50,000+ endpoints protected across Europe
Security Operation Center

Detect better. Stop adversary.

Threats don't wait for business hours. Our Security Operation Center monitors your IT and OT environments around the clock — detecting intrusions the moment they bypass your security controls and responding before damage spreads.

Enterprise SOC Services

Use Cases

The concept of an Integrated SOC moves beyond the traditional model of simply aggregating logs in a legacy SIEM sold on a volume- or processing-based consumption model (Sentinel, Splunk, etc.). It is defined as a unified, continuously adaptive security hub that converges several critical capabilities:

  1. Unified Data Aggregation: It merges traditional SIEM (log collection) with XDR (Extended Detection and Response) powered by CTI (Cyber Threat Intelligence) to ingest telemetry across endpoints, networks, cloud, applications and identity layers into a single pane of glass for threat detection.
  2. Continuous Exposure Management: It integrates our VOC modules to form a CTEM platform which provides real-time visibility into vulnerabilities and the potential impact of emerging threats, shifting from reactive monitoring to proactive risk reduction.
  3. AI-Driven Automation: It leverages AI SOC Agents to automate repetitive tasks like triage, enrichment, and reporting. This allows human analysts to focus on complex investigations and decision-making, addressing talent shortages without sacrificing depth.
  4. End-to-End Workflow with SOAR: It creates a cohesive loop from detection to remediation, breaking down silos between different security tools and vendors to enable faster response times in hybrid, multi-vendor environments.

In short, the Integrated SOC is not "just" a monitoring center limited to a set of integrated features (CTI, SIEM, XDR, SOAR), but a full technology stack built as an orchestration engine that blends human expertise with AI automation and broad data visibility to manage the entire security lifecycle from data ingestion up to threat response. This smart engine is enriched with a set of SOC/MDR (Managed Detection and Response) services delivered by Senior analysts and incident responders.

Since 2019, we've been at the heart of the SOC/AI evolution with Secureworks, moving from a traditional SIEM-based approach (legacy CTP platform from 2011), to TDR (2019, Taegis™ creation as the first XDR) and XDR, up to the ISOC concept (depicted by Gartner in 2026) powered by the Taegis™ SOC platform.

From the SOC services standpoint, we shaped our services according to the platform evolution (and vice versa), moving from traditional (noisy) alerting, to the first MDR v1 in 2016, then MDR v2 in 20

Platform Features

SOC Platform > core

Taegis™ is a multi-tenant SaaS open ISOC platform that allows agnostic data ingestion and normalization from 350+ sources natively in its SIEM backend. Taegis™ has the most comprehensive integration with the Microsoft product ecosystem, offering a complete SOC/MDR for Microsoft where relevant.

Taegis offers 1 year of hot data retention by default, and up to 5 years as an option. Customers can enable log archiving in their own S3 bucket at no additional cost.

The platform is powered by Secureworks/Sophos CTI and 25+ detection engines (IoCs, detection rules, Yara rules, Tactic-Graph™ multi-source correlation rules, ML engines) to optimize the signal/noise ratio (event grouping, AI scoring based on the local context) and generate alerts/detections that are already enriched by internal and external sources to accelerate analyst triage.

A case management system is embedded to ease the incident analysis from the genesis alert/detection, allowing evidence collection powered by an advanced search engine (CLI, GUI, AI LLM), drafting the key findings, adding all entities into a full entity graph, and showing the incident timeline. Collaboration between team members and the analyst team (and product support team) is supported by an embedded chat and investigation comments to track and trace all exchanges and decisions taken during the lifetime of the incident.

The automation and orchestration module (SOAR) provides the notification, enrichment, and response playbooks from 150+ templates. SOAR playbooks can be triggered manually (from alerts or investigations), automatically, or on a schedule, based on your selected criteria.

Last but not least, Taegis™ provides report templates and multiple dashboards (security posture, etc.) by default, as well as native Power BI and Jupyter integration with an open API to build your own integration with external tools.

💡 Commercial Model
  • From the licensing standpoint, the Taegis SOC platform (and services) are priced solely on the size of your IT environment, measured as the number of endpoints (physical or virtual, equipped with a supported EDR). Network and cloud assets are not licensed, but can be integrated without any constraints related to processing or storage requirements.

SOC Platform > add-ons

The following modules, described as embedded options from the same technology provider, can be added to the core SOC platform (and services) and managed from a single pane of glass:

  • Endpoint Detection & Response (Sophos EDR light and full agent included de facto, most of the other major EDRs supported natively)
  • Network Detection & Response (Managed NDR/IDPS appliances up to 10Gbps throughput, inline or monitoring mode)
  • Vulnerability Detection & Response (VDR platform)
  • Identity Threat Detection & Response (ITDR module)

Additional options can be considered as part of the Abilene SOC solutions portfolio:

  • Alternative/Additional Endpoint Detection & Response Agents (specific on-premises EDR or hybrid/dual EDR setup)
  • Advanced Network Detection & Response Appliances
  • Advanced Network Deception sensors
  • Advanced Cloud Detection & Response (Kubernetes/Containers-based IT)
  • OT Endpoint and Network Detection sensors (cf. SOC for OT service)
  • Integration of our VOC services and technologies, especially
  • Alternative/Additional Threat Intelligence IOC feed
  • Advanced Brand/VIP Protection and External Attack Surface Management from our VOC pillar

Services Features

SOC/MDR Service > core

We provide 24x7x365 MDR services as a shared SOC service, solely based on the Taegis™ ISOC platform.

🔍 What's included
  • Triage/validation of high & critical detections/alerts
  • Incident investigation with evidence collection, impacted assets, key findings summary, and remediation plan suggestion
  • Proactive response actions to mitigate threats (endpoint isolation, IP flow blocking, Account disablement or password reset, etc.)
  • 60-minute SLA (SLO: 1 min to detect, 30 min to investigate, 5 min to respond)
  • Real-time collaboration with the SOC team through the platform-embedded chat
  • Unlimited remote incident response for major incidents
  • Monthly proactive threat hunting campaign to anticipate emerging threats (175+ threat groups monitored)
  • Named customer success manager and monthly to quarterly service performance review
  • Same features and business model as our core SOC services
  • Coverage beyond Microsoft — endpoints, network, cloud, identity — from a single open platform promoting segregation of duties

SOC/MDR Service > add-ons

Additional services can be considered on top of the SOC/MDR core services:

🧠 Technical Account Manager (TAM)

The TAM is a designated cybersecurity technical advisor and primary point of contact for Taegis customers, offering in-depth expertise on Sophos/Secureworks products and services as well as the major cybersecurity solutions in the market. The TAM works closely with the customer's team to understand their specific SOC needs and help them optimize their use of the Sophos/Secureworks solution, interfacing with Sophos/Secureworks service managers as the customer solution architect and advocate. The main roles and responsibilities of a Sophos TAM are as follows:

  • Trusted Advisor
The TAM acts as a trusted cybersecurity advisor, providing information and recommendations to help customers maximize the value of their Sophos/Secureworks investment.
  • Primary point of contact for technical advisory
The TAM is the primary point of contact for all technical questions related to Sophos products and services, facilitating communication, solution architecture, and problem resolution. The TAM augments the XDR Basic Application Support that you can get through the Taegis live chat and will proactively advise on new product features that might be relevant in the customer context.
  • In-depth understanding of the customer's environment
The TAM takes the time to understand the customer's specific security environment, needs, and day-to-day operations, enabling them to provide personalized and relevant advice.
The TAM service complements the MDR service by ensuring close follow-up and continuous improvement of the Taegis solution (platforms and services) against your evolving context and the dynamic threat landscape.

TAM scope of work:

  • 8x5 (CET time zone) premium support in French and English
  • Monthly meeting with the customer-designated Security Operation Manager
  • Active participation in the monthly/quarterly service (MDR, IMR, ELITE) review

The TAM is subscribed as a yearly retainer of ten (10) Service Units (50 hours) and can support additional activities based on the in-scope capabilities depicted in the service description (custom parser, response playbook, Taegis health check, Taegis training, vulnerability management operation, etc.).

🛡️ Enterprise Elite Threat Hunting

Assigns a designated threat hunter to proactively identify stealthy threats bypassing automated detection — combining continuous human-led hunts, deep Taegis XDR analytics, and tailored threat hunting missions as a seamless extension of the customer's security team.

🛡️ Enhanced Enterprise SOC Services

Adds a designated 24/7 SOC team (shared by a maximum of 3 customers) on top of the standard core services, providing deeper investigation context across all data sources, phishing investigation, orchestrated remediation, and governance advisory — delivering a fully managed SOC-as-a-service experience for organizations requiring hands-on, specific analysis and incident response workflows. The enhanced SOC team is an extension of your internal SecOps team.

Enterprise SOC Services for Microsoft

Use Cases

Based on our core SOC/MDR service, it acts as a fully managed SOC layer on top of your existing Microsoft security stack — extracting maximum value from Microsoft licenses you already own, such as Business Premium or E3 (not an exhaustive list), without necessarily moving to E5. It is ideal for organizations heavily invested in the Microsoft ecosystem that lack internal SOC capacity to operationalize Defender fully — getting expert-managed, enterprise-grade coverage without abandoning or duplicating their existing stack.

We do NOT operate Sentinel as our core SOC platform. This avoids vendor lock-in, preserves strategic independence, and enables open integration with non-Microsoft sources. The economic model is not based on the volume ingested, processed or stored (GB/day), which gives you a predictable security budget (rather than a cloud budget) and avoids having to segregate sources to limit volume (more ingested/processed/stored = higher costs), since those sources can be important from a detection or forensic perspective.

Services Features

🔍 What it ingests
  • Microsoft Defender Suite — Defender for Endpoint, Identity, Cloud Apps, Office 365
  • Azure — Azure AD, Azure Monitor, cloud workload telemetry
  • Microsoft Sentinel — log analytics, SIEM alerts and custom detection rules
  • M365 — email, Teams, SharePoint activity and threat signals
🧠 How it works
  • All Microsoft telemetry flows into Taegis, where machine learning, behavioral analytics and CTU threat intelligence correlate signals across the full environment — reducing alert noise (by 5x) to actionable, high-priority cases in a single pane of glass (vs multiple Microsoft consoles)
  • SOC analysts (supported by Microsoft MVPs) investigate detections 24/7 on the same Taegis console the customer sees — enabling real-time co-investigation via live chat in under 90 seconds.
  • No rip-and-replace — enhances Defender (and Sentinel, if you wish to keep a hybrid scenario or for specific use cases such as SAP, where we recommend Sentinel) rather than replacing them, protecting existing Microsoft license investments.
🛡️ What's included
  • Same features and business model as our Enterprise SOC services
  • Coverage beyond Microsoft — endpoints, network, cloud, identity — from a single open platform promoting segregation of duties
💡 Commercial Model
  • The subscription is based on the number of endpoints only, and not associated with any form of storage or processing consumption (Sentinel or any other SIEM model)

Enterprise SOC Services for OT

Use Cases

Bring specific and converged IT+OT threat monitoring, detection and investigation under a single platform — delivering 24/7 coverage by OT-specialized security experts, native integrations with OT cybersecurity agents and sensors, NDR appliances between IT and OT landscapes, and providing collaborative SOC escalation playbooks purpose-built for critical environments (OT, IoT, IoMT).

This service is ideal for organizations operating critical infrastructures — manufacturers, energy producers, utilities, transportation operators, hospitals — undergoing IT/OT convergence that need unified threat visibility and expert-managed response across both domains, without the risk of security actions disrupting operational continuity.

Taegis MDR for OT was architected from the ground up as a converged IT/OT solution — with OT-native integrations, specialist analysts and operationally-aware response playbooks that prioritize uptime alongside security.

Service features

🔍 Pre-requisites and approach
  • OT agents or network sensors to monitor OT assets and specific OT traffic
  • Part of the global Abilene Approach for OT encompassing 5 key elements:
    • Defensible architecture
    • ICS security monitoring
    • Secure remote access
    • Risk-based vulnerability management
    • Incident response
🔍 What it monitors
  • OT environments — PLCs, HMIs, SCADA systems, industrial controllers and field devices
  • IT/OT convergence layer — traffic and telemetry flowing between corporate IT and operational networks
  • Endpoints & network — via OT endpoint agents and Taegis NDR for IT/OT traffic inspection
  • Leading OT toolsets — native integrations with Nozomi, Seclab (and Dragos, Claroty, SCADAfence) for deep OT visibility
🧠 How it works
  • OT and IT telemetry are unified in Taegis XDR, where machine learning and CTU threat intelligence correlate cross-domain signals — detecting threats that pivot between IT and OT networks.
  • This service leverages a dedicated Taegis tenant for OT, so it also applies to customers that already have an IT SOC service delivered by another MSSP on a different platform
  • A dedicated OT Specialist Team (separate from standard MDR analysts) investigates OT-specific detections, with deep knowledge of industrial protocols, asset behavior and operational context.
  • Collaborative escalation playbooks are built jointly with the customer during onboarding, ensuring response actions never inadvertently disrupt production.
  • 24/7 access to OT security experts via live chat in under 90 seconds.
🛡️ What's included
  • Same features as our Enterprise SOC services
  • 24/7 unified IT and OT threat monitoring, detection, and investigation
  • OT-specialized security analysts team with industrial expertise
  • Collaborative build-out of IT/OT escalation processes and response playbooks
  • Quarterly security reviews and access to proactive services (IR planning, adversarial testing)
💡 Commercial Model
  • The subscription is based on the number of OT assets

SOC Maturity Assessment

Use Cases

Know where your Security Operations Center stands today — and where it needs to go. Our structured assessment gives you an independent, evidence-based view of your SOC's strengths, gaps, and a clear roadmap for improvement.

Services Features

🚨 Built on SOC-CMM — the industry-standard model for SOC excellence

We use the SOC Capability Maturity Model (SOC-CMM), a globally recognized open framework designed specifically for Security Operations Centers. It evaluates maturity and capability across five domains and 26 aspects, providing a structured, objective, and repeatable measure of SOC performance — aligned with the NIST Cybersecurity Framework.

  • Business: Governance, strategy, and organizational alignment
  • People: Skills, roles, staffing, and training
  • Process: Detection, triage, response, and escalation procedures
  • Technology: Tooling, integrations, and automation
  • Services: Detection and response service delivery

A clear, six-level scoring model

Each domain is scored on a maturity scale from 0 to 5, from ad hoc and undocumented operations up to a fully optimizing, continuously improving SOC. Capability dimensions are scored separately on a 0–3 scale for technology and services.

0 Non-existent > 1 Initial / informal > 2 Defined / documented > 3 Managed / measured > 4 Quantitatively managed > 5 Optimizing

🛡️ Designed for SOC operators and service providers alike
Organizations with an internal SOC
  • Benchmark your SOC against industry peers
  • Justify security investments to leadership
  • Prioritize improvement initiatives
  • Demonstrate continuous improvement to stakeholders
MSSPs & MDR providers
  • Validate and differentiate your service quality
  • Identify gaps before clients do
  • Build a structured service improvement roadmap
  • Demonstrate maturity to prospects and auditors
💡 Actionable insight, not just a score
  • An independent maturity score across all five SOC-CMM domains and 26 aspects
  • A benchmarked view of where you stand relative to industry best practices and peer organizations
  • Identification of your SOC's critical strengths and highest-priority gaps
  • Tailored recommendations across people, process, and technology with phased quick wins and long-term initiatives
  • A NIST CSF mapping of your results for compliance and governance alignment
  • An executive-ready report to communicate findings to leadership and stakeholders
What it means

From Noise to Signal: The Intelligence Behind Superior Detection

Our vision

Most security stacks are built on volume, not value. They flood you with false positives while sophisticated attackers use evasion techniques to hide in plain sight. For SMBs and mid-market enterprises, the gap between "having tools" and "having intelligence" is where breaches occur. Without a unified strategy that leverages deception, network flow analysis, and behavioral analytics, you are essentially fighting a war with one eye closed.

Our vision is to democratize elite-level threat detection. We believe that advanced detection shouldn't be reserved for the Fortune 500. We are building the ultimate predator-prey dynamic in favor of the defender. Our vision is a world where your security team is always one step ahead, using advanced sensors and relentless hunting to flush out threats before they can cause damage. We believe that detection is not a passive state—it is an active pursuit. We empower you to dominate the battlefield.

"Detect Better" means achieving a level of Operational Cyber maturity that leaves no room for guesswork. It means:

  • Maturity Roadmaps: Starting with a comprehensive SecOps maturity assessment to identify your specific gaps and build a tailored detection strategy.
  • Holistic Sensor Fusion: Integrating EDR, MTD, NDR, CDR, and Deception solutions into a single, cohesive view that correlates data across endpoints, networks, and cloud.
  • Intelligent Automation: Using SOAR to instantly triage and respond to low-level threats, freeing your humans to focus on the complex attacks that matter.
  • Proactive Hunting: Going beyond automated alerts with dedicated Threat Hunting teams that actively search for hidden adversaries before they trigger an alarm.
  • Specialized Depth: Extending this visibility into your Operational Technology (OT) environments, securing the physical-digital bridge where traditional tools often fail.
Detect better. Stop adversary.
Improve your noise/signal ratio. Accelerate your response.

Ready for elite-level threat detection?

FAQs

Everything you need to know

Choosing a partner is a major decision. Here are the questions we hear most often — answered straight.

Did not find your answer?
Just ask us your question

What makes you different from other cybersecurity solution providers?

Backed by a governance, risk, and compliance mindset for 25+ years, we cover the full cyber resilience lifecycle: carefully selecting our technology partners, recruiting the highest skill sets to support our competency centers, and delivering services to protect what matters most. Your mission demands nothing less than total cybersecurity, before, during and after an attack, with a deliberate preference for a European sovereign approach and specific expertise in IT/OT convergence. Most providers specialize in one area. We don't.

Go further

Related Insights

Cyber threats evolve fast. Our experts share the latest thinking on cybersecurity trends, regulatory changes and operational best practices — so your organization stays one step ahead.

No blog post yet...