Demonstrating SOC Value - A Practical Guide

The document provides a practical guide for clients and security providers on demonstrating SOC value through key performance indicators (KPIs) such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). It emphasizes the importance of automation and threat intelligence enrichment in improving SOC efficiency and response times, while also showcasing real incident response examples to build client trust. Additionally, it discusses SOC maturity levels and framework alignment to assure clients of the SOC's structured and scalable operations.

Uploaded by Imran Khan

DEMONSTRATING SOC VALUE: A PRACTICAL GUIDE FOR CLIENTS AND SECURITY PROVIDERS

BY IZZMIER IZZUDDIN

SOC PERFORMANCE

1. SOC KPI METRIC

Mean Time to Detect (MTTD)

• Definition: The average time taken from when a threat enters the environment until the SOC detects it.
• Purpose: Measures how quickly your monitoring tools and analysts identify threats.
• Target: < 10 minutes (for Tier 1 alerts)
• Why It Matters: The faster you detect, the less time the attacker has to move laterally or cause damage. A low MTTD shows excellent alerting logic and monitoring efficiency.

Mean Time to Respond (MTTR)

• Definition: The average time taken to fully respond to an incident, from detection to containment.
• Purpose: Evaluates the SOC’s agility in remediating threats.
• Target: < 60 minutes (Tier 2 & 3 analysts)
• Why It Matters: Quick response can stop ransomware before encryption or halt data exfiltration. A consistently low MTTR reflects good analyst workflow, response playbooks and SOAR automation.

Alert Volume and Filtering

• Definition: Total number of alerts generated versus those auto-filtered or marked as false positives.
• Purpose: Indicates how efficient your correlation rules, tuning and SOAR are in reducing noise.
• Target: 90% auto-filtered / suppressed
• Why It Matters: High alert volume with poor filtering overwhelms analysts. Clients want to see that your system filters out junk and focuses only on meaningful alerts (true positives).

True Positive Rate (TPR)

• Definition: The percentage of alerts that are truly malicious or worth investigation.
• Purpose: Measures accuracy and quality of your detections.
• Target: > 95%
• Why It Matters: High TPR means the SOC isn’t wasting time on benign activity. It reflects well-tuned detection rules and intelligent alerting mechanisms, which clients value.

Escalation Rate (L1 to L2)

• Definition: Percentage of alerts escalated from Tier 1 to Tier 2 due to complexity or uncertainty.
• Purpose: Indicates the effectiveness and skill level of L1 analysts.
• Target: < 10–15%
• Why It Matters: A low escalation rate means L1 analysts can handle routine alerts confidently, which keeps the pipeline efficient. High rates may signal undertrained L1s or unclear triage playbooks.

Case Closure Time

• Definition: Time taken to complete an incident response cycle, from alert open to case closure.
• Purpose: Ensures incident handling follows SLA and is efficiently managed.
• Target:
o P1 (Critical): within 4 hours
o P2 (High): within 12 hours
• Why It Matters: SOCs under SLA need to report timely case resolution. Clients see this as proof of professionalism and reliability in threat handling.

Client Notification Time

• Definition: Time taken to notify the client after a confirmed security incident or major alert triage.
• Purpose: Measures responsiveness and transparency of your SOC communication.
• Target: < 30 minutes
• Why It Matters: Clients appreciate real-time collaboration. Timely updates can prevent confusion or delays on the client side (e.g., they may need to coordinate internal IT or management response).

Dashboard Example

KPI | Description | Target | Why It Matters
--- | --- | --- | ---
MTTD | Time to detect threat | < 10 mins | Shows detection speed
MTTR | Time to respond/contain | < 60 mins | Reflects response efficiency
Alert Volume | No. of alerts & % filtered | 90% auto-filtered | Shows tuning & alert quality
True Positive Rate | Accuracy of alerts | > 95% | Reflects value and focus of SOC alerts
Escalation Rate (L1→L2) | % escalated for further analysis | < 10–15% | Indicates strength of L1 triage
Case Closure Time (SLA) | Time to resolve incident by priority | P1: 4h, P2: 12h | Validates SLA adherence
Client Notification Time | Time to inform clients after triage | < 30 mins | Builds trust, ensures visibility
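
As an added example (not part of the guide), the following Python computes the dashboard KPIs above from alert records and assigns a RAG status against the guide's targets. The alert records are constructed sample data, and the Yellow band (within 20% of target) is an assumption, since the guide only names the three colours.

```python
"""Added example: compute the guide's SOC KPIs and a RAG status from alert records.
The alert records below are constructed sample data; the targets are the guide's."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Targets exactly as the dashboard states them (minutes or percent)
TARGETS = {"MTTD": 10, "MTTR": 60, "TPR": 95, "Escalation": 15,
           "Notification": 30, "SLA adherence": 98}
HIGHER_IS_BETTER = {"TPR", "SLA adherence"}
CLOSURE_SLA_HOURS = {"P1": 4, "P2": 12}    # the guide gives no closure SLA for P3


@dataclass
class Alert:
    alert_id: str
    priority: str                    # "P1", "P2" or "P3"
    true_positive: bool              # verdict after triage
    escalated_to_l2: bool
    entered: datetime                # first malicious event in the environment
    detected: datetime               # time the SOC raised the alert
    contained: Optional[datetime] = None
    notified: Optional[datetime] = None
    closed: Optional[datetime] = None


def minutes_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def rag_status(actual: float, target: float, higher_is_better: bool, tolerance: float = 0.2) -> str:
    """Green meets the target, Yellow is within `tolerance` of it, Red is beyond (assumed bands)."""
    if higher_is_better:
        if actual >= target:
            return "Green"
        return "Yellow" if actual >= target * (1 - tolerance) else "Red"
    if actual <= target:
        return "Green"
    return "Yellow" if actual <= target * (1 + tolerance) else "Red"


def compute_kpis(alerts):
    """Return {kpi: (value rounded to 1 dp, RAG status)} for one reporting period."""
    true_pos = [a for a in alerts if a.true_positive]
    contained = [a for a in true_pos if a.contained]
    notified = [a for a in true_pos if a.notified]
    # Case closure SLA applies to P1/P2 true positives, measured from alert open to closure
    with_sla = [a for a in true_pos if a.priority in CLOSURE_SLA_HOURS and a.closed]
    met_sla = [a for a in with_sla
               if minutes_between(a.detected, a.closed) <= CLOSURE_SLA_HOURS[a.priority] * 60]
    values = {
        "MTTD": mean(minutes_between(a.entered, a.detected) for a in true_pos),
        "MTTR": mean(minutes_between(a.detected, a.contained) for a in contained),
        "TPR": 100 * len(true_pos) / len(alerts),
        "Escalation": 100 * sum(a.escalated_to_l2 for a in alerts) / len(alerts),
        "Notification": mean(minutes_between(a.detected, a.notified) for a in notified),
        "SLA adherence": 100 * len(met_sla) / len(with_sla) if with_sla else 100.0,
    }
    return {k: (round(v, 1), rag_status(v, TARGETS[k], k in HIGHER_IS_BETTER))
            for k, v in values.items()}


def sample_alerts():
    """Constructed one-day sample: five true positives and one false positive."""
    def t(h, m):
        return datetime(2024, 4, 8, h, m)
    return [
        Alert("A1", "P1", True, True, t(9, 0), t(9, 5), t(9, 45), t(9, 25), t(12, 0)),
        Alert("A2", "P2", True, False, t(10, 0), t(10, 12), t(11, 10), t(10, 30), t(19, 0)),
        Alert("A3", "P3", True, False, t(11, 0), t(11, 7), t(11, 50), None, t(14, 0)),
        Alert("A4", "P3", False, False, t(12, 0), t(12, 0), None, None, t(12, 10)),  # benign
        Alert("A5", "P2", True, False, t(13, 0), t(13, 8), t(13, 55), t(13, 20), t(23, 30)),
        Alert("A6", "P3", True, False, t(14, 0), t(14, 4), t(14, 30), None, t(15, 0)),
    ]


if __name__ == "__main__":
    for kpi, (value, status) in compute_kpis(sample_alerts()).items():
        print(f"{kpi:15} {value:>7} target {TARGETS[kpi]:>3}  {status}")
```

With the sample data the escalation rate lands just over the 15% target, which is exactly the Yellow case the April snapshot later in this guide flags for playbook work.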

2. SHOWCASE USE OF AUTOMATION & ENRICHMENT

Clients are increasingly focused on how modern SOCs leverage automation and threat intelligence enrichment to reduce analyst fatigue, increase response speed and improve accuracy. Demonstrating this gives them confidence that your SOC is not only reactive, but proactively efficient and scalable.

A. SOAR Integration (Security Orchestration, Automation & Response)

Automation Capabilities:

Function | Automated Action Example
--- | ---
Triage | Parse alert metadata, assign priority, correlate with past alerts
Enrichment | Fetch IP reputation, file hash data, geolocation
Containment | Isolate endpoint, disable account, block IP in firewall
Ticketing | Auto-create ticket with full context and assign to analyst
Notification | Auto-send email/SMS/Teams/Slack alert to client
Playbook Execution | Use dynamic decision trees based on alert logic

Example: "Our SOAR playbook auto-triages phishing emails, checks URLs in VirusTotal, detaches attachments for sandbox analysis and updates the SIEM, all before human review."

B. Auto-Enrichment with Threat Intelligence (TI)

What Is Enriched:

Element | Enrichment Sources Used
--- | ---
IP Address | BrightCloud, AbuseIPDB, IBM X-Force, OTX
File Hash | VirusTotal, ReversingLabs, Any.Run
Domain/URL | URLhaus, PhishTank, AlienVault OTX
User/Asset | CMDB, HR systems, AD group context
Geo-IP | MaxMind, GeoIP DB
Alert History | SIEM/EDR correlation with past cases

Example: "Suspicious login alert from IP 185.101.93.21 was enriched automatically:

• GeoIP = Russia
• Known malicious (BrightCloud score: 9/10)
• Seen in 3 previous attacks in March
Result: Auto-escalated and endpoint isolated."

C. Use Case Examples of Automation & Enrichment


Use Case | Automated Enrichment/Action | Benefit
--- | --- | ---
Phishing Detection | Auto-scan links (VirusTotal), sandbox attachments, classify using SOAR | 90% classified within 3 mins
Failed Logins from New IP | Enrich with geo-IP, past login data, TI lookup | Detect impossible travel automatically
Ransomware Behaviour (EDR) | Check process tree, hash reputation, isolate host | Response within seconds
Data Exfiltration Alert | Correlate with firewall logs, user activity, endpoint status | Reduce false positives instantly

Outcome & Metrics to Share:

Metric | Sample Performance
--- | ---
% Alerts Auto-Triaged | 80–95%
% Alerts Enriched Before Analyst Touch | >90%
Time Saved per Alert | 5–15 minutes
Time to Classify Phishing Emails | < 3 mins with SOAR playbook
Analyst Workload Reduction | 30–50% fewer manual tasks per shift

What to Tell Clients: “Our SOC uses SOAR and integrated threat intelligence to fully enrich, triage and in some cases auto-contain threats, before a human even touches the case. This allows our analysts to focus on critical investigations, ensuring faster response times and lower false positives.”

3. DEMONSTRATE THREAT COVERAGE

One of the most powerful ways to earn client trust is by visibly mapping your detection capabilities to real-world attacker behaviours, especially using the MITRE ATT&CK framework.

This shows that your SOC isn't just catching generic anomalies, it's built to detect specific adversarial tactics, techniques and procedures (TTPs) used in real attacks.

A. Why It Matters to Clients

• Clients want evidence that your SOC isn’t just working, it's protecting them against known attack behaviours like ransomware, phishing, credential theft or data exfiltration.
• Aligning with MITRE ATT&CK proves:
o Detection is mapped to real threats
o You're not relying on vague or generic alerting
o Your team is mature, threat-informed and outcome-driven

B. What to Present: MITRE ATT&CK Coverage Matrix

• SIEM rules
• EDR/XDR detections
• Threat hunting queries
• SOAR playbooks
• Use cases / detection logic

Example Table:

Tactic | Technique | Coverage | Detection Source
--- | --- | --- | ---
Initial Access | Phishing (T1566) | Full | Email Gateway, SIEM
Initial Access | Drive-by Compromise (T1189) | Full | Proxy Logs + EDR
Execution | PowerShell (T1059.001) | Full | EDR, Sysmon
Execution | Malicious Office Macro (T1203) | Full | Email + EDR
Persistence | Registry Run Keys (T1547.001) | Partial | Sysmon + EDR
Credential Access | LSASS Dumping (T1003.001) | Full | EDR
Credential Access | Brute Force (T1110) | Full | AD Logs + SIEM Rules
Lateral Movement | SMB Lateral Movement (T1021.002) | Full | Firewall + AD Logs
Exfiltration | Exfil Over Web (T1041) | Partial | Proxy + DLP

C. Summary Metrics to Show:

Category | Metric Example
--- | ---
Overall Coverage | 95% of relevant TTPs covered
Total Use Cases | 100+ mapped to MITRE ATT&CK
Full Coverage Tactics | 9 of 12 tactics
High-Risk Techniques | All techniques used by FIN7, APT28 or ransomware covered
Custom Detection Logic | 30+ proprietary detection rules

D. Customisation Based on Client Industry

Industry | Focus Area
--- | ---
Finance | Credential theft, fraud, data exfiltration
Healthcare | Ransomware, insider threats
Education | Lateral movement, privilege escalation
Government | APT techniques, persistence, stealth C2

Example: “For our financial sector clients, we focus coverage on Initial Access via phishing, credential harvesting and exfiltration tactics, mapped to FIN7 and TA505 behaviours in MITRE.”

E. Deliverables You Can Show Clients

1. MITRE ATT&CK Heatmap (colour-coded matrix)
2. TTP Coverage Report (PDF format, monthly/quarterly)
3. Use Case to Technique Mapping Table
4. Detection Source Overlay (e.g., EDR, SIEM, Cloud logs)

What to Tell Clients: “We’ve built our detection logic around MITRE ATT&CK, covering over 95% of techniques from Initial Access to Exfiltration. This gives you real-world protection against tactics used by APTs, ransomware and insider threats.”

4. HIGHLIGHT REAL INCIDENT RESPONSE EXAMPLES

Presenting anonymised real-world incident response (IR) cases is one of the most compelling ways to demonstrate SOC effectiveness. It helps clients understand how your SOC handles live threats, communicates under pressure and protects real environments, all while maintaining SLA, using best practices and leveraging the right technologies.

Case Study 1: Credential Access via Phishing

Client Industry: Financial Services
Attack Type: Phishing email leading to credential harvesting
Detection Sources: Email Gateway → SIEM → SOAR → Threat Intel
Tools Involved: Microsoft Defender, SOAR, VirusTotal, Splunk
MITRE Techniques:

• T1566.002 (Spearphishing via Link)
• T1081 (Credential Dumping)

Timeline:

Time | Event
--- | ---
00:00 | User received phishing email impersonating HR portal login
00:01 | Email gateway scanned the link → triggered SIEM alert
00:02 | SOAR playbook automatically parsed the URL and matched it to known phishing domain (VirusTotal)
00:03 | User submitted credentials → proxy logs flagged exfil to suspicious IP
00:05 | Analyst triaged and escalated to L2 (confirmed compromise)
00:08 | AD account disabled, password reset enforced
00:10 | Client notified with full triage summary and next steps
00:40 | Final report issued, including IOCs and block recommendations

Outcome:

• Time to Detect (MTTD): 2 minutes
• Time to Contain (MTTR): 10 minutes
• No lateral movement occurred
• Incident closed same day with user re-education

Case Study 2: Ransomware Outbreak Prevention

Client Industry: Manufacturing
Attack Type: Early-stage ransomware via SMB exploit
Detection Sources: EDR → SIEM → XDR → SOAR
Tools Involved: Cortex XDR, SOAR, Zeek logs, Splunk
MITRE Techniques:

• T1059.001 (PowerShell Execution)
• T1021.002 (SMB Lateral Movement)
• T1486 (Data Encryption for Impact)

Timeline:

Time | Event
--- | ---
00:00 | Endpoint triggered EDR alert: suspicious PowerShell command (base64 obfuscated)
00:02 | XDR flagged unusual SMB activity to 5 internal hosts
00:04 | SOAR enriched with asset data and TI (PowerShell matched known ransomware loader)
00:06 | L2 analyst initiated host isolation via XDR
00:08 | AD account disabled; all SMB connections blocked
00:10 | File write activity halted; attack stopped pre-encryption
01:00 | Root cause traced to outdated internal system via Zeek logs
02:00 | Patch applied; forensic copy secured; client informed with remediation steps

Outcome:

• Ransomware contained before encryption
• Zero data loss or downtime
• Clients impressed by real-time containment and reporting
• Response validated against MITRE ATT&CK and mapped in after-action review

What to Tell Clients: “We don’t just generate alerts, we detect, enrich, contain and report in real-time. Our analysts are supported by automation, but we still lead with intelligence. These examples prove that our SOC is not only operational, it’s proactive, battle-tested and aligned with real-world threats.”

5. SOC MATURITY LEVEL & FRAMEWORK ALIGNMENT

Demonstrating your SOC’s maturity level and alignment with industry-recognised frameworks gives clients confidence that your operations are not just functional, but structured, scalable and continuously improving.

A. What Is SOC Maturity?

SOC maturity refers to how advanced and structured your people, processes and technology are in detecting, responding to and preventing cyber threats. A mature SOC is:

• Proactive (not reactive)
• Automated and efficient
• Driven by intelligence
• Auditable and compliant with global standards

B. SOC Maturity Levels (5-Stage Model)

Level | Description | Key Characteristics
--- | --- | ---
Level 1 | Ad-hoc / Reactive | Manual triage, little to no correlation, basic alerting
Level 2 | Basic / Repeatable | Use of SIEM, SLAs introduced, some documentation
Level 3 | Proactive / Hunting Enabled | Threat hunting, playbooks, SOAR, MITRE ATT&CK mapping
Level 4 | Adaptive / Intelligence-Driven | Threat intel integration, purple teaming, tailored detections
Level 5 | Optimised / Business-Aligned | Predictive defence, risk-aligned detection, AI analytics, KPI-driven tuning

Your Position Example: “Our SOC currently operates at Level 3 maturity, with advanced
detection rules, threat hunting, SOAR workflows and monthly KPI reviews. We're
progressing towards Level 4 with full threat intelligence integration and client-specific
adversary simulation (purple teaming).”

C. Frameworks to Prove SOC Alignment

1. NIST Cybersecurity Framework (CSF)

5 core functions:

• Identify (assets, risks, business context)
• Protect (access control, awareness, endpoint defence)
• Detect (SIEM, EDR, anomaly detection)
• Respond (incident handling, comms, forensics)
• Recover (lessons learned, system restoration)

Example Mapping:

NIST Function | Your SOC Capability
--- | ---
Detect | 24/7 SIEM + EDR with MITRE coverage
Respond | SOAR playbooks + incident runbooks
Recover | Root cause analysis, IR reports

2. SANS SOC-CMM (SOC Capability Maturity Model)

SOC-CMM evaluates across 5 dimensions:

Dimension | Description
--- | ---
People | Skills, roles, training, retention
Process | SOPs, IR workflows, playbooks
Technology | SIEM, EDR, SOAR, automation level
Business | Alignment with client risk, reporting to stakeholders
Security | Threat modelling, intelligence, coverage depth

Example: “Our last SOC-CMM self-assessment scored Level 3 across People, Process and
Technology, with initiatives underway to boost our Business alignment and Threat Intel
integration.”

3. MITRE D3FEND Framework

MITRE D3FEND is a companion to MITRE ATT&CK, but focuses on defensive controls.

D3FEND Category | SOC Implementation Example
--- | ---
Harden | Patch management, secure baselines
Detect | SIEM alerting, anomaly detection, log correlation
Isolate | Endpoint isolation via EDR
Deceive | Honeypots, canary tokens (if Level 4+)
Evict | Threat eradication playbooks (SOAR driven)

Example: “We use MITRE D3FEND to align our detection and response capabilities,
ensuring that for every ATT&CK technique observed, we have at least one D3FEND control
in place.”

D. What to Present to Clients

1. SOC Maturity Radar Chart
o Visualise strengths across the 5 SOC-CMM domains
2. Maturity Level Roadmap
o Show progress from Level 1 to 3 and your path to 4/5
3. NIST CSF Mapping Table
o Show your SOC functions aligned with each CSF pillar
4. Use Case-to-Framework Alignment Table
o Link your use cases to MITRE ATT&CK and D3FEND

What to Tell Clients: “Our SOC isn’t just a log monitoring centre, it’s a standards-aligned, maturing operation mapped to NIST CSF and SANS SOC-CMM. We are at Level 3 maturity, with threat hunting, SOAR, MITRE ATT&CK visibility and a roadmap toward intelligence-driven defence.”

6. PROVIDE MONTHLY/QUARTERLY SOC REPORT SAMPLES

A Monthly or Quarterly SOC Report is not just a compliance formality, it's a strategic communication tool that demonstrates SOC value, risk visibility and continuous improvement to clients or internal stakeholders.

A. Recommended SOC Report Structure

Executive Summary

A non-technical summary for C-level or decision-makers

• Key incidents detected (e.g., phishing, ransomware, brute-force attempts)
• Any escalations or confirmed compromises
• Overall security trend: “Decrease in brute-force attempts this quarter (↓22%)”
• Risk level trend: Low / Medium / High
• Highlight major improvements (e.g., reduced MTTD, new use case deployed)

Example: “This quarter, the SOC observed a sharp increase in phishing attempts (+37%)
with 98% successfully blocked. No major incidents were reported. SOC maintained 100%
SLA adherence.”

Top 10 Use Cases Triggered

Rank | Use Case Name | Alert Count | Action Taken
--- | --- | --- | ---
1 | Phishing Email Detection | 412 | Auto-contained by SOAR
2 | VPN Login from Unusual Country | 331 | Manual review required
3 | Excessive Failed Logins (Brute) | 289 | Locked accounts
4 | Suspicious PowerShell Execution | 205 | Host isolated
5 | Data Exfiltration Over HTTP | 147 | No data confirmed

Value: This shows which threats are most common and where focus is needed.

Lessons Learned & Improvement Actions

Incident Type | Lesson Learned | Improvement Action
--- | --- | ---
Phishing clickthrough | User clicked malicious email | User training refreshed; URL sandbox enabled
Delayed EDR alert | EDR agent missed anomaly | Agent policy tuned; SOAR playbook updated
False positive on VPN | Alert misconfigured for multi-country travel | Alert rule refined; asset group whitelisted

Value: Demonstrates maturity and learning, not just alert handling.

SLA Adherence Summary

Metric | Target | Actual (This Period) | Status
--- | --- | --- | ---
MTTD (Detection Time) | < 10 minutes | 7 mins | Met
MTTR (Response Time) | < 60 minutes | 38 mins | Met
P1 Case Closure Time | < 4 hours | Avg: 2.5 hours | Met
Notification Time | < 30 minutes | 18 mins | Met

Value: Offers objective proof that the SOC is performing at high standards.

Client-Specific Risk Trends

• Top attacked systems/users/IPs
• Breakdown of risk by location/department
• Emerging threats targeting the client
• Asset visibility gaps (e.g., EDR missing on 3 endpoints)
• Recommendations specific to client’s business

Example: “60% of brute-force attacks are targeting your finance team accounts, we recommend enabling MFA on VPN for all financial users.”

Appendices (Optional but Useful)

• Detailed incident timeline (per case)
• IOC list of detected threats (hashes, IPs, domains)
• MITRE ATT&CK mapping of key use cases
• Threat Intel feeds summary

B. Output Formats You Can Offer Clients

Format | Use Case
--- | ---
PDF Report | Formal audit trail and presentation-ready
Excel Dashboard | Filterable data for technical stakeholders
PowerPoint Slides | For monthly client meetings / QBRs
Interactive Client Portal | Live stats and SOC visibility (if available)

What to Tell Clients: “Every month, we don’t just show how many alerts we received, we show what those alerts mean to your business, what we’ve learned and how we’re evolving our detection strategy to stay ahead of the threats you actually face.”

7. CLIENT VISIBILITY & COLLABORATION

Today’s clients expect transparency, collaboration and shared situational awareness from their SOC provider, not just one-way alert emails. Giving clients visibility into SOC operations not only builds trust but also empowers them to make faster and better security decisions.

This section is where you highlight how your SOC engages with clients, both reactively
(during incidents) and proactively (to improve posture).

A. Why Client Visibility & Engagement Matters

Clients want answers to:

• “Can I see what’s happening in real time?”
• “Will I get alerted before it's too late?”
• “Can I trust that someone is watching over my environment 24/7?”
• “How do I provide context to the SOC or escalate urgent issues?”

B. Key Visibility & Collaboration Features to Showcase

Real-Time Client Portal / Dashboard Access

Portal Feature | Benefit to Client
--- | ---
Live Alert Feed | See active alerts and their status
Case Management View | Track investigation progress (open, triaged, closed)
KPI Dashboard | Monitor metrics like MTTD, MTTR, alert volume
Threat Landscape Summary | Visualise top threat actors, top attack types
Download Reports | Get past monthly/quarterly reports anytime
IOC/Threat Feed Lookup | Allow clients to query threat intelligence manually

Example: “Your environment is fully integrated into our SOC platform, where you can view live alerts, case progress and download reports on demand.”

Regular Threat Advisory Calls / Review Meetings

Discussion Topic | Why It Matters
--- | ---
Past month’s threat trends | Show value delivered and threat landscape evolution
Top incidents and response actions | Build trust in SOC handling and decision-making
Use case tuning & feedback loop | Align detections with business relevance
Platform/Integration updates | Keep clients aware of SOC enhancements
Risk & exposure review | Show risk reduction over time

Example: “In our monthly advisory call, we’ll walk you through what happened, why it happened, how we responded and what we’re improving next.”

Monthly Threat Intelligence Briefings

Content | Benefit
--- | ---
Industry-Specific Threat Trends | Tailor to vertical (e.g. finance, healthcare)
Emerging TTPs / APT Activity | Proactive alerting on global threat shifts
New CVEs and Patch Recommendations | Help clients harden their environment early
Client-Specific Intel Matching | “We observed IOCs linked to your infra”
Geopolitical Threat Factors | Highlight relevant regional threat landscape (e.g., Southeast Asia)

Example: “Last month’s threat intel update highlighted APT29 targeting the healthcare sector using DLL sideloading, we pre-emptively deployed detections to cover this TTP.”

C. Collaboration Tools & Channels

Communication Method | Purpose
--- | ---
Email Notification | Alerts, escalations, daily summaries
Phone / Hotline | High-priority or critical incidents
Secure Chat (e.g., Teams, Slack) | Real-time SOC-Client comms
Ticketing Portal Access | Track incidents, provide comments or evidence
Advisory Webinars | Broader awareness for IT/security teams

D. Benefits of Client Collaboration

Benefit | Description
--- | ---
Faster Decision-Making | Client gives instant feedback during triage
Improved Trust | Transparency builds long-term relationships
Aligned Detections | SOC use cases are tuned to actual client risks
Knowledge Sharing | Client becomes more security-aware & engaged

What to Tell Clients: “You’re not just handing over your logs, you’re entering a true partnership. We provide real-time visibility, conduct regular threat reviews and collaborate with you to align detection and response with your unique business environment.”

ADDITIONAL

SOC KPI DASHBOARD (SAMPLE – MONTHLY SNAPSHOT)

KPI Metric | Description | Target | Actual (April) | RAG Status
--- | --- | --- | --- | ---
MTTD (Detection Time) | Avg. time to detect threats | ≤ 10 mins | 8 mins | 
MTTR (Response Time) | Avg. time to contain/respond | ≤ 60 mins | 48 mins | 
False Positive Rate | % of alerts incorrectly flagged | ≤ 5% | 12% | 
Escalation Rate (L1→L2) | % of alerts escalated to higher tier | ≤ 15% | 17% | 
SLA Adherence | % of alerts handled within SLA | ≥ 98% | 99.5% | 
Client Notification Time | Avg. time to inform client after triage | ≤ 30 mins | 25 mins | 
Threat Intel Usage | Alerts enriched with threat intel | ≥ 90% | 91% | 
Use Case Effectiveness | Use cases triggered with real impact | ≥ 85% | 87% | 
SOC Availability | Uptime & analyst availability | ≥ 99.9% | 100% | 
Monthly Incident Volume | Total validated incidents handled | Informational | 63 Incidents | –

(The RAG Status column was colour-coded in the original and the colours were not preserved in this text version.)

Legend:

• Green: Within optimal performance range
• Yellow: Needs improvement but under control
• Red: Action required

Recommendations for This Month:

• Investigate high False Positive Rate (root cause: misconfigured rule for VPN alerts).
• Enhance L1 Analyst Playbooks to reduce unnecessary escalations to L2.

MITRE ATT&CK Coverage Heatmap (Example for April)

Tactic | Technique Examples | Detection Coverage Status
--- | --- | ---
Initial Access | Phishing (T1566), Drive-by Compromise (T1189) | Covered (3/3)
Execution | PowerShell (T1059.001), Script Execution (T1059) | Covered (4/4)
Persistence | Registry Run Keys (T1547.001), Services (T1543) | Partial (2/4)
Privilege Escalation | Sudo/Sudoers (T1548.003), Exploits (T1068) | Covered (2/2)
Defense Evasion | Obfuscated Files (T1027), Masquerading (T1036) | Partial (3/5)
Credential Access | LSASS Dumping (T1003.001), Brute Force (T1110) | Covered (3/3)
Discovery | System Info Discovery (T1082), Network Scanning (T1046) | Covered (3/3)
Lateral Movement | Pass the Hash (T1550.002), SMB (T1021.002) | Covered (2/2)
Collection | Screen Capture (T1113), Clipboard Capture (T1115) | Not Covered (0/2)
Command & Control | C2 Over HTTP/S (T1071.001), Custom Protocol (T1095) | Covered (2/2)
Exfiltration | Exfil via Web (T1041), Cloud Storage (T1567.002) | Partial (1/2)
Impact | Data Destruction (T1485), Disk Wipe (T1561) | Covered (2/2)

Coverage Summary:

• Green (Fully Covered): 8 out of 12 tactics
• Yellow (Partially Covered): 3 tactics
• Red (Not Covered): 1 tactic
• Overall Coverage: 85%
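
The coverage summary above, and the coverage matrix and deliverables described in section 3, can be generated from detection-rule metadata rather than maintained by hand. The Python below is an added example (not the guide's own tooling) that classifies each tactic as Covered, Partial or Not Covered, computes overall coverage as detected techniques over tracked techniques (an assumed definition), lists the gaps for the roadmap, and builds the detection-source overlay. The matrix is a constructed four-tactic sample using technique IDs from the guide's tables.

```python
"""Added example: derive an ATT&CK coverage summary, gap list and source overlay
from a tactic -> technique -> detection-source mapping (constructed sample data)."""
from collections import defaultdict

# Constructed sample: tactic -> {technique ID: (name as used in the guide, detection sources)}.
# An empty source list means nothing in the SIEM/EDR/hunting stack detects that technique yet.
COVERAGE_MATRIX = {
    "Initial Access": {
        "T1566": ("Phishing", ["Email Gateway", "SIEM"]),
        "T1189": ("Drive-by Compromise", ["Proxy Logs", "EDR"]),
    },
    "Persistence": {
        "T1547.001": ("Registry Run Keys", ["Sysmon", "EDR"]),
        "T1543": ("Services", []),                      # sample gap
    },
    "Collection": {
        "T1113": ("Screen Capture", []),
        "T1115": ("Clipboard Capture", []),
    },
    "Exfiltration": {
        "T1041": ("Exfil via Web", ["Proxy", "DLP"]),
        "T1567.002": ("Cloud Storage", []),             # sample gap
    },
}

HEATMAP_COLOURS = {"Covered": "Green", "Partial": "Yellow", "Not Covered": "Red"}  # guide's legend


def tactic_status(techniques):
    """Covered if every tracked technique has a source, Partial if some do, else Not Covered."""
    covered = sum(1 for _, sources in techniques.values() if sources)
    total = len(techniques)
    label = "Covered" if covered == total else "Partial" if covered else "Not Covered"
    return label, covered, total


def coverage_summary(matrix):
    """Per-tactic status strings, legend counts, overall percentage and the list of gaps."""
    per_tactic, colours, labels = {}, {}, []
    covered_total = tracked_total = 0
    for tactic, techniques in matrix.items():
        label, covered, total = tactic_status(techniques)
        per_tactic[tactic] = f"{label} ({covered}/{total})"
        colours[tactic] = HEATMAP_COLOURS[label]
        labels.append(label)
        covered_total += covered
        tracked_total += total
    return {
        "per_tactic": per_tactic,
        "heatmap": colours,
        "fully_covered": labels.count("Covered"),
        "partially_covered": labels.count("Partial"),
        "not_covered": labels.count("Not Covered"),
        "overall_pct": round(100 * covered_total / tracked_total, 1),
        # Gaps feed the roadmap: techniques with no detection source at all
        "gaps": [(tactic, tid, name) for tactic, techs in matrix.items()
                 for tid, (name, sources) in techs.items() if not sources],
    }


def source_overlay(matrix):
    """Deliverable 4 in section 3: which detection source covers which techniques."""
    overlay = defaultdict(list)
    for techs in matrix.values():
        for tid, (_, sources) in techs.items():
            for source in sources:
                overlay[source].append(tid)
    return dict(overlay)


if __name__ == "__main__":
    summary = coverage_summary(COVERAGE_MATRIX)
    for tactic, status in summary["per_tactic"].items():
        print(f"{tactic:18} {status:18} {summary['heatmap'][tactic]}")
    print(f"Overall coverage: {summary['overall_pct']}%  gaps: {len(summary['gaps'])}")
    print("Source overlay:", source_overlay(COVERAGE_MATRIX))
```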

TIMELINE OF INCIDENT LIFECYCLE

Example Incident Type: Suspicious PowerShell Activity Triggered from Email Attachment

Phase | Description | Responsible Tier | Target SLA | Actual (Sample Case) | Status
--- | --- | --- | --- | --- | ---
1. Detection | SIEM detects PowerShell execution linked to suspicious attachment | Tier 1 (L1) | Within 1 min | 45 seconds | 
2. Triage | L1 analyst triages the alert, checks context (user, process, endpoint) | Tier 1 (L1) | Within 5 mins | 3 mins | 
3. Enrichment | TI lookup (hash, domain), asset info, user risk score added | SOAR / L2 | Auto/manual < 10m | 6 mins (SOAR) | 
4. Classification | Alert escalated to confirmed malicious if IOC matches or abnormal pattern | Tier 2 (L2) | Within 15 mins | 12 mins | 
5. Containment | EDR isolates host, user AD account locked, firewall rule pushed | Tier 2 + Infra | Within 30 mins | 18 mins | 
6. Notification | Client informed with summary + containment actions | Tier 2 + Client Mgr | Within 30 mins | 25 mins | 
7. Investigation | Deep dive into timeline, lateral movement checks, log review | Tier 2 / 3 | Within 4 hours | 2 hours | 
8. Recovery | Client restores host, resets credentials, patches vulnerabilities | Client / Tier 3 | Varies by impact | 1 day | 
9. Closure | Final report, lessons learned, indicators updated in rules/EDR | Tier 3 / Report Team | 48 hrs | 36 hrs | 

(The Status column was a colour indicator in the original and was not preserved in this text version.)

SAMPLE ALERT ENRICHMENT FLOW

Alert Type: Suspicious Login Attempt from Unfamiliar IP

Step 1: Initial Alert Trigger

• Source: SIEM (e.g., failed login + successful login from same IP)
• Log Source: Azure AD / VPN / Firewall
• Trigger Rule: Multiple Failed Logins Followed by Success From Foreign IP

Step 2: Asset Context Enrichment

• Username: izzmier@client.com
• Device: WIN-CLIENT-123 (Laptop)
• Asset Tag: HR Department, Medium Sensitivity
• AD Group: HR-PowerUsers
• Recent Alerts: No prior alerts in 30 days
• Logged In Location: Not aligned with asset usual behaviour (Malaysia vs UK)

Step 3: Threat Intelligence Enrichment

• Source IP: 185.220.101.14
• Reputation: Malicious (Tor Exit Node)
• Blacklist Status: Listed on 3+ public blocklists
• Passive DNS: Seen in brute-force campaigns
• Enrichment Sources:
o VirusTotal
o BrightCloud
o AbuseIPDB
o Anomali STAXX

Step 4: Geo-IP & Behavioural Analysis

• Geo-IP: Germany (Not usual login country)
• Previous Geo: Malaysia only
• Geo-Velocity Check: Impossible travel (Malaysia → Germany in 30 mins)
• Anomaly Score: High

Step 5: User Behaviour Context

• Typical Login Time: 9am–6pm
• Alert Time: 3:12am
• Previous MFA Failures: 0
• User Flagged in Other Alerts: No

Step 6: Decision & Action Recommendation

• Verdict: Suspicious – Likely credential compromise
• Action Taken:
o Alert escalated to Tier 2
o Account temporarily locked
o Host added to watchlist
o Client notified with full context

Outcome: The alert went from a basic IP anomaly to a fully contextualised incident thanks to enrichment, enabling confident and fast containment decisions.
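
The six-step flow above, written out as an added Python example of what the SOAR enrichment step does before an analyst sees the alert (this is not the guide's own playbook). The GeoIP, threat-intel and asset tables are constructed stand-ins for the feeds the guide names, the coordinates are rough sample values, the 900 km/h impossible-travel threshold and the one-point-per-indicator scoring are assumptions, and `sample_case` replays the Malaysia-then-Germany login from the text.

```python
"""Added example: the six-step enrichment flow above as a small Python playbook step.
Feeds are replaced by constructed lookup tables; coordinates, the speed limit and the
scoring rule are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed stand-ins for the feeds the guide names (MaxMind, BrightCloud, AbuseIPDB, CMDB/AD)
GEOIP_DB = {  # ip -> (country, lat, lon); coordinates are rough sample values
    "185.220.101.14": ("Germany", 50.11, 8.68),
    "175.136.0.10": ("Malaysia", 3.14, 101.69),
}
THREAT_INTEL = {
    "185.220.101.14": {"reputation": "Malicious", "tags": ["Tor Exit Node"], "blocklists": 3},
}
ASSET_CONTEXT = {
    "izzmier@client.com": {"device": "WIN-CLIENT-123", "department": "HR", "sensitivity": "Medium",
                           "usual_country": "Malaysia", "work_hours": (9, 18), "prior_alerts_30d": 0},
}
MAX_PLAUSIBLE_SPEED_KMH = 900   # assumed: faster than an airliner counts as impossible travel


@dataclass
class LoginEvent:
    user: str
    source_ip: str
    timestamp: datetime
    failed_attempts_before: int   # failed logins from this IP just before the success


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (standard haversine formula, Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def geo_velocity(previous: LoginEvent, current: LoginEvent):
    """Step 4: distance, implied speed and whether the two logins amount to impossible travel."""
    _, lat1, lon1 = GEOIP_DB[previous.source_ip]
    _, lat2, lon2 = GEOIP_DB[current.source_ip]
    km = haversine_km(lat1, lon1, lat2, lon2)
    hours = max((current.timestamp - previous.timestamp).total_seconds() / 3600, 1 / 60)
    return km, km / hours, km / hours > MAX_PLAUSIBLE_SPEED_KMH


def enrich_login(current: LoginEvent, previous: LoginEvent) -> dict:
    """Steps 2 to 6: asset context, TI, geo-velocity, user behaviour, verdict and actions."""
    asset = ASSET_CONTEXT[current.user]
    ti = THREAT_INTEL.get(current.source_ip, {"reputation": "Unknown", "tags": [], "blocklists": 0})
    country = GEOIP_DB[current.source_ip][0]
    km, speed, impossible = geo_velocity(previous, current)
    start, end = asset["work_hours"]
    indicators = {
        "malicious_ip": ti["reputation"] == "Malicious",
        "new_country": country != asset["usual_country"],
        "impossible_travel": impossible,
        "off_hours": not (start <= current.timestamp.hour < end),
        "brute_force_pattern": current.failed_attempts_before >= 5,
    }
    score = sum(indicators.values())   # one point per indicator (assumed simple scoring)
    if score >= 3 or (indicators["malicious_ip"] and indicators["impossible_travel"]):
        verdict = "Suspicious - likely credential compromise"
        actions = ["Escalate to Tier 2", "Lock account temporarily",
                   "Add host to watchlist", "Notify client with full context"]
    elif score >= 1:
        verdict, actions = "Needs analyst review", ["Assign to Tier 1 triage queue"]
    else:
        verdict, actions = "Benign", ["Close alert"]
    return {"user": current.user, "device": asset["device"], "country": country,
            "reputation": ti["reputation"], "tags": ti["tags"], "distance_km": round(km),
            "speed_kmh": round(speed), "indicators": indicators, "anomaly_score": score,
            "verdict": verdict, "actions": actions}


def sample_case() -> dict:
    """Constructed replay of the alert above: Malaysia login, then Germany 30 minutes later at 03:12."""
    previous = LoginEvent("izzmier@client.com", "175.136.0.10", datetime(2024, 4, 8, 2, 42), 0)
    current = LoginEvent("izzmier@client.com", "185.220.101.14", datetime(2024, 4, 8, 3, 12), 6)
    return enrich_login(current, previous)


def sample_benign_case() -> dict:
    """Control case: same user, usual country, office hours, no failures before the success."""
    previous = LoginEvent("izzmier@client.com", "175.136.0.10", datetime(2024, 4, 8, 9, 0), 0)
    current = LoginEvent("izzmier@client.com", "175.136.0.10", datetime(2024, 4, 8, 10, 0), 0)
    return enrich_login(current, previous)


if __name__ == "__main__":
    for key, value in sample_case().items():
        print(f"{key:14}: {value}")
```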

YEARLY TRENDLINE: MTTD (MEAN TIME TO DETECT) & MTTR (MEAN TIME TO RESPOND)

Monthly Data Snapshot (2024 - Example)

Month | MTTD (mins) | MTTR (mins)
--- | --- | ---
Jan 2024 | 18 | 92
Feb 2024 | 16 | 85
Mar 2024 | 14 | 78
Apr 2024 | 12 | 72
May 2024 | 11 | 68
Jun 2024 | 10 | 62
Jul 2024 | 9 | 59
Aug 2024 | 9 | 55
Sep 2024 | 8 | 50
Oct 2024 | 8 | 45
Nov 2024 | 7 | 42
Dec 2024 | 6 | 39

Observations:

• MTTD Improved by 66% (from 18 mins → 6 mins).
• MTTR Improved by 58% (from 92 mins → 39 mins).
• Improvements driven by:
o SOAR automation for triage and initial response
o Enhanced correlation rules
o Regular playbook tuning
o Threat intel integration for faster decision-making
