Organizational Memory
Tribal Knowledge in the SOC: Why Hand-Curated Knowledge Files Don't Scale
The verdict you can't write down
Walk a SOC alert all the way to the end and you hit the same wall every time. The AI investigates, correlates the signals, summarizes what happened, and recommends next steps. Then it stops and hands the decision back to a human. The reason is SOC tribal knowledge: the verdict depends on things nobody ever wrote down. Is this lateral movement, or the backup job that runs every Tuesday at 2 a.m.? A malicious login, or the VP of Sales who always travels to Singapore? Did the alert touch a production host we have to protect right now, or a lab box we can wipe? The investigation is the easy part. The judgment is where the work lives, and the judgment is undocumented. This is the core failure mode behind AI for the SOC: the model can do everything except the one thing that closes the ticket.
What tribal knowledge actually is
"Tribal knowledge" sounds vague, so make it concrete. It is the set of facts your senior analysts carry in their heads that turn a generic finding into a decision in your environment. A few categories:
- Which alerts are normal here. Every environment has a baseline of noise that looks alarming on paper: the PowerShell that fires nightly because of a homegrown deployment script, the "impossible travel" that is really a misconfigured VPN egress in Frankfurt. A junior analyst escalates it; a senior analyst glances and closes it, because they have seen it two hundred times.
- Which tool outputs to trust, and which to double-check. The EDR's verdict on commodity malware is gold. Its verdict on a living-off-the-land binary is a starting point, not an answer. The DLP tool over-flags a specific finance workflow every quarter-end. None of that is in the vendor docs. It is learned by getting burned.
- How senior judgment differs from the playbook. The runbook says "on suspected credential theft, reset the password." The senior analyst knows a password reset alone leaves the attacker's mailbox forwarding rules, OAuth grants, and attacker-registered MFA fully intact. (That gap is exactly why BEC and AiTM investigations require session and token revocation, not a reset.) The playbook is the floor. The judgment is everything above it.
- Which assets are production, and what "production" means today. The asset inventory is six weeks stale. The analyst knows the host named
app-stg-04quietly became a customer-facing dependency last sprint, and that suspending it at 9 a.m. on a weekday is a worse outcome than the alert it would contain.
This is the human intelligence gap. None of it is exotic. All of it is decisive. And almost none of it is in a document.
The static-file trap
The instinct, once you accept that the knowledge matters, is to write it down. Curate it. Build the knowledge base. Drag your IOC-review process and your asset-prioritization rules into a file the agent can read. You see this pattern in vendor demos right now: someone hand-feeds an agent a few well-formatted documents and the agent suddenly "knows" the environment. It demos beautifully. It does not hold up, for three reasons.
Judgment doesn't live in documents. What a senior analyst does in the moment is weigh a dozen partial signals against a mental model of the environment built over years. You can write down the output of that judgment for one specific case, but not the judgment itself, because it is contextual and conditional. "Trust the EDR here, but not there" expands into a decision tree no one will ever finish typing.
Context shifts faster than anyone documents it. The whole point of the SOC is that the environment changes constantly: new apps, new owners, new normal. A knowledge file is a photograph of a moving target. The asset that was lab-only on Monday is production by Thursday. The documentation cadence of a busy SOC is measured in "when we get to it," which is never.
Stale files lose trust, and untrusted files get ignored. This is the quiet killer. The first time an analyst follows a knowledge file and it sends them down a dead path because the context changed three months ago, they stop trusting the file. After that, the file is overhead: something to maintain, audit, and apologize for, that nobody actually consults. A knowledge base analysts don't trust is worse than none, because you paid to build it and you still rely on tribal knowledge in practice.
There is also a structural problem. Knowledge management built on hand-curated files is a losing race against your own change rate. Every hour your team spends documenting is an hour not spent on the queue, and the queue is where the next piece of tribal knowledge is being created. You can never catch up, because documenting is slower than learning. This is part of why so many efforts stall: only about 5% of custom enterprise AI tools reach production (MIT NANDA, 2025), and brittle, hand-maintained context is a big part of why.
To be clear: runbooks still matter. They encode the non-negotiable floor, the eviction steps, the escalation paths, the regulatory must-dos. The mistake is asking a static runbook to also carry the living, conditional judgment that sits on top of it. Those are two different kinds of knowledge, and only one of them fits in a file.
Organizational memory instead
The alternative is not a better-organized wiki. It is organizational memory: knowledge learned from the team's real interactions, not transcribed from their heads in a documentation sprint.
Concretely, that means a few things working together:
- Memory captured from how the team actually triages. When a senior analyst closes the Frankfurt "impossible travel" as benign for the third time, that decision and its reasoning become memory, not because someone wrote a file, but because the system observed the judgment exercised on real alerts. The knowledge accrues as a byproduct of the work, so the documenting tax disappears.
- Memory anchored to entities, not to free text. A persistent knowledge graph resolves users, hosts, apps, and sessions across your tools, so "what we know about
app-stg-04" attaches to the entity and travels with it, through renames, through tool boundaries, into blast-radius analysis. That is the difference between a fact buried in a paragraph and a fact the system can reason over. - Memory that compounds. Six months in, the system knows how this team triages, what is normal in this environment, and what the senior analysts know, accumulated from thousands of real decisions. That knowledge is specific to your org and non-transferable to any competitor, which is why the switching cost grows every month rather than resetting at renewal. A static file does the opposite: it decays.
The contrast is sharp:
| Static runbook / knowledge file | Living organizational memory | |
|---|---|---|
| Source | Written by hand, in a documentation sprint | Learned from real triage decisions as they happen |
| Currency | A snapshot; stale the moment context shifts | Updates continuously as the environment changes |
| Structure | Free text in a doc | Entity-anchored in a knowledge graph |
| Maintenance | Ongoing tax, competes with the queue | Accrues as a byproduct of the work |
| Trust over time | Erodes as files go stale | Compounds as decisions accumulate |
| Coverage | The documented floor | The floor plus the conditional judgment on top |
| Portability | Generic; transfers anywhere | Org-specific; non-transferable, raises switching cost |
Organizational memory does not abolish runbooks. It does the job runbooks were never able to do: hold the part of the knowledge that is conditional, contextual, and always moving.
Why this is the thing that unlocks autonomy
Captured org memory is not a side feature. It is the prerequisite for everything above the investigation layer. The native agents, Microsoft Security Copilot, CrowdStrike Charlotte AI, Cortex, already win at investigating their own alerts, and they are increasingly free. The leverage is no longer in investigating; it is in judging and orchestrating those agents: weighing their verdicts, reconciling conflicts, and deciding when to act. That judgment is impossible without the very tribal knowledge we have been describing, which is why judging the native security agents depends on having organizational memory first.
AI hands the verdict back to a human because the verdict depends on knowledge that was never written down, and hand-curated files will never close that gap. They go stale faster than you can maintain them. Living organizational memory, learned from real triage and anchored to entities, captures that judgment as a compounding asset. That memory is what lets an AI finally weigh and orchestrate the agents instead of stopping at the recommendation.