Why SOC analysts get inconsistent results from ChatGPT (and how structured workflows fix it)

gaurav kundu — Thu, 02 Apr 2026 02:15:06 +0000

If you've ever handed a security alert to ChatGPT and gotten a different answer each time — you've hit the real problem.

It's not the model. It's the prompt.

Most analysts paste an alert and ask "what do you think?" That's like asking a junior analyst to investigate without a runbook. You'll get something back, but the quality depends entirely on how the question was framed.

The real problem: no structure

Experienced SOC analysts don't wing investigations. They follow a process:

Triage the alert
Map to MITRE ATT&CK
Check for lateral movement
Build a containment recommendation
Write a ticket summary

The issue is that most AI-assisted workflows skip steps 2–5 and jump straight to "is this bad?"

What I built

I spent time building SOC.Workflows — a free collection of structured investigation workflows for SOC analysts. Each workflow breaks an investigation into 4 steps, with specific prompts for each step, designed to run in ChatGPT or Claude.

Current workflows:

Phishing Email Investigation
AWS VPC Flow Log Analysis
PowerShell & Script Analysis
Credential Dumping Investigation
Ransomware Triage
Identity Compromise Investigation
URL & Domain Analysis
SOC Alert Triage
Explain This Alert

How it works

Pick a workflow matching your alert type
Copy the workflow prompt
Paste into ChatGPT or Claude
Get structured, step-by-step analysis

No login. No setup. No API keys.

Why structure matters

When I ran the same phishing alert through an unstructured prompt vs. the structured workflow, the difference was clear:

Unstructured: "This looks like a phishing email. Check the sender domain."

Structured: SPF/DKIM validation → header analysis → sender reputation → verdict with risk score → recommended response actions

Same model. Completely different output quality.

Try it

If you work in a SOC or do blue team work, I'd love feedback on which investigation types are missing.

👉 socworkflows.com — free, no login required

SOC Workflow: How I Investigate a Phishing Alert (Step-by-Step)

gaurav kundu — Wed, 01 Apr 2026 15:08:47 +0000

Phishing alerts are one of the most common — and most time-consuming — tasks in a SOC.

But the problem is not the alert itself.

The problem is lack of structured workflow.

Without a clear process, analysts:

Miss important signals
Waste time switching tools
Produce inconsistent results

So here’s the exact step-by-step workflow I use to investigate a phishing alert.

🧠 Step 1: Initial Triage

Start with the basics:

Who reported the email?
Internal or external sender?
Subject line / urgency indicators
Any attachments or links?

👉 Goal: Quickly understand if this is likely phishing or just noise

🔗 Step 2: Extract Indicators (IOCs)

Pull all possible IOCs:

Sender email address
Domain
URLs
File hashes (attachments)

👉 This becomes your investigation base

🌐 Step 3: Reputation Check

Check:

VirusTotal
MalwareBazaar
URL reputation tools

Look for:

Known malicious domains
Newly registered domains
Low reputation signals

🧪 Step 4: Email Analysis

Analyze headers:

SPF / DKIM / DMARC status
Sender spoofing
Reply-to mismatch

Check for:

Impersonation attempts
Display name abuse

🖥️ Step 5: Endpoint Impact

Did the user:

Click the link?
Download attachment?
Execute anything?

Check EDR:

Process activity
PowerShell / script execution
Network connections

🔐 Step 6: Account Activity

Check identity logs:

Suspicious login attempts
MFA prompts
Impossible travel

👉 Especially important for credential phishing

📊 Step 7: Scope & Impact

Answer:

Is it isolated or widespread?
More users affected?
Any lateral movement?

🚨 Step 8: Response Actions

Depending on severity:

Block domain / URL
Quarantine email
Reset user credentials
Isolate endpoint (if needed)

📝 Step 9: Documentation

Always document:

Timeline
Indicators
Actions taken
Final verdict

👉 This improves future detection

⚡ Final Thought

SOC work becomes easier when you stop reacting to alerts…

…and start following repeatable workflows.

This is exactly why I started building structured workflows for investigations:

👉 https://socworkflows.com

It’s a growing library of step-by-step SOC workflows designed to reduce investigation time and improve consistency.

If you're a SOC analyst, I'd love to know:

👉 Do you follow a structured workflow or investigate ad-hoc?

Forem: gaurav kundu