SOC KPIs: The Executive Guide to Unlocking Peak Performance
At A Glance
Think of Security Operations Center (SOC) KPIs as the vital signs for your company's cybersecurity health. They cut through the operational noise, giving you a clear, data-backed story of how well your security team is performing and where to invest next for maximum impact. While every SOC is unique, a few core KPIs consistently deliver the most strategic insight:
- Mean Time to Detect (MTTD): The average time it takes your team to discover a potential security threat.
- Mean Time to Respond (MTTR): The average time from when a threat is detected to when it is fully contained and neutralized.
- Detection Coverage: The percentage of known adversary techniques (often mapped to a framework like MITRE ATT&CK) that your security tools can actually identify.
- False Positive Rate (FPR): The percentage of alerts that turn out to be benign, indicating how much time your team might be spending on non-issues.
- Mean Time to Investigate (MTTI): The average time it takes an analyst to begin investigating an alert after it’s detected, bridging the gap between detection and response.
What are SOC KPIs?
As a founder, you need to know your investments are paying off, and SOC KPIs deliver that clarity for your security program. They are quantifiable metrics that demonstrate how effectively your security operations are performing. More than just technical stats, they are measures that show how well your SOC is pursuing specific business objectives. This isn't just about tracking alerts; it's about understanding your risk, optimizing resources, and proving to your board that you're building a resilient company. KPIs translate complex security work into a clear story of value and protection.
Why Tracking KPIs for SOC Matters for Busy Leaders
For a busy leader, the right KPIs cut through the technical noise. They transform complex security data into a clear dashboard for decision-making, showing you exactly where your team is winning and where to invest for the biggest impact. This isn't about getting lost in the weeds; it's about steering your security strategy with confidence and ensuring every dollar spent strengthens your company’s resilience.
KPI Categories for SOC
To make these KPIs truly actionable, we group them into strategic categories that tell a complete story about your security health. This approach helps you pinpoint strengths and weaknesses across your entire security operation, from initial detection to analyst performance.
Consider tracking your KPIs across these core areas:
- Detection Coverage and Efficacy
- Incident Response Speed and Containment Effectiveness
- Threat Intelligence Utilization and Proactive Threat Hunting
- Monitoring Visibility and Telemetry/Tooling Health
- SOC Operational Efficiency and Analyst Performance
Detection Coverage and Efficacy
This is where the rubber meets the road. Detection efficacy isn't just about having tools; it's about how effectively those tools—and the people behind them—can spot a real threat in a sea of digital noise. Tracking these KPIs gives you a clear, honest look at how well you can see and identify threats before they escalate.
Mean Time to Detect (MTTD)
This KPI clocks the average time it takes your team to spot a threat from the moment it first appears on your network, and it matters because every second an attacker goes unnoticed is another second they have to cause damage. Executives track this by analyzing incident timestamps in their security platforms to continuously shrink the window of opportunity for attackers.
Formula: (Sum of time to detect each incident) / (Total number of incidents) = MTTD
For example, if you had 10 incidents and the total detection time was 500 minutes, your MTTD is 50 minutes.
Detection Coverage
This metric shows you what percentage of known attacker tactics your security tools are actually equipped to see, which is crucial because it reveals potential blind spots in your defenses before an attacker can exploit them. Leaders measure this by mapping their current detection rules against a standard framework like MITRE ATT&CK to strategically prioritize closing the most critical gaps.
Formula: (Number of unique techniques covered) / (Total number of techniques in framework) x 100 = Detection Coverage
For example, if the framework has 194 techniques and your team covers 127 of them, your detection coverage is about 65%.
False Positive Rate (FPR)
FPR tracks the percentage of alerts that your systems flag as malicious but are actually harmless background noise, which is vital because a high FPR burns out your team on wild goose chases. Executives monitor the ratio of false alarms to total alerts to ensure their top talent is focused on high-impact work, not chasing shadows.
Formula: (Number of false positives) / (Total number of alerts) x 100 = False Positive Rate
For example, if your SOC gets 1,000 alerts and 200 are false positives, your FPR is 20%.
False Negative Rate (FNR)
FNR is the flip side of FPR, measuring the percentage of actual threats that your security tools failed to detect, and it's arguably the most critical metric because a high FNR means active threats are creating significant business risk unseen. Leaders assess this through post-incident reviews and simulated attacks to find and fix the holes in their safety net.
Formula: (Number of missed incidents) / (Total number of actual incidents) x 100 = False Negative Rate
For example, if there were 50 real security incidents in a quarter and your systems missed 5 of them, your FNR is 10%.
Mean Time to Investigate (MTTI)
MTTI measures the average time between an alert firing and an analyst actively starting the investigation, and it matters because this metric highlights any lag in your initial response. Executives track this by measuring the time from alert generation to the first investigative action, pinpointing bottlenecks that slow down containment.
Formula: (Sum of time from detection to investigation start) / (Total number of incidents) = MTTI
For example, if the total time between detection and investigation for 10 incidents was 120 minutes, your MTTI is 12 minutes.
Incident Response Speed and Containment Effectiveness
Once a threat is on your radar, every second counts. This category of KPIs measures your team’s agility and effectiveness in the heat of the moment, showing you how quickly they can move from detection to full containment and resolution. These metrics are critical for minimizing damage and ensuring business continuity.
Mean Time to Respond (MTTR)
MTTR measures the average time from when a threat is detected to when it is fully contained and neutralized, and it's your bottom-line metric for incident resolution because a shorter MTTR directly minimizes an incident's potential damage. Leaders track this by measuring the total time from alert to resolution across all incidents, aiming to drive this number down through better playbooks and automation.
Formula: (Sum of time to resolve each incident) / (Total number of incidents) = MTTR
For example, if it took a total of 500 hours to resolve 50 incidents, your MTTR is 10 hours.
Incident Closure Rate
This KPI tracks the percentage of reported security incidents that are successfully resolved within a specific timeframe, which matters because it demonstrates your team's ability to see incidents through to completion. Executives monitor the ratio of closed incidents to total reported incidents to gauge the team's throughput and effectiveness in managing its workload.
Formula: (Number of incidents closed / Total number of incidents reported) x 100 = Incident Closure Rate
For example, if 90 incidents were closed out of 100 reported in a month, your closure rate is 90%.
Incident Escalation Rate
This metric measures the proportion of incidents that require escalation to senior staff, and it's important because a high rate can signal gaps in your frontline team's expertise or resources. Leaders watch this rate to understand team capabilities and pinpoint opportunities for targeted training or better tooling, preventing bottlenecks.
Formula: (Number of incidents escalated / Total number of incidents) x 100 = Incident Escalation Rate
For example, if 20 out of 100 incidents were escalated, your escalation rate is 20%.
Cost of an Incident
This KPI quantifies the total financial impact of a security incident, including both direct expenses and indirect losses, which translates security performance into the language of business—dollars and cents. Executives calculate this by summing all costs tied to an incident, from response efforts to lost revenue, to understand the true business risk and justify security investments.
Formula: Direct Costs + Indirect Costs = Cost of an Incident
For example, if an incident incurred $10,000 in direct response costs and $50,000 in lost business, the total cost is $60,000.
Mean Time to Restore Service (MTRS)
MTRS measures the average time from when a fault is detected until the affected service is fully restored for your users, and it's a critical customer-centric metric that focuses on business continuity. Leaders track the time from detection to full service restoration to ensure the team is not just neutralizing the threat but also prioritizing a swift return to business as usual.
Formula: (Sum of time from fault detection to full service restoration) / (Total number of incidents) = MTRS
For example, if the total time to restore service across 5 incidents was 25 hours, your MTRS is 5 hours.
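As an added, runnable example (not code from the article or from Viva), here is how the four time-based KPIs from the two sections above are computed from incident timeline records rather than from hand-totalled minutes. The record layout and the timestamps are constructed for the illustration, and the intervals follow the article's definitions: MTTD from first activity to detection, MTTI from detection to the first investigative action, MTTR from detection to containment, and MTRS from detection to service restoration. Incidents that are still open are left out of an average but counted separately, so a fast-looking mean cannot quietly hide a backlog.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample incidents (not real data). Each row is one incident's timeline as
# ISO-8601 UTC timestamps; None marks a milestone that has not happened yet. The field
# names are an assumption for this example, not a particular platform's schema.
SAMPLE_TIMELINES = [
    # id, occurred_at, detected_at, investigation_started_at, contained_at, service_restored_at
    ("INC-001", "2024-03-01T08:00:00Z", "2024-03-01T08:50:00Z", "2024-03-01T09:02:00Z",
     "2024-03-01T14:50:00Z", "2024-03-01T16:00:00Z"),
    ("INC-002", "2024-03-02T22:00:00Z", "2024-03-03T01:00:00Z", "2024-03-03T01:10:00Z",
     "2024-03-03T09:00:00Z", "2024-03-03T09:00:00Z"),
    ("INC-003", "2024-03-05T10:00:00Z", "2024-03-05T10:10:00Z", "2024-03-05T10:18:00Z",
     "2024-03-05T12:10:00Z", None),                                   # contained, service still degraded
    ("INC-004", "2024-03-07T03:00:00Z", "2024-03-07T03:30:00Z", None, None, None),  # not yet triaged
]


@dataclass
class Incident:
    incident_id: str
    occurred_at: datetime
    detected_at: datetime
    investigation_started_at: Optional[datetime]
    contained_at: Optional[datetime]
    service_restored_at: Optional[datetime]


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp with a trailing Z; None passes through unchanged."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_incidents(rows) -> list:
    """Turn the raw rows into Incident objects with real datetimes."""
    return [Incident(row[0], *(parse_ts(v) for v in row[1:])) for row in rows]


def mean_minutes(incidents, start_attr: str, end_attr: str):
    """Average of (end - start) in minutes over incidents that have both milestones.

    Returns (mean_or_None, counted, excluded). Open incidents are excluded from the
    average but counted, so a shrinking mean cannot quietly hide a growing backlog.
    """
    durations = []
    excluded = 0
    for inc in incidents:
        start, end = getattr(inc, start_attr), getattr(inc, end_attr)
        if start is None or end is None:
            excluded += 1
            continue
        if end < start:  # clock skew or a bad data entry; refuse to average garbage
            raise ValueError(f"{inc.incident_id}: {end_attr} precedes {start_attr}")
        durations.append((end - start).total_seconds() / 60)
    if not durations:
        return None, 0, excluded
    return sum(durations) / len(durations), len(durations), excluded


def time_kpis(incidents) -> dict:
    """MTTD, MTTI, MTTR and MTRS in minutes, using the intervals the article defines."""
    return {
        "MTTD": mean_minutes(incidents, "occurred_at", "detected_at"),
        "MTTI": mean_minutes(incidents, "detected_at", "investigation_started_at"),
        "MTTR": mean_minutes(incidents, "detected_at", "contained_at"),
        "MTRS": mean_minutes(incidents, "detected_at", "service_restored_at"),
    }


if __name__ == "__main__":
    for name, (avg, counted, excluded) in time_kpis(load_incidents(SAMPLE_TIMELINES)).items():
        value = "n/a" if avg is None else f"{avg:.1f} min"
        print(f"{name}: {value} over {counted} incident(s); {excluded} still open")
```

On the constructed data, MTTD comes out at 67.5 minutes over all four incidents, while MTTR covers only the three contained incidents and MTRS only the two whose service was restored; the "still open" counts are what keep those averages honest when reporting upward.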
Threat Intelligence Utilization and Proactive Threat Hunting
This isn't just about reacting faster; it's about getting ahead of the threat with smart intelligence and proactive hunting, turning your SOC from a defensive line into a strategic advantage. By focusing on how well you use threat intelligence and hunt for hidden risks, you can measure your team’s ability to anticipate and neutralize attacks before they even begin.
Threat Intelligence Utilization Effectiveness
This KPI measures how effectively your team translates raw threat data into actionable defense, which matters because it shows whether your intelligence investment is actually making you safer or just creating noise. Leaders gauge this by tracking how many security incidents were enriched or identified using threat intelligence feeds, ensuring the data is actively sharpening their team's focus.
Mean Time to Detect (MTTD)
In this context, MTTD measures how quickly your proactive efforts uncover hidden threats, which is critical because it proves your hunting is successfully shrinking an attacker's dwell time. Executives look at the MTTD specifically for incidents discovered through threat hunting versus automated alerts, validating that their proactive investment is finding threats faster.
Formula: (Sum of time to detect each incident) / (Total number of incidents) = MTTD
For example, if your threat hunting team found 3 hidden threats that had been dormant for 10, 30, and 80 days, the average dwell time (MTTD) for those threats was 40 days—a number you'll want to drive down.
False Negative Rate (FNR)
FNR reveals how many threats your automated systems missed that were later caught by proactive hunting, which is vital because it directly measures the value of your human-led defense in catching what slips through the cracks. Leaders track the number of true positive incidents identified through manual hunts to quantify the gaps in their automated defenses and justify the need for skilled analysts.
Formula: (Number of missed incidents found by hunting) / (Total number of actual incidents) x 100 = False Negative Rate
For example, if proactive hunting uncovered 5 incidents that your SIEM missed out of a total of 50 real incidents in a quarter, your FNR is 10%, highlighting a critical gap your hunters are filling.
Detection Coverage
This KPI shows how well your defenses are mapped to attacker techniques informed by threat intelligence, which is crucial for ensuring you're building protections against the most relevant and current threats. Executives review the percentage of MITRE ATT&CK techniques covered that are specifically highlighted in recent threat intelligence reports, ensuring their team is prioritizing the right defenses.
Formula: (Number of intelligence-prioritized techniques covered) / (Total number of techniques prioritized by threat intelligence) x 100 = Targeted Detection Coverage
For example, if threat intelligence points to 20 key adversary techniques and your team has built and tested detections for 15 of them, your targeted detection coverage is 75%.
Number of Hunts Leading to New Detections
This metric counts how many proactive threat hunts result in the creation of a new, permanent detection rule, which matters because it shows your hunting team isn't just finding fish but teaching the system how to fish for itself. Leaders track this as a direct measure of the hunting team's contribution to scaling and automating security, turning one-off discoveries into lasting protection.
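The rate and coverage KPIs from the sections above (FPR, FNR, incident closure and escalation rates, and detection coverage in both its framework-wide and intelligence-prioritized forms), worked as an added Python example that is not part of the original article. The alert dispositions, incident outcomes and rule-to-technique mapping are constructed sample data; the 194-technique framework total is the figure the article's own example uses, and the ATT&CK technique IDs stand in for whatever your detection rules are tagged with. Two details the formulas leave implicit are handled explicitly: two rules for the same technique count once toward coverage, and a disabled rule does not count at all. A per-rule FPR is included because the aggregate rate tells you there is noise, while the per-rule figure tells you which rule to tune.

```python
from collections import defaultdict
from typing import Iterable, Optional

# Constructed sample data (not real alerts, incidents or rules).
# (alert_id, rule_id, analyst disposition)
SAMPLE_ALERTS = [
    ("A1", "R1", "true_positive"), ("A2", "R1", "false_positive"),
    ("A3", "R2", "false_positive"), ("A4", "R2", "false_positive"),
    ("A5", "R3", "true_positive"), ("A6", "R4", "true_positive"),
    ("A7", "R4", "false_positive"), ("A8", "R6", "true_positive"),
    ("A9", "R6", "true_positive"), ("A10", "R2", "false_positive"),
]
# (incident_id, source, escalated, closed); source "hunt" = first found by a threat hunter,
# i.e. missed by automated detection, which is the numerator the article uses for FNR
SAMPLE_INCIDENTS = [
    ("I1", "alert", False, True), ("I2", "alert", True, True),
    ("I3", "hunt", True, True),   ("I4", "alert", False, False),
    ("I5", "alert", False, True), ("I6", "hunt", True, False),
    ("I7", "alert", False, True), ("I8", "alert", False, True),
]
# (rule_id, ATT&CK technique the rule targets, enabled)
SAMPLE_RULES = [
    ("R1", "T1059", True), ("R2", "T1059", True),   # two rules, one technique
    ("R3", "T1566", True), ("R4", "T1078", True),
    ("R5", "T1003", False),                          # written but switched off
    ("R6", "T1021", True),
]
FRAMEWORK_TECHNIQUE_COUNT = 194                      # framework size used in the article's example
INTEL_PRIORITIZED = {"T1059", "T1566", "T1003", "T1105"}  # constructed threat-intel shortlist


def percent(numerator: int, denominator: int) -> Optional[float]:
    """Ratio as a percentage; None when there is nothing to divide by (e.g. a quiet month)."""
    return None if denominator == 0 else 100.0 * numerator / denominator


def false_positive_rate(alerts) -> Optional[float]:
    return percent(sum(1 for _, _, disposition in alerts if disposition == "false_positive"), len(alerts))


def false_positive_rate_by_rule(alerts) -> dict:
    """FPR per rule: the figure you need to find which rule is producing the noise."""
    totals, fps = defaultdict(int), defaultdict(int)
    for _, rule_id, disposition in alerts:
        totals[rule_id] += 1
        if disposition == "false_positive":
            fps[rule_id] += 1
    return {rule_id: percent(fps[rule_id], totals[rule_id]) for rule_id in totals}


def false_negative_rate(incidents) -> Optional[float]:
    return percent(sum(1 for _, source, _, _ in incidents if source == "hunt"), len(incidents))


def closure_rate(incidents) -> Optional[float]:
    return percent(sum(1 for _, _, _, closed in incidents if closed), len(incidents))


def escalation_rate(incidents) -> Optional[float]:
    return percent(sum(1 for _, _, escalated, _ in incidents if escalated), len(incidents))


def detection_coverage(rules, framework_total: int,
                       prioritized: Optional[Iterable[str]] = None) -> Optional[float]:
    """Share of techniques with at least one enabled rule.

    Rules for the same technique count once; disabled rules do not count at all. With a
    prioritized set, numerator and denominator both restrict to it (the article's
    intelligence-informed variant).
    """
    covered = {technique for _, technique, enabled in rules if enabled}
    if prioritized is None:
        return percent(len(covered), framework_total)
    wanted = set(prioritized)
    return percent(len(covered & wanted), len(wanted))


if __name__ == "__main__":
    print(f"FPR: {false_positive_rate(SAMPLE_ALERTS):.1f}%")
    for rule_id, fpr in sorted(false_positive_rate_by_rule(SAMPLE_ALERTS).items()):
        print(f"  {rule_id}: {fpr:.0f}% false positives")
    print(f"FNR: {false_negative_rate(SAMPLE_INCIDENTS):.1f}%")
    print(f"Closure rate: {closure_rate(SAMPLE_INCIDENTS):.1f}%")
    print(f"Escalation rate: {escalation_rate(SAMPLE_INCIDENTS):.1f}%")
    print(f"Coverage (framework): {detection_coverage(SAMPLE_RULES, FRAMEWORK_TECHNIQUE_COUNT):.1f}%")
    print(f"Coverage (intel-prioritized): "
          f"{detection_coverage(SAMPLE_RULES, FRAMEWORK_TECHNIQUE_COUNT, INTEL_PRIORITIZED):.1f}%")
```

On this sample, six rules produce only four covered techniques (R1 and R2 overlap, R5 is disabled), and the intelligence-prioritized view shows 50% coverage of the shortlist even though the framework-wide figure is about 2%; that gap between the two views is exactly why the article asks you to track both.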
Monitoring Visibility and Telemetry/Tooling Health
This is the bedrock of your security posture—if you can’t see it, you can’t stop it. These KPIs give you a brutally honest look at how well your tools and telemetry are performing, ensuring you have the visibility needed to catch threats early and that your systems are healthy enough to deliver critical alerts without delay.
Mean Time to Detect (MTTD)
MTTD clocks how fast your team spots a threat from the moment it occurs, and it’s critical because every second an attacker goes unnoticed is another second they have to dig deeper into your systems. Executives measure this by analyzing the average time from an event’s start to its detection, relentlessly pushing to shrink this window of opportunity.
Formula: (Sum of time to detect each incident) / (Total number of incidents) = MTTD
For example, if 10 incidents had a total detection time of 100 hours, your MTTD is 10 hours.
False Positive Rate (FPR)
This KPI tracks the percentage of alerts that are just harmless noise, which is vital because a high rate burns out your team on wild goose chases instead of focusing on real threats. Leaders monitor the ratio of false alarms to total alerts to ensure their security tools are finely tuned and their analysts’ time is protected.
Formula: (Number of false positives / Total number of alerts) x 100 = False Positive Rate
For example, if your SOC gets 1,000 alerts and 200 are false positives, your FPR is 20%.
False Negative Rate (FNR)
FNR measures the real threats your tools completely miss, and it’s your most critical blind spot metric because a high FNR means active threats are operating unseen. Executives assess this by analyzing data from proactive threat hunts and post-incident reviews to quantify what slipped past automated defenses and close those gaps.
Formula: (Number of missed incidents / Total number of actual incidents) x 100 = False Negative Rate
For example, if there were 50 real security incidents and your systems missed 5, your FNR is 10%.
Detection Coverage
This metric shows what percentage of known attacker tactics your security tools can actually see, which is crucial for revealing exactly where your defensive blind spots are. Executives measure this by mapping their detection capabilities against a framework like MITRE ATT&CK to validate that their tooling provides visibility into the most relevant threats.
Formula: (Number of unique techniques covered / Total number of techniques in framework) x 100 = Detection Coverage
For example, if a framework has 194 techniques and you cover 127, your coverage is approximately 65%.
Alert Latency
Alert Latency measures the delay between when suspicious activity occurs and when an analyst actually receives the alert, highlighting potential bottlenecks in your data pipeline or tooling. Leaders track the average time from an event’s start to the alert’s acknowledgment to ensure their systems are delivering critical information without costly delays.
Formula: (Sum of time from activity start to alert acknowledgment) / (Total number of alerts) = Alert Latency
For example, if the total time between activity and acknowledgment for 100 alerts was 300 minutes, your average alert latency is 3 minutes.
SOC Operational Efficiency and Analyst Performance
This is where operational excellence meets human performance, giving you a clear picture of your team’s efficiency, workload, and effectiveness. Tracking these KPIs helps you optimize processes, prevent analyst burnout, and ensure your security operations can scale with your business.
Mean Time to Respond (MTTR)
MTTR is your bottom-line metric for incident resolution, measuring the average time from detection to full containment to show how quickly your team can neutralize a threat and minimize damage.
Leaders track the total time from alert to resolution across all incidents, relentlessly pushing this number down through better playbooks, automation, and expert support.
Formula: (Sum of time to resolve each incident) / (Total number of incidents) = MTTR
For example, if it took a total of 240 hours to resolve 30 incidents, your MTTR is 8 hours.
Mean Time to Investigate (MTTI)
MTTI measures the critical gap between an alert firing and an analyst actively starting the investigation, revealing any lag in your initial response that could give an attacker a head start.
Executives monitor the time from alert generation to the first investigative action, pinpointing bottlenecks that slow down containment and indicate where analysts may be overloaded.
Formula: (Sum of time from detection to investigation start) / (Total number of incidents) = MTTI
For example, if the total time between detection and investigation for 20 incidents was 180 minutes, your MTTI is 9 minutes.
False Positive Rate (FPR)
FPR tracks the percentage of alerts that are just harmless noise, a vital metric because a high rate burns out your top talent on wild goose chases instead of focusing on real threats.
Leaders monitor the ratio of false alarms to total alerts to ensure their security tools are finely tuned and their analysts’ valuable time is protected.
Formula: (Number of false positives / Total number of alerts) x 100 = False Positive Rate
For example, if your SOC gets 2,000 alerts in a month and 500 are false positives, your FPR is 25%.
Incident Escalation Rate
This metric measures how often incidents require escalation to senior staff, acting as a powerful indicator of your frontline team's expertise, authority, and access to information.
Leaders watch this rate to identify gaps in team capabilities or resources, guiding targeted training and process improvements to empower frontline analysts and prevent bottlenecks.
Formula: (Number of incidents escalated / Total number of incidents) x 100 = Incident Escalation Rate
For example, if 15 out of 100 incidents were escalated last month, your escalation rate is 15%.
SOC Capacity
SOC Capacity calculates the total time your team has available to handle alerts, which is crucial for ensuring you have the bandwidth to manage your current workload and scale for growth without burning out your team.
Executives use this to forecast resource needs and ensure their team's available work hours exceed the expected workload, building a sustainable and resilient security operation.
Formula: (Number of analysts x Available work hours per analyst per day x Workdays per month x Share of time spent triaging) = SOC Capacity
For example, with 5 analysts each available 5.6 hours a day, spending 40% of that time on triage, over 20 workdays, your SOC capacity is 224 triage hours per month.
Common Pitfalls for SOC KPI Management
It’s dangerously easy to let your KPI strategy derail your security goals. The most common pitfall is chasing meaningless “vanity” metrics—like a high incident closure rate that looks great on a chart but masks the fact that incidents are being closed incorrectly just to boost a number. Other teams get bogged down by tracking too many KPIs, which dilutes focus, or they suffer from inconsistent definitions and a lack of clear ownership, leaving everyone confused about what the data actually means. Let’s be honest: as a leader, you don’t have the bandwidth to personally police these details. Without a dedicated eye on the process, you risk over-optimizing for the wrong things, ignoring critical lag times in your response, and ultimately making decisions based on flawed data. The key is to ensure someone is accountable for keeping your KPIs meaningful, actionable, and relentlessly tied to business outcomes.
How an Executive Assistant from Viva Streamlines KPI Tracking
A high-caliber executive assistant from Viva ensures your KPI management is sharp, not a distraction. Our top 0.2% Latin American talent, trained through a rigorous business bootcamp, owns the operational details so you can focus on leadership. An EA handles:
- Managing KPI Dashboards: Consolidating data into a single, clean dashboard for an accurate, at-a-glance view of performance.
- Distilling Weekly Reports: Synthesizing raw data into concise summaries that highlight key trends and performance shifts.
- Flagging Critical Anomalies: Monitoring performance against benchmarks and proactively alerting you to significant deviations.
Want Better KPI Management?
Streamline your KPI management and get back to leading. Take the first step and book a call with our team—we’ll match you with a vetted EA in under a week.