Stage 2 Security

SOC Prime has helped Stage 2 Security, the leading cloud Managed Security Service Provider (MSSP), accelerate the company’s threat hunting process. By taking advantage of SOC Prime’s Detection as Code platform, Stage 2 Security has reduced by 50% its MTTD using up to hundred queries per second in the company’s daily SOC operations.

SOC Prime Helps Stage 2 Security Accelerate Its Threat Hunting Process

By taking advantage of SOC Prime’s Detection as Code platform, Stage 2 Security has reduced by 50% its MTTD using up to hundred queries per second in the company’s daily SOC operations.

“The biggest thing SOC Prime does is reduce the number of hours we need to spend on detection content development, which enables us to focus more on security operations. With SOC Prime Threat Detection Marketplace, we’ve managed to achieve really low mean time to detect (MTTD) and reduced the burden on our SecOps Team.”

Jake Groth

Chief Technology Officer at S2


  • S2 selected SOC Prime as a scalable solution to augment daily threat hunting operations
  • Partnership with SOC Prime helped the company’s SecOps Team reduce their MTTD by 50%
  • S2 augmented and accelerated their threat hunting capability by obtaining thousands of use cases to tailor for their customers’ needs
  • Leveraging SOC Prime’s API Integration tool, S2 continuously obtains high-quality SOC content that relentlessly hunts their customers’ data for intrusions


Tailored Behavior-Based SOC Content. Having extensive experience in delivering cybersecurity services in the private and public sectors in the USA, Jake Groth, the CTO at S2, has noticed that clients are more focused on the actual detection content tailored to the company’s infrastructure and threat profile instead of just acquiring products. Organizations are wanting to buy outcomes and insights, not products alone. S2’s “Detection as Code” approach is how they can guarantee a consistent quality service while also allowing for flexible delivery models as they can push out thousands of tailored detections to various environments and harvest the output in a flexible way. S2 views content creation as an essential and central role in an organization’s overarching security program, with the technology architecture and staff there to support this anchor. Whether delivering on a customer’s site, cloud, or through their fully hosted turnkey managed service, S2 adheres to the “Detection as Code” approach to protection. While there is a great number of trained SOC Analysts who know how to respond to the incoming alerts, there is always a problem finding relevant behavioral hunting content.

Talent Shortage and Content Scalability Issues. Threat Hunters are really hard to chase on the market, and even if companies have managed to find them, it is still challenging for individual content contributors to keep pace with the crowdsourcing content library with hundreds of authors, such as Threat Detection Marketplace.

Apart from this massive talent shortage in the security industry of Content Developers and experienced Threat Hunters, their produced content doesn’t always identify the company’s imminent risk. Far too often organizations are drowning in data but starving for insights.

High Cost of Content Outsourcing. S2 found that ordering external content development services wouldn’t be reasonable enough for the growing company. In addition, transitioning outsourced detections to various SIEM, EDR, and NTDR language formats brings about another financial challenge.

Automation and Industrialization. Automation and industrialization are familiar concepts across the entire IT sector. In cybersecurity, relentlessly hunting for intrusions requires processing hundreds of queries per second. This industrialization requires automating and scaling threat hunting for more efficiency. Stage 2 Security was looking for automated solutions that would scale out a lot of parallel processes and augment its threat hunting operations. Possessing high-skilled staff with sufficient expertise in content development alone was not enough for S2 to compete with large organizations and solutions. Therefore, Stage 2 Security was looking for a product that would accelerate their detection content development and enhance their hunting capability.

Detection as Code Content Solution

While searching for a way to address all the above mentioned challenges, S2 found that purchasing the SOC Prime Threat Detection Marketplace license would unlock the opportunity to obtain the high-value curated detection content on a regular basis. S2 found it more reasonable to obtain scalable Detection as Code content from SOC Prime rather than fully manage security content development in-house, essentially reducing the amount of dedicated CTI and research specialists and focusing more on Incident Response, Threat Hunting, Penetration Testing and Content customization to meet the customer needs.


API Integration. S2 has mainly taken advantage of the API Integration tool for automating the detection search and threat hunting operations. The company has simplified its content development to a minimum number of steps:

  • Pulling down content via API
  • Enriching detections
  • Deploying detections to relentlessly hunt customers’ data at scale using DevOps pipelines

High-Quality Customer Engagement. SOC Prime Team is striving to be highly responsive to the company’s feedback. S2 has mentioned that “customer engagement is great”, proving that  SOC Prime is really trying to make its product better.

Content Update Notifications. The regular SOC Prime’s practice of sending email notifications of the latest detection content releases helps staying constantly updated and allows quickly getting “the hottest” detections to make sure the company’s customers are protected.

Emergency Attack Coverage. S2 hugely benefits from the content coverage of the emergency attacks like the SolarWinds use case. As a slight improvement, S2 sees adding alerts that would notify Threat Detection Marketplace users that they are a couple of hours away from having their SIEMs updated on the most recent detections.

Threat Hunting Made Easier. SOC Prime genuinely helps make threat hunting easier and more accessible, which allows gaining more control over implementation and customization of detections and completing these operations in-house.

Cloud Security Use Cases. Content categorization based on security use cases seems like an asset for Stage 2 Security since the company is mainly providing cloud security monitoring for its customers. Increasing an amount of cloud-native detections can notably enrich most SaaS, IaaS, and PaaS solutions.


Stage 2 Security (S2) is an industry leader in cloud Managed Security Services that focuses on protecting the company’s clients from their Adversaries. S2 believes there are only two teams, and it’s not red and blue. It’s the good guys and the bad guys. S2’s innovative MAGE Platform unifies, automates, and orchestrates its Adversary Simulation (Red Team) and Adversary Prevention (Blue Team) into one continuous Managed Service. They train and certify their staff of “Cyber Warriors” using their offensive tradecraft, honed through years supporting the NSA, and proven defensive methodologies supporting and operating enterprise-class security programs for Fortune 500 and Federal Governments. S2 simulates the advanced threats enterprises face from sophisticated threat actors and automates detection and response within their MAGE Platform. With the combination of S2’s continuous Red Team and MDR-as-a-Service, organizations are armed with strong industrialized expertise that protects their clients’ enterprise and budget.


Are you a MSSP looking for a long-term partnership?

Join SOC Prime Threat Detection Marketplace to supercharge your cyber defense capabilities and deliver curated use cases tailored to your customers’ threat profile.