Notes

Field notes, cohort retros, and quiet feedback

Posts from instructors and the academy director. Mostly about the unglamorous parts of analyst training — handover writing, false-positive negotiation, and what we change after every cohort.

April 21, 2026
Why most SOC handover tickets fail their first reader

A candid retro on the three failure modes we see most often in cohort handover writing — and the small habits that cure them.

Min-Jun Park SOC operationsWriting
March 29, 2026
Detection-as-code, without the cult

A measured take on the detection-as-code workflow: where it earns its hype, where it adds friction, and what to do about both.

Hannah Bae Detection engineeringProcess
February 13, 2026
How to write a CTI brief that actually gets read

The single most useful skill we teach in the threat-intel track is also the least technical: producing a 2-page brief the duty analyst will read at 03:00.

Joon-Ho Lee Threat intelligenceWriting
January 8, 2026
What we change after every cohort (and what we will not)

A peek at the retrospective process behind our curriculum updates — including the things participants ask for that we deliberately do not change.

Da-Eun Kim Programme designRetrospective
November 17, 2025
The first week of cloud IR feels different. Here is why.

On-prem analysts moving into cloud incident handling describe the same first-week experience: the data is louder and the trail is shorter.

Hannah Bae Cloud securityIncident response

Field notes, cohort retros, and quiet feedback

Why most SOC handover tickets fail their first reader

Detection-as-code, without the cult

How to write a CTI brief that actually gets read

What we change after every cohort (and what we will not)

The first week of cloud IR feels different. Here is why.