// soc investigation workflows

Same alert.
Two analysts.
Different conclusions.

Most SOC teams have the tools. What's missing is a consistent process. Structured investigation workflows for phishing, credential dumping, PowerShell, identity compromise, and more.

Pick a workflow, paste into ChatGPT or Claude, get structured output

No signup required·Used by SOC analysts in 10+ countries·Built for real investigations

Tested by a SOC analyst
Built for real security tasks
Guided input, not random prompts
Works with ChatGPT, Claude & Gemini
Free to use

// how it works

From alert to verdict in minutes

[01]

Pick a workflow for your alert type

Select the workflow that matches what you're investigating — phishing, PowerShell, identity, network, ransomware, and more.

[02]

Follow the structured investigation steps

Each workflow gives you a step-by-step process: what to check, what to decode, and what questions to ask — the same way an experienced analyst would.

[03]

Reach a confident verdict faster

Produce a structured SOC summary with severity, MITRE mapping, IOCs, and recommended actions — ready to paste into your ticket or escalate.

// investigation workflows

Browse Workflows

// faq

Common questions

> Do I need to sign up?
// No. Pick a workflow and start immediately. No account, no email, no friction.
> Is this for beginners or experts?
// Both. Junior analysts follow the steps to build confidence. Senior analysts use it to move faster and document better.
> How is this different from Google?
// Structured investigation workflows, not search results. Each one tells you exactly what to check and in what order — built around real SOC scenarios.
> Is it free?
// Yes, completely free. Always will be for defenders.

Built by a defender, for defenders.

SOC.Workflows started from a simple frustration — AI tools are powerful, but most security analysts don't know how to prompt them effectively for real investigation work.

These workflows are different. Each one is structured, step-by-step, and built around real SOC scenarios. Not generic prompts. Not marketing fluff. Just guided inputs that help you investigate faster and document better.

Currently free. Always will be for defenders.

Get in Touch

Questions, feedback, or just want to say hello — reach us at gauravkundu12@gmail.com

Stay updated


Get notified when new workflows are added. No spam. Unsubscribe anytime.

Free forever·New workflows monthly·No spam
