Part V: Security Operations
"Logs are the ground truth. Everything else is opinion."
You have built defenses through four parts — network controls, hardened systems, identity. Part V answers the question that decides whether any of it works in practice: when an attacker gets in anyway, will you know, and what will you do? This is the operational heart of the book, the part that lives Theme 4 most directly. We assume breach not as a slogan but as a daily operating posture. Defenses fail; the measure of a security program is not whether it is ever breached but how fast it detects, how cleanly it responds, and how much it learns. Security operations is where that capability is built and run.
The asymmetry that has shaped the whole book reaches its sharpest point here. Attackers need to be right once; defenders need to be right every time — which is impossible, so instead defenders aim to be fast. The entire discipline of security operations is an answer to inevitable failure: collect the telemetry, correlate it into signal, hunt for what the alerts miss, respond under uncertainty when an incident is confirmed, and investigate rigorously afterward so the next one is caught sooner. These five chapters walk that loop end to end, in the order an analyst lives it.
We begin with the SIEM — the central nervous system that ingests and correlates the logs from everything you built in Parts II–IV. Then threat detection and hunting, which turns intelligence and ATT&CK into detections and goes looking for the adversary who hasn't tripped an alarm. Vulnerability management closes the windows attackers exploit, prioritizing ruthlessly because you can never patch everything. Incident response is the playbook for the worst day — preparation through containment, eradication, recovery, and a blameless post-mortem. And digital forensics preserves the evidence and reconstructs the timeline that tells you what actually happened and how far it went.
Two anchors come due in this part. SolarWinds-style beaconing becomes a concrete detection-and-hunting exercise in Chapter 22, and the Colonial Pipeline-style ransomware scenario is run as a full Meridian tabletop in Chapter 24 — the single most realistic rehearsal in the book.
What you will learn
- Chapter 21 — SIEM. Design log collection and normalization at scale, write correlation rules and detection use cases, tame alert fatigue, and query logs with SQL/SPL/KQL.
- Chapter 22 — Threat Detection and Hunting. Turn threat intelligence and MITRE ATT&CK into detections, run hypothesis-driven hunts, distinguish IoCs from behavioral detection (the pyramid of pain), and measure detection coverage.
- Chapter 23 — Vulnerability Management. Run the vulnerability-management lifecycle, prioritize with CVSS plus EPSS, KEV, and asset context, set risk-based patch SLAs, and report trend metrics — including the vulnerability that never gets fixed.
- Chapter 24 — Incident Response. Run the NIST SP 800-61 lifecycle, build IR plans and playbooks, make containment decisions under uncertainty, run a tabletop, and conduct a blameless post-incident review.
- Chapter 25 — Digital Forensics for Defenders. Preserve evidence and chain of custody, acquire disk and memory soundly, build timelines from artifacts, scope a breach, and respect forensics' legal limits.
Advancing the Meridian program
Part V stands up Meridian's living defense. Chapter 21 deploys the bank's SIEM and writes its first ten detection use cases, drawing log sources from every prior part. Chapter 22 builds a detection-and-hunting program and hunts for SolarWinds-style beaconing across Meridian's environment. Chapter 23 establishes vulnerability-management policy and SLAs and triages a Log4Shell-class emergency under pressure. Chapter 24 produces the bank's incident-response plan and playbooks — and rehearses them in a ransomware tabletop. Chapter 25 builds forensic readiness and investigates the aftermath of that scenario. The bluekit toolkit gains its operations modules: siem.py (normalize, correlate), detect.py (ioc_match, attack_technique), vulnmgmt.py (priority, patch_sla), ir.py (triage, containment), and forensics.py (evidence_hash, merge_timeline).
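To make the normalize-then-correlate pattern that siem.py is described as providing concrete, here is an added, self-contained illustration. It is not the bluekit code the book ships: the function names mirror the stated interface (normalize, correlate), but the common event schema, the correlation rule (N failures followed by a success from the same source within a window), the two source formats and the sample log lines are all constructed for this example.

```python
"""Illustrative normalize/correlate pass over constructed log lines.

Added example, not the bluekit siem.py module. Function names follow the
interface named in the text (normalize, correlate); the schema, the rule and
the sample data below are assumptions made for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample lines in two source formats: Linux sshd syslog and a
# Windows Security event flattened to key=value pairs (RFC 5737 test IPs).
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z host1 sshd[1200]: Failed password for alice from 203.0.113.5 port 50211 ssh2",
    "2024-03-01T09:00:04Z host1 sshd[1200]: Failed password for alice from 203.0.113.5 port 50213 ssh2",
    "2024-03-01T09:00:07Z host1 sshd[1200]: Failed password for alice from 203.0.113.5 port 50215 ssh2",
    "2024-03-01T09:00:09Z host1 sshd[1200]: Accepted password for alice from 203.0.113.5 port 50217 ssh2",
    "2024-03-01T09:00:30Z host1 sshd[1201]: Failed password for bob from 198.51.100.9 port 40001 ssh2",
    "2024-03-01T09:01:00Z win-dc01 EventID=4625 TargetUserName=carol IpAddress=192.0.2.44",
    "2024-03-01T09:01:02Z win-dc01 EventID=4625 TargetUserName=carol IpAddress=192.0.2.44",
    "2024-03-01T09:01:05Z win-dc01 EventID=4625 TargetUserName=carol IpAddress=192.0.2.44",
    "2024-03-01T09:30:00Z win-dc01 EventID=4624 TargetUserName=carol IpAddress=192.0.2.44",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)


def normalize(line: str) -> Optional[Dict]:
    """Map one raw line onto a common schema: ts, host, user, src_ip, outcome.

    Returns None for lines in a format this toy parser does not know; a real
    pipeline would count and surface those rather than silently drop them.
    """
    m = SSHD_RE.match(line)
    if m:
        outcome = "success" if m["result"] == "Accepted" else "failure"
    else:
        m = WIN_RE.match(line)
        if not m:
            return None
        # 4625 = logon failure, 4624 = successful logon (Windows Security log)
        outcome = {"4624": "success", "4625": "failure"}.get(m["eid"])
        if outcome is None:
            return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["src"],
        "outcome": outcome,
    }


def correlate(events: List[Dict], threshold: int = 3,
              window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Rule: >= threshold failures for one (src_ip, user) pair, then a success
    within `window` of those failures. Failures outside the window do not count,
    so a slow trickle followed by a much later success raises nothing."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["src_ip"], ev["user"])].append(ev)

    alerts = []
    for (src, user), evs in by_key.items():
        failures: List[datetime] = []
        for ev in evs:
            if ev["outcome"] == "failure":
                failures.append(ev["ts"])
                continue
            # A success: count only the failures that fall inside the window.
            recent = [t for t in failures if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "src_ip": src,
                    "user": user,
                    "host": ev["host"],
                    "failures": len(recent),
                    "success_at": ev["ts"].isoformat(),
                })
            failures = []  # a success closes the current failure run
    return alerts


def run(lines: List[str] = SAMPLE_LOGS) -> List[Dict]:
    """Normalize every line, discard unparsed ones, and apply the rule."""
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only alice's login fires: three failures and a success inside nine seconds. carol also has three failures, but her success arrives 29 minutes later, outside the five-minute window, so the rule stays quiet; bob never succeeds at all. That window boundary is exactly the kind of decision a correlation rule has to make explicitly, and it is the lever you tune when Chapter 21 turns to alert fatigue.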
Prerequisites
This part assumes the whole book to date, and especially Part II Chapter 10 (network monitoring feeds the SIEM) and Part I Chapter 2 (the threat actors and kill chain you now detect). Within Part V the order is strict and cumulative: Chapter 22 builds on the SIEM of Chapter 21; Chapter 24 builds on the detection of Chapter 22; Chapter 25 follows directly from incident response in Chapter 24. Do not start here cold — security operations only makes sense once you know what you are collecting telemetry about.
Time investment
| Chapter | Title | Estimated hours |
|---|---|---|
| 21 | SIEM | 6–7 |
| 22 | Threat Detection and Hunting | 6–7 |
| 23 | Vulnerability Management | 6 |
| 24 | Incident Response | 7 |
| 25 | Digital Forensics for Defenders | 6 |
| Part V total | | 31–33 |
This is the SOC-analyst track's home; SOC readers should work through all five chapters hands-on and treat the Chapter 24 tabletop as a rehearsal, not a reading. GRC-track readers will want Chapters 23 and 24 (the policy and reporting dimensions). Chapter 25 is the most advanced in the part — budget extra time for the forensic acquisition and timeline material.
Where this leads
You can now detect, respond to, and investigate attacks. But operations without governance does not scale, does not survive an audit, and cannot justify its budget to a board. Part VI rises from the SOC floor to the program level — the policies, risk management, compliance frameworks, vendor risk, and security culture that make all of this defensible, fundable, and sustainable.
Chapters in This Part
- Chapter 21: Security Information and Event Management (SIEM): Centralized Logging and Correlation
- Chapter 22: Threat Detection and Hunting: Indicators of Compromise, Threat Intelligence, and Hunting for Adversaries
- Chapter 23: Vulnerability Management: Scanning, Prioritizing, Patching, and the Vulnerability That Never Gets Fixed
- Chapter 24: Incident Response: Preparation, Detection, Containment, Eradication, Recovery, and Lessons Learned
- Chapter 25: Digital Forensics for Defenders: Preserving Evidence, Timeline Analysis, and Post-Breach Investigation