Security Operations Centre (SOC) Coverage
Find Out How Expansive Manages Continuous Monitoring Of Our Systems
Expansive maintains an internal Security Operations capability that continuously monitors our production platform and infrastructure for security, availability, and performance anomalies.
Monitoring is performed by the Expansive Platform Security Team, supplemented by automated alerting and log correlation tools that operate 24 × 7 × 365.
The SOC function includes:
- 24/7 automated monitoring of application, authentication, and infrastructure events through centralised logging and telemetry.
- Human oversight during business hours (09:00–18:00 UK time), with on-call escalation for out-of-hours critical alerts.
- Proactive detection rules for common attack patterns, failed-login anomalies, data-exfiltration attempts, and service degradation.
- Defined response playbooks for security incidents, aligned to the Expansive Information Security Management System (ISMS) and ISO/IEC 27001 Annex A controls.
All monitoring and response activities are led by Expansive’s internal team; no third-party MSSP currently operates our SOC, although independent auditors review our monitoring effectiveness annually.
⚙️ Severity Classification Matrix
| Severity | Definition | Example | Initial Response Target | Communication Expectation |
|---|---|---|---|---|
| Critical (P1) | Confirmed or suspected compromise of data, credentials, or core platform components; sustained denial of service. | Database breach, ransomware, critical 0-day exploit. | 15 minutes automated detection; 1 hour human triage and escalation. | Immediate notification to senior management and affected clients within 2 business hours. |
| High (P2) | Security control degradation or unauthorised access limited in scope; potential to escalate. | Misconfiguration exposing non-sensitive data, privilege escalation detected. | 2 hours | Containment within 4 hours and communication within 4 business hours. |
| Medium (P3) | Suspicious activity or vulnerability with no confirmed exploitation. | Elevated failed login rates, new CVE affecting software stack. | 4 business hours | Status update within 1 business day; remediation within 5 business days. |
| Low (P4) | Minor event or informational issue with no immediate risk. | Routine vulnerability scan findings, false positives. | 1 business day | Included in periodic security summary. |
🚨 Incident Response SLAs
| Phase | Target Timeframe | Description |
|---|---|---|
| Detection & Logging | Within 15 minutes via automated alerting | All critical security events are logged centrally in near real time. |
| Initial Triage | Within 1 hour (Critical), 2 hours (High) | Validation, scope determination, assignment of incident handler. |
| Containment | Within 4 hours of confirmation | Isolation of affected systems or credentials; blocking of malicious access. |
| Eradication & Recovery | Within 24 hours (Critical), 72 hours (High/Medium) | Removal of root cause, patching, data integrity verification, service restoration. |
| Client Notification | Within 2 business hours of confirmed data impact | Transparent communication of impact, mitigation, and follow-up actions. |
| Post-Incident Review | Within 5 business days | Root-cause analysis, lessons learned, control improvements logged in ISMS. |