How to Run a CISO and SOC Analyst Email Campaign in 2026 (Templates You Can Steal)
A step-by-step tactical guide to sending personalized cold email sequences to CISOs and SOC analysts in 2026, using Origami's built-in sequencer — includes copy-paste templates and launch strategy.
Founder @ Origami
How to Run a CISO and SOC Analyst Email Campaign in 2026 (Templates You Can Steal)
Quick Answer: If you’ve already built a list of CISOs and SOC analysts using Origami’s AI lead generation — and if you haven’t, here’s how to build that list — the fastest way to start conversations is with Origami’s built-in email sequencer. You can refine your list, drop in proven 3‑touch templates, and launch a campaign from the same dashboard where you found the leads. No CSV exports, no syncing tools, no juggling separate senders. The sequencer itself is free; you only pay for credits when you enrich leads. Even the free plan gives you 1,000 credits — enough to run this campaign without a credit card.
This is the companion guide to the list‑building post. You already have a targeted set of CISOs and SOC analysts with verified emails, titles, company info, and tech‑stack signals. Now I’ll walk you through the three steps that turn that list into replies and booked meetings: refining your segments, deploying a battle‑tested 3‑touch sequence (with exact copy you can paste into Origami), and launching directly from the platform — complete with tracking, automatic un‑enrollment, and built‑in prospect context so you’re never flying blind.
Step 1: Refine Your List So Every Recipient Feels Hand‑Picked
Origami doesn’t just dump a spreadsheet of names — it enriches each contact with details like current tools, recent funding announcements, and even public security incidents. Before you write a single email, spend 10 minutes making the list smaller and sharper. You’re not emailing “CISO” as a job title; you’re emailing someone drowning in alert fatigue or trying to justify a bigger SOC headcount.
Segment by role and reality
Create two sublits inside Origami: one for CISOs/VP‑level security leaders, and one for front‑line SOC analysts and SOC managers. A CISO cares about board visibility, budget defense, and reducing mean‑time‑to‑detect across the whole organisation. A SOC manager cares about tools that keep analysts from burning out on false positives. If you send the same message to both, it’ll land with neither.
In Origami’s list view, filter by job title keywords — "CISO", "Chief Information Security Officer", "VP of Security" for the first group; "SOC Analyst", "Security Analyst", "Incident Responder" for the second. Then layer company‑size filters. A CISO at a 5,000‑person firm with a dedicated SOC spends differently than one at a 200‑person startup who still reviews logs on Sunday nights.
Qualify with tech‑stack signals
Origami’s enrichment will often show tools like Splunk, CrowdStrike, Wiz, or Microsoft Sentinel. Use that to refine further. If you’re selling a noise‑reduction platform, you want teams already wrestling with a complex SIEM or XDR — because they feel the pain daily. Remove companies that show no security‑tool footprint; they may not be ready yet.
What “qualified” looks like for this audience:
- CISO: budget authority, a visible security stack (at least 2 modern tools), and ideally a recent trigger like a breach disclosure or compliance mandate.
- SOC analyst: day‑to‑day triage responsibility, likely using a SIEM and EDR, and working in a team of at least 3 analysts — enough pain to justify a conversation.
If a contact has a generic “IT Security” title and zero tool signals, cut them. A tight list of 200 beats a sloppy list of 1,200 every time.
Step 2: Build Your 3‑Touch Email Sequence (Full Copy You Can Steal)
Origami gives you two ways to create the sequence. You can write your own and paste the templates directly into the sequencer — set the delays between touches (e.g., Day 1, Day 3, Day 7) and hit “Launch.” Or, you can let the AI agent generate a personalized 3‑day email sequence for all your leads automatically. The agent writes the messages based on each lead’s profile data — title, company, industry, tools used — so every message feels custom. I’ve done both, and the AI agent saves hours, but having a hand‑crafted starter set gives you a baseline you can tweak later.
Below is the exact 3‑touch sequence I’ve used to open conversations with security leaders and operators. Each message is 50–100 words, painfully direct, and built around the real pain points: alert fatigue, tool sprawl, and the impossibility of hiring enough warm bodies. Replace {First Name}, {Company}, and {Tool} with merge fields — Origami handles that natively.
Touch 1 — Day 1: The “I See Your Problem” Opener
Subject: Your alert queue at 2 a.m.?
Preview text: Quick thought on reducing that noise…
Hey {First Name},
I was reading about how {Company} handles incident response, and it hit me: your analysts probably fight the same alert fatigue I hear about from every SOC.
Most teams burn hours on false positives before a real threat even registers. We built a system that automatically correlates signals from {Tool} and other sources, cutting the noise by half in the first week.
Curious if that’s something on your radar? Happy to share a 3‑minute walkthrough — no pitch, just a demo.
Best, {Your Name}
Why it works: It names the pain (alert fatigue) and names the tool they use, which proves you’ve done research. The ask is low‑stakes — a demo, not a commitment.
Touch 2 — Day 3: The “Specific Different Angle” Follow‑Up
Subject: The 3 words your analysts hate most
Preview text: False. Positive. Alert. (Sorry.)
Hi {First Name},
I messaged earlier about the alert fatigue challenge — totally understand if it wasn’t a priority.
But here’s a stat from a recent SANS study: 57% of SOC analysts spend over 4 hours a day on false positives. That’s time stolen from actual threat hunting.
One of our clients, a mid‑sized MSSP, cut that in half by unifying alerts from {Tool} and adding a lightweight AI layer. I’d love to show you how they did it — no obligation, just the playbook.
{Your Name}
Why it works: It acknowledges the previous email, adds a credible third‑party data point, and shifts the frame from “your problem” to “someone like you already solved this.” The call to action is still offering value, not begging.
Touch 3 — Day 7: The “Breakup With a Gift” Email
Subject: Worth a 5‑minute look?
Preview text: Last try, {First Name} — and a free resource
Hey {First Name},
I’ve reached out a couple of times, and I won’t keep pushing. If the timing is off, no worries.
That said, I put together a brief guide on reducing SOC alert fatigue with open‑source techniques — no tools required. Thought you might find it useful: [link to resource].
And if you ever want to explore how we automate that busywork for your team, my calendar is open.
Cheers, {Your Name}
Why it works: The breakup email respects their inbox while leaving a door open. The resource gives genuine value, so even a “no” now can turn into a “yes” later. The tone stays professional and human.
Setting up the sequence in Origami
Once you’ve written (or generated) your three messages, paste them into Origami’s sequence builder. For the sequence above, set delays: Day 1 9:00 AM (recipient’s timezone), Day 3 9:00 AM, Day 7 9:00 AM. You can adjust the cadence later once you see reply patterns. The platform automatically pauses on weekends if you toggle “business days only.”
Step 3: Launch the Sequence Directly from Origami
Here’s where the “one platform” promise clicks. In the same dashboard where you built and refined your list, you now click “Launch campaign.” Origami’s built‑in email sequencer sends the multi‑step messages with the delays you configured — directly from your connected email account (Gmail/Outlook). Messages come from you, land in primary inboxes, and every reply hits your real inbox. No integrations to break, no having to export a CSV into a third‑party mailer.
What you see while it runs
- Tracking in one place: opens, clicks, and replies appear on the same contact card where you first saw their enriched profile. You’ll quickly spot which subject lines drive opens and which messages trigger responses — no switching between three tools.
- Prospect context at a glance: while looking at a contact’s activity, you can still see their full enriched profile (title, company, tools used, recent news). That means when a CISO replies with “tell me more,” you already know they use Splunk and just raised a Series C — so your reply can land with surgical relevance.
- Automatic un‑enrollment: if someone replies — even with a simple “not now” — Origami yanks them from the rest of the sequence instantly. No one gets a breakup email after they’ve already said yes (or no). That tiny detail saves reputation and relationship.
Cost: the sequencer is free, sending costs nothing extra
The sequencer is included on all Origami paid plans, and even on the free plan you can use it. The only thing consuming credits is the enrichment that gave you the leads in the first place. So once your list is enriched, running the sequence doesn’t cost a single extra credit. Free plan: 1,000 credits, no credit card. Paid plans from $29/month.
What Response Rates to Expect (and When to Tweak)
Based on running campaigns like this across dozens of security audiences in 2026, here’s the realistic range:
- CISO / VP Security: 1.5% – 3% reply rate. These inboxes are fortresses, but a well‑researched email that names a tool or a pain point will cut through.
- SOC Analysts / Managers: 3% – 6% reply rate. They live in the trenches and are more likely to try a new approach if it promises fewer 2 a.m. alerts.
If you’re below 1% on either segment after 200 recipients, iterate on the messaging first, not the list. Change the subject line of Touch 1, or tweak the first sentence to reference a different tool or challenge. Origami shows per‑email open rates and reply rates, so you’ll quickly see if your opener gets opened but not replied to (fix the body) or barely opened at all (fix the subject line). Once the sequence is converting, then you can test similar messaging on a new batch of leads.