The 08:30 Runbook: Day in the Life of a Super-Admin
A time-boxed daily runbook for security platform super-admins — morning health check, triage block, vuln window, identity sweep, end-of-shift handover.
08:30 — Morning health check (15 min)
Open the Executive Dashboard. Look at the four KPI cards in order: TS-RISK INDEX, critical alerts open, open incidents (and MTTR trend arrow), KEV exposures. If any of them has turned red since yesterday, click through to its source module first.
09:00 — Triage block (45 min)
Filter alerts by severity = critical first, then high. End the shift with zero criticals open. For every incident that has been in triage for more than 24 hours, either advance the stage or re-assign the owner.
14:00 — Vuln + compliance window (60 min)
Filter Vuln Scanner by KEV = true. Hand the patch list to the patch team via your ticket system. Re-run Verify Fix for any pending API Security findings from yesterday. Click into any compliance framework whose coverage % dropped.
16:30 — Identity + endpoint sweep (20 min)
Sort Identity Monitoring by Discovered (24h) desc. Force password reset + invalidate sessions on every new hit. Sort Antivirus by Last Seen asc to find offline endpoints, then by Detections (24h) desc to find dirty ones.
17:30 — End-of-shift handover (10 min)
Confirm zero criticals. Confirm every incident has a timeline entry from the last 24 hours. Export the day's audit log to your SIEM. Post a 5-line shift summary in your team's channel.
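
The 09:00 and 17:30 conditions above (zero open criticals, no incident stuck in triage for more than 24 hours, a timeline entry on every incident in the last 24 hours) can be checked mechanically before the handover post. The script below is an added example, not part of the product: the record fields (`severity`, `status`, `stage`, `stage_since`, `timeline`) and the sample data are assumptions, and it assumes only open incidents need a fresh timeline entry.

```python
from datetime import datetime, timedelta, timezone

DAY = timedelta(hours=24)

def handover_gaps(alerts, incidents, now):
    """Return blockers for closing the shift; an empty list means hand over."""
    gaps = []
    for a in alerts:
        if a["severity"] == "critical" and a["status"] == "open":
            gaps.append(f"critical alert {a['id']} still open")
    for inc in incidents:
        if inc["status"] != "open":  # assumption: only open incidents are checked
            continue
        entries = [datetime.fromisoformat(t) for t in inc["timeline"]]
        if not entries or now - max(entries) > DAY:
            gaps.append(f"incident {inc['id']}: no timeline entry in last 24h")
        since = datetime.fromisoformat(inc["stage_since"])
        if inc["stage"] == "triage" and now - since > DAY:
            gaps.append(f"incident {inc['id']}: in triage > 24h, advance or re-assign")
    return gaps

# Constructed sample data (hypothetical field names, not a real export format).
NOW = datetime(2024, 5, 14, 17, 30, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"id": "A-101", "severity": "critical", "status": "closed"},
    {"id": "A-102", "severity": "critical", "status": "open"},
    {"id": "A-103", "severity": "high", "status": "open"},
]
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "status": "open", "stage": "triage",
     "stage_since": "2024-05-13T09:00:00+00:00",
     "timeline": ["2024-05-14T10:15:00+00:00"]},
    {"id": "INC-2", "status": "open", "stage": "containment",
     "stage_since": "2024-05-12T09:00:00+00:00",
     "timeline": ["2024-05-12T11:00:00+00:00"]},
    {"id": "INC-3", "status": "open", "stage": "triage",
     "stage_since": "2024-05-14T09:00:00+00:00", "timeline": []},
    {"id": "INC-4", "status": "closed", "stage": "closed",
     "stage_since": "2024-05-10T09:00:00+00:00", "timeline": []},
]

if __name__ == "__main__":
    for line in handover_gaps(SAMPLE_ALERTS, SAMPLE_INCIDENTS, NOW) or ["clear to hand over"]:
        print(line)
```

An empty result is the gate for posting the shift summary; each returned line names the item to fix first.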