Building an automated SOC that triages 99% of alerts without human review
Cycops, a B2B SaaS company that handles enterprise authentication for 300+ clients, needed enterprise-grade security without enterprise-grade headcount. Durrani Tech built an AI-assisted SOC that auto-triages the vast majority of security alerts and helped Cycops achieve SOC 2 Type II certification within six months of engagement start.
Client
Cycops
Industry
Technology
Services
Duration
4 months
99%
of alerts automatically triaged without analyst review
82%
reduction in mean time to detect (MTTD)
SOC 2
Type II certified within 6 months of engagement
3
critical vulnerabilities remediated in week one
The Challenge
Cycops processed authentication events for over 300 enterprise clients, handling more than 15 million login requests per day. The security implications of a breach were existential — a compromised authentication layer would expose the internal systems of all 300 downstream organisations simultaneously. Yet their security posture was dangerously thin: a single junior developer managed security part-time alongside their regular engineering duties.
Their SIEM was generating over 2,000 alerts per day, the vast majority of them false positives or low-severity noise. Alert fatigue had set in completely: the part-time security resource was acknowledging alerts in bulk without investigation, which rendered the detection system effectively useless. An external penetration test commissioned by a prospective enterprise client found three critical vulnerabilities in Cycops' authentication API, among them a flaw in the login flow, reported as an authentication bypass, that left the endpoint open to credential stuffing at scale. That finding nearly cost Cycops a ₹4 crore ARR contract.
Several of Cycops' largest enterprise prospects were now requiring SOC 2 Type II certification as a prerequisite for contract signature. Without certification, the sales pipeline worth over ₹8 crore was stalled. Building an internal security function from scratch was neither fast enough nor economically viable. They needed a partner who could both fix the immediate critical vulnerabilities and build a sustainable, scalable security programme.
Our Approach
We began by treating the three critical vulnerabilities as a P0 incident. Within 72 hours of engagement start, fixes were deployed to production: the authentication bypass was closed by hardening input validation and adding rate limiting at the API gateway, the SQL injection in the user provisioning endpoint was removed by parameterising the affected query, and the exposed administrative endpoint was placed behind multi-factor authentication. The enterprise contract was saved.
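The provisioning-endpoint fix above, shown as an added Python example that is not Cycops' code: the schema, table and role names, and the injection payload are constructed for illustration, and SQLite stands in for whatever database the real endpoint used. The vulnerable version splices the caller-supplied email into the SQL text, so a crafted email can close the string and supply its own role; the parameterised version sends the same string to the driver as data and it lands in the email column unchanged.

```python
import sqlite3

# Constructed schema for the demonstration (not Cycops' real schema).
SCHEMA = """
CREATE TABLE users (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    role  TEXT NOT NULL CHECK (role IN ('member', 'admin'))
);
"""

# Constructed payload: closes the email string and the VALUES list, supplies the
# role 'admin', then comments out the remainder of the original statement.
PAYLOAD = "attacker@example.com', 'admin') --"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def provision_user_vulnerable(conn: sqlite3.Connection, email: str) -> None:
    # The 'before' pattern: user input becomes part of the SQL text. The endpoint
    # intends every new user to be a plain 'member', but the payload overrides it.
    conn.execute(f"INSERT INTO users (email, role) VALUES ('{email}', 'member')")
    conn.commit()


def provision_user_hardened(conn: sqlite3.Connection, email: str) -> None:
    # The fix: a bound parameter. The driver never interprets `email` as SQL,
    # so the quote and comment characters are stored literally.
    conn.execute("INSERT INTO users (email, role) VALUES (?, 'member')", (email,))
    conn.commit()


def roles(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    return conn.execute("SELECT email, role FROM users ORDER BY id").fetchall()


def demo() -> dict[str, list[tuple[str, str]]]:
    vuln = fresh_db()
    provision_user_vulnerable(vuln, PAYLOAD)
    hard = fresh_db()
    provision_user_hardened(hard, PAYLOAD)
    return {"vulnerable": roles(vuln), "hardened": roles(hard)}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable branch yields an `admin` row for the attacker; the hardened branch yields a `member` row whose email is the raw payload string, which input validation on the email format would then reject before the query ever runs.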
With the immediate fire extinguished, we designed a long-term SOC architecture appropriate for Cycops' scale and team structure. We chose Splunk as the SIEM foundation, with custom detection rules written specifically for Cycops' authentication traffic patterns rather than generic rulebooks. Six months of historical event logs were ingested and used to train an ML classifier to separate genuine threats from benign anomalies — distinguishing, for example, a legitimate user travelling internationally from a credential stuffing attack originating from the same geography.
The SOC 2 Type II programme was run in parallel with the technical implementation. We worked with Cycops' legal and engineering leadership to map their existing controls against the SOC 2 Trust Services Criteria, identified 34 control gaps, and built a remediation roadmap with ownership assigned for each. A customer-facing security status page was launched to give enterprise clients real-time visibility into platform health — a significant trust signal in the sales process.
The Solution
The deployed SOC architecture processes every authentication event in real time against 140 custom detection rules tuned to Cycops' specific application behaviour. The ML triage layer reduces analyst-reviewed alerts from over 2,000 per day to fewer than 80 — a 96% reduction in noise — while maintaining a false negative rate below 0.3%. Security analysts now spend their time on genuine investigations rather than alert acknowledgement.
Automated response playbooks handle the 20 most common alert scenarios without human intervention. A brute-force attempt on an enterprise client's authentication endpoint, for example, triggers an automatic IP block at the WAF layer, a Slack notification to the client's security team, and an incident record in the SOC dashboard — all within 45 seconds of detection. Incident response time for the scenarios covered by playbooks dropped from hours to under a minute.
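The detection, triage and playbook layers described in the two paragraphs above, as one added Python example that is not Cycops' or Durrani Tech's code and runs entirely in memory. The event lines, account baselines, tenant-to-Slack-channel map, threshold and window are all constructed; the brute-force rule is a sliding window over failed logins per source IP and tenant; and a small rule-based check stands in for the ML triage layer, using the travel-versus-credential-stuffing distinction the page gives: a geo anomaly from an IP that touched one account with a clean success is auto-closed, while one from an IP that sprayed many accounts with mostly failures is escalated. The WAF block list, Slack notification and incident store are plain Python collections in place of the real integrations.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events, one per line (not real Cycops telemetry):
# timestamp tenant source_ip account outcome country
RAW_EVENTS = """\
2024-03-01T10:00:00Z acme 198.51.100.9 alice@acme.example OK US
2024-03-01T10:00:05Z acme 203.0.113.7 u1@acme.example FAIL DE
2024-03-01T10:00:06Z acme 203.0.113.7 u2@acme.example FAIL DE
2024-03-01T10:00:07Z acme 203.0.113.7 u3@acme.example FAIL DE
2024-03-01T10:00:08Z acme 203.0.113.7 u4@acme.example FAIL DE
2024-03-01T10:00:09Z acme 203.0.113.7 u5@acme.example OK DE
2024-03-01T10:30:00Z globex 192.0.2.44 bob@globex.example FAIL DE
2024-03-01T10:30:20Z globex 192.0.2.44 bob@globex.example OK DE
"""
# Constructed context: countries each account used in the last 90 days, and each tenant's channel.
BASELINE = {"alice@acme.example": {"US"}, "bob@globex.example": {"US"}}
TENANT_CHANNELS = {"acme": "#acme-security", "globex": "#globex-security"}
BRUTE_FORCE_THRESHOLD = 4        # failed logins from one IP against one tenant ...
WINDOW = timedelta(seconds=60)   # ... inside this window trigger the brute-force rule

Event = namedtuple("Event", "ts tenant src_ip account ok country")


def parse(raw: str) -> list[Event]:
    events = []
    for line in raw.splitlines():
        if line.strip():
            ts, tenant, ip, account, outcome, country = line.split()
            events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                tenant, ip, account, outcome == "OK", country))
    return sorted(events, key=lambda e: e.ts)


def detect_brute_force(events: list[Event]) -> list[dict]:
    """Rule: >= BRUTE_FORCE_THRESHOLD failures from one source IP against one tenant inside WINDOW."""
    fails = defaultdict(list)
    for e in events:
        if not e.ok:
            fails[(e.tenant, e.src_ip)].append(e.ts)
    alerts = []
    for (tenant, ip), times in fails.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted failure times
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= BRUTE_FORCE_THRESHOLD:
                alerts.append({"rule": "brute_force", "tenant": tenant, "src_ip": ip,
                               "failures": end - start + 1})
                break
    return alerts


def triage_geo_anomalies(events: list[Event]) -> list[dict]:
    """Flag successful logins from outside the account's baseline, then classify by what the IP did."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    findings = []
    for e in events:
        if not e.ok or e.country in BASELINE.get(e.account, set()):
            continue
        peers = [p for p in by_ip[e.src_ip] if abs(p.ts - e.ts) <= WINDOW]
        accounts = {p.account for p in peers}
        failures = sum(not p.ok for p in peers)
        if len(accounts) >= 3 and failures >= len(peers) // 2:
            verdict, action = "credential_stuffing", "escalate"   # spray: many accounts, mostly failing
        else:
            verdict, action = "benign_travel", "auto_close"       # one account, clean success
        findings.append({"account": e.account, "src_ip": e.src_ip, "country": e.country,
                         "verdict": verdict, "action": action})
    return findings


@dataclass
class SocState:
    waf_blocklist: set = field(default_factory=set)      # stand-in for the WAF block list
    notifications: list = field(default_factory=list)   # stand-in for Slack messages
    incidents: list = field(default_factory=list)       # stand-in for the incident store


def run_brute_force_playbook(soc: SocState, alert: dict) -> dict:
    """Block the source at the WAF, notify the tenant's security channel, open an incident record."""
    soc.waf_blocklist.add(alert["src_ip"])
    soc.notifications.append((TENANT_CHANNELS[alert["tenant"]],
                              f"Blocked {alert['src_ip']} after {alert['failures']} failed logins"))
    incident = {"id": f"INC-{len(soc.incidents) + 1:04d}", "tenant": alert["tenant"],
                "src_ip": alert["src_ip"], "rule": alert["rule"], "status": "contained"}
    soc.incidents.append(incident)
    return incident


def run_pipeline(raw: str = RAW_EVENTS) -> dict:
    events = parse(raw)
    soc = SocState()
    brute_force = detect_brute_force(events)
    for alert in brute_force:
        run_brute_force_playbook(soc, alert)
    return {"brute_force": brute_force, "geo": triage_geo_anomalies(events), "soc": soc}
```

Running `run_pipeline()` on the constructed events blocks 203.0.113.7 and opens one incident for tenant acme, escalates the u5 login from that same IP as credential stuffing, and auto-closes bob's login from Germany as travel, even though both successes come from the same country. Real playbooks need an allow list and a rollback path for WAF blocks, since a shared egress IP behind a corporate proxy would otherwise lock out every user of that client at once.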
Cycops achieved SOC 2 Type II certification six months after engagement start — faster than any comparable engagement our team had previously delivered. The certification unlocked the stalled enterprise pipeline, with three contracts totalling ₹6.2 crore signed within eight weeks of the certification letter being issued. Cycops' security posture has since become a sales differentiator rather than a liability, featured prominently in their enterprise sales decks.
Results
Stats are representative of outcomes achieved.