Does the SOC have a Memory Problem?? A better approach to your field notes feat. K.C. Yerrid

February 17, 2026


KC Yerrid joins Detection Dispatch to break down SCOUT — a local-first, open-source analyst cockpit built around atomic notes, entity relationships, and structured investigation memory.

The SCOUT Project on GitHub: https://github.com/kcyerrid/SCOUT

In this episode, we explore:

  • Why static investigation notes rarely get referenced again and why tribal knowledge evaporates after every incident
  • Why “everything is an entity” is a massive shift for analysts
  • How graph-based sensemaking helps visualize relationships that dashboards can’t
  • Why brittle SOAR playbooks fail (investigations aren’t linear — you can’t pre-plan every branch)
  • Why investigations don’t fit neatly into tickets and timelines
  • And how better documentation makes AI actually useful later

Plus: junior analysts can level up faster with entity-based thinking.

If you have to keep re-learning the same lessons every quarter… this one’s for you.
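The episode's central idea, "everything is an entity", is easiest to see with a vault in hand. The block below is an added example written for this page, not code from the SCOUT project: it builds an entity graph from a handful of Obsidian-style atomic notes (YAML frontmatter plus `[[wikilinks]]`) and then does the "search for an IOC and pivot" motion the episode describes. The note contents, the `type` and `itid` frontmatter keys, and the ITID values are all constructed for the illustration and are not SCOUT's actual schema; the ATT&CK technique IDs are real, the incident numbers and indicators are made up.

```python
"""Added example, not SCOUT's own code: a minimal entity graph over
Obsidian-style atomic notes.  Each note is a markdown file whose frontmatter
declares its entity type; relationships are the [[wikilinks]] in the body.
All note contents and frontmatter keys below are constructed assumptions."""
import re
from collections import defaultdict, deque

# Constructed vault: filename -> note text.  Types, IDs and IOCs are illustrative only.
VAULT = {
    "Scattered Spider.md": "---\ntype: threat_actor\n---\nUses [[T1566.004]] and [[T1078]]. Seen in [[INC-0042]].\n",
    "T1566.004.md": "---\ntype: ttp\n---\nSpearphishing voice. Observed in [[INC-0042]] and [[INC-0051]].\n",
    "T1078.md": "---\ntype: ttp\n---\nValid accounts.\n",
    "INC-0042.md": "---\ntype: incident\nitid: 1.2.3.4\n---\nHelpdesk vishing. IOCs: [[198.51.100.7]], [[login-portal-example.test]].\n",
    "INC-0051.md": "---\ntype: incident\nitid: 1.2.3.9\n---\nRepeat vishing attempt. IOC: [[198.51.100.7]].\n",
    "198.51.100.7.md": "---\ntype: ioc\n---\nDocumentation-range IP used as a constructed IOC.\n",
    "login-portal-example.test.md": "---\ntype: ioc\n---\nPhishing domain (constructed).\n",
}

FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n", re.S)
# [[Target]], [[Target|alias]] and [[Target#heading]] all resolve to "Target"
WIKILINK = re.compile(r"\[\[([^\]|#]+)(?:[|#][^\]]*)?\]\]")


def parse_note(text):
    """Return (frontmatter dict, set of wikilink targets); frontmatter is flat key: value."""
    meta = {}
    m = FRONTMATTER.match(text)
    if m:
        for line in m.group(1).splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                meta[key.strip()] = value.strip()
    body = text[m.end():] if m else text
    return meta, set(WIKILINK.findall(body))


def build_graph(vault):
    """Every note is an entity; links become undirected edges so you can pivot either way."""
    types, adj = {}, defaultdict(set)
    for fname, text in vault.items():
        name = fname[:-3] if fname.endswith(".md") else fname
        meta, links = parse_note(text)
        types[name] = meta.get("type", "unknown")
        for target in links:
            adj[name].add(target)
            adj[target].add(name)
    # A link to a note that does not exist yet is still an entity (type unknown).
    for node in adj:
        types.setdefault(node, "unknown")
    return types, adj


def neighbours(adj, types, entity, depth=1, want=None):
    """Breadth-first walk out to `depth` hops; returns {entity: hop_distance}, optionally filtered by type."""
    seen, frontier, out = {entity}, deque([(entity, 0)]), {}
    while frontier:
        node, d = frontier.popleft()
        if d == depth:
            continue
        for nxt in adj.get(node, ()):
            if nxt in seen:
                continue
            seen.add(nxt)
            out[nxt] = d + 1
            frontier.append((nxt, d + 1))
    if want:
        out = {n: d for n, d in out.items() if types.get(n) == want}
    return out


def pivot_ioc(adj, types, ioc):
    """The 'search an IOC and pivot' motion: incidents sharing it, then actors two hops out."""
    incidents = sorted(neighbours(adj, types, ioc, 1, "incident"))
    actors = sorted(neighbours(adj, types, ioc, 2, "threat_actor"))
    return incidents, actors


if __name__ == "__main__":
    entity_types, graph = build_graph(VAULT)
    print(pivot_ioc(graph, entity_types, "198.51.100.7"))
```

The point of the two-hop walk is the "second-order relationships" the episode talks about: an IOC that shows up in two incidents immediately surfaces the actor documented against only one of them, which is the duplicate-investigation check a ticketing system cannot make for you.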

Detection Engineering Dispatch features candid conversations with security teams at top companies on how they build, measure, and scale world-class detection programs.

Host: Alex Hurtado

Alex (00:02)
What’s up, everyone? Welcome back to Detection Dispatch — the show where we talk detection engineering, SOC life, incident response (IR), and all the stuff we’re all feeling… but rarely documenting.

I’m your host, Alex Hurtado, and today we’re leaning into the community again — specifically the open source SecOps projects that are building real leverage for security teams. Not another shiny tool pitch. Not consulting-as-a-service. This one’s about something way more foundational:

How analysts think. How memory works. How continuity breaks in the modern SOC.
Because honestly? The modern SOC can feel like an over-engineered mess of alert volume, detection debt, and tribal knowledge evaporating the second someone changes teams.

So I’m hyped to introduce K.C. Yerrid. Casey, thanks for coming on. Can you tell us your story — and how you made it through the trenches of security operations?

K.C. Yerrid (01:18)
Absolutely. Thanks for having me, Alex. I’ve watched your work for a long time, so it’s great to be here.

I came up through traditional IT — systems admin work in manufacturing, running everything from AS/400s to Windows NT back in the 90s. But my shift into security came after hearing Jack Wiles speak at an IT user group. He broke down social engineering in a way that felt like street magic — played recordings of real social engineering calls, and I was instantly hooked.

After 9/11, our organization needed stronger business continuity capabilities, which pulled me deeper into operational resilience. Eventually I landed in security operations at Amazon, where I was a technical program manager supporting the CERT — improving SOC programs, analyst productivity, and operational capability.

Today I lead teams and focus on helping analysts do what they do best — investigate, make decisions, and reduce time-to-triage. I’m basically a servant leader to a group of people who are smarter than me and work unbelievably hard.

Alex (04:03)
“Street magic” is such a perfect way to describe security. Criss Angel, but make it InfoSec.

And real talk: this is why the community matters. I was just at ChyberCon in Chicago — local, non-vendor, community-driven — and it reminded me how security has always been: find other people fighting the same fire, sit in a room, compare notes, and figure it out together.

That’s the essence of the InfoSec community — and there’s a local group in basically every city.

Now, you’re building something that blends threat intelligence, SOC investigations, and human sense-making into one workflow. We’re talking ITID, Cypher, and Scout. I know what you’re working on, but tell the audience: what is Scout… and what is it not?

K.C. Yerrid (06:41)
Scout started from a need for personal knowledge management (PKM) in security operations. I was using Obsidian, and I realized there was an opportunity to bring in threat intelligence and investigations in a way that’s consumable for individual analysts.

Not every team needs a six-figure TIP. Some analysts just need a way to understand threat actors, TTPs, observables, incidents, and how those things relate — in a way that supports daily work.

Scout is designed for individual workflow and documentation, not multi-user note collisions. It’s personal notes that can be shared when appropriate, but it’s built for analyst continuity and productivity.

  • Cypher is the threat intelligence side
  • Scout is the security operations side
  • And the foundation is ITID — Incident Type Identification Digits, a standardized taxonomy with four tiers (from general to specific), so you can track patterns across incident types over time.

Alex (09:31)
So, for anyone who hasn’t used it: Obsidian is like a note-taking system — but it’s local, modular, and built around relationships. You own the vault. You own the data. No vendor dependency. No “good luck exporting that later.”

And what I love here is the “free dollars” factor: you’re making something accessible to analysts who don’t have big budgets, but still need modern investigation workflows.

Tell us more about the structure — why does this entity-based approach matter so much?

K.C. Yerrid (12:14)
The key idea is: everything is an entity.

A TTP is a TTP. An IOC is an IOC. A threat actor is a threat actor. Incidents are incidents. By separating everything into atomic notes, you can map relationships between them — and Obsidian visualizes that as a graph automatically.

So if you open something like Scattered Spider, you can immediately see the connected TTPs, incidents, campaigns — everything you’ve documented that relates. You can zoom out, see second-order relationships, or zoom in to focus on one campaign.

Investigations aren’t linear. A ticketing system forces linearity. But investigations are recursive and messy — rabbit holes included. Scout makes those rabbit holes reusable instead of wasted.

Alex (14:58)
YES. Tickets and folders force a fake linear story. But investigations are chaos in a trench coat. And chaos doesn’t live neatly in folders.

So talk to me about efficiency. Does Scout reduce duplicate work? Does it speed up triage? Does it help junior analysts ramp faster?

K.C. Yerrid (16:13)
We’re seeing efficiencies, but there’s a learning curve because it’s a paradigm shift.

Once analysts get into the habit — daily notes, structured YAML, launching incidents through Scout — it becomes natural. Then it’s powerful:

  • You can search for an IOC and pivot instantly
  • You can prevent duplicate investigations
  • You can reuse “negative work” (failed paths)
  • And you can discover hidden dependencies between entities

Alex (27:04)
And you also track burnout factors — which is honestly so real. Alert fatigue is the villain origin story of every SOC analyst.

Also: you touched on something important — Microsoft Sentinel limitations. For example: screenshots. Auditors want them. SIEM workflows don’t make that easy. Scout gives you a local place to keep investigation context, notes, and artifacts together — and build close notes as you go.

But what really stands out is: this isn’t just “documentation.” It’s analyst sense-making.

K.C. Yerrid (33:06)
Exactly. It’s a narrative journal of the incident — but structured around entities and relationships.

And in cloud and identity-centric environments, relationships matter even more. It’s not just “what happened,” it’s “what could reach what,” and “who had access to what.” Scout supports cross-domain correlation as long as analysts capture what they tried and what they found.

Alex (39:36)
This is the kind of work that makes AI more useful later — because you’re building the human context first. AI can’t rescue investigations that weren’t structured for humans. Scout puts the human at the beginning — not as a cleanup step after the automation spits out a summary.

So: how can folks start using Scout?

K.C. Yerrid (40:39)
It’s on GitHub: https://github.com/kcyerrid/SCOUT. Clone the repo, download Obsidian from the official site, create your vault, load the folder structure and scripts, configure paths, and start using it.

It’s platform-independent: Windows, Mac, Linux, Android — anywhere Python runs.

Alex (42:23)
Love it. No vendor dependency. Works whether you’re on Sentinel, Splunk, LogScale, or anything else.

Casey, where can people follow your work, and what do you want more of from the community?

K.C. Yerrid (43:03)
LinkedIn is my only social: KC Yerrid. And what I want most is junior folks stepping up with questions — what pain points do you want solved? What would make investigations easier? How should detection engineers and analysts partner better?

We haven’t even fully touched the detection engineering side yet — mapping detection logic into ITIDs, capturing the rules that trigger incident types, and connecting that back into the knowledge base.

Alex (46:55)
Okay, that’s your official invite to come back when you’re ready to go deep on the detection engineering side — because that’s a whole universe.

That’s a wrap for this episode of Detection Dispatch — a true human-thinking episode. Like, subscribe, and share this with the analyst who is so tired of relearning the same incident every quarter because half the team rotated and the tribal knowledge vanished into the void.

Catch you next time.