Shifts Happen: How to Rock the SOC Handoff Process With the SEAT-SWAP Method

[Chris Crowley is a cybersecurity instructor and industry analyst. This is Part 2 of his series of easy-to-use “best practice” documents – a veritable Swiss Army Knife of security operations assets on topics ranging from email writing to shift handoffs to training –  created to help SOC professionals save time on common housekeeping tasks. You can read Part 1 here.]

Security operations centers exist to delivery sustained monitoring and response capabilities. Well-performed shift handoffs are a part of that operational strategy. 

AWS Builder Community Hub

It’s no surprise that longer-duration handoffs will usually deliver more effective transfer of knowledge. But you are not required to dedicate a long amount of time to transition from one staff to the next. 

This post covers the handoff of information across three categories: essential, optimal and thorough.

SEAT-SWAP is a contrived acronym, but let’s use it to help you remember and to structure the important items of shift handoff: Staff, Explanation, Awareness and Transition (SEAT) Situation, Written, Appropriate, Persistent (SWAP).



First, staff, of course, need to participate in a shift transition. This means they’re “present” and available to do the handoff. If the time allocated to handoff from one staff member to another is in some way compromised, then the handoff doesn’t work well. 

Think about your personal routine when arriving at work. Are you ready to receive a bunch of information upon arrival? If not, you’re not the only one. Scheduling a shift-handoff discussion in the first 30 minutes of shift start is sub-optimal.

  • Essential: Two people transfer knowledge directly.
  • Optimal: Multiple pairs of staff with dove-tailed shift schedules participate in the transition.
  • Thorough: Geographical or shift-based team transfers.



What is discussed in the handoff is important. Explain the active situations, the concerns, the work that has been done to date to address items and the proposed work to continue these efforts. 

There are tools that will help with this (for example, Slack plugins, checklists & forms, SOAR tools and dedicated handoff tools) but what’s important is that there is a genuine exchange of information among  the parties. Too often, the handoff becomes routine servicing the almighty checklist, and not genuine explanations of what matters and why it matters.

  • Essential: Causes of the situations requiring attention.
  • Optimal: Situational causes and actions taken to date.
  • Thorough: Situational causes, actions taken and proposed next actions to take.



Details must be explained when there’s a specific problem. But you should also share information that would help avoid a problem from occurring. Situational awareness is intended to guide future actions and decisions by bringing issues to visibility so they’re considered. In security, this often takes the form of threat intelligence when speaking about looming threats outside of the environment. But it should also involve briefings related to suboptimal operations or conditions inside of the information systems if these issues are known.

  • Essential: Known IT operational deficiencies or issues. Highest-priority threat intelligence bulletins.
  • Optimal: Dashboard capturing operational deficiencies in environment, recorded briefing (about five minutes) discussing these items. Threat Intel brief on high-priority issues threatening the environment (about five minutes) with reference resources available for staff to review.
  • Thorough: Ongoing real-time integration of IT operational dashboards into SOC visibility for situational awareness. Ongoing real time integration of threat intelligence materials into the SIEM/SOAR/ visibility tools, as well as relevant threat intelligence products prepared for SOC staff situational awareness and executive/constituent briefings recorded for consumption on an as-needed basis.



The continuation of action by the SOC should be seamless to its constituents. To accomplish this, the SOC must not depend on the capabilities of any one individual to deliver consistent service. This depends on multiple factors of development of standards, procedures, training, and information sharing in advance of the handoff itself. The shift change is more effective if staff are already practicing continuity and consistent operational excellence.

If this isn’t the case, the shift change activities won’t fix that. In fact, the shift change might be a cause of frustration due to inconsistencies. Fix the inconsistency problem via another mechanism, not the shift-change meeting. If inconsistencies exist, however, a shift change may need to be leveraged to quickly cross-train staff on appropriate standards, procedures and information dissemination.

  • Essential: In-flight task handoff.
  • Optimal: Ticket reassignment for tasks in flight and action briefing between current task owner and new task owner.
  • Thorough: Institute a system (such as ticketing, SOAR or something else) that automatically re-queues appropriate tasks for work levelling between outgoing and incoming staff resources and assigns briefing activities.

Final guidance (SWAP)

To wrap up, let’s turn to the SWAP part of the acronym as a way encapsulate your mission when it comes to shift handovers.


Discuss the situation that exists. 


This should be in a written form, as well as a recorded briefing that can be reviewed later. (Some people prefer to read it, some people prefer to listen and some people prefer to see it. This can change depending on the topic and your team’s attention bandwidth. Prepare all three all the time.)


This communication needs to be accurate, but also exhibiting a sense of urgency. (These items are primarily moderate, high, or urgent items. Other communication vehicles should exist for lower-priority items.)


Do this work persistently. (This is not something that can be done sometimes or as needed. This is durable and persistent. The shift change always reports, even if there’s a “nothing to report” statement.)

For even more help moving beyond the daily cyber grind and concentrating on what matters most – building resiliency and investigating and remediating real threats, fast – visit to download our free community edition and start SOAR’ing today.

The post Shifts Happen: How to Rock the SOC Handoff Process With the SEAT-SWAP Method appeared first on Siemplify.

*** This is a Security Bloggers Network syndicated blog from Siemplify authored by Chris Crowley. Read the original post at: