and identity architecture
Identity-first architecture implemented rather than narrated. Segmentation, access fabric, device posture, secrets discipline. Cut-over sequencing that can be reversed when a phase gate does not close.
- Identity-first access architecture
- Segmentation and east-west controls
- Cut-over sequencing with rollback
Cap III
Threat program and IR
Threat-modeling anchored to the business, red-team readiness exercises conducted under production conditions, and incident-response programs with rehearsed playbooks and named executive communications paths.
- Threat modeling tied to business objectives
- Red-team readiness under production posture
- Rehearsed IR playbooks and escalation
Cap IV
Governance and audit posture
Control mapping to SOC 2, HIPAA, and GDPR. Written to survive an audit rather than to narrate one. Policy that is executable by operators, not only legible to attestation firms.
- Control mapping to operated frameworks
- Policy drafted to be executable
- Audit-posture engineering, not narration
§ Capability surface
Operator-grade technology posture.
Each line below is a system we have operated. Security tooling is only as credible as the people configuring, tuning, and running it on a live floor.
Endpoint
SIEM and log
SOAR and automation
Network and perimeter
Identity and access
Threat and IR
Observability and forensics
Compliance frameworks
§ Engagement
How a cybersecurity engagement unfolds.
Same method cadence as every Subnet345 engagement, applied to the physics of operational security. No control is claimed that has not been operated; no posture is shipped without rehearsal.
01 / Start
What business risk does this program retire? Which audit, which threat model, which operator maturity? Commercial objective before control catalog.
02 / Immerse
Current SOC, telemetry fidelity, detection coverage, identity fabric, and incident history. Reviewed on the floor and in the tooling, not from a deck.
03 / Map
SOC operating model, detection engineering plan, zero-trust architecture, IR playbooks, audit-posture mapping, phase gates, and exit conditions. All written before the statement of work is signed.
04 / Prove
Bounded pilot: SOC use-case dry-runs, red-team readiness exercises, IR rehearsal. We scale only after the program has survived honest attempts to break it.
05 / Launch
Production SOC stand-up with seniors at the keyboard. Telemetry wired to SLAs. Playbooks live from day one, not at audit.
06 / Evolve
Documentation, role-based training, measured competency gates for L1 / L2 / L3 analysts. You run the SOC after we leave. That is the condition we prove before exit.
§ Proof
What stands behind the work.
Practitioner lineage
Eighteen-plus years across security-product engineering at vendors whose platforms are now operated inside enterprise SOCs, and SOC-floor delivery for regulated-industry programs. Named U.S. patents in the security lineage of this practice.
Open-source research
Founding practitioners are contributors to open-source security research tooling and an open-source intelligence platform. Production code, reviewed by external maintainers, operating in the public research ecosystem. Names withheld at practitioner request; available for qualified inquiries.
SOC operating history
Tiered SOC design and modernization across regulated-industry clientele. Detection engineering built against live telemetry; SOAR playbooks dry-run before adoption; red-team readiness exercised under production conditions rather than in lab.
Posture
U.S.-based operations. Enterprise-regulated compliance baseline: SOC 2, HIPAA, GDPR. Industry-standard architecture frameworks applied to design. Federal-adjacent delivery history. Where an engagement exceeds operated posture, such as active clearance or regulated attestation, we say so at scoping.
Cybersecurity is implemented on infrastructure and increasingly defends AI. We operate all three.
Engage the cybersecurity practice