PRACTITIONER GUIDE | SECURITY OPERATIONS | 13 min read

SOC Metrics and KPIs: What to Measure in Your Security Operations Center

Sources: SANS SOC Survey 2025 | Gartner SOC Maturity Model 2025 | Splunk State of Security 2025 | MITRE ATT&CK Evaluations 2025 | Exabeam 2025 State of the SOC Report

21 days: average mean time to detect (MTTD) a breach across all industries in 2025
73%: of SOC analysts report alert fatigue as their primary challenge
45%: of SOC alerts are false positives or benign true positives requiring no action

Most SOCs track the wrong metrics. Alert volume, tickets closed per analyst, and SLA compliance rates measure activity, not effectiveness. A SOC that closes 500 tickets per day but misses a lateral movement campaign for three weeks is not a high-performing SOC. The metrics that matter are those that correlate with your ability to detect and contain real threats before they cause significant damage.

The Core Four: Outcome Metrics

Four metrics capture whether your SOC is actually achieving its security mission:

Mean Time to Detect (MTTD)

How long from the start of a malicious activity until your SOC has a confirmed detection. Measured from the earliest evidence in your logs (not from when an alert fired). MTTD tells you how long attackers operate undetected. The industry average is 21 days; best-in-class SOCs achieve under 24 hours for most attack types. Track MTTD separately by attack technique category (phishing, lateral movement, exfiltration) to identify detection gaps.

Mean Time to Respond (MTTR)

How long from confirmed detection until the threat is contained or remediated. MTTR measures your incident response efficiency. A low MTTD with a high MTTR means you detect threats early but take too long to act. Track MTTR separately for automated responses vs. analyst-driven responses to quantify automation value.

Detection Coverage

What percentage of the MITRE ATT&CK techniques relevant to your threat model do you have active detections for? Map your current detection rules to ATT&CK techniques. Organizations typically cover 20 to 40 percent of relevant techniques; 60 percent or above is strong coverage. This metric drives investment in new detection development.

Escape Rate

What percentage of real security incidents were not detected by your SOC and were discovered by external parties (law enforcement, vendor notification, victim complaint)? Even a single incident discovered externally represents a detection failure worth investigating. Track this quarterly.
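The four outcome metrics above are simple to compute once incident records carry the right timestamps. The following Python is an added example, not code from this guide or from any of the cited reports: it runs over a constructed set of incident records whose fields (`first_evidence`, `detected`, `contained`, `response`, `found_by`, `quarter`) and timestamps are assumptions made for the illustration. MTTD is taken from the earliest-evidence timestamp rather than the alert time, MTTR is split by automated versus analyst response, and any incident whose `found_by` is not the SOC counts toward the escape rate.

```python
"""Core outcome metrics over a constructed incident set (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed incident records. `first_evidence` is the earliest malicious
# activity found during retrospective log review, not the alert timestamp.
# `found_by` records who discovered the incident; anything other than "soc"
# counts as an escape (externally discovered incident).
INCIDENTS = [
    {"id": "INC-001", "category": "phishing", "quarter": "2025Q1",
     "first_evidence": "2025-03-01T08:00:00", "detected": "2025-03-01T09:30:00",
     "contained": "2025-03-01T11:00:00", "response": "automated", "found_by": "soc"},
    {"id": "INC-002", "category": "lateral_movement", "quarter": "2025Q1",
     "first_evidence": "2025-02-10T22:00:00", "detected": "2025-03-03T10:00:00",
     "contained": "2025-03-05T16:00:00", "response": "analyst", "found_by": "soc"},
    {"id": "INC-003", "category": "exfiltration", "quarter": "2025Q1",
     "first_evidence": "2025-01-15T03:00:00", "detected": "2025-02-20T14:00:00",
     "contained": "2025-02-22T14:00:00", "response": "analyst", "found_by": "vendor_notification"},
    {"id": "INC-004", "category": "phishing", "quarter": "2025Q1",
     "first_evidence": "2025-03-10T12:00:00", "detected": "2025-03-10T12:30:00",
     "contained": "2025-03-10T13:30:00", "response": "automated", "found_by": "soc"},
]


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def mttd_by_category(incidents):
    """Mean hours from first evidence to confirmed detection, per attack category."""
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[inc["category"]].append(hours_between(inc["first_evidence"], inc["detected"]))
    return {cat: round(mean(hours), 2) for cat, hours in buckets.items()}


def mttr_by_response(incidents):
    """Mean hours from detection to containment, split by automated vs analyst response."""
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[inc["response"]].append(hours_between(inc["detected"], inc["contained"]))
    return {mode: round(mean(hours), 2) for mode, hours in buckets.items()}


def categories_over_target(incidents, target_hours=24.0):
    """Attack categories whose MTTD exceeds the target: the detection gaps to work on."""
    return sorted(cat for cat, hrs in mttd_by_category(incidents).items() if hrs > target_hours)


def escape_rate(incidents, quarter):
    """Percentage of the quarter's incidents discovered by someone other than the SOC."""
    in_quarter = [inc for inc in incidents if inc["quarter"] == quarter]
    if not in_quarter:
        return 0.0
    escaped = [inc for inc in in_quarter if inc["found_by"] != "soc"]
    return round(100 * len(escaped) / len(in_quarter), 1)


if __name__ == "__main__":
    print("MTTD by category (h):", mttd_by_category(INCIDENTS))
    print("MTTR by response mode (h):", mttr_by_response(INCIDENTS))
    print("Categories over 24h MTTD target:", categories_over_target(INCIDENTS))
    print("Escape rate 2025Q1 (%):", escape_rate(INCIDENTS, "2025Q1"))
```

On the constructed data the phishing category sits at a one-hour MTTD while lateral movement and exfiltration run to weeks, which is exactly the per-category gap the guide says an aggregate MTTD hides; the single vendor-notified incident yields a 25 percent escape rate for the quarter.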

Operational Efficiency Metrics

Operational metrics help manage analyst workload and tool performance without confusing activity with effectiveness:

False positive rate

The percentage of alerts that required analyst investigation but turned out not to be security incidents. High false positive rates (above 30 to 40 percent) indicate detection logic that needs tuning and cause analyst alert fatigue. Track by detection rule to identify the highest-noise sources for targeted tuning.

Alert-to-incident conversion rate

What percentage of alerts escalate to confirmed incidents? An extremely low conversion rate (under 1 percent) suggests either your environment is very secure or your alerts are poorly calibrated. A moderate rate (2 to 5 percent) is typical for well-tuned environments.

Analyst utilization rate

The percentage of analyst time spent on actual security investigation vs. administrative tasks, ticket management, and tool maintenance. Targeting 60 to 70 percent investigation time is realistic; anything below 40 percent suggests operational overhead is consuming analyst capacity.

Automation rate

The percentage of alerts handled entirely by automated playbooks without analyst intervention. Mature SOCs automate 50 to 70 percent of high-volume, low-complexity alerts (phishing URL detonation, known-malicious IP blocking, malware sandbox submission). Track which alert types are automated vs. analyst-handled.


Detection Engineering Metrics

Detection quality is a continuous improvement problem. Track these metrics to manage your detection engineering backlog:

Detection-to-adversary-action lag

How quickly do you add detections for newly observed adversary techniques? After a major threat intelligence report or CISA advisory, measure time from publication to deployed detection rule. Best-in-class SOCs deploy detections within 24 to 72 hours of a new technique being documented.

Rule age and freshness

What percentage of your detection rules have not been reviewed or tuned in the past 12 months? Stale rules generate noise or miss evolved techniques. Audit your rule library quarterly and retire or update rules that no longer reflect current attacker behavior.

Purple team coverage results

Run quarterly purple team exercises (simulated attacks with red team and blue team working together) and measure detection rate. This is the most accurate measure of actual detection capability because it tests against real attack simulations in your specific environment.
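The three detection engineering metrics in this section come from three different data sets: the rule inventory with its review dates, the advisory-to-deployment log, and purple team results. The Python below is an added example (not code from the guide or from any tool it mentions) that computes all three from constructed records; the rule names, advisory names, dates and the audit date `AS_OF` are assumptions, while the ATT&CK technique IDs are real identifiers used only as labels.

```python
"""Detection engineering metrics over a constructed rule inventory (added example)."""
from datetime import date, timedelta

AS_OF = date(2025, 3, 31)  # constructed audit date

# Constructed rule inventory: rule name, ATT&CK technique it covers, last review date.
RULES = [
    {"name": "lsass_handle_access", "technique": "T1003.001", "last_reviewed": "2024-11-02"},
    {"name": "psexec_service_install", "technique": "T1021.002", "last_reviewed": "2023-06-15"},
    {"name": "dns_txt_beaconing", "technique": "T1071.004", "last_reviewed": "2025-01-20"},
    {"name": "legacy_smb_sweep", "technique": "T1046", "last_reviewed": "2022-09-01"},
]

# Constructed advisory tracking: when a new technique was published and when the
# matching detection rule went into production (None = still in the backlog).
ADVISORIES = [
    {"name": "advisory-A", "published": "2025-02-03", "rule_deployed": "2025-02-05"},
    {"name": "advisory-B", "published": "2025-02-17", "rule_deployed": "2025-02-26"},
    {"name": "advisory-C", "published": "2025-03-04", "rule_deployed": None},
]

# Constructed purple team results: one row per simulated technique.
PURPLE_TEAM = [
    {"technique": "T1003.001", "detected": True},
    {"technique": "T1021.002", "detected": True},
    {"technique": "T1071.004", "detected": False},
    {"technique": "T1046", "detected": False},
    {"technique": "T1566.001", "detected": True},
]


def stale_rules(rules, as_of=AS_OF, max_age_days=365):
    """Rules not reviewed within max_age_days of the audit date."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(r["name"] for r in rules if date.fromisoformat(r["last_reviewed"]) < cutoff)


def stale_rule_pct(rules, as_of=AS_OF, max_age_days=365):
    """Percentage of the rule library that counts as stale."""
    return round(100 * len(stale_rules(rules, as_of, max_age_days)) / len(rules), 1)


def deployment_lag_days(advisories):
    """Publication-to-deployment lag in days for advisories that have a rule in production."""
    return {a["name"]: (date.fromisoformat(a["rule_deployed"]) - date.fromisoformat(a["published"])).days
            for a in advisories if a["rule_deployed"]}


def advisories_over_target(advisories, as_of=AS_OF, target_days=3):
    """Advisories whose lag exceeds the target; undeployed ones are measured up to as_of."""
    late = []
    for a in advisories:
        end = date.fromisoformat(a["rule_deployed"]) if a["rule_deployed"] else as_of
        if (end - date.fromisoformat(a["published"])).days > target_days:
            late.append(a["name"])
    return late


def purple_team_detection_rate(results):
    """Percentage of simulated techniques that produced a detection."""
    detected = sum(1 for r in results if r["detected"])
    return round(100 * detected / len(results), 1)


def purple_team_misses(results):
    """Techniques the exercise executed without a detection firing."""
    return sorted(r["technique"] for r in results if not r["detected"])


if __name__ == "__main__":
    print("Stale rules:", stale_rules(RULES), f"({stale_rule_pct(RULES)}%)")
    print("Deployment lag (days):", deployment_lag_days(ADVISORIES))
    print("Advisories over 72h target:", advisories_over_target(ADVISORIES))
    print("Purple team detection rate (%):", purple_team_detection_rate(PURPLE_TEAM))
    print("Purple team misses:", purple_team_misses(PURPLE_TEAM))
```

Note that an advisory with no deployed rule is still scored against the target, measured up to the audit date, so an open backlog item cannot hide by having no lag to report.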

Communicating Metrics to Leadership

SOC metrics presented to technical leadership differ from those for executives. Executive audiences need metrics that translate security performance into business risk language:

Time attackers have access before detection (MTTD)

Frame MTTD as business risk: 'An attacker who compromises an account today has 21 days on average before we detect them. In that time, they can reach every system our employees access.' This lands differently than '21 days MTTD.'

Coverage against top threats

Map your MITRE ATT&CK coverage against the attack techniques used in recent breaches in your industry. 'We detect 8 of the 12 techniques used in the average ransomware attack against healthcare organizations' is more meaningful to a CFO than '67% ATT&CK coverage.'

Automation ROI

Calculate the analyst hours saved by automation per month and convert to cost. 'Our automated triage handles 4,200 alerts per month that would otherwise require 300 analyst hours. At fully-loaded cost, this represents $45,000 in monthly analyst capacity freed for higher-complexity work.'

What Not to Measure

Some commonly tracked SOC metrics are actively misleading. Avoid leading with these:

Raw alert volume

More alerts is not better security. Alert volume without context (false positive rate, coverage, severity distribution) rewards noisy detection rules and encourages tuning in the wrong direction.

Tickets closed per analyst

This measures speed, not quality. A SOC that closes tickets quickly by misclassifying real incidents as false positives looks great on this metric while missing breaches.

Compliance check completion rate

Completing compliance checks is an activity metric, not a security outcome metric. A SOC can complete 100 percent of required compliance checks while missing an active intrusion.

The bottom line

Start with MTTD and detection coverage. Everything else follows from those two: MTTD tells you how effective your current detections are, and ATT&CK coverage tells you where your gaps are. Every other SOC metric is either an input (false positive rate, automation rate) or an output (escape rate, MTTR) of improving those two core measures.

Frequently asked questions

How do I calculate MTTD accurately?

MTTD should be measured from the earliest evidence of malicious activity in your logs, not from when an alert fired. For each confirmed incident, conduct a log review to find the first indicator (first suspicious authentication, first C2 beacon, first lateral movement event) and calculate the delta to confirmed detection. This is sometimes called 'retrospective MTTD' and is more accurate than using alert timestamps, which only measure how fast your current rules fire, not how long attackers were actually in your environment before you knew.
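To make the difference between retrospective MTTD and alert-timestamp MTTD concrete, the following Python is an added example, not code from the guide: it walks a constructed log timeline for one incident, finds the earliest event matching an indicator established during the investigation, and reports both figures side by side. The log lines, the indicator values (a source IP and a C2 domain), the alert and confirmation timestamps, and the `key=value` line format are all constructed for the illustration.

```python
"""Retrospective MTTD from an incident's log timeline (added example)."""
from datetime import datetime

# Constructed log lines for one incident, already pulled into a timeline.
# Format: ISO timestamp, log source, then key=value pairs.
TIMELINE = [
    "2025-03-01T08:00:00Z vpn user=j.doe result=success src=203.0.113.45 geo=unusual",
    "2025-03-01T08:10:41Z proxy host=wks042 user=j.doe dst=update-check.example bytes=512",
    "2025-03-02T01:14:09Z smb host=wks042 user=j.doe action=admin_share_connect target=fs01",
    "2025-03-04T09:22:55Z proxy host=wks042 user=j.doe dst=update-check.example bytes=1049000",
    "2025-03-04T09:30:00Z edr host=wks042 alert=suspicious_archive_upload severity=high",
]

# Indicators established during the investigation (constructed values).
# Each is a (field, value) pair; an event matches if any pair matches exactly.
INDICATORS = [("src", "203.0.113.45"), ("dst", "update-check.example")]

ALERT_FIRED = "2025-03-04T09:30:00Z"          # first detection rule to fire
DETECTION_CONFIRMED = "2025-03-04T11:00:00Z"  # analyst confirms a true positive


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_line(line: str) -> dict:
    """Split a timeline line into a timestamp, a source, and its key=value fields."""
    ts, source, *pairs = line.split()
    event = {"ts": parse_ts(ts), "source": source}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def first_indicator_event(lines, indicators):
    """Earliest event matching any indicator, or None if nothing matches."""
    matches = [e for e in map(parse_line, lines)
               if any(e.get(field) == value for field, value in indicators)]
    return min(matches, key=lambda e: e["ts"]) if matches else None


def hours(start: datetime, end: datetime) -> float:
    return round((end - start).total_seconds() / 3600, 2)


def mttd_report(lines, indicators, alert_fired, confirmed):
    """Retrospective MTTD (first evidence to confirmation) next to alert-based MTTD."""
    first = first_indicator_event(lines, indicators)
    confirmed_ts = parse_ts(confirmed)
    return {
        "first_evidence": first["ts"].isoformat() if first else None,
        "retrospective_mttd_hours": hours(first["ts"], confirmed_ts) if first else None,
        "alert_mttd_hours": hours(parse_ts(alert_fired), confirmed_ts),
    }


if __name__ == "__main__":
    print(mttd_report(TIMELINE, INDICATORS, ALERT_FIRED, DETECTION_CONFIRMED))
```

On this timeline the alert-based figure is 1.5 hours, while the retrospective figure is 75 hours, because the first indicator is the anomalous VPN login three days before the EDR rule fired. Only the second number describes how long the attacker was in the environment.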

What is a realistic MTTD target for a mid-size enterprise SOC?

Industry benchmarks vary widely by organization size and SOC maturity. The Mandiant 2025 M-Trends report put median global MTTD at 10 days. Best-in-class SOCs with mature detection engineering, EDR, and SIEM coverage achieve MTTD under 24 hours for most attack categories. A realistic improvement target for a SOC in the first two years of maturation is moving from industry average (10-21 days) to under 72 hours for high-severity incidents. Set MTTD targets by attack category, since lateral movement detections mature faster than data exfiltration detections in most programs.

How do we use MITRE ATT&CK to measure detection coverage?

Map each of your SIEM detection rules and EDR alerts to the ATT&CK technique it detects. Use tools like ATT&CK Navigator to visualize coverage. Identify which techniques in your threat model are not covered by any current detection. Prioritize new detection development based on: techniques used by threat actors targeting your industry (from CISA advisories and threat intel reports), techniques with high business impact if executed (data exfiltration, ransomware deployment), and techniques where your environment has exploitable attack surface.
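The coverage calculation described here, and in the Detection Coverage and "Coverage against top threats" sections above, reduces to set arithmetic over a rule-to-technique map. The Python below is an added example, not code from the guide or from ATT&CK Navigator: the rule names, the rule-to-technique mapping, the threat model scores (actor usage, business impact, exposed attack surface) and the breach technique list are constructed assumptions; the ATT&CK technique IDs are real identifiers used as labels.

```python
"""ATT&CK detection coverage and backlog prioritization (added example)."""

# Constructed mapping of each detection rule to the ATT&CK technique IDs it covers.
RULE_TO_TECHNIQUES = {
    "phish_macro_attachment": ["T1566.001", "T1204.002"],
    "lsass_dump": ["T1003.001"],
    "psexec_lateral": ["T1021.002", "T1569.002"],
    "cloud_storage_exfil": ["T1567.002"],
    "shadow_copy_delete": ["T1490"],
}

# Constructed threat model: the techniques that matter for this environment, with
# the three prioritization inputs the guide names. Scores are illustrative only.
THREAT_MODEL = {
    "T1566.001": {"actors": 3, "impact": 2, "exposed": True},
    "T1204.002": {"actors": 3, "impact": 2, "exposed": True},
    "T1003.001": {"actors": 2, "impact": 3, "exposed": True},
    "T1021.002": {"actors": 2, "impact": 2, "exposed": True},
    "T1569.002": {"actors": 1, "impact": 2, "exposed": True},
    "T1567.002": {"actors": 2, "impact": 3, "exposed": True},
    "T1490": {"actors": 3, "impact": 3, "exposed": True},
    "T1486": {"actors": 3, "impact": 3, "exposed": True},
    "T1078": {"actors": 2, "impact": 2, "exposed": True},
    "T1047": {"actors": 1, "impact": 1, "exposed": False},
}

# Constructed technique list for a recent breach pattern in the industry.
RANSOMWARE_PATTERN = ["T1566.001", "T1204.002", "T1003.001", "T1021.002",
                      "T1567.002", "T1490", "T1486", "T1078"]


def covered_techniques(rule_map):
    """Every technique at least one deployed rule claims to detect."""
    return {t for techniques in rule_map.values() for t in techniques}


def coverage_pct(rule_map, threat_model):
    """Percentage of threat-model techniques with at least one detection."""
    covered = covered_techniques(rule_map) & set(threat_model)
    return round(100 * len(covered) / len(threat_model), 1)


def uncovered(rule_map, threat_model):
    """Threat-model techniques with no detection at all."""
    return sorted(set(threat_model) - covered_techniques(rule_map))


def priority_score(attrs):
    """Actor usage plus business impact, plus one if the attack surface is exposed."""
    return attrs["actors"] + attrs["impact"] + (1 if attrs["exposed"] else 0)


def detection_backlog(rule_map, threat_model):
    """Uncovered techniques ranked by priority score, highest first."""
    gaps = uncovered(rule_map, threat_model)
    return sorted(((t, priority_score(threat_model[t])) for t in gaps),
                  key=lambda item: (-item[1], item[0]))


def coverage_against_pattern(rule_map, pattern):
    """(detected, total) for a specific technique set such as a breach pattern."""
    covered = covered_techniques(rule_map)
    return sum(1 for t in pattern if t in covered), len(pattern)


if __name__ == "__main__":
    print("Coverage (%):", coverage_pct(RULE_TO_TECHNIQUES, THREAT_MODEL))
    print("Backlog:", detection_backlog(RULE_TO_TECHNIQUES, THREAT_MODEL))
    print("Ransomware pattern:", coverage_against_pattern(RULE_TO_TECHNIQUES, RANSOMWARE_PATTERN))
```

The constructed data gives 70 percent overall coverage but only 6 of 8 techniques in the breach pattern, and the backlog puts T1486 first because it scores highest on all three inputs. The executive-facing "6 of 8" figure and the engineering-facing percentage come from the same map, which is the point of maintaining one.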

What is a good false positive rate for a SOC?

There is no universal target, but false positive rates above 50 percent in any detection category indicate significant tuning work needed. Many mature SOCs target under 10 percent false positives for high-severity alerts (analysts investigate every one) and accept higher rates for lower-severity alerts that are triaged automatically. Track false positive rates by rule, not just overall: one noisy rule generating 80 percent false positives distorts your aggregate and identifies a specific tuning target.
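The per-rule and per-severity false positive rates described here, together with the alert-to-incident conversion rate, automation rate and automation ROI from the Operational Efficiency and Automation ROI sections above, all come from the same monthly per-rule alert counts. The Python below is an added example, not code from the guide or from any SIEM or SOAR product: the rule names, counts, severities, per-alert minute estimates and the loaded hourly cost are constructed assumptions.

```python
"""Alert-level efficiency metrics over constructed per-rule counts (added example)."""
from collections import defaultdict

# Constructed per-rule alert counts for one month. Fields:
#   total: alerts fired; fp: closed as false positive; incidents: escalated to
#   confirmed incidents; automated: closed by a playbook without an analyst;
#   minutes: estimated analyst minutes one alert of this type costs by hand.
RULE_STATS = [
    {"rule": "impossible_travel_login", "severity": "high", "total": 120, "fp": 84,
     "incidents": 6, "automated": 0, "minutes": 25},
    {"rule": "lsass_access", "severity": "high", "total": 40, "fp": 2,
     "incidents": 4, "automated": 0, "minutes": 30},
    {"rule": "known_bad_ip_block", "severity": "low", "total": 3000, "fp": 150,
     "incidents": 0, "automated": 1500, "minutes": 5},
    {"rule": "phishing_url_detonation", "severity": "medium", "total": 900, "fp": 300,
     "incidents": 9, "automated": 900, "minutes": 8},
    {"rule": "new_admin_account", "severity": "medium", "total": 60, "fp": 24,
     "incidents": 1, "automated": 0, "minutes": 15},
]


def fp_rate_by_rule(stats):
    """False positive percentage per detection rule."""
    return {s["rule"]: round(100 * s["fp"] / s["total"], 2) for s in stats}


def fp_rate_by_severity(stats):
    """False positive percentage aggregated per severity band."""
    totals, fps = defaultdict(int), defaultdict(int)
    for s in stats:
        totals[s["severity"]] += s["total"]
        fps[s["severity"]] += s["fp"]
    return {sev: round(100 * fps[sev] / totals[sev], 2) for sev in totals}


def noisy_rules(stats, threshold_pct, severity=None):
    """Rules whose false positive rate exceeds the threshold, optionally within one severity."""
    rates = fp_rate_by_rule(stats)
    return sorted(s["rule"] for s in stats
                  if rates[s["rule"]] > threshold_pct
                  and (severity is None or s["severity"] == severity))


def alert_to_incident_rate(stats):
    """Percentage of all alerts that escalated to a confirmed incident."""
    total = sum(s["total"] for s in stats)
    return round(100 * sum(s["incidents"] for s in stats) / total, 2)


def automation_rate(stats):
    """Percentage of all alerts closed by a playbook with no analyst involvement."""
    total = sum(s["total"] for s in stats)
    return round(100 * sum(s["automated"] for s in stats) / total, 2)


def automation_roi(stats, loaded_hourly_cost):
    """Analyst hours and cost freed this month by automated handling."""
    minutes = sum(s["automated"] * s["minutes"] for s in stats)
    hours = minutes / 60
    return {"hours_saved": round(hours, 1), "cost_freed": round(hours * loaded_hourly_cost, 2)}


if __name__ == "__main__":
    print("FP rate by rule (%):", fp_rate_by_rule(RULE_STATS))
    print("FP rate by severity (%):", fp_rate_by_severity(RULE_STATS))
    print("Rules over 40% FP:", noisy_rules(RULE_STATS, 40.0))
    print("High-severity rules over 10% FP:", noisy_rules(RULE_STATS, 10.0, severity="high"))
    print("Alert-to-incident rate (%):", alert_to_incident_rate(RULE_STATS))
    print("Automation rate (%):", automation_rate(RULE_STATS))
    print("Automation ROI:", automation_roi(RULE_STATS, loaded_hourly_cost=150.0))
```

On the constructed counts the aggregate high-severity false positive rate is about 54 percent, but the per-rule view shows that almost all of it comes from one rule at 70 percent while the other high-severity rule sits at 5 percent, which is the distortion the answer above warns about and the reason the tuning target is a rule, not a band.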

How should SOC metrics be reviewed and with what frequency?

MTTD, MTTR, and false positive rates should be reviewed weekly by SOC leadership to identify trends and assign tuning work. Detection coverage should be reviewed monthly with detection engineering to track the backlog of new rules needed. Executive-facing metrics (coverage against top threats, MTTD in business terms, automation ROI) should be prepared quarterly for CISO reporting. Annual purple team exercises provide the most accurate point-in-time measurement of actual detection capability.

What tools help automate SOC metric collection?

SIEM platforms (Splunk, Microsoft Sentinel, Elastic SIEM) can generate most SOC metrics from their existing data: alert volumes, closure times, analyst workloads, and false positive rates. SOAR platforms (Palo Alto XSOAR, Splunk SOAR, Tines) track automation rates and playbook execution metrics. Specialized security operations platforms (Tines, Torq, Swimlane) include SOC performance dashboards. For MITRE ATT&CK coverage tracking, use ATT&CK Navigator with manual rule mapping or tools like Vectr (for purple team results) and Atomic Red Team for detection validation.



Author: Eric Bang

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
