Most SOC metrics reports are built backwards. They start with data that's easy to pull — alert count, tickets closed, events processed — and present it to leadership as if volume is the story. It isn't.

Leadership needs to know two things: are we catching real threats, and how fast. Everything else is operational noise. Here's how to build a metrics program that answers those two questions honestly, and how to present it to people who don't speak SPL.

The Metrics That Actually Tell You Something

MTTD
Mean Time to Detect
Time of First Malicious Activity → Time of First Alert
How long does it take your environment to generate an alert after an attacker starts doing something? This requires retrospective analysis — after each confirmed incident, reconstruct the timeline and measure the gap. An MTTD you measure only from alert time is meaningless.
Target: Under 1 hour for high-severity techniques in covered areas
MTTR
Mean Time to Respond
Time of First Alert → Time Threat is Contained
Not time to close the ticket. Time to contain the threat — account disabled, host isolated, malicious process terminated. These are different things and conflating them makes MTTR look better than it is. Track them separately: time to first analyst action, and time to containment action.
Target: Under 4 hours for high-severity, under 24 hours for medium
FPR
False Positive Rate
False Positive Alerts ÷ Total Alerts × 100
The metric that exposes detection rule quality. A high FPR means analysts are spending investigation time on noise instead of real threats, which directly degrades MTTD and MTTR because real alerts get lost in the queue. Track per-rule, not just aggregate — one badly tuned rule can destroy your overall number.
Target: Under 10% per rule, under 20% aggregate
DC
Detection Coverage
L3 Techniques ÷ Relevant Techniques in Threat Profile × 100
What percentage of the techniques used by actors targeting your sector do you have high-confidence detection for? This is your most important strategic metric and the hardest to measure honestly. Denominator is your threat profile, not the full ATT&CK matrix.
Target: 60%+ L3 coverage on threat-profile techniques, trending upward quarterly

The Metrics That Look Good But Don't Tell You Anything

The vanity metric trap

If your SOC metrics go up every quarter regardless of whether you're actually improving, they're vanity metrics. Real metrics expose problems — that's what makes them useful. A detection coverage number that stays flat is telling you something important.

Calculating MTTD and MTTR from Your SIEM

Sentinel KQL — MTTR from incident data

Note on MTTD

True MTTD requires retrospective timeline reconstruction from incident data — you need to know when the attacker's first action occurred, which only comes from IR investigation. The query below calculates alert-to-close time (a proxy for MTTR), not true MTTD.

Presenting Metrics to Non-Technical Leadership

The translation problem is real. "Our MTTD improved from 4.2 hours to 2.8 hours this quarter" means something to a SOC analyst. It means nothing to a CFO or a board member.

Three framing principles that actually work:

Career note

Analysts who can translate SOC metrics into business risk language get promoted faster than analysts who are technically excellent but can't communicate upward. This is a skill worth developing deliberately, not just picking up eventually.

Building a Monthly Metrics Report

One page, delivered monthly. Four sections:

One page forces prioritization. If leadership wants more detail they'll ask. Starting with a 20-page deck means the important numbers get buried.

Weekly Intelligence Pack
Monthly Office Hours — ask directly

Every subscriber gets access to monthly Office Hours with a 10-year SOC veteran. Metrics programs, leadership reporting, detection program structure — the kind of questions that don't have a Stack Overflow answer. Plus a new detection rule, case study, and hunt query every Tuesday.

Join — $14.99/mo See a Sample Issue
Founding member pricing locked for life · 30-day money back