Use Case
After-hours triage without opening a laptop.
After-hours triage is the workflow of assessing a security alert that fires outside business hours — typically a 2 AM page — and deciding whether it warrants immediate response or can wait until morning. PocketSOC lets the on-call analyst view full detection context, severity, and affected hosts from a phone, then escalate, dismiss, or hand off without ever opening a laptop or connecting to VPN.
The problem
An on-call SOC analyst gets paged at 2:14 AM. The alert is from CrowdStrike Falcon. Is it a real intrusion attempt or another false positive from the new EDR policy? Without context, the analyst has to fire up a laptop, connect to VPN, log into the Falcon console, and dig through the detection — five minutes of friction before the first useful decision. Multiply that by every after-hours page, and the cost is sleep, false-positive fatigue, and slower real responses.
The PocketSOC workflow
- Push notification arrives with severity, host, and detection type
- Tap the notification — the app opens directly to the detection details
- Review the process tree, command-line arguments, affected user, and Falcon score
- Decide: escalate (assign to a teammate), close as benign, or take immediate action
- If escalation is needed, assign the detection and add a comment — the analyst who picks it up sees the full context
Outcomes
- Decision in under 90 seconds instead of 5–10 minutes
- No laptop boot, no VPN connect, no console navigation
- Lower false-positive fatigue — analysts can dismiss obvious benign alerts without ceremony
- Better sleep, fewer after-hours escalations to senior staff
Supported vendors for this workflow
- CrowdStrike Falcon
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud
- AWS GuardDuty