Most SOC analysts use AI the wrong way. They ask vague questions and get generic answers. They treat ChatGPT or Claude like a search engine instead of a senior analyst sitting next to them.

The difference between a good AI prompt and a great one is structure. A great prompt tells the AI who it is, what you need, how to format the answer, and what level of detail you expect. The result is an output that saves you 30 minutes of investigation time on every single alert.

After 4+ years in SOC operations — working across alert triage, threat hunting, and incident response — I built this prompt. It is the one I use every day. Copy it, adapt it to your environment, and share it with your team.


How to use this prompt: Copy the full prompt below. Paste it into ChatGPT (GPT-4o), Claude, or Microsoft Copilot for Security. Replace every [bracketed section] with your specific details. The more context you give, the better the output.

🔐 THE ULTIMATE SOC ANALYST MASTER PROMPT

You are a senior SOC analyst with 10+ years of experience in security operations, threat hunting, and incident response. You have deep expertise in SIEM platforms (Microsoft Sentinel, Splunk, IBM QRadar), EDR tools (CrowdStrike Falcon, SentinelOne, Microsoft Defender), and the MITRE ATT&CK framework. You think like an attacker and respond like a defender.

I am a SOC analyst at a [industry] organisation. Our security stack includes [list your tools]. Our environment has approximately [number] endpoints and [number] users.

I have received the following security alert / incident:

[PASTE YOUR ALERT DETAILS, LOG ENTRIES, OR INCIDENT DESCRIPTION HERE]

Please provide a complete analysis covering all of the following:

1. ALERT SUMMARY
   - What does this alert mean in plain language?
   - What is the likely cause?
   - Initial severity assessment: Critical / High / Medium / Low — and why?

2. TRUE POSITIVE OR FALSE POSITIVE ASSESSMENT
   - What indicators suggest this is a true positive?
   - What indicators suggest this could be a false positive?
   - What is your overall confidence level and why?

3. MITRE ATT&CK MAPPING
   - Which tactic does this map to?
   - Which technique and sub-technique?
   - What is the attacker likely trying to achieve at this stage?
   - What is their likely next move if this is a true positive?

4. INVESTIGATION STEPS
   - List the next 5 investigation steps in priority order.
   - For each step: what am I looking for, where do I look, and what does the result tell me?

5. KQL QUERIES (Microsoft Sentinel)
   - Write 3 KQL queries I should run immediately to find related activity.
   - Include a comment above each query explaining what it detects.
   - Make them production-ready.

6. CONTAINMENT ACTIONS
   - If confirmed malicious: what are my immediate containment actions?
   - In what order should I execute them?
   - What are the business impact considerations for each action?

7. ESCALATION DECISION
   - Should I escalate this to Tier 2 or handle at Tier 1?
   - What information should I include in my escalation note?
   - What is my recommended severity for the ticket?

8. DOCUMENTATION
   - Write a concise incident summary I can paste directly into my ticketing system.
   - Include: alert description, investigation findings, actions taken, current status, and next steps.

9. LESSONS LEARNED
   - What detection gap did this alert reveal?
   - What rule or detection should we add or tune to catch this faster next time?
   - What security control would have prevented this attack at an earlier stage?

HOW TO GET THE BEST RESULTS

For the alert section: paste the raw alert text, log entries, affected username, affected hostname, source IP, destination IP, timestamp, and any other details visible in your SIEM or EDR.

For your environment: tell it your industry, your tools, your approximate size, and any relevant context about the affected user or system — their role, normal behaviour, whether they have admin rights.

For follow-up questions: ask "what if the IP is internal?" or "assume this is a true positive — what is the full attack chain?" or "write me the escalation email for this incident."
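As an added example that is not part of the original post, here is a small Python helper that fills the prompt's [bracketed sections] from structured values and refuses to produce a prompt while any field is still blank. The TEMPLATE is an abbreviated copy of the environment block above, and the ENVIRONMENT and ALERT values are constructed samples.

```python
import re
PLACEHOLDER = re.compile(r"\[([^\[\]]+)\]")  # the template's [bracketed section] fields
ALERT_FIELD = "PASTE YOUR ALERT DETAILS, LOG ENTRIES, OR INCIDENT DESCRIPTION HERE"

# Abbreviated copy of the prompt's environment block (the full prompt is longer).
TEMPLATE = (
    "I am a SOC analyst at a [industry] organisation. Our security stack includes "
    "[list your tools]. Our environment has approximately [number] endpoints and "
    "[number] users.\n\nI have received the following security alert / incident:\n\n"
    f"[{ALERT_FIELD}]\n"
)

def fill_prompt(template: str, values: dict[str, list[str]]) -> str:
    """Replace each [placeholder] with the next queued value for that name.
    A repeated name (like [number]) consumes its values in template order; a
    placeholder with no value left is kept verbatim so it can be flagged."""
    queues = {name: list(vals) for name, vals in values.items()}
    def substitute(match: re.Match) -> str:
        queue = queues.get(match.group(1))
        return queue.pop(0) if queue else match.group(0)
    return PLACEHOLDER.sub(substitute, template)

def unfilled_placeholders(text: str) -> list[str]:
    """Placeholder names still present, in order; empty means ready to paste."""
    return PLACEHOLDER.findall(text)

def build_prompt(template: str, environment: dict[str, list[str]], alert: dict[str, str]) -> str:
    """Fill the environment fields, refuse if any is still blank, then paste the alert.
    The alert goes in last: raw log lines may contain their own brackets, which
    must not be mistaken for unfilled template fields."""
    partial = fill_prompt(template, environment)
    leftover = [name for name in unfilled_placeholders(partial) if name != ALERT_FIELD]
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    # Render the alert fields the post recommends as 'key: value' lines.
    alert_text = "\n".join(f"{key}: {value}" for key, value in alert.items())
    return partial.replace(f"[{ALERT_FIELD}]", alert_text)

# Constructed sample values; not from any real environment.
ENVIRONMENT = {
    "industry": ["healthcare"],
    "list your tools": ["Microsoft Sentinel, Microsoft Defender for Endpoint"],
    "number": ["4200", "3800"],  # endpoints, then users, in template order
}
ALERT = {
    "Alert": "Multiple failed sign-ins followed by a success",
    "User": "jdoe", "Host": "WS-1234",
    "Source IP": "203.0.113.45", "Timestamp": "2026-01-15T09:41:00Z",  # RFC 5737 test address
}
```

Call build_prompt(TEMPLATE, ENVIRONMENT, ALERT) and paste the returned string; a repeated field such as [number] is filled from its list in the order it appears in the template.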

WHY THIS PROMPT WORKS

Most analysts ask AI one question at a time. That approach gets shallow answers. This prompt asks for everything at once — summary, MITRE mapping, investigation steps, KQL queries, containment, escalation, documentation, and lessons learned.

The result is a complete investigation package. This prompt can compress 45 minutes of Tier-1 triage work into under 5 minutes.

The SOC analysts who master AI prompting in 2026 are not replacing their expertise — they are amplifying it. Every year of experience you have makes the output of this prompt better.

Copy this prompt. Adapt it. Make it yours. And share it with every analyst on your team.