SOC Leadership
Purple-Team Tabletops for SIEM Operators
Program narrative
Facilitators rotate roles between defender, attacker proxy, and scribe. You will practice time caps, evidence selection, and post-exercise activity log entries that engineers respect.
What is included
- Tabletop timer scripts
- Evidence selection rubric
- Scribe checklist for activity logs
- Warm debrief prompts
Outcomes you can evidence
- Run a 60-minute tabletop with clear evidence packets
- Capture decisions in an activity log format engineering accepts
- Identify two SIEM views that speed—not slow—discussion
Course questions
No live offensive operations. We use scripted attacker cards.
Cohort voices
The evidence rubric stopped our tabletops from becoming slide shows.