Measuring team effectiveness


Metric Definition Meaning
Mean Time to
Detection (MTTD)
Average time the SOC takes to
detect an incident.
How effective the SOC is at processing
important alerts and identifying real
Mean Time to
Resolution (MTTR)
Average time that transpires
before the SOC takes action
and neutralizes the threat.
How effective the SOC is at gathering
relevant data, coordinating a response,
and taking action.
Total cases
per month
Number of security incidents
detected and processed by
the SOC.
How busy the security environment is and
the scale of action the SOC is managing.
Types of
Number of incidents by type:
web attack, attrition (brute force
and destruction), email, loss
or theft of equipment, etc.
The main types of activity managed
by the SOC, and where preventative
security measures should be focused.
Number of units processed per
analyst — alerts for Tier 1,
incidents for Tier 2, threats
discovered for Tier 3.
How effective analysts are at covering
maximum possible alerts and threats.
Case escalation
Number of events that enter
the SIEM, alerts reported,
suspected incidents, confirmed
incidents, escalated incidents.
The effective capacity of the SOC at each
level and the workload expected for
different analyst groups.


Metric Definition Meaning
Number of alerts by dept, team, site. How effective the detection solution is.
If the SOC is not the greatest
source of alerts you have a problem.
Detection to
The time it takes for activity
to be detected and processed
through the system to determine
if action is required.
How effective analysts, detection tools,
SIEM, etc. are.
The time it takes to make a
decision: includes the time needed
to get all hands on deck.
Decisions are made on every alert and
are heavily influenced by the number of
alerts ahead in the queue and how much
additional research an analyst must conduct.
False positive
The percentage of alerts that
upon investigation are revealed
to not be valid threats.
False positives can reduce a security team’s
confidence in its tools and draws attention
away from serious underlying problems.
False positive feedback loops are to be
included in the process, and the only thing
worse than a false positive is an overlooked
false negative.
Time to
The time it takes to see a security
concern, identify the
impact, determine the course of
action and implement it.
These numbers can vary widely but over
time trends will appear, providing
useful insight about where you need to
invest for additional protection,
remediation and automation capabilities.