The SOC Then vs Now...a 'Possible Travel' Season 2 Special Feat. Matt Konwiser & Chris Liccardi

January 29, 2026


In this episode, we hop in the time machine with my old friends Matt Konwiser and Chris Liccardi to break down the evolution of the SOC: what actually got better, what got worse, and why alert fatigue may be the one normalized problem no one wants to do anything about.

What’s inside:

  • The ghost of SOCs past: linear, manageable, maybe even… boring?
  • IAM, UBA, VPCs, and other buzzwords that broke the workflow
  • Why UBA is the bridesmaid of security, and why it should include an A for AI behavior
  • UBA’s glow-up potential (or lack thereof)
  • Real-life horror stories from the modern alert trenches

Host: Alex Hurtado
Guest: Matt Konwiser, IBM Chief Technical Officer

KEY MOMENTS & THEMES

1. How it started: The On-Prem Era

  • SOCs were physically together, triage was Boolean, and analysts had control over firewalls, endpoints, and networks.
  • Visibility was limited but structured. Alert handling was linear.
  • Detections were managed by a handful of tools, and teams spoke different dialects of the same language.

Chris: “It was simply complex. You could own the chaos.”

2. When the Cloud Came to Town

  • Centralization broke. Logs became expensive. Identity providers exploded. Analysts became pipeline debuggers. Security has a pricing problem.
  • Fear of cloud turned into forced adoption, driven by cost, contracts, and convenience.

Matt: “Convenience overcame caution.”

Chris: “We pay for logs five times and still can't answer basic questions.”

3. UBA: The Bridesmaid of Security

  • UBA (User Behavior Analytics) never worked well. Why? Because orgs can’t define “who” their users even are.
  • Human behavior is unpredictable. AI behavior is logical. We need two tracks: H-UBA and A-UBA.

Alex: “UBA is the bridesmaid of the SOC. Shows up late, alerts on everything, still wants an invite.”

Matt: “I’m always anomalous. That’s how I beat UBA.”

Chris: “With trust in the data, UBA could finally be the bride.”

4. Alert Triage: Then vs. Now

  • Old triage was rule-based and predictable. Now, alerts trigger tickets, pipelines, AI wrappers and confusion.
  • The worst part? We’ve automated broken logic.

Matt: “It wasn’t boring—it was Boolean.”

Chris: “We’re just faster at being wrong.”
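To make the two points from sections 3 and 4 concrete (split UBA into a human track and an automation/AI track, and stop automating a rule that is wrong by construction), here is an added example that is not code from the episode, the hosts, or any product discussed. The identity inventory, the sign-in events, the 900 km/h "possible travel" threshold and the frequent-traveler cutoff are all constructed assumptions; the point is that the automation track gets a strict allow-list because its behavior is supposed to be deterministic, while the human track uses velocity and a per-person baseline so that someone who is "always anomalous" does not page the SOC every night.

```python
"""Toy two-track UBA over constructed sign-in events (added example, not from the episode)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900          # assumption: faster than an airliner => "possible travel"
FREQUENT_TRAVELER = 3  # assumption: >= this many baseline countries => new countries are normal

# Identity inventory (constructed): the "who are our users" answer the episode says orgs lack.
INVENTORY = {
    "alice":        {"track": "human"},
    "bob":          {"track": "human"},
    "svc-backup":   {"track": "automation", "sources": {"10.0.5.20"}, "actions": {"read"}},
    "llm-agent-01": {"track": "automation", "sources": {"10.0.9.7"}, "actions": {"read", "summarize"}},
    # "mallory" is deliberately missing: nobody owns that account.
}

# Event layout: (timestamp, principal, source_ip, country, lat, lon, action). All constructed.
BASELINE_EVENTS = [
    ("2026-01-05T09:10:00", "alice", "203.0.113.5", "US", 40.71, -74.01, "login"),
    ("2026-01-06T09:30:00", "alice", "203.0.113.5", "US", 40.71, -74.01, "login"),
    ("2026-01-05T08:00:00", "bob", "198.51.100.9", "GB", 51.51, -0.13, "login"),
    ("2026-01-06T22:00:00", "bob", "198.51.100.20", "DE", 52.52, 13.41, "login"),
    ("2026-01-07T12:00:00", "bob", "198.51.100.31", "SG", 1.35, 103.82, "login"),
    ("2026-01-05T01:00:00", "svc-backup", "10.0.5.20", "US", 37.77, -122.42, "read"),
    ("2026-01-05T01:05:00", "llm-agent-01", "10.0.9.7", "US", 37.77, -122.42, "read"),
]
LIVE_EVENTS = [
    ("2026-01-10T09:00:00", "alice", "203.0.113.5", "US", 40.71, -74.01, "login"),
    ("2026-01-10T10:00:00", "alice", "198.51.100.77", "JP", 35.68, 139.69, "login"),    # NY -> Tokyo in 1h
    ("2026-01-10T23:00:00", "bob", "198.51.100.40", "FR", 48.86, 2.35, "login"),        # bob travels constantly
    ("2026-01-11T01:00:00", "svc-backup", "10.0.5.20", "US", 37.77, -122.42, "read"),
    ("2026-01-11T01:10:00", "svc-backup", "203.0.113.77", "US", 40.71, -74.01, "read"), # unexpected source
    ("2026-01-11T01:20:00", "llm-agent-01", "10.0.9.7", "US", 37.77, -122.42, "delete"),# unexpected action
    ("2026-01-11T14:00:00", "mallory", "203.0.113.90", "US", 40.71, -74.01, "login"),   # not in inventory
    ("2026-01-12T02:00:00", "alice", "198.51.100.88", "BR", -23.55, -46.63, "login"),   # new country, off hours
]


def _ts(s):
    return datetime.fromisoformat(s)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def build_baselines(events):
    """Per principal: countries seen during the baseline window and the most recent event."""
    base = defaultdict(lambda: {"countries": set(), "last": None})
    for ev in sorted(events, key=lambda e: e[0]):
        base[ev[1]]["countries"].add(ev[3])
        base[ev[1]]["last"] = ev
    return base


def assess(ev, baselines, inventory, seen_unclassified):
    """Return (severity, name, principal) findings for one live event, then update state."""
    ts, who, src, country, lat, lon, action = ev
    ident = inventory.get(who)
    findings = []
    if ident is None:  # the episode's root cause: we cannot say who this is
        if who not in seen_unclassified:
            seen_unclassified.add(who)
            findings.append(("high", "unclassified_identity", who))
        return findings
    base = baselines[who]
    if ident["track"] == "automation":  # A-UBA: deterministic actors get an allow-list
        if src not in ident["sources"] or action not in ident["actions"]:
            findings.append(("high", "automation_deviation", who))
    else:  # H-UBA: velocity check plus a per-person baseline
        last = base["last"]
        if last is not None:
            hours = (_ts(ts) - _ts(last[0])).total_seconds() / 3600
            km = haversine_km(last[4], last[5], lat, lon)
            if hours > 0 and km / hours > MAX_KMH:
                findings.append(("high", "possible_travel", who))
        new_country = country not in base["countries"]
        off_hours = not 6 <= _ts(ts).hour < 20
        if new_country and off_hours and len(base["countries"]) < FREQUENT_TRAVELER:
            findings.append(("medium", "new_country_off_hours", who))
    base["countries"].add(country)
    base["last"] = ev
    return findings


def run_two_track(live=LIVE_EVENTS, baseline=BASELINE_EVENTS, inventory=INVENTORY):
    baselines = build_baselines(baseline)
    seen, out = set(), []
    for ev in sorted(live, key=lambda e: e[0]):
        out.extend(assess(ev, baselines, inventory, seen))
    return out


def run_naive_new_country(live=LIVE_EVENTS, baseline=BASELINE_EVENTS):
    """The rule many SOCs automated as-is: alert on any country not seen before, for anyone."""
    seen = defaultdict(set)
    for ev in baseline:
        seen[ev[1]].add(ev[3])
    alerts = []
    for ev in sorted(live, key=lambda e: e[0]):
        if ev[3] not in seen[ev[1]]:
            alerts.append(ev[1])
        seen[ev[1]].add(ev[3])
    return alerts


if __name__ == "__main__":
    for f in run_two_track():
        print("two-track:", f)
    print("naive new-country alerts:", run_naive_new_country())
```

On the constructed data the naive rule fires four times (twice on alice, once on bob, once on mallory) and is silent on both automation deviations, which is exactly "faster at being wrong": the frequent traveler is noise, the unknown account is flagged only by accident of an empty baseline, and the service account reading from an unexpected address never appears. The two-track run returns five findings, each tied to a reason a human can act on. In a real deployment the inventory would come from the IdP and CMDB, the baseline window would be weeks rather than a few events, and the thresholds would be tuned per tenant, all of which are assumptions here.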

5. Detection Horror Stories

  • Chris shares a war room story from a major M&A deal involving a social media giant.
  • QRadar proved out detections in a simulated purple team attack… and yet, leadership didn’t trust the tools—or the team.
  • Post-Log4j burnout, over-reliance on tooling, and zero executive alignment are the new norm.

Chris: “We had the data. We had the detections. But we didn’t have trust.”

6. Culture, Governance, and the Future of the SOC

  • Most orgs still run on policies written in 2010. Many tools just amplify outdated thinking.
  • Detection engineering today means managing telemetry chaos—not just tuning rules.
  • AI helps, but without data fidelity and logic, it’s just faster noise.

Alex: “We’ve gone from two hands and a dream… to LLMs and vibes.”

Matt: “People who know the past and stay current...they’re the ones ahead.”

Chris: “Experience builds instinct. You can’t automate that.”

CLOSING THOUGHTS
UBA needs a rebuild. SOCs need trust. And automation needs better detection logic or it’s just scaling failure. Whether you’re new to detection engineering or burned out by the noise, this episode offers perspective, dark humor, and hard-won wisdom.

Follow the Guests:

  • Matt Konwiser: https://www.linkedin.com/in/mattkonwiser/
  • Chris Liccardi: Offline, like a real security person