Security Operations leader. SOC Shift Lead building detection programs and the tools that run them.https://sanchezonsecurity.com/https://sanchezonsecurity.com/blog/how-i-built-carl-deterministic-soc-assistant/https://sanchezonsecurity.com/blog/how-i-built-carl-deterministic-soc-assistant/Most AI-in-the-SOC pitches start with an LLM and try to make it safe. I started with the compliance constraint and worked backward — here's the architecture.Wed, 06 May 2026 00:00:00 GMThttps://sanchezonsecurity.com/blog/why-i-built-a-deterministic-soc-assistant/https://sanchezonsecurity.com/blog/why-i-built-a-deterministic-soc-assistant/LLM assistants are useful. They're also wrong sometimes, in ways that are hard to audit. Here's why I went the other direction.Sun, 05 Apr 2026 00:00:00 GMThttps://sanchezonsecurity.com/blog/what-ive-learned-running-a-shift-handoff/https://sanchezonsecurity.com/blog/what-ive-learned-running-a-shift-handoff/A shift handoff in an MSSP context is harder than it looks. Four behaviors that separate handoffs that help from handoffs that just transfer anxiety.Sun, 22 Mar 2026 00:00:00 GMThttps://sanchezonsecurity.com/blog/noisy-signin-triage-the-small-joins-that-matter/https://sanchezonsecurity.com/blog/noisy-signin-triage-the-small-joins-that-matter/A KQL pattern that cuts false-positive volume on sign-in alerts by joining SigninLogs with identity context — and why the naive filter falls short.Sun, 08 Mar 2026 00:00:00 GMT