CASE_STUDY_02 · Millennium Management · 2019
Tags: SOC Automation · Python · OpsGenie · ServiceNow · Cofense PhishMe

KRAKEN SOC AUTOMATION

Custom Python automation service integrating 6+ security tools into a single layer — eliminating manual ticket creation, automating phishing triage, and building the metrics foundation that made data-driven process improvement possible.

[Figure: Kraken SOC automation architecture diagram]
  • 60% phishing volume reduced
  • 6+ security tools integrated
  • 3 core integrations
  • Python runtime
  • Built in 2019

MANUAL TOIL AT SCALE

SOC analysts were context-switching between disconnected platforms — triaging alerts in one system, filing tickets in another, chasing phishing reports in a third. The overhead wasn't incidental; it compounded. Every manual step was a place where context got lost, metrics got muddied, and analyst fatigue accumulated.

No consistent ServiceNow field completion meant ticket data couldn't be trusted for metrics. Phishing reports arrived continuously and required per-case analyst handling — routing, triage, and closure all manual, all time-consuming.

The goal: automate the parts of the job that didn't require a human, so the parts that did could get full attention.

[Diagram: manual toil surface (tool silos, bad data quality, phish triage load); toil gap: no automation layer]
  • No single alert ingest layer — security tools siloed with no cross-platform workflow
  • Manual ServiceNow ticket creation with inconsistent field completion — data too unreliable to build metrics on
  • Phishing reports required per-case analyst handling — routing, triage, and closure all manual
  • No trustworthy metrics baseline — impossible to measure outcomes or identify patterns for improvement
§03 — Architecture

Step 1: OpsGenie ingest + tag
All alerts at Millennium flowed through OpsGenie first for deduplication and automatic tagging based on alert content. Kraken consumed those tags as its routing primitive — no re-parsing raw alert data from each individual source.

Step 2: Classify + route + enrich
Tags drove routing, enrichment, and action. For SIEM-sourced alerts, Kraken pulled rich context automatically. For phishing reports, classification logic determined routing toward closure or escalation.

Step 3: ServiceNow + SIEM + Cofense
Three downstream systems fully automated: ServiceNow tickets created with all required fields populated, SIEM alert detail fetched for analyst context, Cofense reports routed to closure or escalation based on the classification model.

BUILT BY AN ANALYST FOR ANALYSTS.

Kraken was a Python service managed as a systemd unit — automatic start and restart with zero ops overhead. It was built before "security engineering" was a job title, by an analyst who decided the tooling problem was worth solving.

Using OpsGenie as the single ingest point was the key architectural decision. It meant Kraken never needed to speak each tool's API for parsing — only for action. Adding a new alert source became adding a new OpsGenie tag; Kraken didn't change.

  • Python service running as a systemd unit — always-on, automatic restart, zero ops overhead
  • OpsGenie dedup and tagging used as routing primitive — decoupled alert parsing from downstream action
  • Consistent ServiceNow field completion enforced by design — not convenience, but a deliberate data quality strategy
  • Cofense PhishMe integration — automated close or escalate on every incoming phishing report
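The tag-driven dispatch described in the architecture steps and the bullets above, as an added illustration that is not Kraken's own code: OpsGenie is assumed to have already deduplicated and tagged each alert, the `key:value` tag names, the default `soc-l1` assignment group and the sample alerts are all constructed, and handlers return the payload they would send rather than calling any API.

```python
# Added illustration, not Kraken's code: a tag-driven router in the style the
# case study describes. OpsGenie is assumed to have already deduplicated and
# tagged each alert; the alert dicts and tag names below are constructed.
from dataclasses import dataclass, field

# every ticket must carry these so the ServiceNow data stays queryable for metrics
SNOW_REQUIRED = ("short_description", "category", "assignment_group", "source_alert_id", "severity")

@dataclass
class Action:
    kind: str            # snow_ticket | siem_enrich | cofense_close | cofense_escalate | analyst_review
    payload: dict = field(default_factory=dict)

def parse_tags(alert: dict) -> dict:
    """OpsGenie-style 'key:value' tags are the only thing the router reads."""
    return dict(t.split(":", 1) for t in alert.get("tags", []) if ":" in t)

def build_snow_ticket(alert: dict, tags: dict) -> Action:
    ticket = {
        "short_description": alert.get("message"),
        "category": tags.get("category"),
        "assignment_group": tags.get("team", "soc-l1"),   # default group is an assumption
        "source_alert_id": alert.get("id"),
        "severity": alert.get("priority"),
    }
    missing = [k for k in SNOW_REQUIRED if not ticket[k]]
    if missing:  # refuse to create a half-filled ticket rather than poison the metrics
        raise ValueError(f"alert {alert.get('id')}: missing ServiceNow fields {missing}")
    return Action("snow_ticket", ticket)

def route(alert: dict, classify=lambda a: "escalate") -> list:
    """Tag-driven dispatch; adding a source means adding a tag, not parsing a new format."""
    tags = parse_tags(alert)
    source = tags.get("source")
    if source == "siem":
        return [Action("siem_enrich", {"event_id": alert["id"]}), build_snow_ticket(alert, tags)]
    if source == "cofense":
        if classify(alert) == "close":
            return [Action("cofense_close", {"report_id": alert["id"], "reason": "classified_fp"})]
        return [Action("cofense_escalate", {"report_id": alert["id"]}), build_snow_ticket(alert, tags)]
    # untagged or unknown source: never drop silently, hand it to a human
    return [Action("analyst_review", {"alert_id": alert.get("id"), "tags": tags})]

# constructed sample alerts as they might look after OpsGenie dedup + tagging
SAMPLE_ALERTS = [
    {"id": "A-1", "message": "Suspicious PowerShell on WS-042", "priority": "P2",
     "tags": ["source:siem", "category:malware"]},
    {"id": "A-2", "message": "Reported email: Invoice overdue", "priority": "P4",
     "tags": ["source:cofense", "category:phishing"]},
    {"id": "A-3", "message": "Untagged vendor alert", "priority": "P3", "tags": []},
]
```

With no classifier supplied the router defaults to escalation, so a missing model degrades to more analyst work rather than to silently closed reports.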
Timeline
  • Early 2019: Kraken built (Python service · systemd · OpsGenie ingest)
  • Mid 2019: core integrations live (ServiceNow auto-ticket · SIEM enrichment · Cofense routing)
  • Late 2019: phishing data analysis (TP/FP rates · keyword patterns · classification model built)
  • 2019 – 2020: 60% reduction sustained (automated phishing triage · analyst capacity redirected)

WHAT THE SPEC DIDN'T MENTION

Most design choices in Kraken were invisible to end users but decisive for longevity. The most important: treating ServiceNow field consistency as a data quality strategy rather than a convenience.

Reliable ticket data was the prerequisite for everything that followed. Without it, the phishing analysis couldn't have been done, and the classification model wouldn't have had ground truth to build on.

  • OpsGenie as routing primitive — consuming tags avoided re-parsing every alert source's raw format. New sources became new tags; Kraken didn't change.
  • ServiceNow field consistency — requiring complete fields wasn't a UX choice. It made ticket data queryable and trustworthy, which is what made automation possible later.
  • systemd unit — simple, proven, zero ops overhead. Automatic restart without building a management layer on top of the service itself.
  • Tag-driven architecture — decoupled alert parsing (OpsGenie's problem) from action (Kraken's problem). Clean separation of responsibilities at the system boundary.

THE LOOP THAT BUILT ITSELF

The 60% reduction in phishing report volume wasn't a configuration change — it was the result of a data-driven feedback loop that Kraken made possible in the first place.

Reliable ServiceNow field completion meant phishing report data was consistent and queryable. That data became the foundation for a manual but rigorous analysis: TP/FP rates, keyword patterns, subject line characteristics, and behavioral signals across the full dataset.

The analysis produced a classification model. The model went directly into Kraken. From that point, Kraken automatically closed false positive phishing reports and escalated confirmed threats — without analyst intervention on routine cases. Infrastructure created the data. Data enabled the analysis. Analysis automated the work.

[Diagram: infrastructure → data (OpsGenie → Kraken → SNOW data); analysis → automation (analysis → model → auto-close → next report auto-routed)]
  • False positive phishing reports closed automatically — no analyst touch required
  • Confirmed threats escalated immediately — no triage delay between report and response
  • Classification model built from real data, not heuristics — grounded in observed TP/FP patterns
  • The same infrastructure that created the data is what automated it — the loop is the actual product
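The feedback loop above, as an added illustration rather than Kraken's actual model: a keyword classifier fitted from analyst-labelled phishing reports (the subject lines and labels below are constructed ground truth), producing a close or escalate verdict only where the evidence is strong and leaving the uncertain band with an analyst. The thresholds and the Laplace smoothing constant are assumptions.

```python
# Added illustration, not Kraken's model: a keyword classifier fitted from
# analyst-labelled phishing reports, in the spirit of the TP/FP analysis the
# case study describes. The labelled subjects below are constructed sample data.
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")

# constructed ground truth: (subject line, True if analysts confirmed a real phish)
LABELLED = [
    ("Your mailbox is full - verify account now", True),
    ("Urgent: verify your password", True),
    ("Invoice overdue - verify payment", True),
    ("DocuSign: document requires signature", True),
    ("Weekly newsletter: market update", False),
    ("Weekly newsletter: team lunch", False),
    ("Webinar invitation: cloud security", False),
    ("Your order shipped", False),
]

def tokens(subject: str) -> set:
    return set(TOKEN.findall(subject.lower()))

def fit(labelled, alpha: float = 1.0) -> dict:
    """Turn per-keyword TP/FP counts into log-likelihood weights (Laplace-smoothed)."""
    tp, fp = Counter(), Counter()
    n_tp = sum(1 for _, is_threat in labelled if is_threat)
    n_fp = len(labelled) - n_tp
    for subject, is_threat in labelled:
        (tp if is_threat else fp).update(tokens(subject))
    weights = {}
    for tok in set(tp) | set(fp):
        p_tp = (tp[tok] + alpha) / (n_tp + 2 * alpha)
        p_fp = (fp[tok] + alpha) / (n_fp + 2 * alpha)
        weights[tok] = math.log(p_tp / p_fp)   # >0 leans threat, <0 leans false positive
    return {"weights": weights, "prior": math.log((n_tp + alpha) / (n_fp + alpha))}

def score(model: dict, subject: str) -> float:
    return model["prior"] + sum(model["weights"].get(t, 0.0) for t in tokens(subject))

def decide(model: dict, subject: str, close_below=-2.0, escalate_above=2.0) -> str:
    """Only confident verdicts are automated; the uncertain band stays with an analyst."""
    s = score(model, subject)
    if s <= close_below:
        return "close"          # confident false positive: auto-close the report
    if s >= escalate_above:
        return "escalate"       # confident threat: escalate immediately
    return "analyst"

MODEL = fit(LABELLED)
```

The `decide` verdict is what the router's `classify` hook would consume, and re-fitting on each new batch of analyst labels is how the loop keeps improving itself.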