When Docker's Detection and Response Manager joined the company, they needed to build a lean but effective security team. And, with aggressive SOC 2 Type 1 compliance deadlines looming, the team needed to implement centralized logging and alerting quickly while establishing an affordable and scalable foundation that could grow with their future security requirements.

Legacy security monitoring products weren’t built with the infrastructure required for today’s high-volume cloud logs, resulting in prohibitively expensive costs to meet increasing ingestion requirements. As a multi-cloud company (AWS/GCP/Azure), comprehensive log ingestion at an affordable and predictable cost was a top priority for Docker. 

"Without visibility, detection is impossible.  Panther gives us 100% visibility of our security logs, giving us cross-cloud visibility at scale." 

Docker’s Detection & Response Manager 

Building a Security Program with Scalability in Mind 

Docker's growth as a company required a security approach that could scale without exponential headcount increases. Their solution was to develop a detection engineering-focused team rather than a traditional SOC analyst model.

"Panther lets Docker build programmable detections with confidence, reducing the time spent by our lean security team.” 

Docker’s Detection & Response Manager 

Panther's Python-based programmable detections were the perfect solution. Unlike traditional SIEMs with proprietary, limited query languages, Panther allowed Docker's security team to leverage a flexible universal programming language they were already familiar with. Additionally, utilizing Python in their security workflows improved collaboration with other engineering teams since Python is not uncommon at Docker.

The Python programmable detections' flexibility enabled the Docker team to easily tune and customize their rules, resulting in an 85% reduction in their false positive alert rate year over year.

Achieving Cost-Effective Visibility Across a Multi-Cloud Environment

Panther's cloud-native architecture allowed Docker to ingest and analyze logs from diverse sources that were previously difficult to process and correlate, including VPC flow logs, HA proxy, GuardDuty, and Security Hub. This expanded visibility provided crucial context for their detection and investigation workflows. Using Panther signals and correlation rules, Docker was able to build automation that reduced the volume of false-positive alerts requiring manual triage and investigation. 

“Panther’s correlation rules provide us with cross-log context to investigate and close more alerts without manual effort.”  

Docker’s Detection & Response Manager 

Despite an impressive 3x increase in log ingestion, Docker maintained complete control over its costs. With predictable and affordable pricing, the team didn’t have to make calculated risks by omitting certain sources, a rarity for today’s security operations teams using legacy solutions. They get to make decisions based on security priorities instead of cost constraints.

Meeting Compliance Deadlines with Ready-to-Use Security Monitoring

Docker’s Detection and Response Manager was hired and immediately tasked with helping the organization achieve SOC 2 Type 1 Compliance on a tight deadline. To meet compliance requirements, they needed to implement comprehensive security monitoring and alerting capabilities quickly.

Panther's out-of-the-box integrations and detection packs provided immediate value. The team quickly onboarded their most critical data sources to Panther, like Okta and AWS CloudTrail,  establishing baseline security monitoring with minimal configuration effort. The platform's pre-built detections for common threats and compliance use cases meant that Docker could establish the required security controls in time for their audit.

“Panther makes ingestion straightforward, and the support team helped me onboard our custom data quickly. They made my job very easy.”

Docker’s Detection & Response Manager 

With Panther, Docker achieved their SOC 2 certification on schedule while building the foundation for ongoing security operations excellence. As they continue to mature their program, they're exploring capabilities like correlation rules to create higher-fidelity detections by combining multiple signals.