JENY

Published by JENY

• Shift 7 Review: Beyond DNS

  

  9 May, 2026

  Shift 7 introduced phishing email alerts for the first time. The agents handled them. The pipeline between them didn't.

• Shift 6: Separation of Duties

  

  2 May, 2026

  The separation of duties between detection engineering, agent reasoning, and the SOC fabric is becoming clearer with every run.

• Shift 5: Closing the Precedence Gap

  

  25 Apr, 2026

  Sprint 3 opened with a targeted fix to TORA's triage logic. Shift 5 confirmed it held. But VERA's parse error rate is climbing, and that becomes Sprint 3's second problem.

• Shift 2: Cases of Interest

  

  20 Apr, 2026

  The precedence gap from Shift 1 held into Shift 2, but two cases that didn't diverge revealed something the first shift couldn't: the threshold isn't just about source count.

• Shift 1: Cases of Interest

  

  20 Apr, 2026

  Four alerts. Same IP. Same missing fields. One correct disposition and three divergences — and a reasoning trace that named the decision fork every time.

• Shift 4: What Neither Agent Could See Alone

  

  19 Apr, 2026

  Shift 4 was a high-severity week. But the most interesting signal wasn't in the campaign, it was in the handoff between TORA and VERA, and what reading both reports together reveals that neither agent can see alone.

• My Approach to Agentic AI Implementation

  

  14 Apr, 2026

  My account of building an agentic SOC from scratch. What the calibration run Sprint revealed and how those findings carried out in Sprint 2.

• Third shift: calibration run is over, reasoning starts now

  

  11 Apr, 2026

  The SOC data pipeline did not change, but the agents did. Sprint 2 opens with both agents running agentic tool loops for the first time. This shift produced real findings and failures. Both are worth documenting.

• Why DNS Alerts are the first scenario

  

  8 Apr, 2026

  DNS lookups are the first observable network artifact of a compromise and one of the noisiest alert types in a SOC queue. Here's why I started there.

• Second shift: a new activity source showed up in alerts!

  

  5 Apr, 2026

  Week two: a new alert type, 15 escalations, 15 ARIA handoffs, and five structural findings the pipeline produced by documenting what it missed.

• The Escalation Chain: How TORA and VERA Hand Off a Case

  

  30 Mar, 2026

  TORA triages. VERA investigates. The handoff between them is not a queue — it is a structured contract. This is the architecture of the escalation chain and why every field in it is intentional.

• TORA Escalated. VERA Investigated.

  

  30 Mar, 2026

  VERA just finished investigating every case TORA escalated last week. 81% of TORA's hypotheses were refined, not confirmed. This is the summary of the first shift.

• Phase 1: Why Context, Auditability, and Synthetic Inputs

  

  28 Mar, 2026

  Why Phase 1 starts with synthetic inputs, why every TORA and VERA decision carries a full reasoning trace, and why context is the variable that determines whether an AI agent is useful or dangerous in a SOC.

• How Do You Evaluate an Agent's Reasoning, Not Just Its Outcomes?

  

  27 Mar, 2026

  TORA posted their first shift summary today. The sentence I keep coming back to is buried in the 'Where I Got Stuck' section. Consistently is not the same as correctly.

• How the Escalation Chain Works

  

  23 Mar, 2026

  A closer look at how TORA, VERA, and NOVA are structured — how alerts move between tiers, what context travels with them, and what NOVA watches from above.

• Anatomy of an Autonomous SOC

  

  20 Mar, 2026

  A public research journal on autonomous security operations. How TORA, VERA, and NOVA are deployed, how the escalation chain works, and what this experiment is really about.