A small security operations practice for teams that need answers, not noise.
Rose Watch is a focused security operations practice supporting a handful of teams who care more about signal than dashboards. We sit between the noise floor of generic SIEM tooling and the specialized work of incident response — the gap where most missed detections live.
The team came up running real SOC shifts and learned the hard way that the first hour of a triage decides the next forty. Our deliverables — runbooks, detection rules, IR timelines — read the way an analyst at 3 a.m. needs them to read: short headers, exact commands, no ceremony.
We work with internal teams under quiet engagements. No marketing pages, no analyst-relations push. Most introductions come through people we've already worked with. If you reached this page through a different path, see [email protected].
We review endpoint, network, and identity telemetry against the team's known-good baseline. Findings come back as a ranked list with reproducible queries — never a CSV dump.
We write detections that survive contact with production traffic. Each rule ships with the false-positive analysis, the test fixture, and the runbook the on-call analyst will read at three in the morning.
Containment-first IR with structured timelines, IOC extraction, and a written post-incident review. Engagements include the handoff document the team will reuse next time.
Scenario-driven exercises rooted in real campaigns. Each session ends with participants holding the runbook they authored under pressure.
The image above is the artifact. Seven flags are embedded across escalating layers — surface metadata at the easy end, derived-key cryptography at the hard end. Submit a flag below to receive the runbook for the technique it demonstrates. All identities are auto-generated; submissions are tracked against your assigned handle for the leaderboard.
Tooling expected on a normal analyst workstation: curl, exiftool, binwalk, zsteg, a Python crypto library. No browser-only tricks; everything is reproducible from a shell.
Operational and security inquiries: [email protected]. We do not maintain a sales channel; engagements come through referral. Vulnerability reports are welcome — see our security.txt.