ai · security · skills

Reskill · SOC

Security Operations

The incident room asks one question first: what did the agent do, and what did the user do?

Attribution is the skill. Until the record separates the two, every autonomous action is unowned.

Start with these skills

  1. Protect audit logs from tamperinggate
  2. Monitor and alert on AI-relevant eventsgate
  3. Control who reads the logs, and log that toogate
  4. Respond to what the logs say, on a clockgate
  5. Keep clocks in sync so timelines holdgate

The rung you have to reach

Security Monitoring

Monitoring and logging of AI applications and activity, including prompts, input/output, service usage, agent actions, data access, and other relevant logs and events useful for security and compliance.

L1 · Initial

No AI-specific monitoring. Reliance on cloud and/or AI provider default logging, if enabled. No visibility into prompts, agent actions, or AI service usage. AI activity untracked and unauditable.

L2 · Repeatable

Basic AI service logs collected (model invocations, API calls) and initial token/cost tracking for major AI platforms. Logs retained in the provider but not regularly analyzed for security. No prompt or response capture. AI usage logs reviewed for billing or troubleshooting but not security.

L3 · Defined

Prompt/response logging implemented for key AI applications (with appropriate data handling/masking). Agent action logging captures tool calls and resource access. Initial AI-specific alerting (e.g., guardrail violations, information disclosure). Logs aggregated into central SIEM. MCP and tool invocations logged.

L4 · Capable

Comprehensive AI telemetry across applications, including prompts, responses, agent actions, delegation chains, and data access. AI-specific threat detection in place (prompt injection, jailbreak attempts, anomalous patterns). Delegation chain auditability for multi-agent workflows. Alerts integrated with SOC workflows. Sensitive data detection in key AI inputs/outputs.

L5 · Efficient

Real-time AI security monitoring with automated response capabilities. Full auditability from user intent through agent actions to resource access. AI behavioral baselines with anomaly detection. Proactive threat hunting for AI attack patterns. AI monitoring integrated with incident response playbooks.

This function also touches: AI Supported Development and Supply Chain Security, Incident Response.

our model · calibrated to SAE J3016

Your syllabus

The plays that climb the rung.

Alert triage & enrichment

Disposition the alert queue: enrich each alert with context, close false positives, escalate what matters.

Moves: Time per alert

Show the exact control IDs (for your security & GRC team)

L2 LOG-01, HRS-15, DSP-17 · L3 LOG-15, LOG-16, GRC-15, TVM-13 · L4 LOG-12, IAM-18, MDS-10

Phishing-report handling

Analyse user-reported emails: verdict, user reply, and containment for the true positives.

Moves: Time per reported email

Show the exact control IDs (for your security & GRC team)

L2 SEF-06, HRS-15, DSP-17 · L3 LOG-15, LOG-16, GRC-15 · L4 SEF-07, IAM-18, LOG-12

Incident summarization & comms

Turn a closed incident into the post-incident report and the stakeholder communications.

Moves: Time per incident report

Show the exact control IDs (for your security & GRC team)

L2 SEF-01, SEF-03, DSP-17 · L3 GRC-15, LOG-16 · L4 SEF-05, LOG-12

Detection-rule engineering

Write, test and tune SIEM detections for new threats and noisy rules.

Moves: Time to new detection

Show the exact control IDs (for your security & GRC team)

L2 LOG-03, TVM-05, HRS-15 · L3 LOG-07, GRC-15, TVM-13 · L4 LOG-14, IAM-18

Threat-intel digestion

Read the feeds and advisories; extract what applies to this org; brief the team and update watchlists.

Moves: Time to actionable intel

Show the exact control IDs (for your security & GRC team)

L2 TVM-04, HRS-15, DSP-17 · L3 LOG-16, GRC-15 · L4 TVM-10, LOG-12

Vulnerability triage & prioritization

Rank the scanner backlog by real exploitability and business context; route fixes to owners.

Moves: Critical-vuln backlog age

Show the exact control IDs (for your security & GRC team)

L2 TVM-09, TVM-03, HRS-15 · L3 TVM-08, GRC-15 · L4 TVM-11, IAM-18

Autonomy must not outrun maturity. The gate holds each rung until its controls are evidenced. The gate framework: eight gates, three lanes →

Baseline Security Operationsopen to run · research access to saveBack to the maturity read