Monday, 24 February

  • 08:30 - 09:00
    Welcome
    Pacific Ballroom
  • 09:00 - 09:50
    Keynote: “What a SOC wants, what a SOC needs” by Jason Rouse, Bloomberg
    Pacific Ballroom
  • 10:00 - 10:20
    Morning Break
    Pacific Ballroom D
  • 10:20 - 12:00
    Session 1
    Pacific Ballroom
    • Francis Hahn (USF)

      While the workforce for the field of cybersecurity grows, the supply of trained and experienced individuals lags behind the demand. This issue, coupled with a lack of emphasis on secure software design, has led to a growth in opportunity for adversarial actors, as evidenced by the consistent occurrence of headline-making cyber threat incidents such as data breaches and supply chain attacks. This paper describes the rationale behind a research effort to discover and improve the quality and efficiency of cyber training pedagogies. The development and testing of these pedagogies was guided by initial discussions with practitioners who work in a SOC (Security Operations Center) and had different levels of work experience and responsibilities. These discussions indicated that both critical thinking and technical skills matter to being successful within a SOC. Technical skills were viewed as “perishable”, given how security tools and specific types of attack change over time and how companies use different systems and proprietary programs. Critical thinking skills, in comparison, are viewed as “non-perishable” since they persist despite the changing threat and technology landscape. In the subsequent development of our Mock SOC training scenarios for students, we focus on how critical thinking matters for successfully analyzing and mitigating threats. We perform a case study review of real-world cyber threat incidents to design, build, and collect synthetic incident and attack data. We identify and eliminate where tool-based analysis is needed, thus reducing the need to draw on perishable knowledge during the Mock SOC investigation. Our training scenarios thus emphasize critical thinking in how to analyze and address security breaches. Research on this scenario-based training blends computer science and anthropology expertise to better understand how particular scenarios engage students and how students problem solve within a scenario. We use grounded theory to analyze the scenario data and to refine our hypotheses for what works and what doesn’t through multiple rounds of scenario-based training. Based on these results, we are designing a framework for building scenario-based training modules based on accumulated insights into what is and what is not effective for developing non-perishable critical analysis skills. The overall aim is to be able to train students for industry positions by providing them critical skills that are useful in any given organization’s technology stack. This paper details how we have designed our framework and used it to conduct human-subject research on building effective scenario-based trainings utilizing the concept of a Mock SOC. We discuss preliminary findings behind our initial training sessions using the scenarios designed based on this framework.

    • Leon Kersten (TU Eindhoven)

      The skill set of tier-1 (T1) analysts has a great influence on the day-to-day operations of a Security Operation Center (SOC). Therefore, it is critical for a SOC to be able to evaluate the relevant skill sets of incoming analysts at recruitment and throughout their progress at the SOC. In this short paper, we identify from extant literature the relevant skills an analyst needs, and devise a test to evaluate those in collaboration with a commercial SOC. We conduct a case study of this test with three aspiring analysts at the collaborating SOC over a period of three months. Our case study shows that the test can be used to evaluate different skills of an analyst and can give the SOC insights on analyst progress and training effectiveness, opening avenues for a full validation of the testing framework in future work. We discuss results, limitations, and future directions of this work.

    • Chris Fennell (Walmart)

    • Kashyap Thimmaraju (TU Berlin)

      The increasing complexity and criticality of cybersecurity operations have placed immense cognitive and emotional demands on Security Operation Center (SOC) practitioners. These demands frequently result in burnout, diminished well-being, and reduced engagement, which negatively impact both individual performance and overall SOC effectiveness. This paper envisions a transformative approach to SOC productivity and practitioner well-being through targeted interventions that prevent burnout, enhance well-being, and foster engagement. By addressing the psychological challenges inherent in high-stress cybersecurity roles, our work seeks to promote holistic resilience in SOC environments. This study focuses on evaluating the mental health landscape of SOC practitioners using validated psychological scales. Leveraging the Copenhagen Burnout Inventory (CBI), Secure Flourish Index (SFI), and Short Flow Scale (SFS), we quantitatively assess burnout, well-being, and flow states among 19 SOC practitioners. The results highlight alarmingly high levels of personal and work-related burnout among participants (approx. 31-36% of participants met the criteria for high burnout), with considerable deficiencies in mental and physical health, life satisfaction, and social connectedness compared to normative workplace benchmarks. Simultaneously, participants report a sense of meaning and purpose, high financial security and flow experiences, reflecting their ability to engage deeply with challenging tasks and derive intrinsic rewards, despite a reduced sense of control, reduced concentration and increased self-consciousness. The findings underscore the dual-edged nature of SOC roles: practitioners find purpose and fulfillment in their tasks yet face significant risks to their well-being. Broader conclusions from this work reveal the urgent need for structured interventions tailored to SOC environments. Key recommendations include fostering work environments that support mental health, promoting psychological safety, and implementing systems to address chronic stressors and workload imbalances. Moreover, the study highlights the importance of leveraging flow states as a mechanism to enhance practitioner engagement and productivity.

  • 12:00 - 13:30
    Lunch
    Loma Vista Terrace and Harborside
  • 13:30 - 15:00
    Session 2
    Pacific Ballroom
    • Anis Yusof (NU Singapore)

      To improve the preparedness of a Security Operation Center (SOC), analysts may leverage provenance graphs to deepen their understanding of existing cyberattacks. However, the unknown nature of a cyberattack may result in a provenance graph with incomplete details, thus limiting the comprehensive knowledge of the cyberattack due to partial indicators. Furthermore, using outdated provenance graphs imposes a limit on the understanding of cyberattack trends. This negatively impacts SOC operations that are responsible for detecting and responding to threats and incidents. This paper introduces PROVCON, a framework that constructs a provenance graph representative of a cyberattack. Based on documented cyberattacks, the framework reproduces the cyberattack and generates the corresponding data for attack analysis. The knowledge gained from existing cyberattacks through the constructed provenance graph is instrumental in enhancing the understanding and improving decision-making in a SOC. With the use of PROVCON, a SOC can improve its cybersecurity posture by aligning its operations based on insights derived from documented observations.

    • Fenghao Dong (CMU)

      Network packet traces are critical for security tasks, which include longitudinal traffic analysis, system testing, and future workload forecasting. However, storing these traces over extended periods is costly and subject to compliance constraints. Deep Generative Compression (DGC) offers a solution by generating inexact but structurally accurate synthetic traces that preserve essential features without storing full sensitive data. This paper examines key research questions on the feasibility, cost-competitiveness, and scalability of DGC for large-scale, real-world network environments. We investigate the types of applications that benefit from DGC and design a framework that operates reliably for them. Our initial evaluation indicates that DGC can be an alternative to standard storage techniques (such as gzip or sampling) while meeting regulatory needs and resource limits. We further discuss open challenges and future directions, such as improving efficiency in streaming operations, optimizing model scalability, and addressing privacy risks in this scenario.

    • Seth Hasings (University of Tulsa)

      Security Operations Centers (SOCs) receive thousands of security alerts each day, and analysts are responsible for evaluating each alert and initiating corrective action when necessary. Many of these alerts require consulting user authentication logs, which are notoriously messy and designed for machine use rather than human interpretability. We apply a novel methodology for processing raw logs into interpretable user authentication events in a university SOC dashboard tool. We review steps for data processing and describe views designed for analysts. To illustrate its value, we utilized the dashboard on a 90-day sample of alert logs from a university SOC. We present two representative alerts from the sample as case studies to motivate and demonstrate the generalized workflows. We show that enhanced data from the dashboard could be utilized to completely investigate over 84% of alerts in the sample without additional context or tools, and a further 13% could be partially investigated.
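
      The abstract above describes turning raw authentication logs into analyst-readable events and per-user views. The following is an added illustration of that idea, not the paper's dashboard code: it parses constructed sshd-style syslog lines (the hostnames, users, IPs, timestamps and the year 2025 are all assumed for the sample) into structured events, then builds a per-user view with success/failure counts, distinct source addresses, and a simple "repeated failures followed by a success from the same address" flag that an analyst would want surfaced rather than reconstructed by hand. Non-authentication lines (PAM session noise) are dropped.

```python
"""Parse raw sshd auth log lines into structured events and a per-user view.
Added example for the abstract above; not the paper's code. All log lines,
hosts, users, addresses and the year are constructed/assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in syslog/sshd format (not real data). One line is PAM
# session noise that carries no authentication outcome and should be skipped.
SAMPLE_LOG = """\
Feb 24 09:01:12 vpn01 sshd[4121]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc
Feb 24 09:02:40 vpn01 sshd[4130]: Failed password for bob from 203.0.113.7 port 40021 ssh2
Feb 24 09:02:43 vpn01 sshd[4131]: Failed password for bob from 203.0.113.7 port 40022 ssh2
Feb 24 09:02:47 vpn01 sshd[4132]: Failed password for invalid user admin from 203.0.113.7 port 40030 ssh2
Feb 24 09:02:51 vpn01 sshd[4133]: Failed password for bob from 203.0.113.7 port 40031 ssh2
Feb 24 09:03:05 vpn01 sshd[4140]: Accepted password for bob from 203.0.113.7 port 40044 ssh2
Feb 24 09:07:00 vpn01 sshd[4150]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Feb 24 09:10:30 vpn01 sshd[4160]: Failed password for carol from 10.0.0.9 port 50001 ssh2
"""

# Matches the "Accepted"/"Failed" outcome lines sshd writes; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
ASSUMED_YEAR = 2025  # syslog timestamps carry no year; assumed for the sample


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    user: str
    ip: str
    success: bool
    method: str
    invalid_user: bool  # sshd reported the account does not exist


def parse_line(line: str):
    """Return an AuthEvent for an sshd outcome line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the double space syslog uses for single-digit days before parsing.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return AuthEvent(
        ts=ts.replace(year=ASSUMED_YEAR),
        host=m["host"],
        user=m["user"],
        ip=m["ip"],
        success=(m["outcome"] == "Accepted"),
        method=m["method"],
        invalid_user=(m["invalid"] is not None),
    )


def parse_log(text: str):
    """Parse a whole log into a list of AuthEvent, dropping non-auth lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def build_user_view(events, window=timedelta(minutes=5), threshold=3):
    """Per-user summary an analyst can read directly. A user is flagged when a
    success from an address is preceded, within `window`, by at least
    `threshold` failures for that user from the same address."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    view = {}
    for user, evs in by_user.items():
        flag = None
        for i, e in enumerate(evs):
            if not e.success:
                continue
            prior_fail = sum(
                1 for p in evs[:i]
                if not p.success and p.ip == e.ip and e.ts - p.ts <= window
            )
            if prior_fail >= threshold:
                flag = "failures_then_success"
        view[user] = {
            "successes": sum(1 for e in evs if e.success),
            "failures": sum(1 for e in evs if not e.success),
            "sources": sorted({e.ip for e in evs}),
            "invalid_user": any(e.invalid_user for e in evs),
            "flag": flag,
        }
    return view


if __name__ == "__main__":
    for user, row in build_user_view(parse_log(SAMPLE_LOG)).items():
        print(user, row)
```

The window and threshold are tunable assumptions; the point is that the dashboard view carries the derived verdict (who succeeded after a burst of failures, from where, and whether the account even exists) so the analyst does not have to re-derive it from raw lines for every alert.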

  • 15:10 - 15:40
    Afternoon Break
    Pacific Ballroom D
  • 15:40 - 17:20
    Session 3
    Pacific Ballroom
    • Cherlynn Cha (ExpressVPN)

    • Philip Stoner (Deloitte)

    • Wes Hardaker (USC)

    • Andrew Morin (University of Tulsa)

      As the cost and frequency of cybersecurity incidents continue to rise, so too has the pressure on security operation centers (SOCs) to perform efficiently. This has forced cybersecurity leadership, such as chief information security officers (CISOs), into an arduous balancing act of maintaining a cost-effective cybersecurity posture while simultaneously retaining an efficient cybersecurity workforce. To meet both of these goals, SOC leadership will often track key performance indicators (KPIs) related to the daily tasks performed by SOC analysts. While these quantitative metrics allow SOC leadership to monitor certain analyst performance patterns, the evaluation of analysts based on these imperfect measurements may lead to undesirable operant conditioning. As such, it is not immediately obvious how, or even if, these KPIs improve upon the larger goals envisioned by organizational leadership. In this paper, we perform a mixed-methods case study of an academic SOC to determine how well KPIs translate the organizational goals from cybersecurity leadership to SOC analysts. Specifically, we use qualitative surveys and interviews, as well as quantitative KPI measurements from analysts, to determine the congruency of CISO and SOC analyst goals. We find that analysts who perform well across KPIs are not necessarily the best at furthering SOC goals, and vice versa. We find that within this specific SOC, analysts appear to be incentivized to deviate from organizational cybersecurity goals in pursuit of better KPI scores.