A complete checklist for identifying, monitoring, and responding to cyber threats across an organisation.
[ ] Threat detection strategy documented and approved
[ ] Roles and responsibilities defined (SOC, IT, security leads)
[ ] Threat detection integrated into risk management
[ ] MITRE ATT&CK used as a reference model
[ ] Threat intelligence sources identified and subscribed to
[ ] KPIs and metrics defined (mean time to detect (MTTD), mean time to respond (MTTR), false-positive rate, detection coverage)
[ ] Centralised logging enabled (SIEM/SOC platform)
[ ] Logs collected from:
    - Endpoints
    - Servers
    - Firewalls
    - Cloud services
    - Identity providers (Azure AD, Okta, etc.)
    - Applications
    - Databases
[ ] Logs protected from tampering
[ ] Log retention meets compliance requirements
[ ] Time synchronisation (NTP) configured across all systems
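The "logs protected from tampering" item above is usually met by forwarding logs off-host and by making the stored log tamper-evident. The following is an added example, not code from the original checklist, showing one way to do the second part: an HMAC hash chain in which every entry's tag covers its own content and the previous tag, so editing or deleting any earlier entry breaks verification from that point on. The key, field names and sample lines are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for illustration only. In a real deployment the key is held
# by the collector/SIEM (or an HSM), never on the hosts that produce the logs.
DEMO_KEY = b"example-key-do-not-use"

# Tag that the first entry chains to (no previous entry exists).
GENESIS = "0" * 64


def _entry_tag(key, prev_tag, seq, message):
    """HMAC-SHA256 over the entry's sequence number, previous tag and message."""
    payload = json.dumps(
        {"seq": seq, "prev": prev_tag, "msg": message}, sort_keys=True
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(chain, key, message):
    """Append one log line to the chain and return the chain.

    Each tag depends on the previous tag, so any later edit, reordering or
    deletion of an entry invalidates every tag after it."""
    seq = len(chain)
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    chain.append(
        {"seq": seq, "prev": prev_tag, "msg": message,
         "tag": _entry_tag(key, prev_tag, seq, message)}
    )
    return chain


def verify_chain(chain, key):
    """Return (True, None) if the chain is intact, else (False, first bad index)."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        expected = _entry_tag(key, prev_tag, i, entry["msg"])
        if (entry["seq"] != i or entry["prev"] != prev_tag
                or not hmac.compare_digest(expected, entry["tag"])):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def build_demo_chain():
    """Constructed sample audit lines (not real data) written into a fresh chain."""
    lines = [
        "user=alice action=login result=success",
        "user=alice action=sudo cmd=/bin/bash",
        "user=alice action=logout",
    ]
    chain = []
    for line in lines:
        append_entry(chain, DEMO_KEY, line)
    return chain


def tampered_demo():
    """Simulate an after-the-fact edit of the sudo entry; verification fails at index 1."""
    chain = build_demo_chain()
    chain[1]["msg"] = "user=alice action=logout"
    return verify_chain(chain, DEMO_KEY)


def truncated_demo():
    """Simulate deletion of the sudo entry; the gap is detected at index 1."""
    chain = build_demo_chain()
    del chain[1]
    return verify_chain(chain, DEMO_KEY)


if __name__ == "__main__":
    print("intact:   ", verify_chain(build_demo_chain(), DEMO_KEY))
    print("edited:   ", tampered_demo())
    print("truncated:", truncated_demo())
```

Verification only proves integrity relative to the key holder; if the host that writes the logs also holds the key, an attacker on that host can recompute the tags, which is why the key stays with the collector and the check runs there.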
[ ] EDR/XDR deployed on all endpoints
[ ] Behaviour‑based detection enabled
[ ] Alerts for:
    - Malware
    - Ransomware behaviour
    - Privilege escalation
    - Lateral movement
    - Suspicious PowerShell or scripting
[ ] Automated isolation capability enabled
[ ] Endpoint policies reviewed regularly
[ ] IDS/IPS deployed and tuned
[ ] Network traffic analysis (NTA/NetFlow) enabled
[ ] Alerts for:
    - Port scanning
    - Beaconing to suspicious IPs
    - Data exfiltration patterns
    - Lateral movement
    - Unusual protocol usage
[ ] DNS filtering and DNS logging enabled
[ ] Secure web gateway or proxy in place
[ ] Identity Protection / Risk‑based authentication enabled
[ ] Alerts for:
    - Impossible travel
    - MFA fatigue attacks
    - Multiple failed logins
    - New admin accounts
    - Privilege escalation
[ ] Conditional Access policies enforced
[ ] Privileged Access Management (PAM) monitored
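To make three of the identity alerts above concrete, here is an added example (not code from the original checklist or from any identity provider) that runs simple detections for multiple failed logins, MFA fatigue and impossible travel over constructed sign-in events. The event fields, thresholds and windows are assumptions; a real rule would read the provider's own sign-in log schema and tune the thresholds to the environment.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real logs). Field names are assumptions.
# result is one of: success, failure (bad password), mfa_denied (push rejected).
EVENTS = [
    # alice: success in London, then success in New York 40 minutes later
    {"ts": "2024-05-01T08:00:00", "user": "alice", "result": "success", "lat": 51.5, "lon": -0.12},
    {"ts": "2024-05-01T08:40:00", "user": "alice", "result": "success", "lat": 40.7, "lon": -74.0},
    # bob: six failed password attempts inside five minutes
    *[{"ts": f"2024-05-01T09:0{i}:00", "user": "bob", "result": "failure", "lat": 48.9, "lon": 2.35}
      for i in range(6)],
    # carol: five MFA pushes denied, then one approved (push-fatigue pattern)
    *[{"ts": f"2024-05-01T10:{10 + 2 * i:02d}:00", "user": "carol", "result": "mfa_denied", "lat": 48.9, "lon": 2.35}
      for i in range(5)],
    {"ts": "2024-05-01T10:21:00", "user": "carol", "result": "success", "lat": 48.9, "lon": 2.35},
]


def _by_user(events):
    """Parse timestamps and group events per user, sorted by time."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    for evs in grouped.values():
        evs.sort(key=lambda e: e["ts"])
    return grouped


def _burst_counts(events, result, threshold, window):
    """{user: max count of `result` events in any sliding window} for users at/over threshold."""
    hits = {}
    for user, evs in _by_user(events).items():
        times = [e["ts"] for e in evs if e["result"] == result]
        best, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[user] = best
    return hits


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Multiple failed logins: >= threshold password failures within the window."""
    return _burst_counts(events, "failure", threshold, window)


def mfa_fatigue(events, threshold=4, window=timedelta(minutes=15)):
    """MFA fatigue: >= threshold denied MFA prompts within the window."""
    return _burst_counts(events, "mfa_denied", threshold, window)


def _haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Impossible travel: consecutive successful sign-ins whose implied speed exceeds max_kmh.

    Returns {user: fastest implied speed in km/h}."""
    hits = {}
    for user, evs in _by_user(events).items():
        ok = [e for e in evs if e["result"] == "success"]
        for prev, cur in zip(ok, ok[1:]):
            dist = _haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if hours <= 0:                       # same-second events: distance alone decides
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                hits[user] = max(hits.get(user, 0.0), speed)
    return hits


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(EVENTS))
    print("mfa fatigue:        ", mfa_fatigue(EVENTS))
    print("impossible travel:  ", {u: round(s) for u, s in impossible_travel(EVENTS).items()})
```

On the sample data only bob trips the failed-login rule, only carol the MFA-fatigue rule, and only alice the impossible-travel rule (London to New York in 40 minutes implies roughly 8,400 km/h). In production, geolocation from IP is noisy (VPNs, mobile carriers), so the travel rule is normally paired with the risk-based authentication signals listed above rather than used alone.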
[ ] Cloud Security Posture Management (CSPM) enabled
[ ] Cloud logs collected (AWS CloudTrail, Azure Activity Logs, GCP Audit Logs)
[ ] Alerts for:
    - Public bucket exposure
    - Key misuse
    - Suspicious API calls
    - Unusual region activity
    - Disabled logging or monitoring
[ ] Cloud WAF and DDoS protection enabled
[ ] Identity‑based access enforced
[ ] Web Application Firewall (WAF) enabled
[ ] API gateway logging enabled
[ ] Alerts for:
    - SQL injection
    - XSS
    - Authentication bypass attempts
    - High-volume API calls
    - Token misuse
[ ] Secure coding practices enforced
[ ] Runtime Application Self‑Protection (RASP) considered
[ ] Advanced email threat protection enabled
[ ] Alerts for:
    - Phishing
    - Business Email Compromise (BEC)
    - Spoofing attempts
    - Malicious attachments
[ ] DMARC, DKIM, SPF configured
[ ] User‑reported phishing integrated into SOC workflow
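"DMARC, DKIM, SPF configured" is easy to tick while the records are still in a monitoring-only or permissive state. The following is an added example, not code from the original checklist, that checks SPF and DMARC TXT values for the weak settings a reviewer looks for (a permissive `+all`/`?all`, the deprecated `ptr` mechanism, more than ten DNS-lookup terms, `p=none`, a partial `pct`, no `rua` reporting address). The sample records are constructed and do not belong to any real domain; DKIM is not checked here because its validity depends on the published key, not on the record syntax.

```python
import re

# Constructed DNS TXT values for illustration (not any real domain's records).
WEAK_SPF = "v=spf1 include:_spf.mailer.example ptr +all"
GOOD_SPF = "v=spf1 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return a list of findings for an SPF TXT record (empty list = nothing found)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    # mechanism name without qualifier (+-~?), argument (:...) or prefix (/...)
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] for t in terms[1:]]
    if terms[-1].lower() in ("+all", "all", "?all"):
        findings.append("permissive '%s': unlisted senders pass; end with -all or ~all" % terms[-1])
    if "ptr" in names:
        findings.append("'ptr' mechanism is deprecated and slow to evaluate; remove it")
    lookups = sum(1 for n in names if n in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append("%d DNS-lookup terms exceed the limit of 10 (permerror at receivers)" % lookups)
    return findings


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for a DMARC TXT record (empty list = nothing found)."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag; the record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine, then reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct=%s applies the policy to only part of the mail stream" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


if __name__ == "__main__":
    for label, rec, fn in [("weak SPF", WEAK_SPF, check_spf), ("good SPF", GOOD_SPF, check_spf),
                           ("weak DMARC", WEAK_DMARC, check_dmarc), ("good DMARC", GOOD_DMARC, check_dmarc)]:
        print(label, "->", fn(rec) or "ok")
```

The checker reads record strings, so it can be pointed at values pulled from DNS or from a change-control ticket before the record goes live; a `p=none` result is the usual reason an organisation believes it "has DMARC" while spoofed mail is still delivered.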
[ ] External threat feeds integrated (ISACs, vendors, gov sources)
[ ] Indicators of Compromise (IOCs) automatically ingested
[ ] Threat intel used to tune detection rules
[ ] Dark‑web monitoring enabled (if applicable)
[ ] Regular threat‑hunting exercises conducted
[ ] Alerts triaged using defined severity levels
[ ] Playbooks exist for:
    - Malware
    - Ransomware
    - Insider threat
    - Cloud compromise
    - Identity compromise
[ ] Automated response actions configured where safe
[ ] Escalation paths documented
[ ] Post‑incident reviews conducted
[ ] Detection rules reviewed monthly
[ ] False positives analysed and reduced
[ ] New threats mapped to MITRE ATT&CK
[ ] SOC maturity assessed annually
[ ] Staff trained on new threat trends