PocketSOC™ FAQ
Frequently Asked Questions
Product, security, deployment, and platform questions for PocketSOC v1. Tell us what else you want covered.
Is PocketSOC affiliated with any EDR vendor?
No. PocketSOC is an independent application. We currently integrate with CrowdStrike Falcon, Microsoft Defender for Endpoint, Microsoft Defender for Cloud, and AWS GuardDuty. None of these vendors endorse or operate the app.
All trademarks remain the property of their respective owners.
Which vendors are supported?
CrowdStrike Falcon, Microsoft Defender for Endpoint, Microsoft Defender for Cloud, and AWS GuardDuty.
Additional vendors are on the roadmap.
How does PocketSOC authenticate?
- CrowdStrike — Customer-created OAuth2 API clients in the Falcon console
- Microsoft Defender for Endpoint — Tenant-scoped app registration (client ID / secret)
- Microsoft Defender for Cloud — Azure app registration with delegated or app permissions and Azure RBAC roles
- AWS GuardDuty — IAM access keys with AWS SigV4 request signing
You control scopes and can rotate or revoke credentials at any time.
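The last bullet names AWS SigV4 request signing without showing what it involves. The Python below is an added example, not PocketSOC's own code, that computes the SigV4 `Authorization` header for a constructed GuardDuty `ListDetectors` request (`GET /detector`). The access key, secret, region and timestamp are placeholders invented for the example. It shows why the lost-device answer tells you to rotate IAM keys: the secret never leaves the device, every signature is derived from it, and once the key is rotated or deactivated in IAM no cached credential can produce a valid signature.

```python
"""Minimal AWS Signature Version 4 signer (educational, standard library only)."""
import hashlib
import hmac
from urllib.parse import quote


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # SigV4 derivation chain: the raw secret signs only the date; each later
    # step narrows the key to a region and service, so the secret itself is
    # never used on a request and the derived key is only valid for one day.
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    # Query parameters are sorted and URI-encoded; header names are lower-cased,
    # values whitespace-collapsed, and both sorted so client and AWS hash the same text.
    # `path` is assumed already normalized (no dot segments, segments URI-encoded).
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    text = "\n".join(
        [method, path, canonical_query, canonical_headers, signed_headers, sha256_hex(payload)]
    )
    return text, signed_headers


def sign_request(access_key: str, secret_key: str, region: str, service: str,
                 method: str, host: str, path: str, query: dict, headers: dict,
                 payload: bytes, amz_date: str) -> dict:
    """Return the SigV4 intermediates and the final Authorization header value."""
    date_stamp = amz_date[:8]
    hdrs = dict(headers)
    hdrs["host"] = host            # host and x-amz-date must always be signed
    hdrs["x-amz-date"] = amz_date
    creq, signed_headers = canonical_request(method, path, query, hdrs, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(creq.encode("utf-8"))]
    )
    key = signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {
        "canonical_request": creq,
        "string_to_sign": string_to_sign,
        "signature": signature,
        "authorization": authorization,
    }


# Constructed placeholder inputs; not real credentials.
DEMO_ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
DEMO_SECRET_KEY = "placeholder-secret-not-a-real-key"
DEMO_REGION = "us-east-1"
DEMO_HOST = "guardduty.us-east-1.amazonaws.com"
DEMO_DATE = "20240101T000000Z"


def demo(secret_key: str = DEMO_SECRET_KEY) -> dict:
    """Sign a GuardDuty ListDetectors call (GET /detector, empty body)."""
    return sign_request(
        DEMO_ACCESS_KEY, secret_key, DEMO_REGION, "guardduty",
        "GET", DEMO_HOST, "/detector", {}, {}, b"", DEMO_DATE,
    )


if __name__ == "__main__":
    result = demo()
    print(result["canonical_request"])
    print(result["authorization"])
```

A client would send the returned `authorization` string as the `Authorization` header together with the same `host` and `x-amz-date` values it signed; AWS recomputes the signature from the received request and rejects any mismatch, and also rejects requests whose `x-amz-date` is more than a few minutes from its clock.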
Does PocketSOC use personal access tokens (PATs)?
PocketSOC does not use personal access tokens.
CrowdStrike does not issue PATs for Falcon APIs; the supported method is an OAuth2 API client. If the API client is removed or rotated, PocketSOC will prompt you to reconnect with the new credentials.
Where are credentials and tokens stored?
Authentication credentials and access tokens are stored in platform-native secure storage (iOS Keychain on Apple devices, Android Keystore on Android) with system-level encryption.
PocketSOC does not write secrets to ordinary app storage or logs. Biometric or device passcode protection applies to these secure-storage entries, and you can clear them by signing out or uninstalling the app.
Does PocketSOC store or sell our security data?
PocketSOC retrieves detection data directly from vendor APIs (CrowdStrike, Microsoft, AWS) for in-app display. Customer data is not sold or shared for marketing.
Data is not persisted on PocketSOC servers; limited on-device caching may occur for performance.
Can PocketSOC perform actions automatically?
PocketSOC does not perform containment or other actions automatically.
Actions like host isolation require explicit user confirmation and biometric authentication. The app is designed to avoid background changes so you stay in control of every action.
What actions can PocketSOC perform?
Capabilities vary by vendor:
- CrowdStrike — view, assign, and close detections; host containment (isolate/lift)
- Microsoft Defender for Endpoint — view alerts; isolate/unisolate machines
- Microsoft Defender for Cloud — view alerts; change alert status (dismiss, resolve, activate)
- AWS GuardDuty — view findings; archive and unarchive findings
All actions require user confirmation. No automated playbooks.
Does PocketSOC support RTR (Real Time Response)?
PocketSOC does not support Real Time Response (RTR) in the current version.
The app does not start RTR sessions or run commands on endpoints. If RTR support is considered in the future, safeguards and requirements will be documented before release.
How do push notifications work?
Push notifications are optional and configurable per organization. Notifications deliver alert summaries and deep-link into relevant detections.
If your organization uses groups, notifications are targeted to users in groups assigned to the relevant vendor. On-call schedules can further filter delivery so off-duty team members are not disturbed.
What should we do if a device is lost?
Deactivate the device from the PocketSOC portal (Devices page) to immediately revoke push notifications. Additionally, rotate or revoke API credentials in your vendor console (Falcon, Azure, or AWS IAM) to invalidate any cached sessions.
Signing out of PocketSOC or uninstalling removes stored credentials from the device.
What permissions does PocketSOC require?
PocketSOC follows a least-privilege model and requests only the API scopes needed for alerts and containment in v1.
Administrators can tighten scopes in Falcon based on their policies. If scopes are reduced, related features in the app will be limited to match.
Does PocketSOC support demo mode?
Demo Mode is available for evaluation without connecting to a live vendor environment.
It uses mock data only and does not call external services. You can switch Demo Mode on or off at any time from the app settings. Switching on Demo Mode will also clear stored API credentials.
What security features does PocketSOC offer?
PocketSOC includes configurable security features that work out of the box—no MDM solution required:
- Biometric & PIN requirements — Require biometric authentication or device passcode to open the app
- Inactivity timeout — Auto-lock the app after a configurable period of inactivity
- Screenshot & recording protection — Prevent screenshots and blank the app UI during screen recording or mirroring
- Jailbreak & root detection — Detect compromised devices and restrict app access
- Device management — Activate or deactivate devices remotely from the PocketSOC Portal
- Group-based access — Control which vendor alerts each team member receives
These controls are managed through the PocketSOC Portal and app settings.
Is Defender for Endpoint fully supported?
Yes. The app can authenticate to MDE, fetch alerts, show details, and perform isolation/unisolation where your role allows it.
What is the PocketSOC Portal?
The PocketSOC Portal (portal.pocketsoc.com) is a web-based admin console for managing your organization.
From the portal you can invite team members, create groups with vendor config assignments, manage devices, configure vendor integrations, set up webhook URLs for push notifications, and view audit logs.
Need something else?
Email hello@pocketsoc.com for security questions or to request additional details.
If you are conducting your own security review, include the vendor API scopes you allow so we can confirm fit.