Preparing for the Reality of AI-Driven Attacks
One of the biggest challenges facing organizations right now is a simple but critical question: what are we going to do about automated AI penetration testing?
We are already seeing tools emerge that can identify, chain, and exploit vulnerabilities at a speed that simply was not possible before. Platforms like Mythos and others are pushing this forward, and it is only the beginning. AI is changing the pace of offensive security in a very real way.
At Black Hills Information Security, we have been building toward this moment for quite some time. Our Security Operations Center was not designed just for yesterday’s threats. It is built with the expectation that AI-driven attacks are going to become the norm.
There are three core components of our SOC approach that position us for this shift.
1. Continuous Attack Surface Monitoring
The first area we focus on is attack surface monitoring. This is part of our continuous monitoring capabilities included in our SOC services.
We are constantly scanning the external edge of our clients’ environments. That includes identifying vulnerable software, exposed services, leaked credentials, and misconfigurations.
The goal is straightforward. We want to remove as much low-hanging fruit as possible before an attacker ever shows up. If AI-driven tools are scanning your environment, they are going to prioritize speed and opportunity. By shrinking the available attack surface, we force those tools to work harder and give defenders more time to respond.
Less exposure means fewer easy wins for automated attackers.
2. Cyber Deception as a Defensive Layer
The second component is cyber deception. At BHIS, deception has been a core focus for over a decade. It is something we teach, implement, and rely on because it consistently frustrates attackers.
This becomes even more valuable in an AI-driven threat landscape. AI does not hesitate. It scans, exploits, and pivots faster than a human ever could. That speed can overwhelm traditional detection methods.
Deception changes that dynamic. By placing controlled traps, such as decoy services, credentials, systems, or files, throughout an environment, we create tripwires. When those tripwires are triggered, defenders gain visibility into activity that would otherwise go unnoticed.
This is especially important in areas where traditional visibility is weak or nonexistent. Think about unmanaged devices, shadow IT, IoT, or bring-your-own-device scenarios. In those spaces, deception can be the first and sometimes only indicator that something is wrong.
If AI is going to move fast, we need ways to reliably catch it in the act. Deception provides that capability.
3. Network Threat Hunting and Behavioral Analysis
The third pillar is network threat hunting.
This has always been an area we have believed in strongly. Like deception, it adds friction for attackers and increases the defender’s chances of identifying malicious activity early.
We approach this using our AC-Hunter platform, which focuses heavily on beaconing and behavioral analysis.
Rather than relying solely on signatures or lists of known bad IP addresses and domains, we focus on how systems communicate. We look for patterns that indicate non-human behavior, such as regular beaconing intervals or unusual characteristics in the connections leaving an environment.
This approach is critical because many modern attacks do not rely on obviously malicious infrastructure. Supply chain attacks, for example, often come from trusted sources that bypass traditional detection methods.
If your detection strategy depends entirely on known bad indicators, you will miss those threats.
Behavioral analysis fills that gap. This capability is also reflected in RITA, our Real Intelligence Threat Analytics platform. It is something we believe in strongly enough to make available in open source form and continue teaching to the community.
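To make the beaconing idea concrete, here is an added Python example (not code from RITA or AC-Hunter) that groups outbound connections by source, destination, and port and flags pairs whose inter-connection gaps are unusually regular. The log lines are constructed, and the thresholds (at least 5 connections, coefficient of variation of the gaps at or below 0.1) are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "timestamp src dst dst_port" (not real traffic).
# 10.0.0.5 calls out every ~300 s with small jitter; 10.0.0.7 is irregular.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.10 443
2024-05-01T10:00:00 10.0.0.7 198.51.100.20 443
2024-05-01T10:00:40 10.0.0.7 198.51.100.20 443
2024-05-01T10:05:01 10.0.0.5 203.0.113.10 443
2024-05-01T10:07:12 10.0.0.7 198.51.100.20 443
2024-05-01T10:07:15 10.0.0.7 198.51.100.20 443
2024-05-01T10:09:59 10.0.0.5 203.0.113.10 443
2024-05-01T10:15:00 10.0.0.5 203.0.113.10 443
2024-05-01T10:20:02 10.0.0.5 203.0.113.10 443
2024-05-01T10:24:58 10.0.0.5 203.0.113.10 443
2024-05-01T10:31:00 10.0.0.7 198.51.100.20 443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, port), sorted in time."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        conns[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    for key in conns:
        conns[key].sort()
    return conns

def beacon_candidates(conns, min_connections=5, max_cv=0.1):
    """Return (key, mean_gap_seconds, cv) for pairs whose gaps between
    connections are regular: coefficient of variation (stdev / mean) <= max_cv.
    Thresholds are illustrative assumptions, not tuned production values."""
    hits = []
    for key, times in conns.items():
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((key, mean, cv))
    return sorted(hits, key=lambda h: h[2])  # most regular first

if __name__ == "__main__":
    for key, mean, cv in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{key[0]} -> {key[1]}:{key[2]} every ~{mean:.0f}s (cv={cv:.3f})")
```

Timing regularity is only one signal; a fuller analysis would also weigh connection count over the observation window and the consistency of bytes transferred per connection, since legitimate software updaters can also check in on a schedule.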
Bringing It All Together
Each of these components is powerful on its own. Together, they form a layered defense that is designed for the realities of modern attacks.
- Attack surface management reduces exposure.
- Cyber deception creates visibility where none exists.
- Network threat hunting identifies behavior that bypasses traditional detection.
When combined, they provide a more complete picture of what is happening inside an environment and give defenders the ability to respond effectively, even as AI-driven attacks continue to evolve.
At BHIS, this is not a future concern. It is something we are actively preparing for today.