Pop-Up SOC: Monitoring Incidents from Airports and Layovers

The worst timing for a security alert? Boarding group four. I’ve had ransomware alarms pop while sprinting between gates in Istanbul and IAM anomalies surface mid-immigration in Doha. Waiting nine hours to respond wasn’t an option. So I built a “pop-up SOC” kit that lives in my backpack. It lets me investigate alerts, coordinate incident responders, and keep execs calm without leaving the terminal.

Airport terminal with travelers and departure boards

Photo: Unsplash / JESHOOTS.com

Gear & Connectivity

  • Framework 13" laptop (primary workstation) with redundancies already covered in my remote desktop playbook.
  • iPad Air + Magic Keyboard as secondary console.
  • GL.iNet Slate AX router preconfigured with Mullvad and Cloudflare WARP for secure tunnels.
  • ZMI 20K Pro power bank to run laptop + router for 5+ hours.
  • USB-C headset with noise-cancelling mic (Jabra Evolve2 65) so calls stay intelligible amid PA blasts.
  • Travel consent letter authorizing me to access logs and client systems while in transit (some border checks ask for it).

Preflight Setup

  1. Alert routing: PagerDuty and Opsgenie send a push notification plus a Signal DM. I mirror them to my Apple Watch for a quick glance.
  2. Dashboards: Grafana, Kibana, and Jupyter notebooks bookmarked, with logins cached in the password manager so I can sign in offline.
  3. Runbooks: Printed and digital (Standard Notes) versions of major incidents (phishing, malware, DLP, cloud breach).
  4. Communication templates: Prewritten Slack messages and executive summaries stored in Notion for copy/paste.

Airport SOC Playbook

1. Secure Work Zone

  • Scout for quiet corners with power outlets (lounges, business centers). If there are none, use the travel router's captive portal bypass and connect to municipal Wi-Fi through the VPN.
  • Set up privacy screen and position laptop facing wall to avoid shoulder surfing.

2. Event Triage

  • Alert check: Verify severity, affected assets, correlation with existing incidents.
  • Log retrieval: Use Tailscale to reach SIEM. Run saved Splunk queries (stored in git) via CLI.
  • Timeline building: Document initial findings in shared Notion incident doc using offline template.
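The alert check and correlation step above, as an added example (not code from the original post): a small triage helper that gates on severity, extracts affected assets, and matches the alert against still-open incidents. The alert and incident field names are assumptions for the example, not a PagerDuty or SIEM schema.

```python
# Constructed sample data; the field names are assumptions for this example, not a
# PagerDuty or SIEM schema.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
NEW_ALERT = {"id": "A-1042", "severity": "high", "source": "IAM",
             "title": "Impossible travel login", "assets": ["vpn-gw-01", "jdoe@example.com"]}
LOW_ALERT = {"id": "A-1043", "severity": "low", "source": "EDR",
             "title": "Unsigned binary executed", "assets": ["laptop-17"]}
OPEN_INCIDENTS = [
    {"id": "INC-77", "status": "open", "lead": "maria", "assets": ["vpn-gw-01", "app-03"]},
    {"id": "INC-80", "status": "closed", "lead": "sam", "assets": ["jdoe@example.com"]},
]

def triage(alert, incidents, min_severity="high"):
    """Severity gate, affected-asset extraction, and correlation against open incidents.
    Returns a dict that maps straight onto the first lines of the incident doc."""
    sev = alert.get("severity", "low").lower()
    assets = sorted(set(alert.get("assets", [])))
    result = {"alert_id": alert["id"], "actionable": False, "assets": assets,
              "related": [], "note": ""}
    if SEVERITY_RANK.get(sev, 0) < SEVERITY_RANK[min_severity]:
        result["note"] = f"severity {sev} is below the page threshold; queue for the next shift"
        return result
    # Only still-open incidents count as correlation; closed ones are history for the timeline.
    for inc in incidents:
        shared = sorted(set(inc["assets"]) & set(assets))
        if inc["status"] == "open" and shared:
            result["related"].append({"id": inc["id"], "lead": inc["lead"], "shared": shared})
    result["actionable"] = True
    if result["related"]:
        ids = ", ".join(r["id"] for r in result["related"])
        result["note"] = f"attach to {ids} and notify its lead before opening a new incident"
    else:
        result["note"] = "no open incident shares these assets; open a new incident doc"
    return result

def summary_line(result):
    """One line for the shared timeline / the 15-minute Slack update."""
    return (f"[{result['alert_id']}] actionable={result['actionable']} "
            f"assets={','.join(result['assets'])} -> {result['note']}")
```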

3. Response Coordination

  • Launch Zoom/Teams from iPad (keeps primary laptop free for investigation).
  • Share screen securely (disable notifications, route audio through Krisp to blank out airport noise).
  • Update Slack incident channel every 15 minutes with bullet summary.
  • If bandwidth is poor, switch to Matrix/SimpleX text updates and a voice-only bridge using Twilio dial-out.

4. Evidence Preservation

  • Use AWS Systems Manager or Azure Arc to run commands on affected hosts (collect triage packages: memory dumps, logs).
  • Store evidence in pre-created S3 bucket with lifecycle rules and encryption (SSE-KMS). Note object keys in incident doc.
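The evidence-preservation step above, as an added example (not code from the original post): hash each triage artifact before it leaves the laptop, upload it with SSE-KMS requested per object, verify on read-back that the object really landed encrypted, and produce the key/hash lines to paste into the incident doc. The bucket name, KMS key alias, incident id, timestamp and the `LocalS3` stand-in (which mirrors the boto3 `put_object`/`head_object` call shapes so this runs offline) are assumptions of the example.

```python
import hashlib
from datetime import datetime, timezone

# Placeholders (not from the post): pre-created bucket and KMS key alias.
EVIDENCE_BUCKET = "example-ir-evidence"
KMS_KEY_ID = "alias/ir-evidence"
COLLECTED_AT = datetime(2024, 1, 10, 14, 2, tzinfo=timezone.utc)  # constructed timestamp

# Constructed triage package as a collection script might hand it back (name -> bytes).
TRIAGE_PACKAGE = {
    "auth.log": b"Jan 10 14:02:11 app-03 sshd[311]: Accepted publickey for deploy\n",
    "memory.raw": bytes(range(256)) * 4,
}

def object_key(incident_id, hostname, filename, collected_at):
    """Deterministic key (incident/host/UTC-stamp/file) so the doc and the bucket agree."""
    return f"{incident_id}/{hostname}/{collected_at.strftime('%Y%m%dT%H%M%SZ')}/{filename}"

def build_manifest(incident_id, hostname, package, collected_at):
    """Hash every artifact before it leaves the laptop; these entries go into the incident doc."""
    return [{"name": n, "key": object_key(incident_id, hostname, n, collected_at),
             "sha256": hashlib.sha256(d).hexdigest(), "size": len(d)}
            for n, d in sorted(package.items())]

def upload_evidence(s3, bucket, manifest, package, kms_key_id):
    """Upload with SSE-KMS requested per object and verified on read-back; return stored keys."""
    stored = []
    for entry in manifest:
        s3.put_object(Bucket=bucket, Key=entry["key"], Body=package[entry["name"]],
                      ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_id,
                      Metadata={"sha256": entry["sha256"]})
        head = s3.head_object(Bucket=bucket, Key=entry["key"])
        if head.get("ServerSideEncryption") != "aws:kms":
            raise RuntimeError(f"{entry['key']} stored without SSE-KMS; stop and check the bucket")
        stored.append(entry["key"])
    return stored

def manifest_lines(manifest):
    """Text to paste into the incident doc: key, size and hash per object."""
    return [f"{e['key']}  {e['size']} bytes  sha256={e['sha256']}" for e in manifest]

class LocalS3:
    """Offline stand-in for boto3's S3 client (with AWS access use boto3.client("s3") instead)."""
    def __init__(self, honours_sse=True):
        self.objects, self.honours_sse = {}, honours_sse
    def put_object(self, **kw):
        self.objects[kw["Key"]] = kw
    def head_object(self, Bucket, Key):
        o = self.objects[Key]
        return {"ServerSideEncryption": o["ServerSideEncryption"]} if self.honours_sse else {}
```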

5. Escalation & Hand-off

  • Assign tasks to on-call engineers via PagerDuty (containment actions, forensic deep dive).
  • Prepare exec summary: root cause, impact, mitigation, next steps.
  • If boarding is imminent, designate another analyst as lead, transfer the Notion doc links, and confirm acknowledgement.

Timeboxing Example (90-minute layover)

| Time (SAST) | Action |
| :-- | :-- |
| 14:00 | Find workspace, connect router, authenticate to VPN |
| 14:10 | Initial triage: review PagerDuty alert, query SIEM logs |
| 14:25 | Convene Zoom bridge with on-call engineer & product lead |
| 14:40 | Execute containment (revoke API tokens via Terraform Cloud run) |
| 15:00 | Draft incident summary, send to exec channel |
| 15:30 | Hand off to follow-the-sun team, update timeline |

Backup Plans When Wi-Fi Fails

  • Tether to local eSIM (Airalo). If bandwidth <3 Mbps, switch investigation to remote desktop (home Mac mini) via Tailscale.
  • If total outage, call secondary on-call via Signal (voice) and relay instructions verbally. Document decisions afterwards.

Security Precautions

  • Auto-lock the laptop every time I step away (Apple Watch secure unlock shaves seconds off getting back in).
  • Use privacy screen and disable clipboard sync to other devices (Universal Clipboard can leak secrets).
  • Log out of all sessions before boarding; store laptop in cross-body bag, not overhead compartment.

Quick Checklist

[ ] Secure network (travel router + VPN)
[ ] Load incident runbook template
[ ] Confirm evidence storage bucket + encryption
[ ] Keep watch timer for boarding (no surprises)
[ ] Log all decisions in timeline

Lessons Learned

  • Always budget 10 minutes before boarding to summarize status and hand off. Nothing is worse than being unreachable during taxi and takeoff while the team waits.
  • Keep physical notebook for quick scribbles when laptop typing is impractical (security lines, immigration queues).
  • Practice remote drills from cafes even when no incident—muscle memory matters.

Incidents ignore travel itineraries. With a pop-up SOC kit and rehearsed workflow, airports become another temporary war room—one where you can still keep the organization secure while you wait for boarding group four to be called.