Effective Threat Investigation For SOC Analysts Read Online May 2026
The screen glowed a sickly amber in the dim light of the SOC. Marcus’s third coffee of the shift sat cold beside his keyboard, a tiny graveyard of caffeine loyalty. The SIEM dashboard was a waterfall of green and yellow—noise, mostly. Failed logins from a printer in accounting. A port scan from a sanctioned penetration test. The usual digital tumbleweed.
Then: "Good work. Activate the IR plan. I'm calling the CISO."
This was the moment the textbooks didn't prepare you for. The moment where the "read online" guides stop at "enrich the indicator" and "escalate to tier 3." But Marcus was tier 3. There was no one above him at 3:15 AM except the on-call manager who'd ask, "Is it a real fire, or a flicker?"
"Talk to me," the manager said, voice gravelly.
His heart hammered. Encoded PowerShell. He decoded the first layer. A download cradle. The second layer? A callback to a domain he didn't recognize: journalofsocresearch[.]com.
Marcus almost clicked "ignore." He’d seen this IoC (Indicator of Compromise) before—a known false positive tied to a legacy SMTP relay. But the timestamp was wrong. 03:14:07. The relay was decommissioned six months ago.
Silence.
He remembered the first rule of effective threat investigation: Follow the anomaly, not the alert.