Most SOC metrics reports are built backwards. They start with data that's easy to pull — alert count, tickets closed, events processed — and present it to leadership as if volume is the story. It isn't.
Leadership needs to know two things: are we catching real threats, and how fast. Everything else is operational noise. Here's how to build a metrics program that answers those two questions honestly, and how to present it to people who don't speak SPL.
The Metrics That Actually Tell You Something
The Metrics That Look Good But Don't Tell You Anything
- Total alerts processed — volume isn't quality. More alerts usually means worse tuning, not more threats found.
- Tickets closed — closing tickets fast is easy when you close them without investigating. This metric rewards speed over quality.
- Events per second ingested — a data volume metric that tells you about your SIEM bill, not your security posture.
- Uptime / availability — worth tracking operationally but irrelevant to whether you're actually detecting threats.
If your SOC metrics go up every quarter regardless of whether you're actually improving, they're vanity metrics. Real metrics expose problems — that's what makes them useful. A detection coverage number that stays flat is telling you something important.
Calculating MTTD and MTTR from Your SIEM
Sentinel KQL — MTTR from incident data
True MTTD requires retrospective timeline reconstruction from incident data — you need to know when the attacker's first action occurred, which only comes from IR investigation. The query below calculates alert-to-close time (a proxy for MTTR), not true MTTD.
Presenting Metrics to Non-Technical Leadership
The translation problem is real. "Our MTTD improved from 4.2 hours to 2.8 hours this quarter" means something to a SOC analyst. It means nothing to a CFO or a board member.
Three framing principles that actually work:
- Translate time to business impact — "In the time it took us to detect the last comparable sector breach, an attacker could have accessed approximately X systems and exfiltrated Y GB. Our current MTTD of 2.8 hours limits that window to Z."
- Use the coverage gap as a risk statement — "We have high-confidence detection on 58% of the techniques used in the recent financial sector campaign. The 42% gap represents techniques where an attacker could operate undetected. Our next quarter roadmap closes 12 of those gaps."
- Show trends, not snapshots — a single quarter's numbers are noise. A four-quarter trend line tells a story. FPR trending down plus MTTD trending down is a story about a maturing program.
Analysts who can translate SOC metrics into business risk language get promoted faster than analysts who are technically excellent but can't communicate upward. This is a skill worth developing deliberately, not just picking up eventually.
Building a Monthly Metrics Report
One page, delivered monthly. Four sections:
- Executive summary — three bullets: what we detected, MTTD/MTTR this month vs last month, one coverage gap we closed
- Detection quality — FPR trend, notable true positives, any rules added or retired
- Coverage progress — ATT&CK coverage map (screenshot from Navigator), L3 technique count, quarter-over-quarter change
- Next 30 days — what hunts are planned, what rules are in the build queue, what data gaps are being addressed
One page forces prioritization. If leadership wants more detail they'll ask. Starting with a 20-page deck means the important numbers get buried.
Every subscriber gets access to monthly Office Hours with a 10-year SOC veteran. Metrics programs, leadership reporting, detection program structure — the kind of questions that don't have a Stack Overflow answer. Plus a new detection rule, case study, and hunt query every Tuesday.
Join — $14.99/mo See a Sample Issue