SOC Metrics & KPI Dashboard

40%

Cost & Growth Parameters

$
$
5%
SOC Capacity Score61/100
MTTD4h
MTTA0.5h
MTTR24h
MTTC8h
False Positive Rate40%
Analyst Utilization100.0%
Alert-to-Incident Ratio400:1

Cost Analysis

Cost per Alert$7.19
Cost per Incident$2,917.00
Annual SOC Cost$525,000.00

Capacity Forecast

Months to OverloadNow
Max Alerts/Day85
Analysts @ 6 Mo16
Analysts @ 12 Mo21

SOC Maturity Assessment

Overall2.8/5
Detection5.0/5
Response4.0/5
Efficiency1.0/5
Capacity1.0/5
Accuracy3.0/5

Industry Benchmark Comparison

  • Industry Avg
  • Your Value
MTTAcknowledgeMTTContainFP RateUtil.050100150200

Detailed Benchmark Table

MetricYour ValueIndustry AvgStatus
Mean Time to Detect4 hours197 hoursgood
Mean Time to Acknowledge0.5 hours1.5 hoursgood
Mean Time to Respond24 hours72 hoursgood
Mean Time to Contain8 hours24 hoursgood
False Positive Rate40 %50 %average
Analyst Utilization100 %70 %good

12-Month Alert Growth Projection

  • Alerts/Day
  • Utilization %
M0M2M4M6M8M10M120901802703600255075100

A security operations center lives or dies by its metrics, but raw MTTD and MTTR numbers mean little without context. This calculator turns your detection, response, and staffing inputs into benchmarked KPIs — analyst utilization, alert-to-incident ratio, and a composite SOC capacity score — comparing each against industry averages drawn from SANS and IBM X-Force reporting.

Formula

CapacityScore = (utilScore + fpScore + responseScore + detectScore) / 4

utilScore
100 if utilization ≤ 80%, otherwise 100 − (utilization − 80) × 5
fpScore
100 − falsePositiveRate (lower false positives score higher)
responseScore
max(0, 100 − (MTTR / 72) × 50), benchmarked to a 72-hour industry MTTR
detectScore
max(0, 100 − (MTTD / 197) × 50), benchmarked to a 197-hour industry MTTD

How it works

  1. Enter your time-based metrics (mean time to detect, acknowledge, respond, and contain), false-positive rate, analyst count, alerts per day, and weekly hours per analyst.
  2. The tool computes analyst utilization from triage workload (assuming about 20 minutes per alert), the alert-to-incident ratio, and benchmarks each metric as good, average, or poor against industry figures such as a 197-hour MTTD and 72-hour MTTR.
  3. A composite SOC capacity score (0-100) blends four equally weighted sub-scores — utilization headroom, false-positive rate, response speed versus 72h, and detection speed versus 197h — to summarize overall health.

Worked example

A SOC with 5 analysts at 40 hours/week handling 80 alerts/day, a 40% false-positive rate, MTTD of 48 hours, and MTTR of 24 hours.

  1. Utilization: triage hours/week = 80 × 7 ÷ 3 = 186.7 against 5 × 40 = 200 available, giving 93.3%, so utilScore = 100 − (93.3 − 80) × 5 = 33.3.
  2. Sub-scores: fpScore = 100 − 40 = 60; responseScore = 100 − (24/72) × 50 = 83.3; detectScore = 100 − (48/197) × 50 = 87.8.
  3. Average the four: (33.3 + 60 + 83.3 + 87.8) ÷ 4 = 66.1.

A SOC capacity score of 66 out of 100. High analyst utilization (93%) is the main drag, signalling the team is near saturation and at risk of burnout.

Frequently asked questions

What do MTTD, MTTA, MTTR, and MTTC mean?
Mean Time to Detect is how long until a threat is noticed; Mean Time to Acknowledge is until an analyst picks it up; Mean Time to Respond is until active mitigation begins; and Mean Time to Contain is until the threat is neutralized. Lower is better for all four.
What is a healthy analyst utilization level?
Around 70% is the industry target. Below that suggests spare capacity; above 80% the capacity score penalizes you because analysts have no slack for investigation, training, or surge events, which drives errors and turnover.
Where do the benchmark figures come from?
They reflect widely cited industry reporting — for example, IBM's Cost of a Data Breach puts mean time to identify a breach near 197 hours. The tool uses a 72-hour MTTR, 50% false-positive rate, and 70% utilization as reference points for the good/average/poor ratings.
How is the alert-to-incident ratio useful?
It shows how many alerts your analysts triage for each real incident. A very high ratio means heavy noise and tuning opportunities; the model uses 50:1 as a reference, so ratios well above that suggest your detections need refinement to cut false positives.