
Mean Time Metrics Dashboard Template

MTTD, MTTR, MTTA & SOC Performance KPIs

Overview

You cannot improve what you do not measure. Mean time metrics are the heartbeat of SOC performance, telling you how quickly you detect threats, how fast you respond, and how effectively your team operates. This dashboard template covers the essential metrics every SOC should track: MTTD, MTTA, MTTR, and MTTC. It includes calculation methods, benchmark targets, and a framework for building a real-time performance dashboard that drives continuous improvement.

Core SOC Metrics

  • Mean Time to Detect (MTTD): average time from threat activity to alert generation
  • Mean Time to Acknowledge (MTTA): average time from alert to analyst acknowledgment
  • Mean Time to Respond (MTTR): average time from detection to containment
  • Mean Time to Contain (MTTC): average time from first response action to full containment
  • Mean Time to Recover: average time from containment to full service restoration
  • False Positive Rate: percentage of alerts that are benign after investigation
  • Alert Volume: total alerts per day/week/month by category and severity
  • Escalation Rate: percentage of alerts escalated from L1 to L2/L3

Metric Benchmarks

| Metric | Industry average | Good | Best-in-class |
|---|---|---|---|
| MTTD | 197 days (IBM 2024) | 24 hours | Under 1 hour |
| MTTA | 15-30 minutes | Under 10 minutes | Under 5 minutes |
| MTTR | 73 days (IBM 2024) | 24 hours | Under 4 hours |
| False Positive Rate | 40-60% | Under 30% | Under 15% |
| Alert-to-Incident Ratio | 100:1 | 50:1 | 20:1 |
| SLA Compliance | 70% | 90% | Over 95% |

Calculating Metrics Accurately

The accuracy of your metrics depends on consistent data collection. MTTD is measured from the time of initial compromise (not the alert), which requires forensic timeline analysis after incidents are resolved. MTTA runs from alert creation in the SIEM to the first analyst action in the ticket. MTTR spans from detection to confirmed containment. Automate data collection from your SIEM, ticketing system, and EDR tools to avoid manual calculation errors. Segment metrics by incident type and severity to reveal meaningful patterns rather than averages that hide important variation.
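The calculation described above, as an added example that is not part of the original template: it computes MTTD, MTTA and MTTR in minutes from per-incident timestamps and segments them by any key. The field names, the sample incidents and the choice of the alert time as the detection time are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents (not real data); timestamps are UTC.
# "compromise" comes from post-incident forensics and may be unknown (None).
def _inc(kind, sev, compromise, alert, ack, contained):
    return {"type": kind, "severity": sev, "compromise": compromise,
            "alert": alert, "ack": ack, "contained": contained}

INCIDENTS = [
    _inc("phishing", "high", "2024-03-01T08:00", "2024-03-01T09:00",
         "2024-03-01T09:05", "2024-03-01T11:00"),
    _inc("phishing", "high", "2024-03-02T10:00", "2024-03-02T10:30",
         "2024-03-02T10:45", "2024-03-02T12:30"),
    _inc("intrusion", "critical", "2024-02-20T00:00", "2024-03-01T00:00",
         "2024-03-01T00:10", "2024-03-02T00:00"),
    _inc("malware", "medium", None, "2024-03-03T14:00",
         "2024-03-03T14:30", "2024-03-03T16:00"),
]

# Metric -> (start field, end field), following the definitions on this page.
SPANS = {"MTTD": ("compromise", "alert"), "MTTA": ("alert", "ack"),
         "MTTR": ("alert", "contained")}

def minutes_between(rec, start, end):
    """Minutes from rec[start] to rec[end]; None if either is missing."""
    if not rec.get(start) or not rec.get(end):
        return None
    delta = datetime.fromisoformat(rec[end]) - datetime.fromisoformat(rec[start])
    if delta.total_seconds() < 0:  # clock skew or bad data entry: fail loudly
        raise ValueError(f"{end} precedes {start}: {rec}")
    return delta.total_seconds() / 60

def mean_time_metrics(incidents, key=lambda rec: "all"):
    """Return {segment: {metric: {"mean", "median", "n"}}} in minutes."""
    buckets = defaultdict(lambda: defaultdict(list))
    for rec in incidents:
        for metric, (start, end) in SPANS.items():
            value = minutes_between(rec, start, end)
            if value is not None:  # unknown compromise time: skip, don't guess
                buckets[key(rec)][metric].append(value)
    return {seg: {m: {"mean": mean(v), "median": median(v), "n": len(v)}
                  for m, v in metrics.items()}
            for seg, metrics in buckets.items()}

if __name__ == "__main__":
    print(mean_time_metrics(INCIDENTS, key=lambda r: (r["type"], r["severity"])))
```

On the sample data the overall MTTD mean is 4830 minutes while the median is 60, because one long-dwell intrusion dominates the average; segmenting by type makes that visible.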

Building the Dashboard

Create a real-time dashboard accessible to the entire SOC team and leadership. Include trend lines over 30, 60, and 90 days to show improvement trajectories. Use color coding to highlight metrics that are above or below target. Include daily alert volume with category breakdown so leadership understands workload. Add a queue health widget showing current open alerts by severity and age. Consider a heat map showing alert volume by time of day and day of week to optimize shift scheduling. Keep the dashboard simple: if it has more than 10 widgets, analysts will stop looking at it.

Using Metrics to Drive Improvement

  • Review metrics weekly with the SOC team to identify trends and root causes of underperformance
  • Set quarterly improvement targets for MTTD, MTTR, and false positive rate
  • Use rising MTTA as an early indicator of staffing or alert volume issues
  • Correlate false positive rates with specific detection rules to prioritize tuning efforts
  • Report metrics monthly to leadership alongside narrative context explaining changes
  • Benchmark against industry reports (IBM Cost of a Breach, Mandiant M-Trends) to contextualize performance
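One way to correlate false positive rates with detection rules for tuning, as an added example that is not part of the original template. The rule IDs, verdict labels, `min_alerts` threshold and sample counts are constructed for illustration.

```python
from collections import Counter

# Constructed closed-alert dispositions (rule id, analyst verdict); not real data.
CLOSED_ALERTS = (
    [("R-101", "false_positive")] * 45 + [("R-101", "true_positive")] * 5
    + [("R-202", "false_positive")] * 30 + [("R-202", "true_positive")] * 70
    + [("R-303", "false_positive")] * 4
    + [("R-404", "false_positive")] * 1 + [("R-404", "true_positive")] * 45
)

def fp_by_rule(alerts, min_alerts=10):
    """Rank rules by false-positive volume; return (overall_fp_rate, rows)."""
    if not alerts:
        return 0.0, []
    total, fps = Counter(), Counter()
    for rule, verdict in alerts:
        total[rule] += 1
        if verdict == "false_positive":
            fps[rule] += 1
    all_fp = sum(fps.values())
    rows = [{
        "rule": rule,
        "alerts": n,
        "fp": fps[rule],
        "fp_rate": fps[rule] / n,
        # Share of the SOC's total false-positive workload caused by this rule.
        "share_of_all_fp": fps[rule] / all_fp if all_fp else 0.0,
        # Too few alerts to trust the rate; review manually instead of ranking on it.
        "low_sample": n < min_alerts,
    } for rule, n in total.items()]
    # Sort by FP count, not FP rate: volume is what consumes analyst time.
    rows.sort(key=lambda r: r["fp"], reverse=True)
    return all_fp / len(alerts), rows

if __name__ == "__main__":
    overall, rows = fp_by_rule(CLOSED_ALERTS)
    print(f"overall FP rate: {overall:.0%}")
    for r in rows:
        flag = " (low sample)" if r["low_sample"] else ""
        print(f'{r["rule"]}: {r["fp"]}/{r["alerts"]} FP, '
              f'{r["share_of_all_fp"]:.0%} of all FPs{flag}')
```

In the sample, R-303 has a 100% false positive rate but only four alerts, while R-101 accounts for more than half of all false positives and is the better first tuning target.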

Frequently Asked Questions

What is the most important SOC metric?

MTTD and MTTR are the two that matter most. Detecting a threat quickly is meaningless if you cannot contain it quickly, and a fast response does not help if detection takes months. Track and improve both together.

How do we calculate MTTD if we do not know when the compromise started?

Use forensic analysis from post-incident reviews to determine the initial compromise timestamp. For ongoing measurement, track MTTD from the time the threat activity first appeared in your logs to when the first alert fired.

What tools do we need for a metrics dashboard?

Most SIEMs have built-in dashboard capabilities. For more sophisticated visualization, connect your SIEM and ticketing data to Grafana, Power BI, or Tableau. SOAR platforms can also aggregate and visualize SOC performance data.

How do we avoid gaming metrics?

Focus on outcomes rather than activity. An analyst who closes 200 alerts by marking them all as false positives has great throughput but terrible quality. Balance volume metrics with quality reviews and random audits of closed alerts.

Should we share SOC metrics with the broader organization?

Share summary-level metrics with leadership to demonstrate value and justify investment. Share detailed operational metrics within the SOC team. Avoid sharing raw data externally since it could reveal your defensive strengths and weaknesses.


© 2026 Hunto AI. Copyright. All Rights Reserved