Customer Requirements & Qualification

Let’s understand your security operations needs

🎯 What's Your Biggest Pain Point? (Check all that apply)

Drowning in alerts - too much noise, can't find real threats
No context - alerts come in but we don't know what to do
Slow response - takes us hours/days to investigate and act
Coverage gaps - lack of resources / skills gap to handle alerts 24/7
Can't prove value - no metrics on how we're performing
Tool overload - too many dashboards, nothing talks to each other
Others (please specify)

🔧 What Security Tools Do You Have? (Check all that apply)

Endpoint Protection

SentinelOne
Trellix
CrowdStrike
Others (Please list all that matter for your business) -

Firewall/Network

Palo Alto
Fortinet
Check Point
Cisco
Others (Please list all that matter for your business) -

Cloud & Identity

AWS
Azure
GCP
M365
Okta
Others (Please list all that matter for your business) -

Web & Email Security

Imperva (WAF)
Cloudflare (WAF)
Zscaler
Others (Please list all that matter for your business) -

SIEM or SOAR or Log Management

Splunk
Exabeam
Elastic
None, just tool alerts
Others (Please list all that matter for your business) -

Ticketing & Workflow

ServiceNow
Zendesk
PagerDuty
None
Others (Please specify) -

📊 Environment Size (Rough estimates are fine)

Number of users:
Less than 1,000 (Please specify)
1,000-5,000
5,000 - 25,000
More than 25,000
Number of devices/endpoints:
Less than 1,000 (Please specify)
1,000-5,000
5,000-15,000
15,000-75,000
More than 75,000
Where is your infrastructure?
Mostly cloud (Please specify cloud providers e.g. AWS, Azure, GCP, others)
Mostly on-premises data centers
Hybrid

📈 Alert & Data Volume

How many security alerts do you get per day? (Rough estimate)
Not sure
Less than 100
100-500
500-2,000
More than 2,000 (Please specify)

Of those alerts, how many are actually real threats?
Not sure
Most of them (>50%)
Some of them (10-50%)
Very few (<10%)

Do you know your daily log/data volume?
Not sure
Less than 100 GB/day
100 GB - 500 GB/day
500 GB - 2 TB/day
More than 2 TB/day (Please specify)
How long do you need to store security data?
30 days
90 days
180 days
1 year or more (Please specify)
Not sure

🏢 Asset Criticality & Context

Do you have a way to identify which assets are most critical? (e.g., Business Impact Assessment, Asset inventory with criticality ratings)
Yes - we have documented asset criticality
Partially - we know some critical systems but not all
No - everything is treated the same
Not sure

If yes, where is this information?
CMDB / Asset management system
Spreadsheet
Business Continuity plan
Risk management framework
Other (Please specify)

What additional context would help your team respond faster? (Check all that apply)

Internal Context

Asset criticality (which systems matter most)
User profiles (department, role, manager)
Device profiles (OS, patch level, owner)
Historical baselines (is this normal for this asset?)
Other (Please specify)

External Threat Intelligence

File/hash reputation lookups
IP/domain reputation
URL analysis
MITRE ATT&CK technique mapping
Threat actor attribution
Not sure what we need
Other (Please specify)

⚠️ Which Threats Matter to Your Business Most and/or are keeping you up at night? (Pick your top 5)

Ransomware / malware on endpoints
Account takeovers and suspicious logins
Phishing and business email compromise
Web application attacks (SQL injection, etc.)
Insider threats and data leaks
Cloud misconfigurations
Network scanning and unauthorized access
Compliance violations
Others (please specify)

🔬 Triage & Analysis Approach

Do you have existing analysis playbooks for common security scenarios?
Yes - we have documented playbooks we'd like to use
Some - we have playbooks for a few scenarios
No - we'd like to use HM's standard playbooks
Not sure

If you have playbooks, would you want us to follow them?
Yes - follow our existing playbooks
Use HM's playbooks as a starting point, we'll adapt
Just use HM's standard playbooks

⏱️ Response Time & SLA Requirements

How quickly do you need us to respond? (Target SLAs)

Time to Detect (acknowledge we received the alert):

Within 5 minutes
Within 30 minutes
Within 1-2 hours
Same day is fine
Not sure

Time to Triage (analyze and determine if it's real):

Within 30 minutes (Critical) / 2 hours (High)
Within 1 hour (Critical) / 4 hours (High)
Within 2 hours (Critical) / 8 hours (High)
Not sure
Other (Please specify for Critical and High):

Time to Respond (containment action taken):

Within 1 hour (Critical) / 4 hours (High)
Within 4 hours (Critical) / 8 hours (High)
Within 8 hours (Critical) / 12 hours (High)
Not sure
Other (Please specify for Critical and High):

Do you have internal SLAs you want us to track for your team? (e.g., Time for your team to acknowledge, Time for your team to resolve)
Yes (Please specify relevant metrics):
No
Not sure

Who should take containment actions? (block IPs, quarantine endpoints, etc.)
HM takes action - we pre-approve common actions (block bad IPs, quarantine malware)
HM recommends, we execute - tell us what to do, we'll do it
We will handle everything after Triage
Depends on severity - auto-contain for critical, ask for others
Not sure

🕐 What Service Coverage Do You Need?

Business hours (8×5) - weekdays only
Extended hours (16×5) - early morning through evening, weekdays
24/7 - round the clock, every day

Do you have coverage today?
Yes, we have a SOC team covering our needs
No, we just rely on tool alerts
Partial - we have some monitoring and resources but not enough

🚀 How Do You Want to Start?

Quick Win - 30 Days (Start Small)
Connect 2-3 of your key security tools, focus on your top threat scenarios, prove value fast, then expand
Bigger Pilot - 60-90 Days
Connect 5-10 tools, include more use cases, more comprehensive testing
Not Sure Yet
Help me figure out what makes sense

📅 Timeline

When do you need to make a decision?
Within 30 days
30-60 days
60-90 days
Just exploring for now

When would you ideally want to start? Target date:

🔌 Data Source Readiness

Which sources could you connect in the first 30 days? (Check all that apply)
Endpoint protection (SentinelOne/Trellix/CrowdStrike)
Firewall logs
Active Directory / identity logs
Cloud platform logs (AWS/Azure/GCP)
WAF logs (Imperva/Cloudflare)
M365 / Exchange logs
SIEM (if you have one)
VPN logs
DNS logs
Not sure
Are these sources already centralized?
Yes, in our SIEM
Yes, in a log management tool
No, they're in individual tools
Not sure
Can you provide API access or log forwarding?
Yes, we can set that up
Yes, but need approval first
Not sure how that works
Need help figuring this out

🎁 What Would Success Look Like for You?

In 90 days, what outcome would make you happy? (Pick your top 3)
Cut alert noise by 50%+ (fewer false alarms)
Get clear action recommendations for every alert
Respond to critical threats in under 30 minutes
See everything in one place (single dashboard)
Prove we're improving with real metrics (MTTR, SLA tracking)
Get 24/7 coverage without hiring more people

📝 Anything Else We Should Know?

Optional - share any context that would help:
