Case Study 1: Scaling Meridian's SOC Before It Breaks
"I built a security program with a beautiful dashboard and almost lost the five people who keep it running. The tools were never the problem." — Dana Okafor, CISO, Meridian Regional Bank (constructed)
Executive Summary
Eighteen months into Meridian's security-program maturation, every technical component worked and the team operating them was two resignations from collapse. This case study follows CISO Dana Okafor and SOC manager Marcus Reyes as they redesign Meridian's security operating model — not by buying another tool, but by making a build-versus-buy decision, restructuring the SOC tiers and on-call rotation, fixing a retention problem, and quantifying the whole thing in language the board can act on. You will see this chapter's concepts — org design, the tiered SOC, MSSP versus MDR, runbook-driven operations, on-call and escalation, burnout, and leadership — stop being abstractions and become a survival plan for a real team. The scenario and all figures are constructed for teaching (Tier 3).
Skills applied: security org design and reporting lines; SOC tier modeling; build-vs-buy analysis (in-house / MSSP / MDR / hybrid); staffing-and-SLA calculation; designing an on-call rotation and escalation runbook; diagnosing analyst burnout versus alert fatigue; retention strategy; leading a team through change.
Background
Meridian Regional Bank — ~1,800 employees, ~120 branches, ~2.5 million customers, a hybrid on-prem/AWS environment under GLBA, PCI-DSS, SOX, and FFIEC scrutiny — has spent eighteen months maturing its security program after the Chapter 1 phishing near-miss. The team is the one you know: Dana Okafor (CISO), Marcus Reyes (SOC manager), Priya Nair (IR & threat hunting), Sam Whitfield (engineering), Elena Vasquez (GRC), and Theo Brandt — no longer the brand-new hire of Chapter 1, but a capable Tier 1 analyst eighteen months in, the kind of person who is now expensive to lose.
On paper, the program is a success. The SIEM (Chapter 21) ingests logs bank-wide. Detection use cases (Chapter 22) number in the dozens. Vulnerability management runs on real SLAs (Chapter 23). The IR plan survived a ransomware tabletop (Chapter 24). Governance and policy are board-approved (Chapter 26). The metrics pack (Chapter 36) tells a coherent risk story, and it is green: mean time to detect and respond are within SLA, and detection coverage sits at 78% of the relevant MITRE ATT&CK techniques.
Underneath the green dashboard, the SOC is failing. The new detections generate roughly 400 alerts a day. The on-call rotation has two people on it — Marcus and one analyst — and the analyst has just given notice. Marcus, the best technician on the team, has responded by personally working the deepest tickets and taking most of the 2 a.m. pages himself; he has not had an uninterrupted weekend in two months. Theo has started forwarding recruiter emails to his personal account. The team is closing the large majority of those 400 daily alerts as "false positive" with shrinking investigation time — they are dismissing without truly looking, because five humans cannot carefully examine 400 alerts a day.
Dana, reviewing the quarterly metrics, notices the one thing the dashboard cannot show her: the trend in alert volume per analyst is climbing while investigation time is falling. She does the unscalable thing a leader must sometimes do — she walks over and talks to her people — and learns the truth the dashboard hid. She gives Marcus a mandate: "We are not buying another detection tool. We are fixing how this team works, and we have one quarter to do it."
🔗 Connection: This is Theme 3 — the human is the weakest link and the strongest asset — turned inward on the defenders. Every prior Meridian chapter applied it to end users (the loan officer who clicked; the employee who reported). Here the weakest link is a burned-out analyst reflexively closing the alert that mattered, and the strongest asset is a supported, rested analyst who notices the one anomaly automation missed. The program's risk now lives in its people, not its tools.
The Analysis
Phase 1 — Diagnose the real problem (it is not a tooling problem)
Marcus's first instinct, the engineer's instinct, is to fix the alerts: tune the noisy detections, cut the false positives. That is correct and insufficient. Dana pushes him to separate two problems that feel like one:
- Alert fatigue (Chapter 21's term): the 400 daily alerts contain too much low-quality noise, dulling the team's responses. This is a detection-engineering problem, fixed at the SIEM layer by tuning, enrichment, and suppression of known-benign events.
- Analyst burnout (this chapter's term): the chronic exhaustion and cynicism produced by the volume, monotony, stress, and unsustainable structure — the two-person on-call rotation, the absent career ladder, the endless queue with no variety. This is an organizational problem, fixed at the level of the team and the operating model.
The two are linked — the unmanaged alert fatigue is a leading cause of the burnout — but Marcus
realizes he cannot tune his way out of a staffing-and-structure problem, and he cannot hire his way out
of a noisy-detections problem. He must work both layers. He quantifies the gap honestly using the
staffing.py helpers from the chapter's checkpoint:
Incoming load: ~400 alerts/day -> ~2,800/week
Tier 1 capacity: 5 analysts x ~50 alerts/shift x 5 shifts = ~1,250/week
Verdict: UNDERSTAFFED (2,800 vs 1,250 -> 2.2x over capacity)
⚠️ Common Pitfall: Believing a green metrics dashboard means a healthy function. Meridian's MTTD/MTTR and coverage numbers were genuinely good — because they measured the tools, not the team. A dashboard that does not track alert volume per analyst, investigation time, on-call distribution, and attrition risk can be entirely green while the function quietly collapses. The metric that mattered most was the one no one had put on the slide: can the humans sustain this?
Phase 2 — The build-vs-buy decision
The 2.2× overload will not be solved by asking five people to work harder; that is what is already happening. Meridian needs more capacity, and the headcount math from §37.2 makes the constraint stark: covering a single 24/7 seat in-house takes ~5–7 analysts, and Meridian has five analysts total for the entire function. It cannot build its way to 24/7 in-house coverage on its budget and in its labor market. So Marcus and Dana run the build-versus-buy analysis using the §37.2 factor table:
| Factor | Meridian's situation | Pull |
|---|---|---|
| Size / budget | Mid-size; cannot fund 6+ analysts per 24/7 seat | → buy coverage |
| Environmental complexity | Regulated bank; deep context essential for real incidents | → build judgment |
| Talent market | Midwestern mid-size city; senior analysts scarce and poached | → buy coverage |
| Speed to maturity | Team is breaking now; cannot wait 1–2 years to hire | → buy coverage |
| Data sensitivity | Banking telemetry; must vet any third-party access carefully | → build / vet hard |
| Risk appetite (Ch.27) | Wants to keep incident-command and regulator decisions in-house | → build judgment |
The factors point clearly at a hybrid (co-managed) model, not a binary. The decision:
- Buy the coverage. Engage an MDR provider (Managed Detection and Response) to monitor the alert queue overnight and on weekends and to take first-line response actions on high-confidence detections. Meridian deliberately chooses MDR over a classic MSSP because it wants response, not just "alert shipping" — the MDR contains routine threats at machine speed in the hours the in-house team is asleep.
- Build the judgment. Keep in-house the work that requires deep environmental knowledge and organizational authority: incident command (Priya), threat hunting tailored to banking threats, detection engineering, and the relationships with legal, communications, and the regulators. Meridian buys the clock and builds the brain.
🛡️ Defender's Lens: Granting an MDR provider authority to take actions in the bank's environment — disabling accounts, isolating hosts — is a serious access-governance decision (Chapters 18–19), not a mere procurement. Meridian scopes the MDR's authority tightly (which actions, on which assets, with what approval), logs everything the provider does, and runs a joint runbook so the overnight MDR response hands cleanly to Meridian's morning team. The provider's access is itself a privileged-access problem, and Meridian treats it as one.
The §37.2 war story haunts this decision in a useful way: Marcus refuses to let the new model depend on any one irreplaceable person. The MDR partner removes the single-point-of-failure of "only Marcus can take the overnight page," and the runbook work in Phase 3 ensures the capability survives the loss of any individual.
Phase 3 — Restructure the SOC: tiers, rotation, and runbooks
With the MDR carrying the overnight clock and a tuning effort underway to cut the noisy detections, the human-handled alert load drops to roughly 960/week — and the same five analysts move from 2.2× over capacity to a sustainable 77% utilization (comfortably under the 80% line, with real slack for a sick day or a bad week). Now Marcus rebuilds the operating model around the people:
Clarify the tiers. Meridian formalizes the tier model (Figure 37.2). Theo and the other junior analysts are Tier 1 (triage, runbook-driven, escalate the real ones). Priya anchors Tier 2/3 (investigation, hunting, and — critically — detection engineering, so every alert that reaches her becomes a tuned rule that handles the next occurrence at Tier 1 or in automation). The MDR covers Tier 1 triage during off-hours; Meridian's analysts own escalation and judgment around the clock.
Fix the on-call rotation. The two-person "burnout machine" becomes a six-person Tier 1 rotation (each analyst on-call ~one week in six) and a three-person Tier 2 rotation (Priya plus two designated seniors). The MDR watches the queue overnight, so Meridian's on-call analyst is woken only for genuine escalations, not for routine triage. On-call weeks come with reduced daytime load and time-off-in-lieu — the burden is acknowledged, not treated as invisible overhead.
Write the runbooks. Marcus mandates that the common alert types get documented runbooks owned by Tier 2, refined after every incident (the Chapter 24 lessons-learned loop) and version-controlled like code. The runbooks make the small team resilient (institutional memory that does not quit), onboard new analysts in days, and become the units of automation: each proven runbook is handed to Sam to automate with SOAR. A representative one — the kind of document that turns a stressful 3 a.m. unknown into a checklist a brand-new analyst can follow — reads like this:
RUNBOOK RB-014: Impossible-travel login on the banking platform
Trigger: same user authenticates from two geos too far apart to travel between
in the elapsed time (SIEM correlation rule CR-021).
Severity: SEV-3 (escalate to SEV-2 if the account is privileged or touches the CDE).
ACK: <= 30 min.
Steps:
1. Do NOT close. Pull the two logins: user, source IPs, geos, timestamps, user-agent.
2. Rule out the benign cause: corporate VPN egress? known traveling executive?
cloud service on the user's behalf? (Enrichment auto-added by SOAR.)
3. Check corroboration: failed logins, MFA prompts, new-device registration,
session activity from the foreign geo.
4. Contact the user out-of-band (phone, NOT the possibly-compromised email).
5. DECISION: benign-confirmed -> document + close with reason.
unconfirmed/suspicious -> contain (disable session, force re-auth,
consider account disable) AND escalate per RB-ESC (Fig. 37.3).
Owner: Tier 2 (Priya's group). Last reviewed: post-incident 03-12. Automate: steps 1-2.
The escalation runbook (Figure 37.3, referenced as RB-ESC above) is made explicit so the 3 a.m. analyst never guesses who is next:
ALERT -> severity (Ch.24 matrix)
SEV-4/5 : log / SOAR auto-close / business-hours queue
SEV-3 : on-call Tier 1 investigates per runbook (ACK <=30 min);
unresolved in 30 min -> Tier 2 on-call
SEV-1/2 : on-call Tier 1 ACK <=15 min AND page Tier 2 on-call (ACK <=15 min);
confirmed incident -> SOC Manager (Marcus) declares incident;
SEV-1 / regulatory / > $threshold -> IR Lead (Priya) takes command;
material / breach-clock -> CISO (Dana) -> Legal, Comms, board channel
Off-hours: MDR partner watches queue + first-line response; Meridian on-call owns escalation.
🔄 Check Your Understanding: Meridian dropped the human-handled load from ~2,800 to ~960 alerts/week through two distinct interventions. Name them and classify each as attacking alert fatigue or adding capacity. (Hint: one is a detection-engineering action at the SIEM layer; the other is a sourcing decision. This is exactly why the chapter insists a leader must work both layers.)
Phase 4 — Retention and the leadership shift
Capacity and structure are necessary but not sufficient; Dana knows that a stabilized queue will not, by itself, take Theo's resume down. The retention work:
- Build the career ladder. Marcus writes an explicit path — Tier 1 → Tier 2 → detection engineering / IR / lead — with the skills and milestones for each step. Theo now sees where "next" is and how to reach it. (Chapter 39 maps the broader career landscape; here the ladder is a retention tool.)
- Inject meaningful work. Dana funds a recurring purple-team program (§37.5) and protected learning time. The analysts who spent their days clearing the queue now get to hunt a live (friendly) adversary and immediately build the detection that catches them — the most professionally energizing work in the SOC, and a direct counter to the "futile, monotonous" attrition driver.
- Make Marcus a manager. The hardest change is personal. Dana explicitly tells Marcus to stop working tickets and start managing: own the rotation, the runbooks, the ladder, the load metrics, and — above all — pay human attention to the team. His instinct to "work hardest" by clearing the deepest tickets felt like leadership but was the opposite: heads-down in the queue, he could neither build the structure that lets the team scale nor notice it was failing. Leadership, Dana reminds him, is the work of noticing.
📟 War Story: Constructed. One month into the new model, a SEV-2 fired at 02:40 — a domain-admin login from an unrecognized workstation. Under the old regime, the exhausted two-person rotation might have triaged it slowly or dismissed it. Under the new model: the MDR's analyst caught it in the overnight queue, the escalation runbook routed it to Meridian's Tier 2 on-call within fifteen minutes, Priya took command, the account was disabled and the host isolated by 03:10, and the morning handoff was clean because the joint runbook existed. The post-incident review the next day was blameless — "we are here to fix the system, not find someone to punish" — and produced two new detections. Same bank, same kind of alert that eighteen months of tooling had been quietly mishandling at night; the difference was entirely the operating model and the rested humans running it.
The outcome, one quarter later: Theo took his resume down. Marcus took a weekend off. The detection coverage metric (Chapter 36) climbed as the purple-team program expanded it. And the dashboard stayed green — but now it was telling the truth, because Dana had added the metrics that mattered: alert volume per analyst, on-call distribution, and attrition risk. The program was, for the first time, sustainable.
Phase 5 — Selling it to the board (the money and the risk)
None of this was free, and Dana could not simply announce an MDR contract — the recurring spend had to be justified to the board's Audit Committee, the same committee her dotted line connects to (§37.1). She framed it the way this book frames every security decision: as risk and cost, not fear. The build-vs-buy comparison she put on a single slide:
OPTION YEAR-1 COST (illustrative) 24/7? KEY RISK
------------------------------------------------------------------------------------
Status quo (5 analysts) baseline NO Team collapse; missed
breach (the Vantage risk)
Build to in-house 24/7 + ~4-5 FTE (~5-7/seat math) YES Can't hire/retain in our
market; 1-2 yr ramp; SPOF
Hybrid: keep 5 + MDR + MDR subscription YES 3rd-party action authority
(overnight Tier 1) (< cost of 4-5 FTE) (governed; see Ch.18-19,29)
Fully outsource (MSSP) MSSP subscription YES "Alert shipping"; lose
context, command, regulators
------------------------------------------------------------------------------------
RECOMMENDATION: Hybrid. Buys 24/7 coverage at less than the fully-loaded cost of
hiring 4-5 analysts we cannot reliably hire, while retaining in-house the judgment,
incident command, and regulator relationships a bank cannot outsource.
Dana deliberately did not lead with "we might get breached." She led with the quantified
operational reality: the staffing.py verdict showing the team 2.2× over capacity, the attrition risk
(two of five analysts at flight risk), and the headcount math proving that building to 24/7 in-house was
not merely expensive but infeasible in Meridian's talent market within any acceptable timeframe. The
hybrid recommendation then sold itself as the fiscally responsible option — 24/7 coverage for less than
the loaded cost of analysts the bank could not actually hire.
🔗 Connection: This is the §37.1 reporting-line design paying off in practice. Because Dana has a dotted line to the board Audit Committee, she can make this case to the people who control the budget without it being filtered through a CIO whose own projects her security spend competes with. The org design (Phase implicit) and the operating-model decision (Phases 2–4) are the same story viewed from two ends: structure determines whether the right decision can even be heard, and the decision determines whether the structure can be sustained. A CISO buried three levels down with no board access makes the identical analysis and loses the funding fight anyway.
The committee approved the MDR subscription. The deciding argument was not the threat of a breach — every vendor pitch threatens a breach — but the combination Dana brought that a vendor cannot: a quantified picture of her own team's unsustainable load, a headcount analysis proving the in-house alternative was infeasible, and a clear statement of what would stay in-house and why. That is build-vs-buy argued as a risk-and-cost decision, and it is exactly the kind of evidence-backed tradeoff the Chapter 38 board presentation will assemble across every component of the program.
🔄 Check Your Understanding: Dana led the board with the staffing math and attrition risk rather than with "we might get breached." Why is the quantified-operational framing more persuasive to a board than the threat framing — and how does it differ from the way a vendor would pitch the same MDR? (Hint: the board has heard "you might get breached" from every vendor; what had they not heard before Dana showed them their own team's 2.2× overload?)
Discussion Questions
- Meridian chose a hybrid MDR model rather than building 24/7 coverage in-house or fully outsourcing. Argue the case for one of the two roads not taken, and name the conditions under which it would have been the better choice.
- Dana discovered the real problem only by walking over and talking to her people, because the dashboard was green. What does this say about the limits of metrics, and which specific metrics should she add so the dashboard could have warned her? (Connect to Chapter 36.)
- Marcus's instinct to "work hardest" by personally clearing tickets is extremely common in newly promoted technical leaders. Why is it so tempting, and what is the precise harm it causes a team?
- Granting the MDR provider authority to take response actions is a serious governance decision. Lay out the controls Meridian should put around that third-party access (tie to Chapters 18–19 and 29).
- The §37.2 war story (the hospital whose two analysts both quit) shaped Meridian's decision to avoid single points of failure. Identify every place in Meridian's redesign where this lesson is visibly applied.
Your Turn
Take an organization you know (or invent a mid-size one) whose SOC is overloaded: pick an alert volume, a
team size, and a coverage situation. (1) Use the §37.2 headcount math and the staffing.py logic to
compute whether the team is understaffed, and by what factor. (2) Run the build-vs-buy factor table and
recommend a sourcing model, naming what you keep in-house and what you buy. (3) Design the on-call
rotation and a one-page escalation runbook for one alert type. (4) List three retention actions tied to
specific attrition drivers. Keep the whole thing to two pages. If you cannot justify a staffing number,
that is a signal you need more data — note what you would go measure.
Key Takeaways
- A security program's risk eventually migrates from its tools to its people; a green dashboard can hide a collapsing team if it measures the tools and not the humans operating them.
- Alert fatigue and analyst burnout are different problems at different layers — tune detections to fix the first, change the operating model to fix the second — and a leader must work both at once.
- Build vs buy is rarely binary. Meridian's hybrid bought the coverage (an MDR for the overnight clock and first-line response) and built the judgment (in-house incident command, hunting, detection engineering, regulator relationships).
- The headcount math is the constraint: ~5–7 analysts per 24/7 seat means most mid-size organizations cannot staff continuous monitoring in-house — which is the central force behind the build-vs-buy decision.
- Runbooks, a deep on-call rotation, and an explicit escalation chain turn a fragile small team into a resilient one and eliminate the single-point-of-failure that defense in depth exists to avoid.
- Retention is a risk-management problem. A career ladder, meaningful work (purple teaming), and sane on-call keep scarce talent better than salary alone.
- Leadership is the work of noticing, of being the calm incident commander, and of running the blameless after — and how a leader behaves shapes a security culture more than any policy document.