About this program
Whether you run a SOC in-house or use an MSSP — a quick check on coverage, tooling, response time and reporting.
Risks addressed
- High: No coverage outside business hours
- Critical: Alert fatigue, so real incidents are missed
- High: No documented runbooks for top incident types
Controls (7)
- 24x7 coverage (in-house or MSSP)
  Severity: Critical
  Testing procedure: Documented rota / MSSP SLA covering nights, weekends and holidays.
  Evidence to collect: Rota / contract.
- Mean-Time-To-Detect tracked + trending
  Severity: High
  Testing procedure: MTTD metric reported monthly with trend.
  Evidence to collect: SOC dashboard.
- Mean-Time-To-Respond tracked
  Severity: High
  Testing procedure: MTTR per severity reported.
  Evidence to collect: SOC dashboard.
- Runbooks for top 10 alert types
  Severity: High
  Testing procedure: Documented playbooks; analysts can step through them without senior help.
  Evidence to collect: Runbook library.
- Use-case engineering / detection coverage
  Severity: Medium
  Testing procedure: Detections mapped to MITRE ATT&CK and reviewed quarterly.
  Evidence to collect: Detection inventory.
- Quarterly purple-team exercises
  Severity: Medium
  Testing procedure: Detection effectiveness tested with red-team / purple-team scenarios.
  Evidence to collect: Test reports.
- False-positive rate tracked + trending down
  Severity: Medium
  Testing procedure: FP rate < 30% on top alert types; tuning meeting cadence in place.
  Evidence to collect: Tuning minutes.
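As an added example (not part of this checklist), the three metrics the MTTD, MTTR and false-positive controls ask for, computed over a constructed batch of alert records; the Alert structure, alert types, severities and timestamps are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample alerts (not real SOC data). occurred = first malicious event,
# detected = alert raised, closed = response action finished.
@dataclass
class Alert:
    alert_type: str
    severity: str
    true_positive: bool
    occurred: datetime
    detected: datetime
    closed: datetime

_t = datetime.fromisoformat

ALERTS = [
    Alert("phishing", "High", True, _t("2024-05-01T08:00"), _t("2024-05-01T08:30"), _t("2024-05-01T10:30")),
    Alert("phishing", "High", False, _t("2024-05-01T09:00"), _t("2024-05-01T09:05"), _t("2024-05-01T09:20")),
    Alert("phishing", "High", False, _t("2024-05-02T11:00"), _t("2024-05-02T11:02"), _t("2024-05-02T11:10")),
    Alert("malware", "Critical", True, _t("2024-05-02T01:00"), _t("2024-05-02T02:00"), _t("2024-05-02T03:00")),
    Alert("malware", "Critical", True, _t("2024-05-03T22:00"), _t("2024-05-03T22:30"), _t("2024-05-04T00:30")),
    Alert("brute_force", "Medium", False, _t("2024-05-04T14:00"), _t("2024-05-04T14:01"), _t("2024-05-04T14:05")),
]

def minutes(start, end):
    return (end - start).total_seconds() / 60

def mttd_minutes(alerts):
    """Mean time to detect (occurred -> detected) over true positives only:
    a false positive has no real incident whose detection delay could be measured."""
    tp = [a for a in alerts if a.true_positive]
    return sum(minutes(a.occurred, a.detected) for a in tp) / len(tp)

def mttr_by_severity(alerts):
    """Mean time to respond (detected -> closed) per severity, true positives only."""
    buckets = defaultdict(list)
    for a in alerts:
        if a.true_positive:
            buckets[a.severity].append(minutes(a.detected, a.closed))
    return {sev: sum(v) / len(v) for sev, v in buckets.items()}

def fp_rate_by_type(alerts):
    """Share of alerts per type that analysts closed as false positives."""
    total, fps = defaultdict(int), defaultdict(int)
    for a in alerts:
        total[a.alert_type] += 1
        fps[a.alert_type] += int(not a.true_positive)
    return {t: fps[t] / total[t] for t in total}

def types_needing_tuning(alerts, threshold=0.30):
    """Alert types above the checklist's 30% FP target, worst first; feed to the tuning meeting."""
    rates = fp_rate_by_type(alerts)
    return sorted((t for t, r in rates.items() if r > threshold), key=lambda t: -rates[t])
```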