// Customer stories

Real hunts.
Real outcomes.

Anonymized case studies from financial services, healthcare, manufacturing and SaaS. Real timestamps, real metrics, signed by the lead analyst.

Protecting mid-market teams across four sectors

Identities withheld under NDA · sector + size disclosed with consent

// Featured · financial services · 480 employees

A weekend identity attack, contained before Monday.

SAT 02:14:07 DETECT Impossible-travel sign-in · admin@fin
SAT 02:14:39 HUNT @maria correlates new OAuth grant
SAT 02:15:22 HUNT match: T1098 — Account Manipulation
SAT 02:18:50 CONTAIN sessions revoked · MFA reset · app blocked
SAT 02:25:11 ERADICATE rogue grant removed · tenant hardened
MON 08:30:00 signed report + hardening plan delivered

The hunt

An impossible-travel sign-in on a finance admin fired at 02:14 on a Saturday. The on-shift analyst pivoted to the identity layer, found a freshly-minted OAuth grant, and recognized a token-theft persistence play before any data moved.

Sessions were revoked, MFA reset and the malicious application blocked under the customer's pre-approved runbook. By Monday morning, the customer had a signed report — not an incident.

11 min · Time to containment
0 · Records exfiltrated
0h · Business downtime

Request the full PDF →

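The hunt above hinges on one correlation: an impossible-travel sign-in followed, within minutes, by a new OAuth consent grant on the same account. The following is an added example (not BlackSOC's code or tooling) that runs that correlation over constructed sign-in and consent events and emits the runbook steps the story lists. The event schema, the 900 km/h plausibility threshold, the 30-minute grant window and all sample values are assumptions made for the illustration.

```python
"""Correlate impossible-travel sign-ins with freshly issued OAuth grants.

Added example, not BlackSOC code. Event schema, thresholds and sample
data are assumptions chosen to illustrate the hunt described above.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0              # assumption: anything faster than airline speed is implausible
GRANT_WINDOW = timedelta(minutes=30)   # assumption: a grant this soon after a flagged sign-in is suspicious


@dataclass(frozen=True)
class SignIn:
    user: str
    at: datetime
    ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class ConsentGrant:
    user: str
    at: datetime
    app_id: str
    scopes: tuple


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    rlat1, rlon1, rlat2, rlon2 = map(radians, (lat1, lon1, lat2, lon2))
    dlat, dlon = rlat2 - rlat1, rlon2 - rlon1
    a = sin(dlat / 2) ** 2 + cos(rlat1) * cos(rlat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins):
    """Return (earlier, later, kmh) for consecutive sign-ins per user whose implied speed is implausible."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.at):
        by_user.setdefault(s.user, []).append(s)
    hits = []
    for events in by_user.values():
        for prev, cur in zip(events, events[1:]):
            hours = (cur.at - prev.at).total_seconds() / 3600
            if hours <= 0:          # identical timestamps: speed undefined, skip
                continue
            kmh = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours
            if kmh > MAX_PLAUSIBLE_KMH:
                hits.append((prev, cur, round(kmh)))
    return hits


def correlate_grants(hits, grants):
    """Attach any consent grant issued within GRANT_WINDOW after a flagged sign-in."""
    alerts = []
    for prev, cur, kmh in hits:
        for g in grants:
            if g.user == cur.user and cur.at <= g.at <= cur.at + GRANT_WINDOW:
                alerts.append({
                    "user": cur.user,
                    "from_ip": prev.ip, "to_ip": cur.ip, "kmh": kmh,
                    "app_id": g.app_id, "scopes": g.scopes,
                    "technique": "T1098 Account Manipulation",
                    # containment steps in the order the story lists them
                    "actions": ["revoke sessions", "reset MFA",
                                f"block app {g.app_id}", f"remove grant for {g.app_id}"],
                })
    return alerts


def hunt(signins, grants):
    """Full pipeline: impossible travel, then grant correlation."""
    return correlate_grants(impossible_travel(signins), grants)


# Constructed sample telemetry. 2024-06-14 is a Friday, so the second admin
# sign-in lands at 02:14:07 on Saturday, as in the timeline above.
SAMPLE_SIGNINS = [
    SignIn("admin@fin", datetime(2024, 6, 14, 22, 10, 0), "198.51.100.7", 40.7128, -74.0060),   # New York
    SignIn("admin@fin", datetime(2024, 6, 15, 2, 14, 7), "203.0.113.42", 52.5200, 13.4050),     # Berlin, ~4h later
    SignIn("bob@fin", datetime(2024, 6, 14, 9, 0, 0), "192.0.2.10", 41.8781, -87.6298),         # Chicago
    SignIn("bob@fin", datetime(2024, 6, 14, 17, 30, 0), "192.0.2.11", 41.8781, -87.6298),       # Chicago again
]
SAMPLE_GRANTS = [
    ConsentGrant("admin@fin", datetime(2024, 6, 15, 2, 14, 39), "app-EXAMPLE-0001",
                 ("Mail.ReadWrite", "offline_access")),
    ConsentGrant("bob@fin", datetime(2024, 6, 14, 9, 5, 0), "app-EXAMPLE-0002", ("User.Read",)),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_SIGNINS, SAMPLE_GRANTS):
        print(alert)
```

The speed check is deliberately coarse: a single threshold will misfire on VPN egress changes, so in practice the sign-in pair would be enriched with ASN and device data before the page fires. The point the story makes is the second step, the grant correlation, which is what turns a noisy travel alert into a high-confidence persistence finding.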
// More stories

Different sectors. Same discipline.

Healthcare · 920 EE

Ransomware staged on a file server — stopped at deployment.

A scheduled task tried to push an encryptor across SMB shares. The hunt killed it before a single file locked.

MTTR 09 min · 0 files lost · 0h down

Manufacturing · 610 EE

OT-adjacent foothold cut before lateral movement.

A phished engineering laptop became a beachhead. Containment isolated it before it reached the plant network.

MTTR 14 min · 1 host · 0h down

SaaS · 240 EE

Leaked CI token caught the moment it was used.

A secret leaked in a public commit. BlackSOC flagged its first malicious use and rotated it within minutes.

MTTR 06 min · 0 data · 0h down

// From the SOC floor

What our hunters learn.

"

Every kill-chain teaches the next one. We feed every contained incident back into the runbooks — your defense gets sharper each month.

@maria · Lead analyst · GCFA
"

The hard part isn't detection — it's deciding fast and acting cleanly. That's why a human verifies before we ever isolate a host.

@lukas · Threat hunter · OSCP
"

Identity is the new perimeter. Most of the weekend pages I take are token theft, not malware. Watch the grants.

@dev · IR specialist · GCIH
// Your turn

Want to be the next quiet Monday?

Book a walkthrough →
Become a case study →