Most small businesses don't have a SOC. They have one IT person who also does everything else. Here's how to build a security monitoring habit that actually works in that reality.
The security monitoring playbook everyone publishes assumes you have a Security Operations Center, a SIEM, and analysts working in shifts. For a 10-person company, that's fiction. But the need is real — your attack surface is growing, your team is deploying new tools constantly, and without any monitoring, you have no way of knowing when something goes wrong until a customer tells you.
The good news: you can build a meaningful monitoring routine in under an hour a week. The key is focusing on the signals that actually matter, automating what you can, and using the right free or low-cost tools.
Before building a routine, be clear on what you're watching for. For most small businesses, the priority signals are:
Put these checks on a recurring calendar slot — Monday morning works well. The whole thing should take 45 to 60 minutes if you're efficient about it.
Search Shodan for your public IP ranges and compare what it shows this week to what it showed last week. New open ports? New service banners? Anything on an unexpected port that might be an old dev server someone spun up and forgot? Keep in mind that Shodan shows what its crawlers have indexed, not a live scan you control, so treat it as a floor on your exposure rather than a complete inventory.
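The week-over-week comparison is the part worth scripting, because "compare to last week" by eye is exactly the step that gets skipped. Below is an added example written for this article (not code from the original post or from any vendor it names): it diffs two snapshots of externally visible services and ranks the new ones. The snapshots, the NEVER_EXPOSE and DEV_PORTS policy lists and the addresses are all constructed for the example; in practice you would export the snapshots from the Shodan API or your scanner each week and keep the previous week's file.

```python
"""Week-over-week diff of externally visible services.

Added example for this article, not code from the original post or from
any vendor named in it. The two snapshots below are constructed by hand in
the shape of a Shodan host result (ip, port, transport, product); in
practice you would export them from the Shodan API or your external
scanner each week and keep the previous week's file to compare against.
"""

# Constructed sample snapshots (RFC 5737 documentation addresses).
LAST_WEEK = [
    {"ip": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip": "203.0.113.10", "port": 80, "transport": "tcp", "product": "nginx"},
    {"ip": "203.0.113.25", "port": 22, "transport": "tcp", "product": "OpenSSH"},
]
THIS_WEEK = [
    {"ip": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip": "203.0.113.10", "port": 80, "transport": "tcp", "product": "nginx"},
    {"ip": "203.0.113.25", "port": 22, "transport": "tcp", "product": "OpenSSH"},
    # a dev server someone left running on the bastion
    {"ip": "203.0.113.25", "port": 8080, "transport": "tcp", "product": "Werkzeug httpd"},
    # a host that was not visible at all last week
    {"ip": "203.0.113.40", "port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol"},
]

# Assumed policy for the example; adjust to your environment.
NEVER_EXPOSE = {21, 23, 445, 1433, 3306, 3389, 5432, 5900, 6379, 27017}
DEV_PORTS = {3000, 4200, 5000, 8000, 8080, 8443, 8888, 9000}


def _index(snapshot):
    """Key each observation by (ip, port, transport) so the diff is a set operation."""
    return {(h["ip"], h["port"], h["transport"]): h for h in snapshot}


def severity_for(port, new_host):
    """Rank a newly seen service; ordering reflects what a one-person team should look at first."""
    if port in NEVER_EXPOSE:
        return "HIGH", "service on a port that should never be internet-facing"
    if port in DEV_PORTS:
        return "MEDIUM", "new service on a typical dev/test port"
    if new_host:
        return "MEDIUM", "host not seen last week"
    return "LOW", "new service, confirm it is expected"


def diff_exposure(previous, current):
    """Return (added, removed, findings).

    added/removed are sorted (ip, port, transport) keys; findings is one dict per
    added service with a severity and the reason it was flagged, worst first.
    """
    prev, cur = _index(previous), _index(current)
    prev_hosts = {ip for ip, _, _ in prev}
    added = sorted(k for k in cur if k not in prev)
    removed = sorted(k for k in prev if k not in cur)
    findings = []
    for ip, port, proto in added:
        new_host = ip not in prev_hosts
        sev, why = severity_for(port, new_host)
        findings.append({
            "severity": sev, "ip": ip, "port": port, "transport": proto,
            "product": cur[(ip, port, proto)].get("product") or "unknown",
            "new_host": new_host, "reason": why,
        })
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["ip"], f["port"]))
    return added, removed, findings


if __name__ == "__main__":
    added, removed, findings = diff_exposure(LAST_WEEK, THIS_WEEK)
    print(f"{len(added)} new service(s), {len(removed)} gone")
    for f in findings:
        host = " (new host)" if f["new_host"] else ""
        print(f"[{f['severity']}] {f['ip']}:{f['port']}/{f['transport']} "
              f"{f['product']}{host}: {f['reason']}")
    for ip, port, proto in removed:
        print(f"[INFO] {ip}:{port}/{proto} no longer visible")
```

Services that disappear are reported too: a port that vanished may be a fix, or may be a host that was taken over and firewalled by someone else, so it still belongs on the Monday list.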
If your monitoring tool already covers this automatically, review the alerts. The discipline is actually reading the alerts rather than archiving them unseen.
Pull your DMARC aggregate reports from the mailbox named in the rua= tag of your DMARC record. They arrive as zipped XML attachments, so use a free report-parsing service or a short script rather than reading them raw. Look for sending sources you don't recognize, and sort them by whether they pass. A source that fails DMARC is usually either a forwarder or someone spoofing you, and your policy is doing its job. A source you don't know that is passing (aligned SPF or DKIM) is the one to investigate, because something is authorized to send as your domain: it might be a legitimate marketing tool someone added, or it might be an attacker testing your domain.
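The "unknown but passing" case is easy to miss in a pile of XML, so here is an added example (written for this article, not the original post's code) that parses one aggregate report and sorts each sending source into ok / known-sender-failing / investigate / rejected-unknown. The report is constructed by hand in the RFC 7489 Appendix C layout, the domain names are placeholders, and KNOWN_SENDERS is an assumed inventory of the services allowed to send as your domain; it takes the XML already unpacked from the zip or gzip attachment.

```python
"""Triage a DMARC aggregate (RUA) report against a list of known senders.

Added example for this article, not code from the original post. Aggregate
reports arrive as zipped or gzipped XML at the rua= address in your DMARC
record; this takes the unpacked XML. The report below is constructed by
hand in the RFC 7489 Appendix C layout, and KNOWN_SENDERS is an assumed
inventory of the services allowed to send as your domain.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>8f2c7d1a</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
  <policy_published><domain>yourcompany.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
    <auth_results><dkim><domain>yourcompany.example</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>yourcompany.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>58</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
    <auth_results><dkim><domain>yourcompany.example</domain><selector>mktg1</selector><result>pass</result></dkim>
      <spf><domain>bounce.newsletter-tool.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.200</source_ip><count>1903</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
    <auth_results><spf><domain>203.0.113.200</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""

# Assumed inventory for the example: CIDR -> who sends from it.
KNOWN_SENDERS = {"198.51.100.0/24": "Google Workspace outbound (assumed)"}


def parse_aggregate_report(xml_text):
    """Return (domain, rows): one row per <record> with the fields that matter for triage."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.iter("record"):
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": pe.findtext("disposition"),
            # policy_evaluated holds the *aligned* results; raw results are under auth_results
            "dkim_aligned": pe.findtext("dkim") == "pass",
            "spf_aligned": pe.findtext("spf") == "pass",
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "dkim_selector": rec.findtext("auth_results/dkim/selector"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return domain, rows


def known_sender(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, name in KNOWN_SENDERS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def triage(rows):
    """Attach a status to each row; 'investigate' is the one the weekly review must act on."""
    out = []
    for r in rows:
        who = known_sender(r["source_ip"])
        passed = r["dkim_aligned"] or r["spf_aligned"]  # DMARC passes if either identifier aligns
        if who and passed:
            status = "ok"
        elif who:
            status = "known-sender-failing"   # our own SPF/DKIM setup is broken for this sender
        elif passed:
            status = "investigate"            # an unknown source is authorised to send as us
        else:
            status = "rejected-unknown"       # spoofing or a forwarder; the policy applied
        out.append({**r, "sender": who, "status": status})
    return out


if __name__ == "__main__":
    domain, rows = parse_aggregate_report(SAMPLE_REPORT)
    print(f"DMARC aggregate for {domain}")
    for r in triage(rows):
        via = r["sender"] or r["dkim_domain"] or r["spf_domain"] or "?"
        print(f"{r['status']:<22} {r['source_ip']:<16} {r['count']:>6} msgs  "
              f"dkim={r['dkim_aligned']} spf={r['spf_aligned']} via {via}")
```

In the sample, 192.0.2.77 signs with a DKIM selector (mktg1) you did not set up and passes, which is the signature of a marketing tool someone connected without telling you, or of a leaked signing key; either way it needs a name attached to it before next week.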
In AWS, open CloudTrail Event history and look at the last 7 days of IAM and sign-in activity. Focus on: new IAM users created, new access keys issued, policy attachments and changes, and console sign-ins, above all any use of the root account and any sign-in without MFA. In Azure, the equivalent identity events are in the Microsoft Entra ID audit and sign-in logs (the Activity Log covers resource changes, not identity). In GCP, use Cloud Audit Logs filtered to IAM. You don't need to read every log; filter by event name and look at the exceptions.
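Filtering by event name is what turns a week of CloudTrail into a list short enough to read. The added example below (written for this article, not the original post's code) does that over a handful of events constructed in the shape of CloudTrail's `Records` entries; the account activity, addresses and trail name are invented for the example, and in practice you would load the JSON log files or `aws cloudtrail lookup-events` output for the last 7 days instead.

```python
"""Pull the IAM and sign-in events worth a human's attention out of a week of CloudTrail.

Added example for this article, not code from the original post. The events
are constructed by hand in the shape of CloudTrail "Records" entries (the
same shape the S3-delivered log files and `aws cloudtrail lookup-events`
produce); in practice you would load the real JSON for the last 7 days.
"""

# Constructed sample events (RFC 5737 addresses, invented user names).
EVENTS = [
    {"eventTime": "2024-03-04T09:12:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2024-03-04T09:13:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2024-03-05T02:47:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.99",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-05T02:51:33Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.99",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"userName": "deploy-bot",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-05T02:52:01Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.99",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"name": "management-events"}},
    {"eventTime": "2024-03-06T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-03-07T08:15:09Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.21",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]

IDENTITY_CHANGES = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}
POLICY_CHANGES = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                  "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                  "CreatePolicyVersion", "UpdateAssumeRolePolicy"}
LOGGING_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(event):
    ident = event.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "ROOT"
    return ident.get("userName") or ident.get("arn", "?")


def classify(event):
    """Return (severity, note) for events the weekly review should see, else None."""
    name = event["eventName"]
    params = event.get("requestParameters") or {}
    if name == "ConsoleLogin":
        ok = (event.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa = (event.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
        if event["userIdentity"].get("type") == "Root":
            # Root should not be used day to day at all; any sign-in is worth a look.
            return "HIGH", "root console sign-in" + ("" if ok else " (failed)") + ("" if mfa else ", no MFA")
        if not ok:
            return "LOW", "failed console sign-in"   # a burst of these is a different story
        return ("LOW", "console sign-in") if mfa else ("MEDIUM", "console sign-in without MFA")
    if name in LOGGING_TAMPERING:
        return "HIGH", f"CloudTrail change: {name} on trail {params.get('name', '?')}"
    if name in POLICY_CHANGES:
        arn = params.get("policyArn", "")
        admin = arn.endswith("/AdministratorAccess")
        target = params.get("userName") or params.get("roleName") or params.get("groupName") or "?"
        return ("HIGH" if admin else "MEDIUM"), f"{name} on {target}: {arn or 'inline policy'}"
    if name in IDENTITY_CHANGES:
        return "MEDIUM", f"{name} for {params.get('userName', '?')}"
    return None


def triage(events):
    """Chronological list of flagged events; read top to bottom to see the story."""
    findings = []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        hit = classify(e)
        if hit:
            sev, note = hit
            findings.append({"time": e["eventTime"], "severity": sev, "actor": actor(e),
                             "ip": e.get("sourceIPAddress"), "event": e["eventName"], "note": note})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['time']} [{f['severity']:<6}] {f['actor']:<10} {f['ip']:<15} {f['note']}")
```

Reading the flagged events in order is the point: a root sign-in without MFA from a new address, followed minutes later by AdministratorAccess attached to a fresh user and logging stopped, is one incident, not three alerts.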
Set up Google Alerts for your company name, your main domains, and variations of both (yourdomain.com, your-domain.com, yourdomain.net, yourcompanyname.net). Google will email you when new results appear. This only catches a domain once it hosts content Google has indexed, so also check monthly for lookalike domains that have been registered but not yet put to use.
Run your own domains through a subdomain enumeration service such as DNSdumpster (or DomainTools if you have a subscription). The result is what an attacker using public tools already knows about your infrastructure, and it is a good place to spot forgotten hosts and stale DNS records pointing at services you no longer run.
Set up notifications for newly registered domains that match patterns similar to yours. Services like DNSWire and DomainCrawler offer this. If someone registers yourcompany-support.com, that is a phishing domain being staged. Catching it early gives you time to file a takedown with the registrar before it goes live, and to block the domain at your mail gateway and warn staff in the meantime.
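Both the Google Alerts variations above and the registration-pattern notifications need a list of what "similar to yours" means. The added example below (written for this article, not code from the original post or from any service it names) generates that list for a brand name: typos, homoglyph swaps, common phishing affixes and alternative TLDs, then checks a feed of newly registered domains against it. The brand name, affix and TLD lists, and the feed are all constructed assumptions; in practice the feed is whatever your monitoring service or a newly-registered-domains list gives you each week.

```python
"""Generate lookalike domains for a brand and check a registration feed against them.

Added example for this article, not code from the original post or from any
service it names. The brand name, TLD list, affix list and the registration
feed below are constructed for the example.
"""

# Character swaps an attacker uses because they look alike in a URL bar or e-mail client.
HOMOGLYPHS = [("m", "rn"), ("rn", "m"), ("l", "1"), ("i", "1"), ("i", "l"),
              ("o", "0"), ("w", "vv"), ("d", "cl"), ("e", "3")]
# Words commonly bolted onto a brand name for credential-phishing domains.
AFFIXES = ["support", "help", "login", "secure", "hr", "payroll", "billing", "portal", "mail", "it"]
OTHER_TLDS = ["net", "org", "co", "io", "info", "biz", "online", "site", "app"]


def typo_variants(name):
    """All single-edit typos, homoglyph swaps and affixed forms of a bare brand name."""
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])               # omission:      yourcmpany
        out.add(name[:i] + name[i] + name[i:])         # duplication:   yourccompany
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition: yuorcompany
    for a, b in HOMOGLYPHS:                            # homoglyph at each position: yourcornpany, y0urcompany
        pos = name.find(a)
        while pos != -1:
            out.add(name[:pos] + b + name[pos + len(a):])
            pos = name.find(a, pos + 1)
    for w in AFFIXES:                                  # affixes: yourcompany-support, secure-yourcompany
        out.update({f"{name}-{w}", f"{w}-{name}", f"{name}{w}"})
    out.discard(name)
    return out


def lookalike_domains(name, tld="com"):
    """Full set of registrable lookalikes for name.tld, never including the real domain."""
    domains = {f"{n}.{t}" for n in typo_variants(name) for t in [tld] + OTHER_TLDS}
    domains |= {f"{name}.{t}" for t in OTHER_TLDS}     # same name, different TLD
    domains.discard(f"{name}.{tld}")
    return domains


def match_feed(name, tld, feed):
    """Return (exact, fuzzy).

    exact: feed entries in the generated set (high confidence, act on them).
    fuzzy: entries that merely contain the brand name, catching affixes or
    TLDs the lists above miss; review these by hand.
    """
    known = lookalike_domains(name, tld)
    real = f"{name}.{tld}"
    exact = sorted(d for d in feed if d in known)
    fuzzy = sorted(d for d in feed if d not in known and d != real and name in d)
    return exact, fuzzy


# Constructed "newly registered this week" feed; the real domain is included only to show it is never flagged.
NEW_REGISTRATIONS = [
    "yourcompany-support.com", "yourcornpany.com", "yourcompany-helpdesk.net",
    "unrelated-shop.com", "yourcompany.com", "y0urcompany.net",
]

if __name__ == "__main__":
    exact, fuzzy = match_feed("yourcompany", "com", NEW_REGISTRATIONS)
    print(f"{len(lookalike_domains('yourcompany'))} lookalikes generated")
    for d in exact:
        print(f"[TAKEDOWN] {d}")
    for d in fuzzy:
        print(f"[REVIEW]   {d}")
```

The generated set is also a reasonable input for the Google Alerts step: pick the handful of variants most likely to be used against your staff (the -support, -hr and -payroll forms, and the top two or three TLD swaps) rather than alerting on all of them.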
The goal isn't to manually do everything forever. Automate the collection, reserve your time for analysis and decision-making. Here's where automation pays off:
Run weekly automated scans of your external IP ranges and domains using a tool that alerts on changes. EdgeIQ, Intruder, and SecurityMetrics all offer this. Set it up once and get reports in your inbox rather than relying on remembering to run scans manually.
AWS Config, Microsoft Defender for Cloud (formerly Azure Security Center), and GCP Security Command Center can all be configured to alert on policy changes: new S3 public access, IAM policy modifications, security group changes. Enable these alerts so they run automatically, then review them weekly.
Use Let's Encrypt's Certbot (or your cloud provider's managed certificates) for automatic renewal, and set up expiry monitoring for any certificates you still manage by hand. SSL Labs and Why No Padlock offer free point-in-time checks of a site's TLS configuration; for ongoing expiry alerts, most uptime monitors can watch certificate validity. An expired certificate is embarrassing and dangerous, because it trains your users to click through browser warnings, and it's entirely preventable.
The hardest part of monitoring without a dedicated team is distinguishing noise from signal. When you see an alert, ask:
If you can't answer those questions, escalate to your vendor or an external security consultant. The goal of monitoring is to catch things early — but only if you act on what you catch.
EdgeIQ runs continuous external scans and delivers a prioritized weekly digest of findings — no dedicated security team required.