Security SLA Metrics: Measurable Security Requirements

Threat Detection SLAs

Measure capability to identify security threats

Detection speed, detection accuracy, coverage breadth

Minimize exposure window

Incident Response SLAs

Measure effectiveness of security incident handling

Response time, containment speed, recovery time

Minimize business impact

Vulnerability Management SLAs

Measure vulnerability identification and remediation

Scan frequency, remediation timeframes, vulnerability reduction

Reduce attack surface

Security Monitoring SLAs

Measure continuous security surveillance

Monitoring coverage, alert generation, investigation quality

Maintain security visibility

Access Control SLAs

Measure identity and access management effectiveness

Provisioning/deprovisioning speed, access review completion

Enforce least privilege

Security Operations SLAs

Measure security operations center performance

Ticket response time, escalation accuracy, operational availability

Ensure operational readiness

Compliance SLAs

Measure regulatory and policy compliance maintenance

Audit findings, control effectiveness, compliance percentage

Meet regulatory obligations

Threat Intelligence SLAs

Measure threat intelligence production and application

Intelligence timeliness, relevance, actionability

Enable proactive defense

Penetration Testing SLAs

Measure security validation and testing effectiveness

Testing frequency, finding severity, remediation validation

Validate control effectiveness

Security Training SLAs

Measure security awareness and training delivery

Training completion rates, assessment scores, behavioral change

Build security culture

Data Protection SLAs

Measure data security control effectiveness

Encryption coverage, DLP effectiveness, data breach prevention

Protect sensitive data

Third-Party Risk SLAs

Measure vendor security risk management

Vendor assessment completion, risk remediation, incident response

Manage supply chain risk

Cloud Security SLAs

Measure cloud environment security posture

Misconfiguration detection, cloud control effectiveness

Secure cloud infrastructure

Application Security SLAs

Measure secure software development and deployment

Vulnerability introduction rate, secure code review coverage

Build secure applications

Physical Security SLAs

Measure physical access control and surveillance

Access violation detection, incident response, facility security

Protect physical assets

Operational Metrics

Measure execution of security processes and activities

Vulnerability scan frequency, alert response time, patch deployment speed

Easy to measure, clear accountability, objective verification

Don't measure effectiveness, can be gamed, activity ≠ outcome

Outcome Metrics

Measure security posture improvement and risk reduction

Exploitable vulnerability reduction, attack prevention rate, breach impact

Measure effectiveness, align with business goals, demonstrate value

Harder to measure, external factors influence, attribution complexity

Leading Indicators

Predict future security posture based on current activities

Security training completion, patch coverage, control testing frequency

Enable proactive management, early warning signals

May not correlate with outcomes, prediction uncertainty

Lagging Indicators

Measure historical security performance and incidents

Security incidents, breach costs, audit findings

Objective measurement, clear impact demonstration

Reactive measurement, past performance ≠ future results

Efficiency Metrics

Measure resource utilization in security operations

Cost per incident, alerts per analyst, automation percentage

Optimize resource allocation, demonstrate efficiency

Can incentivize wrong behaviors, efficiency ≠ effectiveness

Effectiveness Metrics

Measure whether security controls achieve intended outcomes

Control validation pass rate, attack simulation success rate, threat detection accuracy

True security posture measurement

Complex measurement, requires sophisticated testing

Coverage Metrics

Measure breadth of security control implementation

Asset inventory completeness, monitoring coverage percentage

Identify gaps, ensure comprehensive protection

Coverage ≠ effectiveness, can be superficial

Quality Metrics

Measure accuracy and reliability of security processes

False positive rate, investigation accuracy, threat intelligence relevance

Improve operational quality

Subjective assessment challenges, quality definitions vary

Compliance Metrics

Measure adherence to security policies and standards

Policy violation rate, control compliance percentage

Regulatory requirement satisfaction

Compliance ≠ security, checkbox mentality

Maturity Metrics

Measure security program sophistication and evolution

Capability maturity level, control maturity score

Long-term improvement tracking

Subjective assessment, slow-changing indicators

Risk Metrics

Measure security risk exposure and reduction

Critical vulnerability exposure time, high-risk asset coverage

Direct risk alignment

Risk quantification challenges, requires risk framework

Business Impact Metrics

Measure security contribution to business objectives

Breach cost avoidance, customer trust metrics, revenue protection

Executive engagement, budget justification

Attribution complexity, intangible benefits

Metric Gaming

Teams optimize for measured metrics rather than actual security improvement

SLA compliance doesn't reflect security posture

Combine operational and outcome metrics, independent validation

Attribution Complexity

Difficult to attribute security outcomes to specific controls

Can't definitively prove SLA achievement caused security improvement

Use control validation testing, attack simulation, before/after analysis

External Factors

Security outcomes influenced by threat landscape changes beyond control

Unfair SLA performance assessment

Risk-adjust metrics, focus on controllable factors

Measurement Cost

Sophisticated outcome measurement requires significant investment

Organizations default to cheap operational metrics

Automate measurement where possible, prioritize high-value metrics

False Positive Noise

High false positive rates obscure meaningful security signals

Response time SLAs met on irrelevant alerts

Measure alert accuracy, investigation quality, not just response speed

Delayed Outcomes

Security improvements manifest over long timeframes

Short-term SLA measurement doesn't capture effectiveness

Balance leading indicators with lagging outcome measurement

Data Quality Issues

Incomplete or inaccurate security data undermines metrics

SLA reporting reflects data quality, not security reality

Asset inventory accuracy, data validation, reconciliation processes

Baseline Establishment

No baseline for "good" performance on many security metrics

Can't determine whether SLA targets are appropriate

Peer benchmarking, maturity models, industry standards

Metric Interdependencies

Security metrics influence each other in complex ways

Optimizing one metric may degrade others

Balanced scorecard approach, holistic metric sets

Subjectivity

Many security assessments require judgment

SLA achievement disputes, inconsistent measurement

Clear definitions, rubrics, multiple assessors, calibration

Technology Limitations

Security tools can't measure certain effectiveness dimensions

Rely on measurable but less meaningful proxies

Invest in better measurement technology, manual assessment where needed

Organizational Silos

Security outcomes depend on cross-functional coordination

Can't hold security team accountable for outcomes they don't control

Shared SLAs, cross-functional accountability

Threat Evolution

New attack techniques make historical metrics less relevant

SLA targets based on outdated threat models

Regular threat landscape assessment, adaptive metrics

Compliance Focus

Regulatory metrics dominate despite limited security value

SLA frameworks measure compliance rather than effectiveness

Separate compliance tracking from security effectiveness measurement

Vendor Transparency

External vendors don't provide visibility for outcome measurement

Limited to measuring vendor-reported operational metrics

Contractual requirements for data access, independent assessment rights

Mean Time to Detect (MTTD)

Average time from attack initiation to detection

Attack simulation testing, red team exercises

Critical: <15 min<br>High: <1 hour<br>Medium: <4 hours

Improved detection coverage, better analytics, threat hunting

Detection Accuracy Rate

Percentage of true attacks correctly identified among all detections

Red team success rate, attack simulation validation

>85% for critical attacks<br>>70% for high attacks

Tuned detection rules, machine learning, threat intelligence

False Positive Rate

Percentage of alerts that are not actual security threats

Manual alert validation, investigation outcomes

<15% for critical alerts<br><25% for high alerts

Rule tuning, baseline learning, context enrichment

Coverage Completeness

Percentage of attack techniques with detection capabilities

MITRE ATT&CK mapping, detection coverage assessment

>80% of relevant techniques

New detection rules, tool deployment, log source expansion

Alert Fidelity

Percentage of alerts providing accurate, actionable information

Investigation effectiveness assessment

>75% actionable alerts

Context enrichment, automated correlation, threat intelligence

Detection Consistency

Variation in detection performance across environment

Detection testing across different systems/networks

<20% variation

Standardized deployment, centralized management

Threat Hunting Effectiveness

Percentage of hunting exercises identifying real threats

Hunting operation outcomes, threat discovery rate

>40% hunts find threats

Hypothesis quality, tool sophistication, analyst expertise

Zero-Day Detection Rate

Percentage of novel attacks detected before signature availability

Behavioral detection assessment, unknown threat testing

>60% novel attack detection

Behavioral analytics, anomaly detection, deception technology

Lateral Movement Detection

Time to detect internal attack propagation

Red team lateral movement exercises

<30 minutes for anomalous lateral movement

Network monitoring, endpoint detection, user behavior analytics

Data Exfiltration Detection

Percentage of exfiltration attempts detected

Data exfiltration simulation testing

>90% of significant exfiltration

DLP deployment, traffic analysis, abnormal behavior detection

Insider Threat Detection

Percentage of malicious insider activities detected

Insider threat simulation, privileged user monitoring

>70% of malicious insider actions

User behavior analytics, privileged access monitoring

Cloud Attack Detection

Detection rate for cloud-specific attack techniques

Cloud attack simulation, cloud security testing

>75% of cloud attacks

Cloud-native detection, CSPM integration, API monitoring

Detection Gap Identification

Number of detection gaps identified and remediated quarterly

Gap analysis, purple team exercises

>80% identified gaps remediated

Continuous gap assessment, purple team operations

Threat Intelligence Integration

Percentage of threat intelligence resulting in improved detection

Threat intelligence application tracking

>60% of intelligence improves detection

Intelligence operationalization, automation, relevance filtering

Attack Chain Visibility

Percentage of multi-stage attacks with full chain detection

Attack chain reconstruction success rate

>70% complete attack chain visibility

Correlation capabilities, investigation tools, data retention

Mean Time to Acknowledge (MTTA)

Average time from alert generation to analyst acknowledgment

Alert timestamp to acknowledgment timestamp

Critical: <5 min<br>High: <15 min<br>Medium: <1 hour

Staffing optimization, on-call procedures, alert routing

Mean Time to Respond (MTTR)

Average time from detection to initial response action

Detection timestamp to first response action

Critical: <15 min<br>High: <1 hour<br>Medium: <4 hours

Playbook automation, analyst training, tool integration

Mean Time to Contain (MTTC)

Average time from detection to threat containment

Detection timestamp to containment confirmation

Critical: <1 hour<br>High: <4 hours<br>Medium: <8 hours

Automated containment, network segmentation, EDR deployment

Mean Time to Recover (MTTR-Recovery)

Average time from detection to full service restoration

Detection timestamp to service restoration

Critical: <4 hours<br>High: <12 hours<br>Medium: <24 hours

Backup strategy, recovery automation, disaster recovery

Mean Time to Investigate (MTTI)

Average time to complete security incident investigation

Investigation start to completion timestamp

Critical: <8 hours<br>High: <24 hours<br>Medium: <72 hours

Investigation tools, analyst expertise, data availability

Escalation Accuracy

Percentage of incidents correctly escalated to appropriate tier

Escalation review, incident classification validation

>90% appropriate escalations

Classification criteria, analyst training, decision support

Containment Effectiveness

Percentage of incidents successfully contained on first attempt

Containment validation, re-compromise tracking

>85% successful containment

Containment procedures, testing, tooling

Incident Classification Accuracy

Percentage of incidents correctly classified by severity

Post-incident severity validation

>80% accurate initial classification

Classification criteria, threat intelligence, impact assessment

Response Playbook Compliance

Percentage of incidents handled according to documented playbooks

Playbook adherence tracking, quality assurance

>90% playbook compliance

Playbook quality, automation, analyst accountability

Communication Timeliness

Percentage of incidents with stakeholder notification within SLA

Notification timestamp tracking

>95% on-time notifications

Communication templates, automation, notification workflows

Root Cause Identification Rate

Percentage of incidents with identified root cause

Post-incident review outcomes

>75% root cause identified

Investigation capability, forensic tools, analyst expertise

Remediation Verification

Percentage of incidents with validated remediation

Post-remediation testing, follow-up assessment

>90% verified remediation

Validation procedures, testing, accountability

Incident Recurrence Rate

Percentage of incident types recurring within 90 days

Incident tracking, pattern analysis

<10% recurrence rate

Remediation quality, systemic fixes, lessons learned

Cross-Team Coordination

Incidents requiring coordination resolved within SLA

Multi-team incident tracking

>80% coordinated incidents meet SLA

Coordination procedures, communication tools, accountability

Forensic Evidence Preservation

Percentage of incidents with complete evidence chain of custody

Evidence management tracking, legal review

>95% evidence preservation

Forensic procedures, training, tools

Investigation Completeness

Percentage of investigations addressing all required analysis areas

Quality assurance review, investigation template compliance

>85% complete investigations

Investigation frameworks, checklists, peer review

Evidence Collection Quality

Percentage of investigations with complete, admissible evidence

Legal review, evidence assessment

>90% legally admissible evidence

Forensic training, chain of custody procedures, tools

Attack Attribution Accuracy

Percentage of attributed attacks correctly identified

External validation, threat intelligence confirmation

>70% accurate attribution

Threat intelligence, attribution frameworks, analysis expertise

Impact Assessment Accuracy

Percentage of incidents with accurate impact assessment

Post-incident business impact validation

>80% accurate impact assessment

Impact assessment frameworks, business alignment

Timeline Reconstruction

Percentage of incidents with complete attack timeline

Timeline validation, evidence correlation

>75% complete timelines

Logging coverage, correlation tools, analysis capability

Indicator Extraction

Percentage of investigations producing actionable IOCs

IOC utilization tracking, detection improvement

>80% produce actionable IOCs

Analysis methodology, threat intelligence platforms

Investigation Efficiency

Average investigation time per incident severity

Investigation duration tracking

Critical: <4 hours<br>High: <8 hours

Tools, automation, analyst expertise, data availability

Cross-Reference Analysis

Percentage of investigations correlating related events

Connected incident identification

>60% identify related incidents

Correlation capability, data integration, pattern recognition

Threat Actor Profiling

Percentage of sophisticated attacks with threat actor profile

Profiling completion tracking

>50% of APT-level attacks profiled

Threat intelligence, analysis frameworks, expertise

Remediation Recommendation Quality

Percentage of recommendations successfully preventing recurrence

Recurrence tracking, recommendation effectiveness

>85% effective recommendations

Root cause analysis, remediation expertise, validation

Documentation Quality

Percentage of investigations with complete, clear documentation

Documentation review, quality assessment

>90% quality documentation

Documentation standards, templates, training

Knowledge Transfer

Percentage of investigations contributing to organizational learning

Lessons learned incorporation, knowledge base updates

>70% contribute to knowledge base

After-action reviews, knowledge management, culture

Tool Utilization

Percentage of investigations fully utilizing available tools

Tool usage tracking, capability assessment

>85% tool utilization

Training, tool awareness, workflow integration

Collaboration Effectiveness

Percentage of multi-team investigations with effective coordination

Collaboration assessment, participant feedback

>80% effective collaboration

Coordination procedures, communication tools, culture

Investigation Accuracy

Percentage of investigation conclusions validated as correct

External validation, follow-up assessment

>85% accurate conclusions

Quality assurance, peer review, validation procedures

Scan Coverage

Percentage of assets scanned for vulnerabilities

Asset inventory reconciliation, scan coverage reporting

>95% of critical assets<br>>90% of all assets

Asset discovery, scan scheduling, network access

Scan Frequency

Number of vulnerability scans per asset per timeframe

Scan schedule tracking, completion monitoring

Weekly: Critical assets<br>Monthly: High-value assets<br>Quarterly: All assets

Scan capacity, scheduling optimization, automation

Vulnerability Discovery Time

Average time from vulnerability disclosure to organizational identification

CVE disclosure to scan detection timestamp

<7 days for critical<br><14 days for high

Scan frequency, threat intelligence, signature updates

Asset Inventory Accuracy

Percentage of active assets in vulnerability management inventory

Inventory reconciliation, asset discovery validation

>98% inventory accuracy

Asset discovery, CMDB integration, reconciliation procedures

Vulnerability Assessment Accuracy

Percentage of reported vulnerabilities accurately assessed

False positive analysis, verification testing

>85% accurate assessments

Scanner tuning, authenticated scanning, validation

Risk Scoring Accuracy

Percentage of vulnerabilities with accurate risk scores

Risk validation, exploit likelihood assessment

>80% accurate risk scores

Risk frameworks, threat intelligence, context integration

Exploitability Analysis

Percentage of critical/high vulnerabilities with exploitability assessment

Exploitability documentation tracking

>90% of critical/high assessed

Threat intelligence, exploit databases, security research

Compensating Control Identification

Percentage of unpatched vulnerabilities with documented compensating controls

Compensating control inventory

>75% have compensating controls

Control framework, security architecture, documentation

Vulnerability Deduplication

Percentage of duplicate vulnerabilities consolidated

Deduplication effectiveness assessment

>95% duplicates consolidated

Scanner integration, asset correlation, data normalization

Environmental Context

Percentage of vulnerabilities with environmental context (internet-facing, PII access, etc.)

Context documentation completeness

>80% contextual information

Asset classification, network topology, data flow mapping

Vulnerability Aging

Average age of open vulnerabilities by severity

Vulnerability lifecycle tracking

Critical: <7 days<br>High: <30 days<br>Medium: <90 days

Remediation velocity, prioritization, resource allocation

New Vulnerability Introduction Rate

Number of new vulnerabilities introduced per deployment/change

Change tracking, pre/post-deployment scanning

<5% increase per deployment

Secure development, change management, testing

Vulnerability Trend Analysis

Quarterly change in vulnerability counts by severity

Historical vulnerability tracking

>20% reduction quarter-over-quarter

Remediation effectiveness, secure development, patch management

Scanner Coverage Breadth

Number of vulnerability types/categories detected

Scanner capability assessment

>95% of relevant vulnerability types

Scanner selection, signature updates, specialized scanning

Third-Party Vulnerability Visibility

Percentage of third-party components with vulnerability tracking

Third-party inventory, vulnerability correlation

>85% third-party visibility

SBOM implementation, vendor disclosure, scanning

Critical Vulnerability Remediation Time

Average time from discovery to remediation for critical vulnerabilities

Vulnerability lifecycle tracking

<24 hours for actively exploited<br><7 days for other critical

Emergency patching, automated deployment, prioritization

High Vulnerability Remediation Time

Average time from discovery to remediation for high vulnerabilities

Vulnerability lifecycle tracking

<30 days

Patch scheduling, testing, deployment automation

Medium Vulnerability Remediation Time

Average time from discovery to remediation for medium vulnerabilities

Vulnerability lifecycle tracking

<90 days

Regular patching cycles, resource allocation

Remediation Rate

Percentage of discovered vulnerabilities remediated within SLA timeframes

SLA compliance tracking

>95% critical within SLA<br>>90% high within SLA

Remediation velocity, automation, resource allocation

Patch Deployment Success Rate

Percentage of patches successfully deployed without issues

Deployment monitoring, rollback tracking

>98% successful deployment

Testing procedures, deployment tools, change management

Vulnerability Re-Introduction Rate

Percentage of remediated vulnerabilities reintroduced

Vulnerability recurrence tracking

<5% re-introduction

Configuration management, deployment procedures, validation

Virtual Patching Effectiveness

Percentage of vulnerabilities successfully mitigated through virtual patching

Virtual patch validation, exploit testing

>95% effective virtual patches

WAF/IPS rules, virtual patching tools, testing

Exception Processing Time

Average time to process vulnerability remediation exceptions

Exception workflow tracking

<72 hours for exception decisions

Exception procedures, governance, decision criteria

Exception Approval Rate

Percentage of exception requests approved

Exception tracking, approval analysis

<30% approved (indicating tight exception criteria)

Exception criteria, risk assessment, governance

Compensating Control Validation

Percentage of compensating controls validated as effective

Control testing, effectiveness assessment

>90% validated controls

Testing procedures, security validation, monitoring

Remediation Backlog

Number of overdue vulnerabilities by severity

Backlog tracking, aging analysis

Critical: 0<br>High: <50<br>Medium: <200

Remediation capacity, prioritization, resource allocation

Remediation Coordination

Percentage of remediation requiring coordination completed within SLA

Cross-team remediation tracking

>85% coordinated remediations on time

Coordination procedures, accountability, communication

Vulnerability Window Closure

Percentage of time assets are exposed to known critical vulnerabilities

Exposure time tracking, remediation velocity

<0.1% of time for critical vulnerabilities

Remediation speed, detection speed, continuous monitoring

Patching Coverage

Percentage of assets with current patch levels

Patch compliance tracking

>98% of critical assets current<br>>95% of all assets current

Patch management tools, automation, enforcement

Zero-Day Response Time

Time from zero-day disclosure to protective measures implementation

Zero-day response tracking

<4 hours for critical zero-days

Emergency response procedures, virtual patching, monitoring

Exploitation Likelihood Accuracy

Percentage of exploitation predictions proven accurate

Exploitation tracking, prediction validation

>70% accurate predictions

Threat intelligence, exploit monitoring, predictive modeling

Business Impact Assessment

Percentage of vulnerabilities with documented business impact

Impact documentation completeness

>90% of critical/high assessed

Asset classification, business alignment, impact frameworks

Remediation Prioritization Effectiveness

Percentage of highest-priority vulnerabilities actually representing highest risk

Priority validation, risk assessment

>80% correct prioritization

Risk frameworks, scoring systems, continuous refinement

CVSS Score Adjustment

Percentage of vulnerabilities with environmental CVSS scoring

Environmental scoring usage

>75% use environmental scoring

Contextual analysis, environmental assessment, scoring tools

Threat Intelligence Integration

Percentage of prioritization decisions incorporating threat intelligence

Intelligence utilization tracking

>60% intelligence-informed

Threat intelligence platforms, integration, analyst training

Attack Surface Correlation

Percentage of vulnerabilities prioritized considering exposure

Exposure analysis usage

>85% exposure-aware prioritization

Network mapping, asset classification, topology analysis

Data Sensitivity Consideration

Percentage of prioritization considering data classification

Data classification integration

>80% data-aware prioritization

Data classification, asset tagging, correlation

Exploit Availability Weighting

Percentage of critical vulnerabilities assessed for public exploits

Exploit research completeness

>95% of critical assessed

Exploit databases, security research, threat intelligence

Active Exploitation Tracking

Percentage of vulnerabilities monitored for active exploitation

Exploitation monitoring coverage

>100% of critical monitored

Threat intelligence, honeypots, threat monitoring

Vulnerability Clustering

Percentage of related vulnerabilities grouped for efficient remediation

Clustering effectiveness assessment

>70% effective clustering

Correlation analysis, remediation planning, efficiency focus

Remediation Complexity Assessment

Percentage of vulnerabilities with documented remediation effort estimates

Effort estimation completeness

>75% have effort estimates

Remediation knowledge, historical tracking, planning

Stakeholder Priority Alignment

Percentage of stakeholders agreeing prioritization reflects business priorities

Stakeholder satisfaction assessment

>80% stakeholder alignment

Business engagement, communication, priority transparency

False Positive Filtering

Percentage of reported vulnerabilities determined as false positives

False positive identification rate

<15% false positives

Validation procedures, scanner tuning, verification

Dynamic Reprioritization

Frequency of priority reassessment based on threat landscape changes

Reprioritization tracking

Monthly reassessment of all critical/high

Threat monitoring, agile prioritization, continuous assessment

Prioritization Timeliness

Time from vulnerability discovery to priority assignment

Prioritization workflow tracking

<24 hours for critical discoveries

Automation, threat intelligence, decision frameworks

Alert Volume

Total number of security alerts generated per timeframe

SIEM/alert platform tracking

<500 actionable alerts per analyst per month

Rule tuning, false positive reduction, aggregation

Alert-to-Incident Ratio

Percentage of alerts escalated to incidents

Alert disposition tracking

>15% (indicating quality alerting)

Alert tuning, threshold optimization, context enrichment

False Positive Rate by Alert Type

Percentage of alerts of each type that are false positives

Alert validation tracking

<20% for critical alerts<br><30% for high alerts

Rule refinement, baseline tuning, exception handling

Alert Triage Time

Average time to triage and categorize new alerts

Triage timestamp tracking

Critical: <5 min<br>High: <15 min<br>Medium: <30 min

Automation, playbooks, analyst training, tooling

Alert Correlation Effectiveness

Percentage of related alerts successfully correlated

Correlation analysis, incident reconstruction

>70% related alerts correlated

Correlation rules, SIEM capabilities, time windows

Alert Enrichment Coverage

Percentage of alerts with automated enrichment data

Enrichment completeness tracking

>85% of alerts enriched

Integration, automation, threat intelligence feeds

Alert Queue Backlog

Number of unprocessed alerts older than SLA thresholds

Backlog monitoring

0 critical alerts overdue<br><50 high alerts overdue

Staffing, automation, workflow optimization, prioritization

Alert Dismissal Accuracy

Percentage of dismissed alerts validated as truly benign

Quality assurance sampling

>90% dismissals justified

Dismissal criteria, quality assurance, training

Alert Escalation Accuracy

Percentage of escalated alerts requiring escalation

Escalation review

>85% appropriate escalations

Escalation criteria, training, decision support

Alert Source Distribution

Balance of alerts across detection sources

Alert source analysis

No single source >40% of alerts

Detection diversity, tool deployment, coverage

Alert Severity Distribution

Distribution of alerts across severity levels

Severity distribution analysis

Critical: <5%<br>High: <20%<br>Medium: <40%<br>Low: <35%

Severity scoring, threshold tuning, prioritization

Repeat Alert Rate

Percentage of alerts for previously-seen indicators

Repeat pattern tracking

<25% repeat alerts (indicating new threats detected)

Remediation effectiveness, pattern evolution, tuning

Alert Context Completeness

Percentage of alerts with sufficient context for initial assessment

Context availability assessment

>80% have adequate context

Log coverage, integration, data enrichment

Automated Alert Resolution

Percentage of alerts resolved through automation

Automation effectiveness tracking

>40% automated resolution

Playbook automation, SOAR implementation, orchestration

Alert Response SLA Compliance

Percentage of alerts responded to within SLA timeframes

SLA tracking by severity

>98% critical<br>>95% high<br>>90% medium

Staffing, prioritization, automation, workflow

Analyst Productivity

Number of incidents processed per analyst per timeframe

Case tracking, resource allocation

>30 incidents per analyst per month

Automation, tools, training, workflow optimization

Automation Coverage

Percentage of repetitive tasks automated

Task automation tracking

>60% repetitive tasks automated

SOAR deployment, playbook development, integration

Tool Utilization

Percentage of available SOC tools actively used

Tool usage tracking

>85% tools regularly used

Training, workflow integration, tool rationalization

Case Load Balance

Distribution of cases across analysts

Workload distribution analysis

<30% variance between analysts

Case assignment, skill matching, resource balancing

Tier 1 Resolution Rate

Percentage of incidents resolved by Tier 1 analysts

Escalation tracking

>60% resolved at Tier 1

Training, playbooks, empowerment, tools

Escalation Velocity

Average time from incident creation to escalation

Escalation timing tracking

<30 minutes for appropriate escalations

Escalation criteria, decision support, automation

Knowledge Base Utilization

Percentage of investigations referencing knowledge base

Knowledge base usage tracking

>70% reference knowledge base

Knowledge management, search capability, content quality

Shift Coverage Effectiveness

Incident response consistency across shifts

Performance variance by shift

<15% performance variance

Shift coordination, documentation, training consistency

Onboarding Effectiveness

Time for new analysts to reach productivity benchmarks

New analyst performance tracking

<90 days to 80% productivity

Training programs, mentorship, documentation

Analyst Retention

Percentage of analysts remaining after 12/24 months

Retention tracking

>85% 12-month retention

Culture, career development, compensation, burnout prevention

Continuous Improvement Rate

Number of process improvements implemented per quarter

Improvement tracking

>5 significant improvements per quarter

After-action reviews, suggestion programs, experimentation

Cross-Training Coverage

Percentage of analysts cross-trained on multiple functions

Skill matrix tracking

>60% analysts cross-trained

Training programs, rotation assignments, career development

Tool Integration Depth

Number of integrated tool workflows vs. manual processes

Integration tracking

>75% workflows integrated

API utilization, SOAR, integration investment

Detection Rule Development

Number of custom detection rules created per quarter

Rule creation tracking

>10 custom rules per quarter

Threat hunting, intelligence, continuous improvement

Cost Per Incident

Average cost to investigate and resolve incidents

Cost allocation tracking

<$500 per incident

Automation, efficiency, tool optimization

Investigation Quality Score

Quality assessment of investigation thoroughness and accuracy

Quality assurance review using scoring rubric

>85% quality score

Quality assurance, training, peer review, standards

Documentation Completeness

Percentage of incidents with complete documentation

Documentation review

>90% complete documentation

Documentation standards, templates, automation, culture

Incident Classification Accuracy

Percentage of incidents correctly classified by type and severity

Post-incident classification review

>85% accurate classification

Classification frameworks, training, decision support

Root Cause Identification

Percentage of incidents with identified root cause

Root cause analysis tracking

>70% root causes identified

Investigation depth, forensic capabilities, time allocation

Recommendation Quality

Percentage of security recommendations implemented by stakeholders

Recommendation tracking, stakeholder feedback

>65% recommendations implemented

Actionability, business alignment, communication

Peer Review Coverage

Percentage of high-severity incidents receiving peer review

Peer review tracking

>100% critical incidents<br>>75% high incidents

Quality assurance procedures, culture, time allocation

Quality Assurance Finding Rate

Percentage of reviewed incidents with quality issues identified

QA tracking

<20% incidents have quality issues

Quality improvement, training, standards enforcement

Stakeholder Satisfaction

Incident response satisfaction from business stakeholders

Survey/feedback tracking

>80% stakeholder satisfaction

Communication, collaboration, business alignment

After-Action Review Completion

Percentage of significant incidents with completed after-action reviews

AAR tracking

>100% critical incidents<br>>80% high incidents

AAR procedures, facilitation, time allocation

Lessons Learned Implementation

Percentage of lessons learned resulting in process/control improvements

Implementation tracking

>60% lessons implemented

Change management, ownership, resource allocation

Tool Usage Proficiency

Average analyst proficiency with SOC tools

Skills assessment tracking

>75% proficient on critical tools

Training, certification, hands-on practice

False Negative Identification

Number of missed threats identified through threat hunting/testing

Red team results, hunting outcomes

<5% attack scenarios missed

Detection coverage, hunting, continuous improvement

Communication Effectiveness

Clarity and timeliness of stakeholder communications

Communication assessment

>85% effective communications

Communication templates, training, feedback

Compliance Adherence

Percentage of incidents handled according to compliance requirements

Compliance audit tracking

>98% compliance adherence

Compliance training, procedures, oversight

Continuous Learning

Hours of security training per analyst per quarter

Training tracking

>20 hours per quarter

Training programs, certification, conference attendance

Account Provisioning Time

Average time from access request to account activation

Ticket timestamp tracking

Standard: <4 hours<br>Privileged: <2 hours<br>Emergency: <30 min

Automation, workflow optimization, approval streamlining

Account Deprovisioning Time

Average time from termination to account deactivation

HR termination to deactivation timestamp

<1 hour for terminations<br><4 hours for transfers

HR integration, automation, real-time synchronization

Orphaned Account Detection

Percentage of accounts without valid owners identified

Account reconciliation, orphan detection

>95% orphans detected

Account lifecycle tracking, reconciliation procedures

Orphaned Account Remediation

Time to disable/remove orphaned accounts

Orphan lifecycle tracking

<24 hours for critical systems<br><7 days for all systems

Automated cleanup, governance, accountability

Access Request Approval Time

Average time from access request to approval decision

Approval workflow tracking

Standard: <8 hours<br>Privileged: <4 hours

Approval delegation, automation, SLA enforcement

Access Modification Time

Average time to modify account permissions

Modification request tracking

<4 hours for standard changes<br><1 hour for emergency changes

Automation, change procedures, resource availability

Access Certification Completion

Percentage of access reviews completed within timeframe

Certification campaign tracking

>95% completion within 30 days

Stakeholder accountability, automation, escalation

Access Certification Accuracy

Percentage of access reviews with accurate outcomes

Post-certification validation

>90% accurate certifications

Certification design, reviewer training, validation

Inappropriate Access Remediation

Time to revoke access identified as inappropriate

Revocation tracking

<24 hours for critical access<br><72 hours for standard access

Automated revocation, prioritization, accountability

Least Privilege Compliance

Percentage of accounts adhering to least privilege principle

Privilege analysis, excessive access detection

>85% least privilege compliance

Privilege right-sizing, role optimization, continuous review

Role-Based Access Control Coverage

Percentage of access managed through RBAC

RBAC utilization tracking

>80% access via RBAC

Role modeling, RBAC deployment, migration

Privileged Account Monitoring

Percentage of privileged accounts under enhanced monitoring

Monitoring coverage tracking

>100% privileged accounts monitored

PAM deployment, monitoring integration, comprehensive coverage

Service Account Management

Percentage of service accounts with documented owners and purpose

Service account inventory completeness

>95% documented service accounts

Inventory processes, accountability, governance

Access Recertification Frequency

Frequency of access rights review by risk level

Certification schedule adherence

Critical: Quarterly<br>High: Semi-annually<br>Standard: Annually

Automated campaigns, stakeholder engagement, risk-based scheduling

Segregation of Duties Violations

Number of SoD conflicts detected

SoD analysis, conflict tracking

0 critical SoD violations

SoD rules, preventive controls, remediation

Multi-Factor Authentication Coverage

Percentage of accounts with MFA enabled

MFA enrollment tracking

>100% privileged accounts<br>>95% standard accounts

MFA deployment, enforcement, user education

MFA Bypass Rate

Percentage of authentication attempts bypassing MFA

MFA bypass tracking

<2% bypasses (emergency only)

Conditional access, enforcement, exception minimization

Password Policy Compliance

Percentage of accounts meeting password complexity requirements

Password audit, compliance tracking

>98% policy compliance

Technical enforcement, education, automated compliance

Compromised Credential Detection

Time to detect compromised credentials

Credential monitoring, detection tracking

<24 hours average detection

Threat intelligence, monitoring, credential stuffing detection

Compromised Credential Remediation

Time to force password reset for compromised credentials

Remediation tracking

<1 hour for critical accounts<br><4 hours for standard

Automated remediation, user notification, forced reset

Session Timeout Compliance

Percentage of applications enforcing session timeouts

Session configuration audit

>95% timeout enforcement

Configuration management, standards enforcement

Failed Authentication Monitoring

Percentage of failed authentication patterns investigated

Monitoring coverage, investigation tracking

>90% suspicious patterns investigated

Automated detection, alerting, investigation procedures

Account Lockout Effectiveness

Percentage of brute force attempts blocked by lockout policies

Lockout tracking, attack prevention

>95% brute force blocked

Lockout thresholds, intelligent lockout, monitoring

Single Sign-On Coverage

Percentage of applications integrated with SSO

SSO integration tracking

>80% applications via SSO

SSO deployment, application integration, migration

Authentication Failure Rate

Percentage of legitimate authentication attempts that fail

User authentication analytics

<5% legitimate failures

User experience, authentication design, support

Biometric Authentication Accuracy

False acceptance and false rejection rates for biometric auth

Biometric system monitoring

<0.1% false acceptance<br><5% false rejection

Biometric quality, enrollment, system tuning

Privileged Access Management Coverage

Percentage of privileged access through PAM solution

PAM utilization tracking

>100% admin access via PAM

PAM deployment, enforcement, integration

Just-In-Time Access Adoption

Percentage of privileged access using JIT provisioning

JIT access tracking

>60% privileged access via JIT

JIT implementation, workflow adoption, automation

Passwordless Authentication Adoption

Percentage of users using passwordless authentication

Passwordless enrollment tracking

>40% users passwordless

Passwordless deployment, user adoption, hardware tokens

Adaptive Authentication Coverage

Percentage of authentication flows using risk-based factors

Adaptive auth utilization

>70% authentication via adaptive

Adaptive auth deployment, risk engine, policy refinement

Cloud Misconfiguration Detection Time

Average time from misconfiguration introduction to detection

CSPM detection timestamp tracking

<15 minutes for critical misconfigurations

CSPM deployment, continuous scanning, alerting

Misconfiguration Remediation Time

Average time from detection to remediation

Misconfiguration lifecycle tracking

<1 hour for critical<br><24 hours for high

Automated remediation, IaC integration, accountability

Cloud Security Score

Overall security posture score from CSPM tools

CSPM score tracking

>85% security score

Configuration management, remediation, continuous improvement

Public Exposure Detection

Time to detect publicly exposed resources

Exposure monitoring

<5 minutes for critical resource exposure

Real-time monitoring, alerting, automated scanning

Public Exposure Remediation

Time to remediate publicly exposed resources

Exposure remediation tracking

<30 minutes for critical resources

Automated remediation, emergency procedures, accountability

IAM Policy Compliance

Percentage of cloud IAM policies following least privilege

IAM policy analysis

>90% least privilege compliance

Policy review, right-sizing, continuous assessment

Cloud Encryption Coverage

Percentage of data encrypted at rest and in transit

Encryption compliance tracking

>100% sensitive data encrypted

Encryption policies, automated enforcement, validation

Security Group Rule Accuracy

Percentage of security group rules that are necessary and appropriate

Security group audit

>85% rules justified

Rule review, cleanup, documentation

Unused Resource Cleanup

Time to identify and remove unused cloud resources

Resource lifecycle tracking

<30 days for unused resources

Resource tagging, lifecycle policies, cleanup automation

Cloud Compliance Posture

Percentage of cloud resources meeting compliance requirements

Compliance scanning

>95% compliance

Compliance frameworks, automated assessment, remediation

Multi-Cloud Security Consistency

Variance in security controls across cloud providers

Cross-cloud comparison

<15% variance in control implementation

Standardization, unified tools, consistent policies

Infrastructure-as-Code Security

Percentage of IaC templates passing security scans

IaC security scanning

>95% secure IaC templates

Policy-as-code, scanning integration, developer training

Cloud Secret Management

Percentage of secrets stored in secret management solutions

Secret scanning, inventory

>100% production secrets in vault

Secret management deployment, scanning, enforcement

Cloud Backup Validation

Percentage of cloud backups tested for recoverability

Backup testing tracking

>90% backups validated quarterly

Automated testing, recovery procedures, validation

Cloud Cost Security Impact

Security spending as percentage of cloud costs

Cost tracking, allocation

8-15% of cloud spending

Security investment, optimization, value demonstration

Container Image Vulnerability Scan Coverage

Percentage of container images scanned for vulnerabilities

Image scanning tracking

>100% images scanned before deployment

CI/CD integration, scanning automation, policy enforcement

Container Image Vulnerability Remediation

Average time from vulnerability detection to patched image deployment

Image vulnerability lifecycle

<7 days for critical<br><30 days for high

Automated patching, image rebuilds, deployment automation

Container Runtime Security Coverage

Percentage of container workloads with runtime security monitoring

Runtime security tracking

>95% containers monitored

Runtime security deployment, orchestrator integration

Container Configuration Compliance

Percentage of containers following security configuration standards

Configuration scanning

>90% compliant configurations

Configuration management, policy enforcement, validation

Kubernetes Security Posture

Security score for Kubernetes cluster configurations

K8s security scanning

>85% security score

K8s hardening, CIS benchmarks, continuous assessment

Serverless Function Security Scanning

Percentage of serverless functions scanned for security issues

Function scanning tracking

>100% functions scanned

Scanning integration, SAST/DAST, dependency checking

Serverless Permissions Review

Percentage of serverless functions following least privilege

Permission analysis

>90% least privilege

Permission right-sizing, automated review, enforcement

Container Registry Security

Percentage of container registries with access controls and scanning

Registry security audit

>100% secure registries

Access controls, scanning integration, policy enforcement

Admission Control Effectiveness

Percentage of non-compliant workloads blocked at deployment

Admission control tracking

>98% non-compliant workloads blocked

Policy enforcement, admission controllers, validation

Container Secrets Management

Percentage of containers using secret management for credentials

Secret usage analysis

>95% using secret management

Secret injection, encrypted secrets, enforcement

Service Mesh Security Coverage

Percentage of service-to-service communication encrypted and authenticated

Service mesh tracking

>90% mesh-secured communications

Service mesh deployment, mTLS enforcement, policy

Immutable Infrastructure Compliance

Percentage of infrastructure deployed as immutable

Immutability tracking

>80% immutable deployment

IaC practices, deployment pipelines, culture

Container Escape Prevention

Number of container escape attempts prevented

Runtime security monitoring

>95% escape attempts blocked

Runtime controls, capability restrictions, monitoring

API Security for Serverless

Percentage of serverless APIs with security controls

API security assessment

>90% APIs secured

API gateway, authentication, rate limiting, validation

Function Timeout and Resource Limits

Percentage of functions with appropriate security limits

Function configuration audit

>95% appropriate limits

Configuration management, security standards, enforcement