Security operations
Security operations | 2 min read
An important update (and apology) on our PoisonSeed blog
An important update and apology on the Expel blog, for a blog we published on PoisonSeed on July 17, 2025.
Security operations | 3 min read
Level up your SIEM strategy with new offerings from Expel MDR & Sumo Logic
We're announcing a cost-effective solution for your MDR, SIEM, and data storage needs with Expel MDR and Sumo Logic's new partnership.
Security operations | 8 min read
How to get started with the NIST Cybersecurity Framework (CSF) 2.0
We give you a quick tour of the NIST CSF and describe how you can baseline your efforts in a couple of hours. So check it out.
Security operations | 7 min read
How to identify when you’ve lost control of your SIEM (and how to rein it back in)
See if these four telltale warning signs get your head nodding. If so, learn how to get started on regaining control.
Security operations | 8 min read
How much does it cost to build a 24×7 SOC?
Not all 24x7 SOCs are created equal. Here we outline four possible security operations centers and an estimate of your costs.
Security operations | 3 min read
Security alert: MOVEit Transfer exploited vulnerability
Attackers are exploiting a vulnerability affecting all MOVEit Transfer versions to exfiltrate data and deploy ransomware.
Security operations | 3 min read
Expel Quarterly Threat Report Q3: Top 5 takeaways
Our third quarterly (Q3) threat report is here and it’s overflowing with cybersecurity data, trends, and recommendations to help you protect your organization. Here are our top five takeaways from Q3.
Security operations | 3 min read
Top 5 takeaways: Expel Quarterly Threat Report Q2
Our second quarterly (Q2) threat report is here and it’s chock full of cybersecurity data, trends, and recommendations to help you protect your organization. Here are our top five takeaways from Q2.
Security operations | 1 min read
Got workloads in Microsoft Azure? Read this
Got Microsoft Azure? Running Microsoft products in your org? Then you might want to get a free copy of our all-new Azure guidebook.
Security operations | 7 min read
Enhancing phishing protection: analyst & customer security
Discover how Expel's robust phishing protection measures safeguard our analysts and customers against email threats, providing utmost security and peace of mind.
Security operations | 3 min read
The SolarWinds Orion breach: 6 ideas on what to do next and why
Here are some of our early observations on the SolarWinds Orion breach, plus our ideas on what to do next to detect related activity and better protect your org.
Security operations | 8 min read
How to investigate like an Expel analyst: The Expel Workbench managed alert process
Ever wonder about how Expel’s analysts investigate alerts? Our SOC team created a workflow called the Expel Workbench managed alert process. Read on to find out how it works and how it can help you.
Security operations | 6 min read
Evilginx-ing into the cloud: How we detected a red team attack in AWS
Red team sneak attack? Bring it on. Find out how we tackled a red team attack using open source offensive security tools in AWS and what you can do to protect your org from similar attacks.
Security operations | 4 min read
The CISO in 2020 (and beyond): A chat with Bruce Potter
It’s impossible to sum up a year that felt like 1000 in a single blog post. But we did gather some topline takeaways on security trends and the evolving role of the CISO from Expel’s Bruce Potter.
Security operations | 2 min read
Introducing a mind map for AWS investigations
We’ve been doing a lot of investigations in AWS using CloudTrail logs and have been noticing some interesting things along the way. So we created an AWS mind map for our team (and you). Check it out!
Security operations | 9 min read
Performance metrics, part 2: Keeping things under control
In this second post in our three-part series on all things metrics and SOC leadership, our team dives into details of what metrics and techniques are used to protect the SOC against volatility.
Security operations | 8 min read
Why don’t you integrate with [foo]?
You’ve heard that Expel integrates with your tech. But not YOUR tech. What gives? Well, sometimes it doesn’t always make sense. Expel’s COO explains why and what this means when working with us.
Security operations | 8 min read
Is Microsoft Defender for Endpoint good?
Expel has integrated Microsoft Defender for Endpoint into our platform and we’re impressed! Our SOC analysts share why they love it and how they use it to triage alerts.
Security operations | 5 min read
The myth of co-managed SIEMs
Think you can get a co-managed SIEM and then step away to let the magic happen? Not so fast. Our CISO shares some common myths and the realities you should consider before making a decision.
Security operations | 8 min read
Behind the scenes in the Expel SOC: Alert-to-fix in AWS
Wonder what real-life investigation and response looks like in the cloud? Buckle up! Our team walks you through a coin-mining attack in AWS that they recently foiled – all the way from alert to fix.
Security operations | 8 min read
Spotting suspicious logins at scale: (Alert) pathways to success
Find out how our SOC analysts used automation to reduce the time it takes to investigate and report a suspicious login by 75%. The team outlines the process and shares a case study of it in action.
Security operations | 9 min read
Obfuscation, reflective injection and domain fronting; oh my!
During a recent red team engagement, the CrowdStrike EDR Platform alerted our SOC team on the execution of a suspicious VBScript file. This is what they learned from untangling the malware code.
Security operations | 7 min read
Managed Detection & Response for AWS
Learn how Expel detected and responded to an Amazon Web Services access key crisis using Amazon GuardDuty and CloudTrail logs to secure cloud insecurities.
Security operations | 4 min read
Thinking about Zoom and risk
For many of us, Zoom is the app that’s keeping us connected. But recent news about security concerns has a lot of us wondering if it’s too risky. So... is it? Our CISO shares his thoughts.
Security operations | 3 min read
Election security: Why to care and what to do about it
Whether you work in security or are an informed voter (or both!), the security of our election ecosystem is everybody’s business. Here are the challenges our system faces and what we can do about them.
Security operations | 5 min read
7 habits of highly effective (remote) SOCs
Security ops is a team sport … but how do you “play” together when your company’s working 100% remotely? Jon’s got some advice.
Security operations | 2 min read
NIST CSF: A new interactive tool to track your progress
There’s lots to like about the NIST CSF. Here are our practical tips for how to use it, plus a preview of a new NIST feature we introduced in Expel Workbench™.
Security operations | 5 min read
Creating data-driven detections with DataDog and JupyterHub
Creating alert thresholds is critical to *not* driving your SOC analysts batty, but what’s the “right” number? Here are some tips, tricks and favorite tools we use to determine alert thresholds for customer environments.
Security operations | 6 min read
Exabeam: an incident investigator’s cheat code
We love EDR tools too, but here are our best tips and tricks for combining EDR data with other (equally) important security signals.
Security operations | 8 min read
Why the cloud is probably more secure than your on-prem environment
Is your data really safer in the server room next door? Probably not. Here are five reasons why the cloud offers better security than your on-prem environment.
Security operations | 3 min read
Where does Amazon Detective fit in your AWS security landscape?
If you’re running workloads on AWS, then you’ll want to know all about the latest and greatest AWS-native security tools. We’ve got you covered in our latest post.
Security operations | 8 min read
Using JupyterHub for threat hunting? Then you should know these 8 tricks.
Jupyter Notebook gave us the freedom to rethink the way we analyzed hunting data. Here are some tips and tricks you can use in your own analysis.
Security operations | 5 min read
Making sense of Amazon GuardDuty alerts
If you’re running workloads on AWS, then you’d better be running GuardDuty. But what is it and how can you make sense of all the signals? Here are our pro tips.
Security operations | 5 min read
Better web shell detections with Signal Sciences WAF
Is Signal Sciences WAF part of your tech stack? Then you’ve got an amazing webshell detection method right at your fingertips.
Security operations | 5 min read
MFA is not a silver bullet to secure your cloud email
Learn how dual or multi-factor authentication (MFA) is not an entirely secure solution for cloud email security on the Expel blog.
Security operations | 10 min read
Applying the NIST CSF to U.S. election security
NIST isn’t only useful for corporations -- it’s helpful for guiding security activities around processes like our national elections. Our CISO’s got some thoughts on exactly how to apply NIST to election security.
Security operations | 7 min read
Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail
Looking to get more or better security signals from AWS Cloudtrail? Learn how with Expel.io. See how we use the Sumo Logic SIEM for actionable data.
Security operations | 6 min read
Five things law firms can do now to improve their security for tomorrow
Relativity CSO Amanda Fennell shares the top five, easy-to-get-started things she sees forward-thinking law firms doing to improve their security.
Security operations | 8 min read
Our journey to JupyterHub and beyond
If you use or are considering trying JupyterHub, it’s your lucky day -- we’re sharing configuration tips and tricks, how we’re using it to make technical research easier, and much more.
Security operations | 4 min read
3 must-dos when you’re starting a threat hunting program
So you decided you want to build a threat hunting program ... but where do you start? Here are our three must-dos when you’re planning your hunt.
Security operations
Here’s what you need to know about business email compromise (BEC)
How often does a business email compromise actually happen? And what should you do about it? Our infographic answers those questions and more.
Security operations | 6 min read
How to make your org more resilient to common Mac OS attacks
Got Macs in your org? Here are a few recent Mac OS attack trends and how you can become more resilient to ‘em.
Security operations | 8 min read
The top five pitfalls to avoid when implementing SOAR
SOAR isn’t really about “orchestration and response.” It’s an engineering problem at its core. Here’s why.
Security operations | 6 min read
How to find anomalous process relationships in threat hunting
Finding anomalous process relationships -- commands that don’t belong together -- might indicate a problem within your environment. Here’s how to spot ‘em.
Security operations | 5 min read
This is how you should be thinking about cloud security challenges
Your IT team isn’t racking and stacking servers like they used to, but cracking the cloud security code is easier than you think. Get our pro tips for doing just that.
Security operations | 7 min read
How to choose the right security tech for threat hunting
How do you decide which tech to use to carry out your hunt? This post’s got some pro tips for when and how to use different technology for your threat hunting mission.
Security operations | 4 min read
Don’t blow it — 5 ways to make the most of the chance to revamp your security posture
If you’ve got a blank canvas with the opportunity to build a security program from scratch, here’s how to get started and make the most of your new program.
Security operations | 4 min read
NIST’s new framework: Riding the wave of re-imagining privacy
The NIST Privacy Framework will revolutionize how we think about privacy. Here’s how your org might use it.
Security operations | 3 min read
Four habits of highly effective security teams
Practice these habits consistently and you’ll have an engaged, talented and all-around awesome security team.
Security operations | 4 min read
How to get your security tool chest in order when you’re growing like crazy
Need to expand your security tool chest? Our CISO’s got some tips to consider when thinking about what tech to keep or buy.
Security operations | 4 min read
Does your MSSP or MDR provider know how to manage your signals?
How well is your MSSP or MDR going to manage your fleet of security signals over time? Here’s how to figure out whether they’re up for the challenge.
Security operations | 7 min read
How to build a useful (and entertaining) threat emulation exercise for AWS
Want to test your analysts’ detection skills in the cloud? Here are our tips and tricks for building your own threat emulation exercise in AWS.
Security operations | 9 min read
12 ways to tell if your managed security provider won’t suck next year
How can you figure out if the quality of the service you’re about to sign up for will improve over time? Our COO Yanek Korff’s got some tips for making sure you choose a service that’ll last.
Security operations | 4 min read
How to start a cybersecurity program (or restart one that lapsed)
If you're left holding the hot potato of a legacy lackluster security program, or are suddenly forced to protect your org and its data with less, here are a few quick steps to take to get cybersecurity efforts back on track.
Security operations | 3 min read
Three tips for getting started with cloud application security
If you're feeling like your SaaS security knowledge is a bit cloudy, these three pro tips will get you started on the right path.
Security operations | 3 min read
Office 365 security best practices: five things to do right now to keep attackers out
Here are five Office 365 security best practices to check out right now.
Security operations | 5 min read
Reaching (all the way to) your NIST 800-171 compliance goals
Close common compliance gaps, without building a SOC, for NIST 800-171 security requirements. And a bit about how we can help.
Security operations | 7 min read
Getting a grip on your cloud security strategy
Understanding how to think about cloud security differently is half the battle. At Expel, we've thought a lot about it, and we’ve identified three key points that should inform your cloud strategy.
Security operations | 12 min read
A common sense approach for assessing third-party risk
Let us walk you through our third-party assessment process. We think it's lightweight but still achieves the objective - determining if a vendor can be trusted. And, as a bonus, we're providing the third-party questionnaire and emails we use so you can download it and get going right away.
Security operations | 7 min read
Lessons learned from a CISO’s first 100 days
In this guest post, Amanda Fennell, CSO at Relativity, reflects on what she’s learned -- I recently finished my first 100 days as Chief Security Officer (CSO) of Relativity. I’ve learned a lot. And while every new CSO faces unique challenges, I’ve come up with some recommendations to help new CSOs.
Security operations | 4 min read
What’s new in the NIST Cybersecurity Framework (CSF) v1.1
In case doing a “stare-and-compare” of the original and updated NIST frameworks isn’t your idea of fun, I’ve highlighted three important changes here.
Security operations | 5 min read
What is (cyber) threat hunting and where do you start?
We want to demystify what threat hunting is and what it’s not. So here goes nothin’ ...
Security operations | 8 min read
What “I Love Lucy” teaches us about SOC performance
A little nerdy (and a lot math-y) post to help you better understand your SOC's systems, so you know how changes will impact its operation.
Security operations | 5 min read
Managed detection and response (MDR): symptom or solution?
An uncommonly clear review of what managed detection and response (MDR) is, where it came from and what it can/can't do for you.
Security operations | 3 min read
Decoded: new changes to NIST’s Cybersecurity Framework
NIST has polished up their Cybersecurity Framework. Our CISO, Bruce Potter, highlights three of the most significant (and practical) changes.
Security operations | 3 min read
What’s endpoint detection and response (EDR) and when should you care?
We cut through the hype to explain what Endpoint Detection and Response (EDR) tools can do for you. (3 min read)
Security operations | 7 min read
Warning signs that your MSSP isn’t the right fit
Look out for these 5 indicators that it's probably time to start considering alternatives to your managed security services provider (MSSP). 8 min read.
Security operations | 4 min read
Budget planning: determining your security spend
Guidance and a short list of things you can do to help you answer the common question "how much should I spend on cybersecurity?" (5 min read)