Inside the BHIS SOC: A Conversation with Hayden Covington
Melissa is a content strategist with a 20-year background in writing instruction and editorial work across B2B and B2C industries. She joined the security world five years ago as a BHIS penetration-test report editor, helping her team to sharpen the structure and impact of every client report. Lately, she’s been digging into the stories behind BHIS’s tools, analysts, and culture—capturing narratives of how cybersecurity really works behind the scenes.

What happens when you ditch the tiered ticket queues and replace them with collaboration, agility, and real-time response? In this interview, Hayden Covington takes us behind the scenes of the BHIS Security Operations Center—where analysts don’t escalate tickets, they solve them. Learn how this small, high-trust team works smarter, moves faster, and stops threats cold.
What is a SOC?
Melissa: For someone new to the world of cybersecurity, can you start by explaining what a SOC is?
Hayden: Sure. A SOC, or Security Operations Center, is like the nerve center for security monitoring. Traditionally, it functions kind of like a help desk with multiple tiers of analysts who escalate issues from one level to the next. Tier 1 handles the basic stuff, then passes anything complicated up to Tier 2 or Tier 3 if needed.
How is BHIS’s SOC different from other SOCs?
Melissa: So what makes BHIS’s SOC different?
Hayden: We don’t use that traditional tiered structure. Instead, any analyst can take a look at an alert and, if they need help, they reach out directly to someone more experienced. There’s no formal handoff process. And we’re deeply collaborative. Our analysts stay on calls with customers, even through full-blown incident responses, because they already have context. We’re more than just alert responders; we help customers solve the problem in real time.
Melissa: So it’s less about passing the buck and more about owning the issue?
Hayden: Exactly. We’re not just sending alerts. We’re partnering with our clients to respond quickly and thoroughly. It’s really a white-glove service, and I can say that what we offer is unmatched peace of mind.
How does the BHIS SOC get access to logs and stuff?
Melissa: How do you get the information that you need to actually make it all work?
Hayden: That’s a great question. The last SOC I worked at was all in one room, and if things got really bad, we could literally go downstairs and unplug a server. That was a government org, and that kind of break-glass emergency protocol was actually in the playbook. BHIS is a totally different model. If we bring down a customer server, we could be costing them money, so containment has to be smarter. Our SOC pulls everything into a centralized SIEM, so we can search logs from all our customers in one view. That means we don’t have to hop around between servers and organizations. It also helps us spot patterns across environments. In one case, we caught a piece of malware and then realized another customer had a very similar beacon, so we got to them early too.
Where do you, Hayden, sit in the BHIS SOC?
Melissa: What’s your role in the SOC?
Hayden: I run the operations side of the SOC. We recently restructured into two sides: engineering and operations. Engineering handles infrastructure—keeping everything running smoothly. Operations is where the alerts, detection engineering, and incident response live. I lead that team. We also have subgroups focused on things like threat hunting and automation.
Melissa: And who else is part of that structure?
Hayden: We’ve got an engineering lead and someone who channels customer communication, and also a couple of other SOC leads, so it’s a tight-knit and evolving team.
What is the typical process for a ticket?
Melissa: Walk me through what happens when a new alert or ticket comes in.
Hayden: An analyst sees an alert, usually triggered by one of our custom detection rules. If something feels off, they’ll ask for a second set of eyes in our group chat. If it’s serious, we move fast. We jump on a call, bring in the customer, loop in incident response, and start containment.
Melissa: And you do that all live?
Hayden: Yep. We’ve even had calls with multiple team members and the client’s security team all working through the issue in real time.
I hear you have some tricky tickets on occasion. Tell me about one.
Melissa: Can you share a particularly memorable incident?
Hayden: One recent alert came through one of our risk-based rules. One of our analysts saw it and got the feeling that something wasn’t right. He checked the user only to find it was a domain admin. This is often a red flag. Then he noticed some really strange behavior: repeated PowerShell executions were being triggered by scheduled tasks. I mean, this is super weird stuff. The kicker was when he noticed a DLL with an offensive name —#profanity—haha—and that’s the moment he pulled in the rest of the team.
Analyst: Everything about it just screamed “bad.” It was running VBScript, decoding binaries, downloading encrypted payloads. And that DLL had a name that was a dead giveaway. Then it oddly referenced a tool built by a sketchy security researcher. So I Googled it, and that’s when I knew for sure we needed to escalate.
Hayden: We looped in incident response, added more team members, and brought the customer in. And right in the middle of that call, they realized that one of their developers had downloaded a compromised version of a VMware tool. They had downloaded it literally just hours after reading an article that said *not* to download it. It was a classic watering hole attack.
Melissa: That’s wild timing.
Hayden: Yeah, we couldn’t believe it! But it certainly proved the value of what we do and showed the customer that they could rely on their SOC to catch something major when it falls through cracks like that. The customer’s CISO told their CTO, “This is exactly why we hire these guys.”
Melissa: Nice! So BHIS caught it in time.
Hayden: Thankfully, yes. It was active command-and-control (and based on the news article, possibly related to a Conti offshoot). We hadn’t observed lateral movement to other devices yet, and that would have been their next step before widespread ransomware.
Tell me about how you came to join BHIS.
Melissa: So, how did you get into cybersecurity and end up at BHIS?
Hayden: Originally, I wanted to be a game developer, but I eventually realized I hated programming. So I pivoted to cybersecurity, got a degree from Regent University, and started with internships in GRC. Eventually, I interned at a shipyard and worked in their SOC. I became a full-time analyst there and stayed about four years. Two former coworkers, Hal and Troy, left for Black Hills. One of them jokingly said I should apply, so I did. Now I’ve been here nearly three years.
Melissa: Sounds like a perfect fit.
Hayden: It really is. We’re always improving, always collaborating, especially with our red team. That back-and-forth between offense and defense is one of the coolest things about working here.
Learn the foundational aspects of security operations from Hayden himself in his Antisyphon class!
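The incident Hayden and the analyst describe above surfaced through a risk-based rule: a domain admin account, PowerShell being launched repeatedly by scheduled tasks, and command lines that looked wrong. The following is an added example, not BHIS SOC code or any vendor's rule, of how such a rule can be expressed over process-creation events. The event field names, the privileged-account list, the sample events, the point values and the thresholds are all constructed assumptions for the example; a real deployment would source the account list from directory group membership and tune the window and scores against the environment's own baseline.

```python
"""Risk-scored detection for scheduler-launched PowerShell under a privileged account.

Added example only; field names, sample events and point values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events in a simplified, Sysmon-like shape.
# Host DEV-WS01 shows three PowerShell runs spawned by the Task Scheduler service host
# under a domain admin; FIN-WS07 supplies benign noise that must not fire.
# The -Enc payload is a meaningless placeholder ("AAAA" in UTF-16LE), not real content.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "DEV-WS01", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc QQBBAEEAQQA="},
    {"ts": "2024-05-01T09:05:06", "host": "DEV-WS01", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc QQBBAEEAQQA="},
    {"ts": "2024-05-01T09:10:04", "host": "DEV-WS01", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc QQBBAEEAQQA="},
    {"ts": "2024-05-01T09:12:00", "host": "FIN-WS07", "user": "CORP\\asmith",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem"},
    {"ts": "2024-05-01T09:20:00", "host": "FIN-WS07", "user": "CORP\\asmith",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Constructed privileged-account list (assumption); in practice pulled from AD groups.
PRIVILEGED_ACCOUNTS = {"CORP\\jdoe"}

# Parents that host scheduled tasks (svchost.exe on current Windows, taskeng.exe on
# older builds). A scheduler parent alone is weak evidence, hence the scoring below.
SCHEDULER_PARENTS = ("svchost.exe", "taskeng.exe", "taskhostw.exe")
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop")


def score_event(ev):
    """Return (points, reasons) for one event. Non-PowerShell events score 0."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    if image not in POWERSHELL_IMAGES:
        return 0, []
    points, reasons = 0, []
    if parent in SCHEDULER_PARENTS:
        points += 30
        reasons.append("powershell launched by task scheduler host")
    if ev["user"] in PRIVILEGED_ACCOUNTS:
        points += 40
        reasons.append("privileged account")
    hits = [f for f in SUSPICIOUS_FLAGS if f in cmd]
    if hits:
        points += 20
        reasons.append("suspicious flags: " + ", ".join(hits))
    return points, reasons


def find_findings(events, window=timedelta(minutes=15), min_repeats=3, threshold=80):
    """Emit one finding per (host, user) that has at least `min_repeats` scheduler-launched
    PowerShell runs inside `window` and whose strongest single event reaches `threshold`."""
    buckets = defaultdict(list)
    for ev in events:
        points, reasons = score_event(ev)
        if points and "powershell launched by task scheduler host" in reasons:
            buckets[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), points, reasons))
    findings = []
    for (host, user), runs in buckets.items():
        runs.sort(key=lambda r: r[0])
        for i in range(len(runs)):
            start = runs[i][0]
            in_window = [r for r in runs[i:] if r[0] - start <= window]
            if len(in_window) >= min_repeats and max(r[1] for r in in_window) >= threshold:
                findings.append({
                    "host": host, "user": user, "count": len(in_window),
                    "score": max(r[1] for r in in_window),
                    "reasons": sorted({reason for r in in_window for reason in r[2]}),
                })
                break  # one finding per host/user pair is enough to page an analyst
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_EVENTS):
        print(finding)
```

The point values make the combination, not any single signal, cross the threshold: a scheduler-launched PowerShell run on its own scores 30 and stays quiet, while the same run under a domain admin with hidden-window and encoded-command flags scores 90 and, once it repeats, produces a finding that names every contributing reason so the analyst picking it up has the same context the rule had.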



