Case study — Detection engineering
Building an AI-native SOC from scratch
The starting point
When I joined the National Audubon Society in 2024, there was no SOC, no formal detection program, and security tooling spread across disconnected point solutions. The organization runs a hybrid cloud environment serving more than a thousand staff. I was the sole security engineer and architect responsible for all of it. Whatever architecture I chose had to deliver enterprise-grade detection and response without enterprise-grade headcount.
The decision: MDR vs. AI-native
The first architectural decision was the SOC model. Traditional MDR requires analyst headcount to triage, a model that fails on cost for a single-person team before it fails on coverage. I evaluated both and selected an AI-native SOC platform that could maintain detection fidelity without the analyst-to-alert ratio MDR requires at scale.
MDR fails on cost before it fails on coverage for a single-person security team.
That proved out: 99.2% detection fidelity, a 95% reduction in false positives, mean time to detect down 65%. Traditional MDR with human triage rarely hits those numbers at comparable cost. I later turned the evaluation framework into a published piece, How to Decide: AI SOC vs MDR.
Detection coverage, ATT&CK-first
Detection coverage was built MITRE ATT&CK-first, starting with the highest-probability attack paths for a hybrid cloud environment: identity-based attacks, credential stuffing, OAuth abuse, and business email compromise. ATT&CK was the working method for deciding what to build next, not a reporting checkbox. Existing coverage was mapped against enterprise TTPs, gaps identified, and the gaps worked into the detection backlog.
Multi-cloud monitoring covered AWS, Azure, and GCP with centralized threat intelligence integration. Each provider has a distinct attack surface and needed detection patterns built against its own log sources.
Identity as the perimeter
Okta is the enterprise IdP, and identity was where the highest-probability threats lived. I led phishing-resistant MFA rollout across 1,000+ users to 100% adoption, which removed the credential-theft vector email compromise campaigns depend on while cutting authentication time 90%. The Okta architecture across a hybrid Okta/M365 environment included risk-based IAM controls and automated joiner-mover-leaver workflows for employees and third parties. Org-wide SAML and OAuth integrations hardened access and gave the SOC detection visibility into identity-based lateral movement that endpoint telemetry alone misses.
Email security followed the same approach: migrating to an AI-powered platform cut business email compromise incidents 99%.
Reinvesting the savings
Replacing the MDR contract freed $32,000 annually. Instead of booking that as savings, I put it into Tenable One to build a net-new vulnerability management program across endpoint, cloud, web application, and attack surface management. Detection coverage can't be prioritized correctly without visibility into the full attack surface. The same period produced an AI governance roadmap for controlled GenAI adoption, getting ahead of unsanctioned AI use before it surfaced as a data classification or compliance incident.
What this case demonstrates
A solo security function doesn't get to separate strategy from hands-on engineering. This build required architectural judgment to pick the right SOC model, detection engineering depth to make coverage real, and budget discipline to fund what came next. If your organization is facing a SOC build-out, an MDR-to-AI-SOC evaluation, or a detection program that needs to improve without adding analyst headcount, that's the work I do.