How we built it: the Expel SOC-in-the-Sky


This February, over 400 Expletives flocked from all over to convene in Miami for our first-ever company kickoff (CKO) celebration. It was a week of laughs, collaboration, excitement, and, for some of us, in-person introductions to co-workers we’ve only ever met via Zoom.

But with great events come great logistical challenges, particularly for a 24×7 service like ours.

So the question became: how do we ensure the hardworking folks in the Expel security operations center (SOC), who so often devote their nights and weekends to our customers, can also come to Miami and benefit from in-person camaraderie?

Turns out, the answer was a “SOC-in-the-Sky.”

This meant converting a multi-purpose room on the top floor of the hotel hosting CKO (S/O to the Hyatt Regency, Miami) into an around-the-clock mobile SOC—which we called SOC-in-the-Sky because how cool does that sound? The team touched down the Saturday before the festivities and got to work outfitting the space with the necessary infrastructure. That included making sure we had things like external monitors, privacy screens, redundant power supplies, fast internet connections, and just the right amount of physical security to protect the space. And of course, the requisite amount of energy drinks.

Now, it’s a SOC.

All of these details set up our SOC for success to do what they do: monitor and defend more than 300 customers and their entities from cyber attacks. To put that into perspective, over 300 customers and their entities means continuously:

  • monitoring millions of endpoints, identities, cloud resources and workloads distributed across five different continents, and
  • providing phishing expertise to hundreds of thousands of people around the world.

Over the course of a typical day in our SOC-in-the-Sky, we processed around 2.5-3.5 billion events from 100+ tech integrations with our platform. Those events were all processed through Josie™, our detection bot, who filtered and passed better than a thousand events to the Expel team for human judgment.

Those filtered events were then picked up in mere minutes by our SOC analysts. The SOC team runs hundreds of investigative actions through Expel Workbench™, our security operations platform, and in the process they identify somewhere between 10-15 security incidents for multiple customers. These security incidents are a mix of account takeover activity, deployment of malware to gain initial access by ransomware operators, abuse of cloud misconfigurations, and authorized red teams.

Ruxie™, our orchestration bot, runs thousands of investigative actions on behalf of our analysts. Ruxie is also smart enough to make triage decisions—it closes around 5% of the alerts sent to the Expel SOC for review and handles about a third of all investigations performed in any given day.

Let’s see, what else? Oh, right. We investigate around 1,000 suspicious email submissions from our customers each day.

How the heck do we do it? We put information and people in the exact right place at the exact right moment. The net of it all is we’re able to take billions of events, use the right mix of people and technology to find the things that matter quickly, figure out what happened, and take action to reduce risk.

This is what happened in the SOC-in-the-Sky. It was the physical representation of the intersection of our platform and our people, each doing what they do best.

Want a deeper dive into the patterns and trends our SOC identified last year? Check out our annual threat report, Great eXpeltations, for a behind-the-scenes peak.