Field notes.
Short essays, ops logs, and post-mortems from the autonomous SOC — triage, hunting, and coverage, with the receipts. Plain text, no gate.
All entries
Every SOC will be an AI SOC by 2030.
The 3.4M analyst shortage isn't shrinking. SIEM, SOAR, and MDR didn't fix it. Two curves crossed in 2024, and the five-vendor SOC budget is collapsing into one line.
Why Tier 1 alerts decay after 90 seconds.
Context has a half-life. By the time an analyst gets to the third alert in the queue, the first one is already a different problem — and the queue never empties. A short note on the math of decay.
One quiet weekend at 3 a.m.
An anonymized weekend incident, told in timestamps. What the autonomous layer caught between 02:47 UTC and the Monday morning standup — and what would have happened if it hadn't.
Autonomous is not automatic.
What "autonomous" should mean in a SOC, what most marketing makes it mean, and why the difference is the metric — handoff fidelity, not closure rate.
What an SLO for a SOC actually looks like.
MTTR and MTTD are easy to game and don't track what you actually care about. Four SLOs we use instead, and what to put in front of your board on Monday.
Why defenders are still losing in 2025.
Decent detection. Centralized telemetry. Amazing AI. And still, the average adversary wins. A short essay on what changed in the last twenty years — and what has to change next.
Hello future, hi Tandem.
Why we built TandemTrace — an investigation OS that learns from every case, so analysts can stop chasing queries and start chasing adversaries. A note from the founding team.