Claude Project: Build Your Personal SOC Analyst Assistant
What This Builds
A persistent Claude Project configured with your organization's specific context — your tool stack, your compliance requirements, your report templates, and your preferred writing style. Every conversation starts with full organizational context, so you skip the "let me explain our environment" preamble every time. Instead of explaining that you run Splunk + CrowdStrike + ServiceNow every session, Claude already knows. Every report, policy, and detection rule it produces matches your organization's standards from the first word.
Prerequisites
- Claude Pro subscription ($20/month at claude.ai)
- Comfortable with basic Claude conversations (Level 3)
- Your organization's incident report template (even an informal one)
- A few minutes to document your security stack in bullet points
The Concept
A Claude Project is like hiring a new security analyst who already read your entire playbook on their first day. You set it up once by uploading your templates, policies, and environment documentation. After that, every conversation in that Project starts from that shared foundation. You don't re-explain your SIEM platform, your report format, or your risk rating system. The AI remembers. Over time, the Project becomes increasingly valuable as you add more documents and context.
Build It Step by Step
Part 1: Create the Project
- Open claude.ai and sign in to your Pro account
- In the left sidebar, click "New project" (or look for a "Projects" section with a "+" button)
- Name your project: "SOC Analyst Assistant" or your team name
- You'll see a Project interface with two sections: Instructions (always-on system prompt) and Files (uploaded documents)
What you should see: A project workspace with a chat interface, an Instructions panel on the right, and a Files tab.
Part 2: Write Your System Instructions
Click "Set instructions" or the Instructions panel. This is your permanent context — what Claude knows about you and your organization every time you open this Project.
Copy and customize this template:
You are a security analyst assistant for [COMPANY NAME], a [industry] company with [employee count] employees.
## Our Security Stack
- SIEM: [Splunk / Microsoft Sentinel / QRadar / Elastic] — version [X]
- EDR: [CrowdStrike Falcon / SentinelOne / Microsoft Defender XDR]
- Ticketing: [ServiceNow / Jira] — tickets follow format [INC-XXXXX]
- Email Security: [Proofpoint / Mimecast / Microsoft Defender for O365]
- Cloud: [AWS / Azure / GCP / hybrid on-prem]
- Identity: [Active Directory / Azure AD / Okta]
## Our Compliance Requirements
[HIPAA / SOC 2 Type II / PCI DSS / CMMC Level 2 / ISO 27001] — specify which apply
## Incident Severity Classifications
- SEV 1 (Critical): [your definition — e.g., active breach, data exfiltration confirmed]
- SEV 2 (High): [e.g., confirmed compromise, service disruption]
- SEV 3 (Medium): [e.g., suspicious activity requiring investigation]
- SEV 4 (Low): [e.g., policy violation, informational]
## Report Writing Style
- Reports are written in third person, formal professional tone
- Audience: technical reports go to the security team; executive summaries go to the CISO
- Incident IDs follow format: INC-[DATE]-[SEQUENCE]
- Time zone: [your time zone]
## What I need from you
1. When I give you investigation notes, draft a complete incident report in our standard format
2. When I ask about CVEs or threats, give a summary that includes applicability to our specific stack
3. When I ask for SIEM queries, write them in [SPL / KQL / our SIEM's language]
4. When I draft communications, adjust tone based on the stated audience
5. Never invent facts — use [PLACEHOLDER] when information is missing
Fill in all bracketed fields. Click Save.
Part 3: Upload Your Reference Documents
Click the "Files" tab in your Project. Upload documents that Claude will reference in every conversation:
Priority uploads:
- Your incident report template — even a simple Word doc with the section structure
- Your incident response playbook — the steps your team follows for common incident types
- Your severity matrix — how you classify incident severity with examples
- Your escalation procedures — who to contact at which severity level
- Common SIEM query library — any queries your team uses repeatedly (paste into a text file)
Optional but valuable:
- Your organization's security policies (AUP, IRP, data classification)
- Your standard communication templates (incident notification emails, breach notifications)
- Your on-call rotation and contact list
How to upload: Drag and drop files into the Files tab, or click "Upload files." Claude will reference these documents in responses without you having to paste them.
Part 4: Test and Refine
Start a conversation in your Project. Test these scenarios:
Test 1 — Incident report: "I need to write an incident report. [Paste 5 bullet points of investigation notes]. Draft the report."
- Does it use your severity classification?
- Does it follow your report template structure?
- Does it mention the right SIEM and ticketing system?
Test 2 — SIEM query: "Write a detection query to find failed logins from the same IP more than 10 times in 5 minutes."
- Does it write in the right query language (SPL vs KQL)?
Test 3 — CVE applicability: "CVE-2024-12345 was just announced. Does it affect our environment?"
- Does it reference your specific stack to answer the applicability question?
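The detection logic behind Test 2, as an added Python example rather than anything from the original guide or from Claude's output: it parses constructed authentication log lines, keeps a sliding five-minute window of failures per source IP, and raises an alert once an IP exceeds ten failures. The log format, usernames and IP addresses are constructed for illustration; a real SIEM query would read the equivalent fields from your own authentication logs.

```python
"""
Sliding-window detection of repeated failed logins from one source IP.
Added example, not code from the original guide or from Claude; the log
format, usernames and IP addresses are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (key=value fields, one event per line).
# 203.0.113.7 fails 12 times in under three minutes; 198.51.100.22 fails
# slowly (every two minutes); 10.0.0.5 is a normal user with one typo.
SAMPLE_LOGS = """\
2024-05-01T09:00:00Z auth=FAILURE user=admin src=198.51.100.22
2024-05-01T09:02:00Z auth=FAILURE user=admin src=198.51.100.22
2024-05-01T09:02:30Z auth=SUCCESS user=jdoe src=10.0.0.5
2024-05-01T09:03:00Z auth=FAILURE user=jdoe src=203.0.113.7
2024-05-01T09:03:15Z auth=FAILURE user=jdoe src=203.0.113.7
2024-05-01T09:03:30Z auth=FAILURE user=svc_backup src=203.0.113.7
2024-05-01T09:03:45Z auth=FAILURE user=administrator src=203.0.113.7
2024-05-01T09:04:00Z auth=FAILURE user=admin src=198.51.100.22
2024-05-01T09:04:00Z auth=FAILURE user=jdoe src=203.0.113.7
2024-05-01T09:04:15Z auth=FAILURE user=root src=203.0.113.7
2024-05-01T09:04:30Z auth=FAILURE user=jdoe src=203.0.113.7
2024-05-01T09:04:45Z auth=FAILURE user=guest src=203.0.113.7
2024-05-01T09:05:00Z auth=FAILURE user=jdoe src=203.0.113.7
2024-05-01T09:05:15Z auth=FAILURE user=jdoe src=203.0.113.7
2024-05-01T09:05:30Z auth=FAILURE user=jdoe src=203.0.113.7
2024-05-01T09:05:45Z auth=FAILURE user=jdoe src=203.0.113.7
2024-05-01T09:06:00Z auth=FAILURE user=admin src=198.51.100.22
2024-05-01T09:07:10Z auth=FAILURE user=jdoe src=10.0.0.5
2024-05-01T09:08:00Z auth=FAILURE user=admin src=198.51.100.22
2024-05-01T09:10:00Z auth=FAILURE user=admin src=198.51.100.22
2024-05-01T09:12:00Z auth=FAILURE user=admin src=198.51.100.22
"""

WINDOW = timedelta(minutes=5)
THRESHOLD = 10          # "more than 10 times" means the 11th failure fires


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into (datetime, dict of fields)."""
    ts, fields = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in fields.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert dict per source IP whose FAILURE count exceeds
    `threshold` within any sliding `window`. Events are sorted by time first
    so out-of-order log delivery does not break the window arithmetic."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent = defaultdict(deque)   # src IP -> timestamps of failures still in window
    alerts, already = [], set()
    for ts, kv in events:
        if kv.get("auth") != "FAILURE":
            continue
        ip = kv["src"]
        dq = recent[ip]
        dq.append(ts)
        while dq and ts - dq[0] > window:   # drop failures older than the window
            dq.popleft()
        if len(dq) > threshold and ip not in already:
            alerts.append({"src": ip, "count": len(dq), "first": dq[0], "last": ts})
            already.add(ip)       # one alert per IP, not one per extra failure
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {a['src']}: {a['count']} failures between {a['first']} and {a['last']}")
```

Running this on the sample data gives you a known-good answer to compare the generated SPL or KQL against: exactly one source should trip the rule. One edge case worth checking in the generated query: SPL's `bin _time span=5m` and KQL's `bin(TimeGenerated, 5m)` use fixed buckets, so eleven failures that straddle a bucket boundary can split into two groups of fewer than ten and go unreported, whereas the sliding window here catches them.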
If any test produces generic or incorrect output, update your Instructions with more specific context.
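A way to run the "does it follow our standards" checks above automatically, as an added Python example that is not part of the original guide: it takes a drafted report as text and flags deviations from the Project instructions (severity labels outside the matrix, a malformed incident ID, missing template sections, unfilled placeholders, and tools named that are not in the stack). The profile values and both sample drafts are constructed to match the template in Part 2; the assumption that sections appear as "## Name" or "Name:" lines is about your report template, not anything the page states.

```python
"""
Lint a drafted incident report against the organisation's standards.
Added example, not code from the original guide or from Claude. The profile,
the section layout and both sample drafts are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed profile mirroring the fields filled into the Project instructions.
ORG_PROFILE = {
    "required_sections": ["Summary", "Timeline", "Impact", "Remediation"],
    "severities": {"SEV 1", "SEV 2", "SEV 3", "SEV 4"},
    # Products this (constructed) org does not run; naming one means context was ignored.
    "foreign_tools": {"Splunk", "QRadar", "Elastic", "Jira"},
}

INCIDENT_ID_RE = re.compile(r"\bINC-(\d{8})-(\d{3,})\b")   # INC-[DATE]-[SEQUENCE]
PLACEHOLDER_RE = re.compile(r"\[[A-Z][A-Z _]*\]")          # [PLACEHOLDER], [HOSTNAME], ...
SEVERITY_RE = re.compile(r"\bSEV \d\b")


def check_report(text, profile=ORG_PROFILE):
    """Return a list of findings; an empty list means the draft passes."""
    findings = []

    # 1. Incident ID present and its date part is a real calendar date.
    m = INCIDENT_ID_RE.search(text)
    if m is None:
        findings.append("missing incident ID in INC-YYYYMMDD-SEQ format")
    else:
        try:
            datetime.strptime(m.group(1), "%Y%m%d")
        except ValueError:
            findings.append(f"incident ID has invalid date part: {m.group(0)}")

    # 2. Severity uses our matrix labels, not P1 / Critical / etc.
    sevs = set(SEVERITY_RE.findall(text))
    if not sevs:
        findings.append("no severity classification from our matrix")
    elif not sevs <= profile["severities"]:
        findings.append(f"unknown severity label(s): {sorted(sevs - profile['severities'])}")

    # 3. Every template section is present, as a '## Name' heading or 'Name:' line.
    for name in profile["required_sections"]:
        pattern = rf"^(#+\s*{re.escape(name)}\b|{re.escape(name)}:)"
        if not re.search(pattern, text, re.MULTILINE):
            findings.append(f"missing section: {name}")

    # 4. No bracketed placeholder survived into the draft.
    for ph in sorted(set(PLACEHOLDER_RE.findall(text))):
        findings.append(f"unfilled placeholder: {ph}")

    # 5. No tool outside our stack is named.
    for tool in sorted(profile["foreign_tools"]):
        if re.search(rf"\b{re.escape(tool)}\b", text):
            findings.append(f"references tool not in our stack: {tool}")

    return findings


# Constructed drafts: one that matches the standards and one with typical slips.
GOOD_DRAFT = """\
Incident ID: INC-20240501-007
Severity: SEV 2
## Summary
Credential dumping (LSASS access) confirmed on WKSTN-4421 via CrowdStrike telemetry.
## Timeline
09:03 CrowdStrike alert; 09:20 Sentinel correlation complete; 09:40 host isolated.
## Impact
Single workstation; the jdoe account is suspended pending investigation.
## Remediation
Host reimaged, user credentials rotated, ServiceNow ticket updated.
"""

BAD_DRAFT = """\
Incident ID: INC-4421
Severity: P1
## Summary
Suspicious LSASS access on [HOSTNAME] detected by Splunk.
## Timeline
[PLACEHOLDER]
## Impact
Unknown.
"""

if __name__ == "__main__":
    for label, draft in (("good", GOOD_DRAFT), ("bad", BAD_DRAFT)):
        print(label, check_report(draft) or "OK")
```

Run it over each test response before accepting the Project as configured; a draft that comes back with findings tells you which line of the Instructions to tighten (a foreign tool name points at the stack section, a stray "[PLACEHOLDER]" means the notes you pasted were missing a fact the template requires).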
Real Example: A Full Morning SOC Workflow
Setup: Your Project has the CrowdStrike + Sentinel + ServiceNow stack documented, your severity matrix uploaded, and your incident report template in the Files section.
Your morning starts with three alerts in the queue:
Alert 1 (SOC triage): You paste the alert details: "CrowdStrike alert: LSASS dump attempt on WKSTN-4421, user: jdoe, 9:03am. No other alerts on this host in 7 days."
What you type in your Project: "Triage this alert: [paste details]. Is this likely a true positive? What should I investigate next?"
What you get: A structured triage analysis — likelihood assessment based on the behavior (LSASS dumps are high-confidence malicious), specific investigation steps using your stack (CrowdStrike process tree, Sentinel correlation for other activity on WKSTN-4421), and a suggested severity classification using your matrix.
Alert 2 (Report writing): You investigated and confirmed credential dumping. You have 8 bullet points of notes.
What you type: "Write the incident report. Severity 2. [Paste notes]."
What you get: A complete incident report using your template, your severity definitions, your ticket format, in 30 seconds.
Alert 3 (Communication): You need to notify the affected user's manager.
What you type: "Write a notification email to jdoe's manager explaining that jdoe's workstation may have been compromised and their account has been temporarily suspended pending investigation. Professional, calm, no technical jargon."
What you get: A polished, appropriately toned email ready to send.
Time saved: What normally takes 60-90 minutes of writing, formatting, and communication drafting is handled in 10 minutes of review-and-send.
What to Do When It Breaks
- Claude forgets your stack or template → Check that your instructions are saved (click Instructions panel — they should be visible). If missing, re-paste them. This occasionally happens after Claude Pro updates.
- Reports don't match your template → Upload your actual template as a file rather than describing it in instructions. Direct document reference is more reliable.
- CVE applicability answers are wrong → Your stack description may be too vague. Add version numbers and specific service names, and list both current and former product names: an advisory may say "Entra ID" where your instructions say "Azure AD" (Microsoft renamed the product), and the match is missed if only one name is present.
- Files aren't being referenced → Start your prompt with "Based on our uploaded incident response playbook, [your question]" to explicitly trigger file reference.
Variations
- Simpler version: Skip the Project setup and just start every Claude conversation by pasting a 5-line context paragraph about your environment. Less powerful, but requires no Pro subscription.
- Extended version: Create separate Projects for different functions — one for your SOC work, one for compliance documentation, one for security awareness training content creation.
What to Do Next
- This week: Spend 30 minutes uploading your most-used templates and refining the instructions until test responses match your expectations
- This month: Add your most common playbook scenarios as example input/output pairs in your Instructions (shows Claude exactly what a good incident report looks like for your team)
- Advanced: Share the Project setup with your team — create a team-level Claude for Business/Enterprise workspace so everyone benefits from the same context
Advanced guide for cybersecurity analyst professionals. These techniques use more sophisticated AI features that may require paid subscriptions.