Level the Playing Field in Your SOC with Skills
Jeff Friedsam
Head of Product, Crogl

What if All Your Analysts Executed Like Your Best Analyst?
Every security team has one. The analyst who knows exactly which Splunk query surfaces lateral movement in your environment. Who remembers that the EDR fires a false positive on the finance team's backup process every Tuesday. Who can triage a phishing alert in four minutes flat because they've done it a thousand times.
When that analyst is on shift, your team runs well. When they're out, you feel it.
This is the institutional knowledge problem. It's not unique to security, but in security it has real consequences. Alert queues back up. Investigations take longer. Junior analysts reinvent steps the senior team solved two years ago. And when that senior analyst eventually leaves, a meaningful chunk of operational capability walks out with them.
Most teams try to solve this with documentation. Runbooks, wikis, Confluence pages. The intent is right. The execution rarely holds. Documentation goes stale because keeping it current is nobody's primary job. Analysts skip it because searching a wiki mid-investigation breaks flow. And even the best runbook can't account for the specific quirks of your environment.
The documentation approach treats knowledge as a static artifact. The problem is that investigations are dynamic.
Knowledge, On Demand
Better documentation doesn't help. Skills do. You need your best analysts' knowledge to be present in every investigation, automatically, without anyone having to find and read a document first.
That's the design principle behind Skills in Crogl.
A Skill is structured guidance that the Crogl agent applies during an investigation. Not a static reference file, not a prompt template. A Skill gives the agent domain knowledge, query patterns, investigation workflows, and institutional context — loaded at the moment it's relevant and applied consistently every time. Specifically, a Skill is a plain directory built around a SKILL.md file that spells out its name, when to trigger it, and what to do. A large skill library will not weigh down the agent's context because only that name and description load until the skill is invoked.
The difference matters. A runbook requires a human to find it, read it, and apply it correctly under pressure. A Skill is invoked automatically when the agent recognizes the task, or explicitly by an analyst with a slash command. The knowledge is always there. The agent always uses it.
A Skill in Practice: Threat Hunt
Crogl ships with several built-in Skills, but let's take a closer look at the threat hunt skill.
An analyst can kick it off with almost anything: a CISA advisory URL, an advisory ID, a threat actor name like "Volt Typhoon," a CVE, or a local file path. The skill handles all of those inputs without requiring the analyst to restructure the request.
From there it runs a defined workflow. It fetches the advisory, then extracts and organizes everything an analyst needs to act:
Found:
✓ {count} SHA-256 file hashes
✓ {count} IP addresses
✓ {count} domain names
✓ {count} file names
✓ {count} MITRE ATT&CK techniques across {count} tactics
Malware/Tools Identified:
• {tool 1}
• {tool 2}
Every technique is mapped to MITRE ATT&CK. Every indicator is extracted and categorized. The output format is identical every time.
That's not a prompt — it's a repeatable workflow. The junior analyst and the senior analyst start from the same place, with the same extraction logic applied to the same advisory. Without a skill, that outcome depends entirely on who's running the hunt and what they remember to check.
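The extraction step of that workflow, as an added illustration that is not Crogl's code: a small Python extractor takes constructed, defanged advisory text, pulls out hashes, IPs, domains, file names and ATT&CK technique IDs, and renders the fixed "Found:" summary so two analysts get the same starting point. The technique-to-tactic table is a four-entry excerpt and the file-extension list is an assumption; the indicators in the sample are documentation-range placeholders.

```python
import re
from collections import Counter

# Constructed sample advisory text (not a real advisory). Uses documentation
# IP ranges, example.com/.net and a dummy hash, defanged the way advisories are.
SAMPLE_ADVISORY = """
Actors staged svc.dll at hxxp://update.example[.]com/svc.dll (SHA-256
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef) and ran
it via PowerShell (T1059.001), beaconing to 203[.]0[.]113[.]45 and
198[.]51[.]100[.]7 and cdn.example[.]net over HTTPS (T1071.001). Credentials
were dumped with Mimikatz (T1003) and reused for RDP (T1021.001).
"""

# Excerpt of the ATT&CK technique-to-tactic mapping, enough for the sample.
TACTIC_OF = {"T1059": "Execution", "T1071": "Command and Control",
             "T1003": "Credential Access", "T1021": "Lateral Movement"}
FILE_EXTS = {"dll", "exe", "ps1", "bat", "vbs", "lnk", "zip", "js"}  # assumed

def refang(text: str) -> str:
    """Undo common defanging ([.] and hxxp) so one set of patterns applies."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.I)

def extract(text: str) -> dict:
    """Categorize indicators and ATT&CK techniques found in advisory text."""
    t = refang(text)
    hashes = sorted(set(re.findall(r"\b[0-9a-f]{64}\b", t, re.I)))
    ips = sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", t)))
    # Dotted names whose last label is alphabetic: domains or file names.
    names = set(re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", t, re.I))
    files = sorted(n for n in names if n.rsplit(".", 1)[1].lower() in FILE_EXTS)
    domains = sorted(n for n in names if n not in files)
    techniques = sorted(set(re.findall(r"\bT\d{4}(?:\.\d{3})?\b", t)))
    tactics = Counter(TACTIC_OF.get(q.split(".")[0], "Unknown") for q in techniques)
    return {"hashes": hashes, "ips": ips, "domains": domains, "files": files,
            "techniques": techniques, "tactics": dict(tactics)}

def summary(found: dict) -> str:
    """Render the fixed 'Found:' block so every hunt reports the same way."""
    return "\n".join([
        "Found:",
        f"✓ {len(found['hashes'])} SHA-256 file hashes",
        f"✓ {len(found['ips'])} IP addresses",
        f"✓ {len(found['domains'])} domain names",
        f"✓ {len(found['files'])} file names",
        f"✓ {len(found['techniques'])} MITRE ATT&CK techniques across "
        f"{len(found['tactics'])} tactics"])

if __name__ == "__main__":
    print(summary(extract(SAMPLE_ADVISORY)))
```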
Building Skills Without Writing Code
The most direct way to create a skill is to describe what you need to the Crogl agent and let it draft one for you. Tell it the alert type, the data sources involved, the queries your team typically runs, and the output format you want. The agent drafts the skill, you test it together, and it's saved automatically when you're satisfied.
For analysts who prefer direct control, the Skills page in the Crogl UI provides a full management interface: create, browse, edit, duplicate, export. A built-in file tree editor with autosave handles the structure. For engineers building Skills in an external IDE, the directory format is straightforward enough to author by hand.
What This Means for the SOC
A skill library is a record of how your team investigates. Every hard-won query, every environment-specific caveat, every step your best analyst takes automatically because they've internalized it over years. Encoded once, applied consistently, updated centrally.
The analyst who knows every quirk of your environment is still irreplaceable. Their judgment, their instincts, their ability to recognize something genuinely novel — that doesn't transfer to a machine. But the repeatable parts of what they know can be captured, and those repeatable parts are often exactly what consumes the most time on a busy shift.
Crogl handles the investigation. The analyst makes the call.
The next question is what happens to those Skills once you've built them. A Skill that lives with one analyst doesn't solve the institutional knowledge problem — it just moves it.
I'll cover that in my next piece.