SOC Metrics & KPI Dashboard
40%
Cost & Growth Parameters
$
$
5%
SOC Capacity Score61/100
MTTD4h
MTTA0.5h
MTTR24h
MTTC8h
False Positive Rate40%
Analyst Utilization100.0%
Alert-to-Incident Ratio400:1
Cost Analysis
Cost per Alert$7.19
Cost per Incident$2,917.00
Annual SOC Cost$525,000.00
Capacity Forecast
Months to OverloadNow
Max Alerts/Day85
Analysts @ 6 Mo16
Analysts @ 12 Mo21
SOC Maturity Assessment
Overall2.8/5
Detection5.0/5
Response4.0/5
Efficiency1.0/5
Capacity1.0/5
Accuracy3.0/5
Industry Benchmark Comparison
- Industry Avg
- Your Value
Detailed Benchmark Table
| Metric | Your Value | Industry Avg | Status |
|---|---|---|---|
| Mean Time to Detect | 4 hours | 197 hours | good |
| Mean Time to Acknowledge | 0.5 hours | 1.5 hours | good |
| Mean Time to Respond | 24 hours | 72 hours | good |
| Mean Time to Contain | 8 hours | 24 hours | good |
| False Positive Rate | 40 % | 50 % | average |
| Analyst Utilization | 100 % | 70 % | good |
12-Month Alert Growth Projection
- Alerts/Day
- Utilization %
A security operations center lives or dies by its metrics, but raw MTTD and MTTR numbers mean little without context. This calculator turns your detection, response, and staffing inputs into benchmarked KPIs — analyst utilization, alert-to-incident ratio, and a composite SOC capacity score — comparing each against industry averages drawn from SANS and IBM X-Force reporting.
Formula
CapacityScore = (utilScore + fpScore + responseScore + detectScore) / 4
- utilScore
- 100 if utilization ≤ 80%, otherwise 100 − (utilization − 80) × 5
- fpScore
- 100 − falsePositiveRate (lower false positives score higher)
- responseScore
- max(0, 100 − (MTTR / 72) × 50), benchmarked to a 72-hour industry MTTR
- detectScore
- max(0, 100 − (MTTD / 197) × 50), benchmarked to a 197-hour industry MTTD
How it works
- Enter your time-based metrics (mean time to detect, acknowledge, respond, and contain), false-positive rate, analyst count, alerts per day, and weekly hours per analyst.
- The tool computes analyst utilization from triage workload (assuming about 20 minutes per alert), the alert-to-incident ratio, and benchmarks each metric as good, average, or poor against industry figures such as a 197-hour MTTD and 72-hour MTTR.
- A composite SOC capacity score (0-100) blends four equally weighted sub-scores — utilization headroom, false-positive rate, response speed versus 72h, and detection speed versus 197h — to summarize overall health.
Worked example
A SOC with 5 analysts at 40 hours/week handling 80 alerts/day, a 40% false-positive rate, MTTD of 48 hours, and MTTR of 24 hours.
- Utilization: triage hours/week = 80 × 7 ÷ 3 = 186.7 against 5 × 40 = 200 available, giving 93.3%, so utilScore = 100 − (93.3 − 80) × 5 = 33.3.
- Sub-scores: fpScore = 100 − 40 = 60; responseScore = 100 − (24/72) × 50 = 83.3; detectScore = 100 − (48/197) × 50 = 87.8.
- Average the four: (33.3 + 60 + 83.3 + 87.8) ÷ 4 = 66.1.
A SOC capacity score of 66 out of 100. High analyst utilization (93%) is the main drag, signalling the team is near saturation and at risk of burnout.
Frequently asked questions
- What do MTTD, MTTA, MTTR, and MTTC mean?
- Mean Time to Detect is how long until a threat is noticed; Mean Time to Acknowledge is until an analyst picks it up; Mean Time to Respond is until active mitigation begins; and Mean Time to Contain is until the threat is neutralized. Lower is better for all four.
- What is a healthy analyst utilization level?
- Around 70% is the industry target. Below that suggests spare capacity; above 80% the capacity score penalizes you because analysts have no slack for investigation, training, or surge events, which drives errors and turnover.
- Where do the benchmark figures come from?
- They reflect widely cited industry reporting — for example, IBM's Cost of a Data Breach puts mean time to identify a breach near 197 hours. The tool uses a 72-hour MTTR, 50% false-positive rate, and 70% utilization as reference points for the good/average/poor ratings.
- How is the alert-to-incident ratio useful?
- It shows how many alerts your analysts triage for each real incident. A very high ratio means heavy noise and tuning opportunities; the model uses 50:1 as a reference, so ratios well above that suggest your detections need refinement to cut false positives.