What it is (plain English)
A structured workspace for the security team to handle security incidents — phishing, malware, breaches — with guided playbooks, automated enrichment, and integration to security tools (SIEM, EDR). It brings the discipline of IT incident management to the SOC, with the CMDB providing asset context.
Problems it solves
- Security incidents handled in email and chat with no consistent process.
- Analysts manually pivoting between disconnected security tools.
- No metrics on response times or incident volume/trends.
- Slow, inconsistent triage without playbooks.
What must exist first
Platform Core Setup and CMDB Foundation (asset context for affected systems). Integrations to security tooling (SIEM/EDR) via Integration Foundation drive most of the value.
What the customer needs to provide
- Your security tool stack (SIEM, EDR, threat feeds) and how it will connect.
- Your current incident response process and severity model.
- Playbook content for common incident types.
- SOC team structure and escalation paths.
Where it can go next
Threat Intelligence enriches investigations; Vulnerability Response (VR) closes the loop on exploited weaknesses; can create/relate IT Incident Management records; orchestration/automation accelerates containment.