Welcome to Stories from the SOC, a new series providing monthly insights from our Cyber Defence Team at CyberOne. Each month, we’ll take you behind the scenes of our 24×7 Security Operations Centre (SOC), where we share real incidents, real decisions and real outcomes. These stories highlight how we respond, what we learn, and how we transform threat data into proactive defence — all while making cyber security clear and actionable for business leaders.
What you do in the first hour defines your security posture. The right response, at speed, is the difference between an incident and an incident headline. In this first Stories from the SOC, I want to give you a real glimpse into how we work, through the lens of a real cyber incident that unfolded at the end of last month.
What began as a few “odd” emails escalated into a full-scale coordinated response. This isn’t a dramatisation but a factual retelling of the events, showing how our SOC team responded with speed, collaboration and depth. It’s how we deliver our real-time defence — and why our clients trust us to support them 24x7x365.
This is a classic example of where human intuition meets expert escalation. When something feels off, our clients know they can reach us directly and get any issues promptly addressed.
By early afternoon, Darren from our Customer Success team flagged that more users were receiving these emails. Then Hannah, our Head of Delivery, discovered that multiple clients had raised concerns. A pattern was forming.
Think of it like junk mail with a hidden purpose — it might include strange formatting, unexpected attachments or links that redirect through unfamiliar websites, emails that create a sense of urgency (e.g. “click now to avoid lockout”) or messages that appear to come from a trusted source — but aren’t.
Hannah quickly escalated it to me. The behaviour wasn’t isolated and it wasn’t random. I knew we needed eyes on this fast.
Credential phishing occurs when an attacker sends a seemingly innocent email trying to trick the recipient into revealing login details, usually by pretending to be Microsoft, IT or HR. These emails are often disguised as “action required” messages from trusted sources or internal systems. The goal is simple: gain access and move quietly.
The atmosphere was focused, but calm. This is what we train for.
IR stands for Incident Response. It’s our elite team of cyber specialists trained to:
They work like a digital emergency response unit — always on, always ready.
At this stage, every IR team member present is given a full rundown of the incident. This ensures everyone is working from the same page, has clear objectives aligned with the overarching response procedure, and that our workloads do not conflict, which gives the timeliest response.
The CIRT investigated the email metadata, links, sender profiles and attachment behaviour. This wasn’t spray-and-pray phishing. It was targeted and potentially linked to an attacker using reconnaissance tactics or pre-staging a larger attack.
We act decisively in potential breach scenarios. A soft delete lets us move quickly without disrupting the investigation. A hard delete ensures full removal when malicious content is confirmed, eliminating the risk of accidental clicks or data leaks from the user’s side.
Behind every email is a digital trail — who sent it, where it came from, what it’s trying to do. Email metadata includes:
We use this to determine intent and track attacker behaviour.
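The metadata checks described above (sender path, authentication results, who the message claims to be from versus who can reply, where its links go, and the urgency language mentioned earlier), as an added example that is not part of the original post and not CyberOne's own tooling: a small Python triage script that reads a raw message and counts those indicators. Both messages, their example.net/example.com domains and their reserved-range IP addresses are constructed for the example; the indicator list and the scoring are assumptions, not a description of how the SOC actually scores mail.

```python
"""Email metadata triage: pull the sender path, authentication results,
From/Reply-To mismatch and link domains out of a raw message and score them.
Added example; sample messages below are constructed, not real incidents."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed phishing-style message: the display From spoofs a well-known
# brand, but SPF/DKIM/DMARC and the Reply-To point somewhere else entirely.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-notify.example.net>
Received: from mail-notify.example.net (mail-notify.example.net [203.0.113.7])
\tby mx.tenant.example.com with ESMTP; Thu, 24 Apr 2025 13:02:11 +0000
Authentication-Results: mx.tenant.example.com;
\tspf=softfail smtp.mailfrom=mail-notify.example.net;
\tdkim=none;
\tdmarc=fail header.from=microsoft.com
From: "Microsoft 365 Admin" <noreply@microsoft.com>
Reply-To: helpdesk@mail-notify.example.net
To: user@tenant.example.com
Subject: Action required: password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Click now to avoid lockout:
https://login-verify.example.net/portal?u=user
"""

# Constructed benign internal notice for comparison.
BENIGN_RAW = """\
Return-Path: <alerts@tenant.example.com>
Received: from smtp.tenant.example.com (smtp.tenant.example.com [192.0.2.10])
\tby mx.tenant.example.com with ESMTP; Thu, 24 Apr 2025 13:05:00 +0000
Authentication-Results: mx.tenant.example.com; spf=pass smtp.mailfrom=tenant.example.com; dkim=pass header.d=tenant.example.com; dmarc=pass header.from=tenant.example.com
From: IT Service Desk <alerts@tenant.example.com>
To: user@tenant.example.com
Subject: Monthly maintenance window
Content-Type: text/plain; charset="utf-8"

The intranet will be unavailable on Saturday 03:00-04:00.
Details: https://intranet.tenant.example.com/maintenance
"""

# Assumed list of pressure phrases; a real rule set would be far larger.
URGENCY_PHRASES = ("click now", "avoid lockout", "action required", "expires",
                   "verify your account", "urgent")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value, or '' if none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def triage_email(raw: str) -> dict:
    """Extract metadata indicators from a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(str(msg.get("From", "")))
    reply_to_domain = _domain(str(msg.get("Reply-To", "")))

    # Authentication-Results as written by the receiving MX, unfolded.
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        results[mech] = m.group(1).lower() if m else "none"

    # The top-most Received header is the hop that handed the mail to our MX.
    received = msg.get_all("Received") or []
    ip_match = (re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
                if received else None)
    sender_ip = ip_match.group(1) if ip_match else ""

    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    link_domains = sorted({d.lower() for d in re.findall(r"https?://([^\s/?#]+)", body)})

    indicators = []
    if reply_to_domain and reply_to_domain != from_domain:
        indicators.append(f"reply-to domain {reply_to_domain} differs from From domain {from_domain}")
    if results["dmarc"] == "fail":
        indicators.append("DMARC failed for the From domain")
    if results["spf"] != "pass":
        indicators.append(f"SPF result is {results['spf']}")
    for d in link_domains:
        if d != from_domain and not d.endswith("." + from_domain):
            indicators.append(f"link to {d} does not belong to {from_domain}")
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("urgency language in subject or body")

    return {"from_domain": from_domain, "reply_to_domain": reply_to_domain,
            **results, "sender_ip": sender_ip, "link_domains": link_domains,
            "indicators": indicators, "score": len(indicators)}


if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        verdict = triage_email(raw)
        print(label, verdict["score"], verdict["sender_ip"], *verdict["indicators"], sep="\n  ")
```

The score is only a triage aid: the DMARC and SPF results come from the receiving MX's own Authentication-Results header, so they are trustworthy, while the Reply-To and link checks are heuristics that an analyst confirms before any action is taken.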
In cyber security, reconnaissance is the digital version of scouting. Before launching a full attack, threat actors often probe users or systems to:
After a short discussion, we came to a solution:
Bryan implemented tactical mail-flow blocks, stopping any further communication from the domains the attacker was using. We reviewed the domains in use and accepted the impact that blocking genuine domains could have on our clients' businesses. However, security must come first, and we were not prepared to take a risk and wait for the inevitable.
In addition, Joshua reviewed Microsoft Teams configurations to ensure lateral movement couldn’t happen through chat-based channels — a newer tactic we’ve seen in recent campaigns. This was the tactic we suspected would come next.
Think of it like the Royal Mail sorting through your post and running it through checks or scanners to find anything harmful. Mail flow controls let you define who you don't want to receive mail from.
At 14:35, I issued an internal comms update to all users, helping everyone understand what had happened, what had been done and what to look out for.
Visibility reduces panic. Keeping stakeholders informed builds trust, aids prevention and ensures coordinated behaviour across the organisation.
That’s why CyberOne always keeps stakeholders in the loop.
This is when attackers target people, not just systems. They use manipulation, like fear, urgency or curiosity, to get users to click a link or share info. It’s not a technical hack — it’s a psychological one.
What is Hyperion?
Hyperion is CyberOne’s proprietary detection engine — a constantly evolving library of custom Sentinel rules, SOC playbooks and automated responses built from real-world incident intelligence.
When we detect a new tactic or technique, we don’t just fix it for one client.
We use Hyperion to roll out pre-emptive defences to every environment we manage. It is shared protection at scale — instantly. Because of this approach, what we learned in one tenant now safeguards all other clients automatically.
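How a pattern spotted across several clients can be turned into a block that protects every managed environment (Bryan's mail-flow block above, and the Hyperion rollout described here), as an added Python example that is not Hyperion and not CyberOne's code: it correlates constructed mail events across tenants, raises an alert when a sender domain outside the known-good baseline reaches several tenants or several recipients within a short window, and then produces a per-tenant block list, holding back for review any domain a tenant has explicitly allow-listed (the "genuine domain" trade-off mentioned above). The tenant names, domains, thresholds and event shape are all assumptions.

```python
"""Cross-tenant sender correlation and block-list rollout.
Added example; events and tenant names are constructed, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MailEvent:
    tenant: str
    received: datetime
    sender_domain: str
    recipient: str


def detect_campaign(events, window=timedelta(hours=2), min_tenants=2,
                    min_recipients=4, baseline=frozenset()):
    """Alert once per sender domain (not in the known-good baseline) whose mail
    reaches >= min_tenants tenants or >= min_recipients mailboxes inside `window`."""
    by_domain = defaultdict(list)
    for e in events:
        if e.sender_domain not in baseline:
            by_domain[e.sender_domain].append(e)

    alerts = []
    for domain, evs in by_domain.items():
        evs.sort(key=lambda e: e.received)
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.received - start.received <= window]
            tenants = {e.tenant for e in in_window}
            recipients = {(e.tenant, e.recipient) for e in in_window}
            if len(tenants) >= min_tenants or len(recipients) >= min_recipients:
                alerts.append({"sender_domain": domain, "first_seen": start.received,
                               "tenants": sorted(tenants), "recipients": len(recipients)})
                break  # one alert per domain is enough to act on
    return alerts


def build_block_policy(alerts, managed_tenants, allowlists):
    """Roll the alerted domains out as blocks to every managed tenant. A domain a
    tenant has explicitly allow-listed is not blocked silently; it is flagged so
    the team can weigh the business impact before overriding the allow list."""
    blocked = sorted({a["sender_domain"] for a in alerts})
    policy = {}
    for tenant in managed_tenants:
        allowed = allowlists.get(tenant, frozenset())
        policy[tenant] = {"block": [d for d in blocked if d not in allowed],
                          "needs_review": [d for d in blocked if d in allowed]}
    return policy


def _at(hh, mm):
    return datetime(2025, 4, 24, hh, mm)


# Constructed sample: one unfamiliar domain hits three tenants in 40 minutes,
# a known partner mails everyone (baseline), and a newsletter stays below thresholds.
SAMPLE_EVENTS = [
    MailEvent("tenant-a", _at(13, 1), "mail-notify.example.net", "alice"),
    MailEvent("tenant-a", _at(13, 4), "mail-notify.example.net", "bob"),
    MailEvent("tenant-b", _at(13, 20), "mail-notify.example.net", "carol"),
    MailEvent("tenant-c", _at(13, 41), "mail-notify.example.net", "dave"),
    MailEvent("tenant-a", _at(9, 0), "partner.example.com", "alice"),
    MailEvent("tenant-b", _at(9, 2), "partner.example.com", "carol"),
    MailEvent("tenant-c", _at(9, 5), "partner.example.com", "dave"),
    MailEvent("tenant-b", _at(10, 0), "news.example.org", "carol"),
    MailEvent("tenant-b", _at(10, 1), "news.example.org", "erin"),
]
KNOWN_GOOD = frozenset({"partner.example.com"})
MANAGED_TENANTS = ("tenant-a", "tenant-b", "tenant-c", "tenant-d")
# tenant-d (not even hit by the campaign) happens to allow-list the domain.
ALLOWLISTS = {"tenant-d": frozenset({"mail-notify.example.net"})}


if __name__ == "__main__":
    found = detect_campaign(SAMPLE_EVENTS, baseline=KNOWN_GOOD)
    for alert in found:
        print("ALERT", alert["sender_domain"], alert["first_seen"], alert["tenants"])
    for tenant, action in build_block_policy(found, MANAGED_TENANTS, ALLOWLISTS).items():
        print(tenant, action)
```

The baseline of known-good domains is what keeps a legitimate bulk sender from tripping the cross-tenant rule, and the needs_review bucket is where the "accept the impact of blocking a genuine domain" decision from the incident gets made explicitly rather than by accident.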
But communication alone isn’t enough. At CyberOne, we focus on closing the loop — ensuring every incident ends with a complete review, reflection and response plan. This means:
Because of this approach, a single localised threat became a proactive protection point for every client we support — and a powerful learning opportunity for everyone involved. That’s the CyberOne difference: every alert makes us stronger.
End-to-End: from first advisory to full environment-wide protection in under 3 hours.
This included:
Every incident is also an opportunity to strengthen. We treat learning as part of the containment process because resilience isn’t a fixed state; it’s a continual evolution.
This wasn’t just a successful incident response but a real-world demonstration of our cyber defence. Our clients rely on us for more than alerts; they expect:
And with our SLA-backed Assure 365 service, that’s exactly what we deliver — every single day.
Ready to protect your business like this? Let’s talk!