Metrics for Threat Detection Engineering
Table of Contents
- Introduction
- Scope
- Definitions
- Metric Tiers
- KPIs vs KRIs vs Operational Metrics
- The Purpose and Pitfalls of Metrics
- How to Read This Catalog
- Primary Metrics
- Secondary Metrics
- Tertiary Metrics
Introduction
Program metrics for threat detection are quantifiable measures that evaluate how well an organization detects threats, reduces noise, and adapts to an evolving adversary landscape. They provide the visibility needed to assess detection coverage, validate engineering investments, and drive continuous improvement across a security program.
Scope
The scope encompasses all components of the threat detection framework — alerting, automation, operational processes, and response playbooks. This end-to-end coverage ensures threats are not only identified through detection rules and alerting mechanisms, but are also triaged, enriched, and escalated through automated workflows.
Definitions
The following terms are used throughout this document. Because tooling and platform vendors often use overlapping or inconsistent terminology, these definitions establish a common language for the purposes of this guide.
Detection is the process of identifying potentially malicious, unauthorized, or abnormal activity within an environment by analyzing data from sources such as logs, network traffic, endpoints, and user behavior. Detections are implemented as rules, signatures, behavioral analytics, or machine learning models that surface threats which may compromise confidentiality, integrity, or availability. Detection is the first step in the threat response lifecycle, enabling timely investigation and mitigation of security risks.
Alerts are security events generated by detections when predefined conditions are met — such as unusual login activity, malware signatures, or suspicious network behavior. An alert signals that something may require attention but does not by itself confirm malicious activity. Alerts are the raw input to the investigation process.
Tickets are formal records created to track, investigate, and manage security alerts through their lifecycle. A ticket typically includes the triggering alert, related systems or users, timestamps, analyst notes, and current investigation status. Tickets ensure accountability, enable cross-team collaboration, and provide an auditable trail from detection through resolution or escalation. They are commonly managed through case management systems, SOAR platforms, or integrated tools such as Jira or ServiceNow.
Cases are the primary unit of investigation in a modern detection program. A case correlates one or more disparate alerts into a unified, reviewable record — allowing analysts to understand related activity across different systems, users, or timeframes as a single narrative rather than isolated signals.
A note on terminology: Many platforms and teams use incident and case interchangeably, and some products use incident as the default term for what this document calls a case. The distinction matters because it reflects a shift in how detection programs think about investigation: moving from managing individual alerts to reasoning about correlated activity. Where your tooling uses incident, treat it as equivalent to case in the context of this guide. The term incident is preserved here only where it refers specifically to a confirmed threat requiring formal response — a subset of cases, not a synonym.
Playbooks are structured automation workflows attached to detections or cases that define the sequence of actions to be taken in response to a specific alert type or threat scenario. A playbook encodes institutional knowledge — triage steps, enrichment queries, escalation logic, and remediation actions — into a repeatable, auditable process. Playbooks reduce analyst decision fatigue, enforce consistency, and serve as the connective tissue between detection and response.
Automation refers to the execution of discrete actions triggered by a detection, alert, or playbook without requiring manual analyst intervention. Automation actions may include enriching an alert with threat intelligence, isolating an endpoint, blocking an IP, creating a ticket, or notifying a stakeholder. While playbooks define what should happen, automation is what actually executes. The effectiveness of automation is a measurable property of the program and a key input to several metrics in this guide.
Metric Tiers
Metrics are organized into three tiers that define audience, cadence, and purpose.
Primary
Primary metrics prove program value to leadership. They answer "is the program working?" and map directly to organizational risk reduction. Reported monthly to executives and stakeholders, these metrics should be few in number and highly trusted.
Secondary
Secondary metrics guide engineering decisions. They explain why primary metrics look the way they do and help diagnose gaps in detection coverage, fidelity, and playbook health. Reported weekly to engineering leads.
Tertiary
Tertiary metrics track operational hygiene and program maturity. Internal to the Detection Engineering team, they surface things like rule volume, stale detections, and deployment frequency — used continuously to keep the program healthy rather than to prove value externally.
KPIs vs KRIs vs Operational Metrics
Before diving into the metrics themselves, it is important to understand that not every metric serves the same purpose. Each metric in this guide is classified as one of three types — KPI, KRI, or Operational — reflecting the nature of what it measures, who it serves, and what it drives.
Key Performance Indicator (KPI)
A KPI measures how effectively you are executing. It is backward-looking or current-state — "here is what we achieved." When you report Mean Time to Detect, True Positive Rate, or playbook completion, you are answering the question "how well are we performing?"
KPIs are subdivided into three tiers that define who consumes the metric, what decision it supports, and how frequently it is reported:
- Primary — metrics that demonstrate program value to leadership, mapping directly to organizational risk reduction
- Secondary — metrics that guide engineering improvements, explaining why primary metrics look the way they do and diagnosing gaps in coverage, fidelity, and playbook health
- Tertiary — metrics that monitor platform health, operational hygiene, and program maturity over time
Key Risk Indicator (KRI)
A KRI is a forward-looking early warning signal. It measures exposure and likelihood of future failure — "here is where we might break." KRIs sit outside the tier hierarchy entirely because they serve a different function: they trigger action before a problem surfaces in your KPIs. A KRI is not reported on a cadence — it is escalated when it moves.
If a KRI starts trending in the wrong direction — a coverage gap growing, log ingestion failures increasing, detection rule staleness climbing — you want that escalated regardless of whether your MTTD and True Positive Rate still look healthy. KRIs are your canary; KPIs confirm whether the canary was right.
Operational
An Operational metric supports the day-to-day execution of the detection engineering team. It is not reported upward and does not measure risk exposure — it exists to help the team operate effectively, maintain quality, and stay self-aware. Operational metrics are internal by design and do not carry the audience or cadence expectations of a KPI.
Operational metrics matter because they represent the earliest stage of a metric's lifecycle. A metric that starts as internal team hygiene may, as the program matures, become relevant enough to report upward — at which point it gets promoted to a KPI. This promotion path is intentional. What is Operational today may be a Primary KPI in twelve months as the program grows and leadership begins asking the questions that metric answers.
Why the distinction matters in practice.
A program that tracks only KPIs is flying with instrumentation that tells you how the last flight went. KRIs tell you the engine is running hot before something fails. Operational metrics tell you whether the crew is ready to fly at all. A mature detection engineering program treats all three as essential and knows when each one should drive a conversation.
The Purpose and Pitfalls of Metrics
Metrics are a storytelling tool. They exist to communicate the health, effectiveness, and risk posture of your detection program to the people who need to act on that information. But like any tool, they can be misused — and in security programs, misused metrics don't just produce bad reports, they produce bad behavior.
Before building out a metrics program, every detection engineering team should understand two well-documented failure modes.
Goodhart's Law
"When a measure becomes a target, it ceases to be a good measure."
Goodhart's Law is the most common way metrics programs quietly degrade. It happens when the number itself becomes the goal rather than the outcome the number was meant to represent. In detection engineering this surfaces in subtle but damaging ways: a team pressured to improve Mean Time to Respond starts closing alerts faster without completing investigations. A program measured on alert volume ships low-fidelity detections to hit a number. On paper, the metrics improve. In practice, the program is moving backwards.
The fix is not to stop measuring — it is to measure outcomes, not outputs, and to pair every metric with enough context that gaming it produces no advantage. A True Positive Rate reported alongside investigation quality tells a fuller story than either number alone.
The Cobra Effect
The Cobra Effect describes what happens when an incentive produces the exact opposite of its intended result. The name comes from colonial India, where a bounty on cobras was introduced to reduce the population — and instead incentivized people to breed them.
In detection engineering, the equivalent is rewarding rule count as a proxy for coverage. Engineers respond rationally to the incentive and ship more rules — but those rules are low-fidelity, poorly tuned, and increase analyst fatigue without meaningfully improving detection capability. The coverage metric looks healthy; the program's actual ability to detect threats has degraded.
Any metric tied to volume — rules deployed, alerts generated, playbooks written — carries Cobra Effect risk if it is not balanced against a quality signal.
What This Means for Your Program
The sections that follow provide a catalog of metrics worth tracking across the Primary, Secondary, and Tertiary tiers. Not all of them will be right for your program at every stage of maturity, and not all of them need to be reported to every audience. Use them as a starting point, not a checklist.
The visibility matrix accompanying each metric is designed to help you ask the right question before you report anything: who needs this number, what decision does it support, and what behavior does tracking it incentivize? If you cannot answer all three, the metric is not ready to be a target.
How to Read This Catalog
Each metric in this catalog is presented in a consistent format — a short narrative description followed by a detail table. The table fields are standardized across every metric so the document can be used as a quick reference as well as a guide. Here is what each field means:
Definition — what the metric measures in plain language.
Formula — the mathematical expression used to calculate the metric. Some metrics include multiple formulas where different calculation methods apply.
Tier — whether the metric belongs to the Primary, Secondary, or Tertiary tier as defined in the Metric Tiers section.
Type — whether the metric is a KPI, KRI, or Operational metric as defined in the KPIs vs KRIs vs Operational Metrics section.
Preferred Collection Method — how the metric should ideally be collected in a healthy program:
- Ad-Hoc describes any metric that requires manual intervention to collect, even if parts of the process are automated. If an analyst must touch, pull, transform, or assemble data at any point in the process, the metric is ad-hoc. This is not a permanent state — it is a signal that instrumentation or automation is missing.
- Automatic describes any metric that can be produced and delivered without manual intervention. The underlying data is instrumented, processed, and reported automatically. Automatic is the target state for all metrics in a mature detection program.
Cadence — how frequently the metric should be reported or reviewed.
Visibility — which audiences should receive or have access to this metric.
Dependencies — the data sources, integrations, platform capabilities, or program conditions that must be in place before the metric can be collected. A metric that cannot be collected because its foundational data does not exist is not a gap in reporting — it is a gap in instrumentation. Dependencies are broken into layers where relevant:
- Analytical Layer — the platforms or systems where the data lives
- Key Fields — the specific data fields required to calculate the metric
- Requirements — any additional conditions or instrumentation that must be in place
Notes — any critical context, caveats, cross-references to related metrics, or pitfalls specific to that metric.
Primary Metrics
Primary metrics are the core indicators of a threat detection program's effectiveness. They directly measure the program's ability to identify, alert on, and respond to real threats in a timely and accurate manner. These metrics align closely with organizational risk reduction goals and are reported to leadership and stakeholders as key performance indicators (KPIs).
True Positive Rate (TPR)
The True Positive Rate measures the percentage of tickets confirmed as actual security threats. It is the clearest signal of detection fidelity — how well the program distinguishes real threats from noise.
| Metric Attribute |
Details |
| Definition |
The percentage of alerts or tickets created that are confirmed as actual security threats |
| Formula |
(True Positives / Total Tickets) × 100 |
| Tier |
Primary |
| Type |
KPI |
| Preferred Collection Method |
Automatic |
| Cadence |
Monthly |
| Visibility |
Leadership, Engineering Lead, Detection Engineering Team |
| Dependencies |
Data Layer: SIEM, Case Management System Analytical Layer: Ticket Resolution Data, Ticket Disposition Data |
| Notes |
TPR is only as trustworthy as the disposition process behind it — if analysts are not closing tickets with structured, queryable outcomes, this number cannot be trusted. Read alongside FPR for a complete picture of detection fidelity. |
False Positive Rate (FPR)
The False Positive Rate measures the percentage of alerts or tickets that were triggered but later identified as benign or not security-relevant. A high FPR is a direct driver of alert fatigue, eroding analyst trust in the detection program and reducing overall SOC efficiency over time.
| Metric Attribute |
Details |
| Definition |
The percentage of alerts or tickets triggered that were identified as benign or not security-relevant |
| Formula |
(False Positives / Total Tickets) × 100 |
| Tier |
Primary |
| Type |
KPI |
| Preferred Collection Method |
Automatic |
| Cadence |
Monthly |
| Visibility |
Leadership, Engineering Lead, Detection Engineering Team |
| Dependencies |
Data Layer: SIEM, Case Management System Analytical Layer: Ticket Resolution Data, Ticket Disposition Data |
| Notes |
FPR should be read alongside TPR — a low FPR means little if TPR is also low. A rising FPR is an early signal of detection tuning debt and a leading indicator of analyst fatigue. |
Mean Time to Detect (MTTD)
Mean Time to Detect measures the average time from when a threat event first occurs in the environment to when an analyst or automated agent is assigned and actively reviewing it. This metric captures the full detection chain — from raw event to human eyes — and is one of the most direct indicators of how quickly the program surfaces real threats.
| Metric Attribute |
Details |
| Definition |
The average time elapsed from threat event occurrence to analyst or agent assignment |
| Formula |
Sum of (Analyst Assignment Time − Event Time) / Total Tickets |
| Tier |
Primary |
| Type |
KPI |
| Preferred Collection Method |
Automatic |
| Cadence |
Monthly |
| Visibility |
Leadership, Engineering Lead, Detection Engineering Team |
| Dependencies |
Data Layer: SIEM (Event Time, Alert Time), Case Management System (Ticket Creation Time, Analyst Assignment Time) Key Fields: Event Time, Alert Time, Ticket Creation Time, Analyst Assignment Time |
| Notes |
MTTD is not a measure of detectability — it is a measure of detection delivery. It reflects how efficiently the detection pipeline moves a threat from raw event to analyst hands. Spikes in MTTD should be investigated as pipeline or data quality issues first: missing event timestamps, unassigned tickets, or ingestion gaps will skew this metric before any true detection gap is considered. |
Mean Time to Respond (MTTR)
Mean Time to Respond measures the average time from ticket disposition to response completion. While MTTR is primarily a CSIRT metric, it is important for the detection engineering team to track — it provides visibility into how detections perform end-to-end and whether the program is contributing to timely threat resolution.
| Metric Attribute |
Details |
| Definition |
The average time elapsed from ticket disposition to response completion |
| Formula |
Sum of (Response Completion Time − Ticket Disposition Time) / Total Tickets |
| Tier |
Primary |
| Type |
KPI |
| Preferred Collection Method |
Automatic |
| Cadence |
Monthly |
| Visibility |
Leadership, Engineering Lead, Detection Engineering Team |
| Dependencies |
Data Layer: Case Management System (Ticket Disposition Time, Response Completion Time) Key Fields: Ticket Disposition Time, Response Completion Time |
| Notes |
Response completion may be defined differently across programs and platforms — ensure a consistent definition is established before tracking this metric. Detection engineering should treat MTTR as a shared signal with CSIRT rather than a metric they own outright. |
Automated Response Rate (ARR)
Automated Response Rate measures the percentage of tickets where automation fully or partially determined the outcome through disposition analysis. This metric is a direct indicator of automation maturity — tracking both rates separately reveals how much of the ticket lifecycle the program has truly automated versus how much still relies on human decision making.
| Metric Attribute |
Details |
| Definition |
The percentage of tickets fully or partially resolved through automated disposition |
| Formula — Full Automation Rate |
(Tickets Fully Resolved by Automation / Total Tickets) × 100 |
| Formula — Partial Automation Rate |
(Tickets Partially Handled by Automation / Total Tickets) × 100 |
| Tier |
Primary |
| Type |
KPI |
| Preferred Collection Method |
Automatic |
| Cadence |
Monthly |
| Visibility |
Leadership, Engineering Lead, Detection Engineering Team |
| Dependencies |
Data Layer: Case Management System, SOAR Platform Key Fields: Ticket Disposition Data, Automation Outcome Data, Resolution Source (Automated vs Manual) Requirements: Case and ticket dispositions must explicitly attribute closure or resolution to automation — human and automated closures must be distinguishable in the data. Automation actions taken on cases must be logged in a queryable format so that tickets touched by automated tasks can be derived. Without these attribution requirements in place, this metric cannot be accurately calculated. |
| Notes |
A high partial automation rate should not be mistaken for a mature automation program — it may indicate that automation is assisting but humans are still carrying the decision. The goal over time is to shift tickets from partial to full automation. A large gap between the two rates is a signal of where automation investment is needed. |
False Positive Reduction (FPR Reduction)
False Positive Reduction measures the percentage decrease in false positives over a defined period as a result of automated enrichment and triage improvements. Unlike FPR which is a point-in-time snapshot, this metric is a continuous improvement trend — tracked week over week or month over month to validate that automation and tuning investments are meaningfully reducing noise over time.
| Metric Attribute |
Details |
| Definition |
The percentage decrease in false positives over a defined period attributable to automated enrichment and triage |
| Formula |
((FPR Previous Period − FPR Current Period) / FPR Previous Period) × 100 |
| Tier |
Primary |
| Type |
KPI |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Leadership, Engineering Lead, Detection Engineering Team |
| Dependencies |
Data Layer: SIEM, Case Management System, SOAR Platform Key Fields: Ticket Disposition Data, False Positive Disposition Records, Automation Action Logs Requirements: Consistent false positive disposition taxonomy must be in place across periods — if the definition of a false positive changes between periods, trend comparisons become invalid. |
| Notes |
A flat or worsening trend is a direct signal that automation and tuning efforts are not keeping pace with detection growth. This metric should be reviewed alongside Automated Response Rate — if ARR is growing but FPR Reduction is flat, automation may be closing tickets without actually addressing the underlying noise problem. |
Secondary Metrics
Secondary metrics are supporting indicators that provide context and insight into the factors influencing primary metric outcomes. While they do not directly measure detection effectiveness, they offer visibility into breadth, quality, coverage, and performance across systems and processes. These metrics help diagnose gaps, justify tuning efforts, and inform decision-making around detection strategy.
Detection Coverage
Detection Coverage measures the proportion of relevant MITRE ATT&CK techniques that are monitored by active detection rules in the environment. It is broken down into three sub-metrics — Tactic Coverage, Technique Coverage, and APT Coverage — each providing a different lens on how broadly and specifically the detection program addresses the threat landscape. Together they answer the question: what general coverage do we have over adversaries?
Important: Coverage does not translate to detection success. The adversary landscape is continuously evolving — new tactics, techniques, and procedures emerge regularly, making complete coverage an unrealistic and misleading target. Coverage metrics should instead be treated as operational intelligence on your detection library: a tool for understanding potential gaps, framing detection objectives, and informing engagement activities such as Purple Teaming exercises. They also provide a level of traceability between detections and the adversarial techniques they are designed to address. Use coverage to drive conversations, not to declare victory.
MITRE ATT&CK Coverage
MITRE ATT&CK Coverage measures the percentage of MITRE ATT&CK techniques within each tactic that have active detection logic mapped to them. Coverage at this level provides a broad view of where the detection program has visibility and where entire adversary objectives may go unmonitored.
| Metric Attribute |
Details |
| Definition |
The percentage of MITRE ATT&CK techniques within each tactic that are covered by at least one active detection rule |
| Formula |
(Techniques with Active Detection Logic / Total MITRE ATT&CK Techniques per Tactic) × 100 |
| Tier |
Secondary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Data Layer: Detection Rule Repository, MITRE ATT&CK Framework Key Fields: Active Rule Status, Technique Mapping per Rule Requirements: Detection logic must be tagged with MITRE ATT&CK technique mappings — either natively within the detection platform or maintained automatically through CI/CD pipelines. Without consistent and accurate tagging, coverage calculations will be incomplete or misleading. |
| Notes |
Tactic Coverage is a breadth signal — a high score does not mean threats are being caught, only that at least one rule exists per tactic. A tactic with a single low-fidelity rule still counts as covered. The accuracy of this metric is entirely dependent on the quality of MITRE tagging metadata on detection rules — untagged or incorrectly tagged rules will produce an inaccurate coverage picture. |
Detection Fidelity
Detection Fidelity is a composite metric that reflects the reliability, confidence, and actionability of a detection rule. Rather than measuring a single data point, it combines multiple signals — data source quality, historical trigger rate, and true and false positive rates — into a single score per rule. This gives detection engineers a normalized view of how trustworthy any given detection is and where tuning investment is most needed.
| Metric Attribute |
Details |
| Definition |
A composite score reflecting the reliability, confidence, and actionability of a detection rule based on data source quality, historical trigger rate, and true and false positive rates |
| Formula |
Fidelity Score = (Data Source Quality × W1) + (Historical Trigger Rate × W2) + (TPR × W3) + ((1 − FPR) × W4) × 100 |
| Formula Notes |
Each component is scored on a 0–1 scale. Weights (W1–W4) are configurable per program and must sum to 1. Example weighting: Data Source Quality 20%, Historical Trigger Rate 20%, TPR 40%, Inverse FPR 20%. TPR carries the heaviest weight as the most direct signal of rule effectiveness. |
| Tier |
Secondary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: SIEM or Data Platform (Historical Trigger Rate, TPR, FPR per Rule), Case Management System (Disposition Data) Requirements: Data sources must be cataloged and scored or rated for quality — this includes data completeness, parsing quality, and event fidelity. These ratings feed directly into the Data Source Quality component of the formula. Without a maintained data source inventory with quality scores, this component of the fidelity calculation cannot be reliably populated and will produce an incomplete or arbitrary score. |
| Notes |
Weights should be defined and agreed upon by the detection engineering team before this metric is tracked — changing weights between periods invalidates trend comparisons. This metric is most valuable at the individual rule level for prioritizing tuning efforts rather than as a program-wide aggregate. |
Detection Latency
Detection Latency measures the time delay between when an event occurs in the environment and when it is processed and alerted by the detection system. This is a purely infrastructure and pipeline metric — it isolates the detection system's processing speed from any human or operational factors. Unlike MTTD which measures the full delivery chain to an analyst, Detection Latency ends the moment the alert fires.
| Metric Attribute |
Details |
| Definition |
The time elapsed between event occurrence and alert generation by the detection system |
| Formula |
Sum of (Alert Time − Event Time) / Total Alerts |
| Tier |
Secondary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Continuous / Weekly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: SIEM or Data Platform Key Fields: Event Time, Alert Time Requirements: Event timestamps must be accurately preserved through ingestion — normalization or parsing errors that alter event timestamps will directly skew this metric. |
| Notes |
Spikes in Detection Latency are an infrastructure signal first — check ingestion pipelines, parsing performance, and data platform health before drawing conclusions about detection logic. High latency here will inflate MTTD downstream and should be treated as an engineering priority. |
Incident Conversion
Incident Conversion measures the total number of tickets that are confirmed as incidents over a given period. A ticket converts to an incident when it is validated as a real threat requiring formal response — typically reflected through a priority escalation or disposition change in the case management system, such as a ticket moving from a sub-priority alert to a Sev1. This metric provides visibility into how many detections are resulting in real incidents and is a direct signal of threat activity in the environment.
| Metric Attribute |
Details |
| Definition |
The total number of tickets confirmed as incidents within a given period, as indicated by priority escalation or disposition change |
| Formula |
Count of Tickets where Priority Escalation or Incident Disposition is recorded within the period |
| Tier |
Secondary |
| Type |
KPI |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Leadership, Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Case Management System Key Fields: Ticket Priority, Disposition Metadata, Escalation Timestamp Requirements: Organizations must have a defined and consistently applied method for marking incident conversion — either through priority escalation logic or explicit disposition metadata. How this is implemented is highly dependent on organizational structure and how detections are serviced and delivered. Without a consistent escalation or disposition taxonomy, this metric cannot be reliably calculated. |
| Notes |
Incident Conversion is organizationally dependent — what constitutes an incident, and how a ticket is escalated to one, varies across programs and team structures. Establish and document your organization's conversion criteria before tracking this metric to ensure consistency across periods. |
Time to Tune
Time to Tune measures the average duration from when a tuning recommendation is made to when it is implemented. It is a direct measure of how quickly the detection engineering team responds to and resolves detection debt. As technology and automation capability evolve, the workflow that drives this metric changes — but the formula remains consistent regardless of how the recommendation was generated or how the implementation was executed.
| Metric Attribute |
Details |
| Definition |
The average time elapsed from a tuning recommendation being made to the detection rule being updated with the recommendation |
| Formula |
Sum of (Tuning Resolution Time − Tuning Request Time) / Total Tuning Requests |
| Tier |
Secondary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Detection Rule Repository, Case Management System or Ticketing Platform Key Fields: Tuning Request Timestamp, Tuning Resolution Timestamp, Rule Update Log Requirements: A consistent method for logging tuning requests and their resolution must be in place. The definition of Request Time and Resolution Time will vary by workflow model — see Notes. |
| Notes |
Time to Tune operates across three workflow models depending on program maturity. The formula is consistent across all three — what changes is what constitutes the Request Time and Resolution Time. Ensure these timestamps are consistently defined and logged before tracking this metric across periods. Workflow Models: (1) Automated Recommendation + Human Implementation — the system generates a tuning recommendation; an engineer reviews and implements it. (2) Agentic — an agent prescribes a recommendation; a human makes the deterministic accept or reject decision before implementation. (3) Fully Human — an analyst identifies the issue and opens a tuning ticket; an engineer reviews and updates the rule. |
Control Mapping Rate
Control Mapping Rate measures the percentage of critical security controls that are mapped to at least one active detection rule, ensuring the detection program maintains alignment with the organization's control framework. For organizations without a formally adopted control framework, detection rules can be aligned to security domains such as Network, Endpoint, Web, SaaS, or Identity as a proxy — achieving the same goal of traceability between detections and what they are designed to protect.
| Metric Attribute |
Details |
| Definition |
The percentage of critical security controls or security domains mapped to at least one active detection rule |
| Formula — Formal Framework |
(Controls Mapped to at least one Active Detection Rule / Total Critical Security Controls) × 100 |
| Formula — Domain Based |
(Security Domains with at least one Active Detection Rule / Total Defined Security Domains) × 100 |
| Tier |
Secondary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Detection Rule Repository, Control Framework or Domain Taxonomy Key Fields: Control or Domain Mapping per Rule, Active Rule Status Requirements: The organization must have either a formally adopted control framework or a defined set of security domains before this metric can be calculated. Detection rules must be tagged with their corresponding control or domain mapping — without this tagging the metric cannot be derived. |
| Notes |
Like MITRE ATT&CK Coverage, a high Control Mapping Rate does not mean threats are being caught — it means monitoring alignment exists. A control with a single low-fidelity rule still counts as mapped. Organizations without a formal control framework should define their domain taxonomy before tracking this metric to ensure consistency across periods. |
Log Source Coverage
Log Source Coverage measures the percentage of ingested log sources that are actively referenced in detection logic. Ingestion alone does not constitute coverage — a log source sitting in the SIEM or data platform without a single detection rule referencing it provides no operational value to the detection program. This metric surfaces that gap.
| Metric Attribute |
Details |
| Definition |
The percentage of ingested log sources that are actively referenced in at least one detection rule |
| Formula |
(Ingested Log Sources Referenced in Active Detection Logic / Total Ingested Log Sources) × 100 |
| Tier |
Secondary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: SIEM or Data Platform, Detection Rule Repository Key Fields: Ingested Log Source Inventory, Log Source References per Detection Rule, Active Rule Status Requirements: Detection rules must explicitly reference or be tagged to their log source dependencies. Without this attribution, it is not possible to determine which ingested sources are actively used in detection logic versus which are passively stored. |
| Notes |
A log source that is ingested but unreferenced in any detection rule is a coverage gap and a cost with no return. This metric is also a useful input to data source quality discussions — if a log source has low detection usage it may indicate parsing issues, incomplete field normalization, or a gap in detection strategy for that source. |
Playbook Success Rate
Playbook Success Rate measures the percentage of playbook executions that complete without a technical failure. A failure is defined as any execution that errors out due to an integration failure, API timeout, or platform issue — not a manual override or analyst intervention. This is a technical health metric for the automation layer of the detection program.
| Metric Attribute |
Details |
| Definition |
The percentage of playbook executions that complete without a technical failure |
| Formula |
(Successful Playbook Executions / Total Playbook Executions) × 100 |
| Tier |
Secondary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: SOAR Platform Key Fields: Playbook Execution Logs, Execution Status (Success / Failure), Failure Reason Requirements: The SOAR platform must log execution outcomes with a queryable status field and failure reason. Without structured execution logging, failed runs cannot be distinguished from successful ones. |
| Notes |
A drop in Playbook Success Rate is an infrastructure and integration signal first — investigate integration health, API availability, and platform stability before reviewing playbook logic. Persistent failures against a specific integration are a leading indicator that the integration health should be reviewed as a dependency risk. |
Average Playbook Execution Time
Average Playbook Execution Time measures the average duration of automated workflow executions. Tracked at two levels — program-wide and per playbook — the program-wide average reflects the overall health and performance of the automation layer, while per-playbook tracking identifies long-running workflows that may be introducing delays in detection response or masking performance issues in the aggregate.
| Metric Attribute |
Details |
| Definition |
The average time taken to complete an automated playbook execution from start to finish |
| Formula — Program Wide |
Sum of (Playbook Completion Time − Playbook Start Time) / Total Playbook Executions |
| Formula — Per Playbook |
Sum of (Playbook Completion Time − Playbook Start Time) / Total Executions for that Playbook |
| Tier |
Secondary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: SOAR Platform Key Fields: Playbook Execution Logs, Playbook Start Time, Playbook Completion Time, Playbook Identifier Requirements: The SOAR platform must log execution start and completion timestamps per playbook run with a queryable playbook identifier so that per-playbook averages can be derived independently from the program-wide aggregate. |
| Notes |
The program-wide average alone is insufficient — a single long-running playbook can inflate the average while the rest of the automation layer performs well. Per-playbook tracking is where actionable optimization work happens. Long execution times are typically caused by sequential API calls, integration latency, or waiting on external system responses — these should be investigated as engineering issues rather than platform failures. |
Integration Health Score
Integration Health Score measures the availability of each integration that SOAR workflows and detection delivery pipelines depend on, tracked as an uptime percentage per integration. It surfaces integration failures that may be silently impacting playbook execution, detection alerting, and automation reliability across the full detection delivery chain.
| Metric Attribute |
Details |
| Definition |
The uptime percentage of each integration involved in detection delivery, measured by tracking integration failures over a defined period |
| Formula — Per Integration |
(Total Time Integration was Available / Total Measurement Period) × 100 |
| Tier |
Secondary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Continuous / Weekly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: SOAR Platform, SIEM or Data Platform Key Fields: Integration Failure Logs, Integration Availability Status, Failure Timestamp, Recovery Timestamp Requirements: Failure and recovery events must be logged with timestamps per integration across SOAR and any system involved in detection delivery — including EDR, ticketing platforms, threat intelligence feeds, and identity platforms. Without structured failure logging at the integration level, availability percentages cannot be calculated. |
| Notes |
A degraded integration will silently impact Playbook Success Rate and detection delivery before it becomes visible as a pattern — these metrics should be reviewed together. Each integration should be tracked independently so that a single failing system does not mask the health of others across the detection pipeline. |
Manual Touchpoints
Manual Touchpoints measures the average number of human interventions per playbook workflow that is not fully automated to resolution. Fully automated workflows that close without any human involvement are excluded — this metric is scoped specifically to workflows where automation falls short of full resolution and a human must intervene to complete the process. It is the inverse signal of Automated Response Rate: where ARR measures how much automation is resolving, Manual Touchpoints measures how much human effort remains in the workflows that are not yet fully automated.
| Metric Attribute |
Details |
| Definition |
The average number of human interventions per SOAR-managed playbook workflow that does not reach automated resolution |
| Formula |
Total Human Interventions across Non-Fully-Automated Workflows / Total Non-Fully-Automated Workflows |
| Tier |
Secondary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: SOAR Platform Key Fields: Playbook Execution Logs, Human Intervention Events, Resolution Type (Automated vs Manual), Workflow Identifier Requirements: The SOAR platform must log human intervention events per workflow execution with a queryable resolution type. Fully automated resolutions must be distinguishable from workflows requiring human intervention — without this attribution the scope of this metric cannot be accurately defined. |
| Notes |
Manual Touchpoints is a portfolio awareness metric — not everything needs to be fully automated, and some workflows will always require human judgment by design. The value of this metric is understanding what proportion of your playbook portfolio is fully automated versus partially automated, and where human effort is being spent. A rising average on specific workflows may indicate an automation gap worth investing in, while a stable average on others may simply reflect intentional design. Read alongside Automated Response Rate to build a complete picture of automation coverage across the program. |
Tertiary Metrics
Tertiary metrics provide operational insights that inform on the maturity, hygiene, and developmental aspects of the threat detection program. These metrics are used internally by detection engineering teams to optimize processes, track backlog and rule lifecycle, and measure long-term improvements. They are important for maintaining a healthy detection program but are not typically used as primary indicators of success.
Volume Metrics
Volume Metrics capture the daily counts of all inputs and outputs across the detection pipeline. Each metric is tracked as both a raw daily count and an average daily rate over a longer period — the count surfaces anomalies and spikes on a given day, while the trend rate reveals whether volume is growing, stable, or shrinking over time. Together they provide operational awareness of system load, analyst workload, and pipeline activity.
Shared Formula Pattern
| Metric Attribute |
Details |
| Formula |
|
| Daily Count |
Raw count of events for the day |
| Average Daily Rate |
Total Count for Period / Number of Days in Period |
Shared Table Fields
| Metric Attribute |
Details |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Daily / Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
Event Volume
The total number of events across all data points monitored by detections. This is the broadest input metric in the pipeline — it reflects the raw volume of data the detection program is processing and provides the baseline against which all downstream volume metrics are contextualized.
| Metric Attribute |
Details |
| Definition |
The total number of events ingested and monitored across all detection data sources |
| Daily Count Formula |
Count of all Events ingested across monitored data sources per day |
| Average Daily Rate Formula |
Total Events for Period / Number of Days in Period |
| Dependencies |
Analytical Layer: SIEM or Data Platform Key Fields: Event Ingestion Logs, Data Source Identifier, Event Timestamp |
Detection Volume
The total number of detections that execute daily. This metric reflects the operational load on the detection engine and provides context for downstream alert and ticket volumes.
| Metric Attribute |
Details |
| Definition |
The total number of detection rules that execute daily across the environment |
| Daily Count Formula |
Count of Detection Executions per day |
| Average Daily Rate Formula |
Total Detection Executions for Period / Number of Days in Period |
| Dependencies |
Analytical Layer: SIEM or Data Platform, Detection Rule Repository Key Fields: Detection Execution Logs, Rule Identifier, Execution Timestamp |
Alert Volume
The total number of alerts generated across detection rules daily. Alert Volume is the first downstream output of detection execution and is a key signal for analyst workload and detection noise.
| Metric Attribute |
Details |
| Definition |
The total number of alerts generated across all detection rules daily |
| Daily Count Formula |
Count of Alerts Generated per day |
| Average Daily Rate Formula |
Total Alerts for Period / Number of Days in Period |
| Dependencies |
Analytical Layer: SIEM or Data Platform Key Fields: Alert Generation Logs, Rule Identifier, Alert Timestamp |
Ticket Volume
The total number of tickets generated across alerts daily. Ticket Volume reflects the downstream output of alert triage and is a direct gauge of analyst workload and system noise reaching the case management layer.
| Metric Attribute |
Details |
| Definition |
The total number of tickets created from alerts daily |
| Daily Count Formula |
Count of Tickets Created per day |
| Average Daily Rate Formula |
Total Tickets for Period / Number of Days in Period |
| Dependencies |
Analytical Layer: Case Management System Key Fields: Ticket Creation Logs, Alert Identifier, Ticket Creation Timestamp |
Ignore Event Volume
The total number of detections that are prevented from creating tickets daily. This metric captures the volume of events that the detection program intentionally suppresses before they reach the ticketing layer — providing visibility into how much noise is being filtered out of the analyst workflow.
| Metric Attribute |
Details |
| Definition |
The total number of detection events prevented from generating a ticket daily |
| Daily Count Formula |
Count of Ignored or Suppressed Detection Events per day |
| Average Daily Rate Formula |
Total Ignored Events for Period / Number of Days in Period |
| Dependencies |
Analytical Layer: SIEM or Data Platform, SOAR Platform Key Fields: Suppression Logs, Ignore Rule Identifier, Event Timestamp |
Automation Usage
The total number of automations executed daily. This metric tracks the operational load on the automation layer and provides a baseline for understanding how actively SOAR workflows are being utilized across the detection pipeline.
| Metric Attribute |
Details |
| Definition |
The total number of automated workflows or actions executed daily |
| Daily Count Formula |
Count of Automation Executions per day |
| Average Daily Rate Formula |
Total Automation Executions for Period / Number of Days in Period |
| Dependencies |
Analytical Layer: SOAR Platform Key Fields: Automation Execution Logs, Workflow Identifier, Execution Timestamp |
Detection Conversion
Detection Conversion measures how volume moves through each stage of the detection pipeline — from detection execution to alert generation to ticket creation. Tracked as three separate conversion rates, it reveals where drop-off is occurring in the pipeline and whether detections are successfully surfacing through to analyst hands.
| Metric Attribute |
Details |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Daily / Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Formula — Detection to Alert Rate |
(Alerts Generated / Total Detection Executions) × 100 |
| Formula — Alert to Ticket Rate |
(Tickets Created / Total Alerts Generated) × 100 |
| Formula — End-to-End Conversion Rate |
(Tickets Created / Total Detection Executions) × 100 |
| Dependencies |
Analytical Layer: SIEM or Data Platform, Case Management System Key Fields: Detection Execution Logs, Alert Generation Logs, Ticket Creation Logs |
| Notes |
The three formulas should be read as a funnel — a low Detection to Alert Rate indicates detections are firing but not surfacing alerts, while a low Alert to Ticket Rate indicates alerts are being dropped before reaching the case management layer. The End-to-End rate gives a single number for the full pipeline but use the individual rates to diagnose where drop-off is occurring. |
Stale Count
Stale Count measures the number of detections or automations that have not been reviewed, tested, or updated within a defined time window — typically six months. Stale detections and automations are a hygiene and risk signal: they may no longer reflect the current threat landscape, environment, or data sources, leading to blind spots or unreliable automation behavior.
| Metric Attribute |
Details |
| Definition |
The number of detections or automations that have not been reviewed, tested, or updated within a defined time window |
| Formula |
Count of Detections or Automations where Last Review Date > Defined Staleness Threshold |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Detection Rule Repository, SOAR Platform Key Fields: Last Review Date, Last Updated Date, Last Test Date per Detection or Automation |
| Notes |
The staleness threshold should be defined and documented by the team before tracking this metric — six months is a common starting point but may vary by environment or detection type. A rising Stale Count is a backlog signal and should be treated as a prioritization input for the engineering team. |
Time to Triage
Time to Triage measures the average time taken by an analyst to disposition an alert from the moment it is assigned. It is a direct reflection of the quality and completeness of the data provided with each alert — well-enriched alerts with clear context are triaged faster than alerts that require manual investigation to understand.
| Metric Attribute |
Details |
| Definition |
The average time elapsed from analyst assignment to alert disposition |
| Formula |
Sum of (Disposition Time − Analyst Assignment Time) / Total Alerts Triaged |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Case Management System Key Fields: Analyst Assignment Timestamp, Disposition Timestamp, Alert Identifier |
| Notes |
Time to Triage is as much a measure of alert quality as it is of analyst efficiency — a high average often indicates that alerts are arriving without sufficient context or enrichment. Use this metric to identify which detection rules are producing the most analyst friction and prioritize enrichment or playbook improvements accordingly. |
Development Time
Development Time measures the average time it takes to build, test, and deploy a new detection or automation from concept to production. It is a measure of engineering throughput and process efficiency — a long development time may indicate bottlenecks in the build, test, or review pipeline.
| Metric Attribute |
Details |
| Definition |
The average time elapsed from detection or automation concept to production deployment |
| Formula |
Sum of (Deployment Time − Concept or Request Time) / Total Detections or Automations Deployed |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Detection Rule Repository, SOAR Platform, Ticketing or Project Management System Key Fields: Request or Concept Timestamp, Deployment Timestamp, Detection or Automation Identifier |
| Notes |
Development Time should be tracked separately for detections and automations as their build and test cycles differ. A rising Development Time is a process health signal — investigate whether bottlenecks exist in testing, peer review, or deployment pipelines rather than assuming engineering capacity is the constraint. |
Suppression Ratio
Suppression Ratio measures the total count of suppressions applied per detection, broken down by Manual and Automated methods. It provides visibility into which detections are generating the most suppression activity and whether that suppression is being applied by automation or by analysts.
| Metric Attribute |
Details |
| Definition |
The total count of suppressions applied per detection, categorized by Manual and Automated suppression method |
| Formula — Total Suppressions per Detection |
Count of Suppression Events per Detection Identifier |
| Formula — Manual Suppression Count |
Count of Suppression Events where Method = Manual per Detection Identifier |
| Formula — Automated Suppression Count |
Count of Suppression Events where Method = Automated per Detection Identifier |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: SIEM or Data Platform, SOAR Platform Key Fields: Suppression Event Logs, Suppression Method (Manual vs Automated), Detection Identifier, Analyst or Team Identifier for Manual Suppressions |
| Notes |
A high suppression count on a specific detection is a tuning signal — the detection may be too broad, targeting a known benign pattern, or operating on a low quality data source. Manual suppressions should be attributed to the team and analyst who applied them to enable accountability and pattern analysis. Suppression activity also maps to True Negative rate and should be considered alongside FPR when evaluating detection fidelity. |
Detection Effectiveness
Detection Effectiveness measures the percentage of detection rules that successfully trigger during red team simulations, atomic testing, or validation exercises. It is the only metric in this catalog that validates detection capability through active testing rather than production data — providing ground truth on whether detections work as designed.
| Metric Attribute |
Details |
| Definition |
The percentage of detection rules that successfully trigger during validation exercises such as red team simulations or atomic testing |
| Formula |
(Detection Rules that Successfully Triggered / Total Detection Rules Tested) × 100 |
| Tier |
Tertiary |
| Type |
KPI |
| Preferred Collection Method |
Ad-Hoc |
| Cadence |
Per Exercise |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: SIEM or Data Platform, Detection Rule Repository Key Fields: Test Execution Logs, Detection Trigger Status per Test, Rule Identifier Requirements: A defined testing methodology must be in place — atomic tests, red team exercises, or purple team engagements. Results must be logged against specific rule identifiers to calculate coverage per exercise. |
| Notes |
Detection Effectiveness is the ground truth check for the detection program — a rule that exists in the repository but fails to trigger during a controlled simulation provides no real protection. This metric should be run regularly and treated as a validation gate for new detections before and after deployment. |
Coverage Drift
Coverage Drift measures the change in detection coverage over time — indicating whether detection capability is expanding or regressing between periods. A positive value means coverage is growing; a negative value means coverage has decreased and warrants investigation.
| Metric Attribute |
Details |
| Definition |
The period-over-period change in detection coverage percentage |
| Formula |
Current Period Coverage % − Previous Period Coverage % |
| Tier |
Tertiary |
| Type |
KRI |
| Preferred Collection Method |
Automatic |
| Cadence |
Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Detection Rule Repository, MITRE ATT&CK Framework or Control Framework Key Fields: Active Rule Count, Coverage Percentage per Period |
| Notes |
Negative Coverage Drift should be treated as a KRI escalation signal — a shrinking coverage percentage means the program is losing ground, whether through rule deprecation, data source loss, or environment changes. Even a stable coverage percentage warrants review if the threat landscape has evolved significantly in the same period. |
Deployment Frequency
Deployment Frequency measures how often new detections, automations, playbooks, and integrations are successfully deployed to production within a given timeframe. It is a key indicator of engineering agility and the team's ability to deliver capability improvements continuously. Tracked across four sub-categories, it provides a complete picture of output across all program components.
| Metric Attribute |
Details |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
Detections Created
| Metric Attribute |
Details |
| Definition |
The number of new detection rules deployed to production in a given period |
| Formula |
Count of Detection Rules where Deployment Date falls within Period |
| Dependencies |
Analytical Layer: Detection Rule Repository Key Fields: Deployment Date, Rule Identifier, Rule Status |
Automations Created
| Metric Attribute |
Details |
| Definition |
The number of new automations deployed to production in a given period |
| Formula |
Count of Automations where Deployment Date falls within Period |
| Dependencies |
Analytical Layer: SOAR Platform Key Fields: Deployment Date, Automation Identifier |
Playbooks Created
| Metric Attribute |
Details |
| Definition |
The number of new playbooks deployed to production in a given period |
| Formula |
Count of Playbooks where Deployment Date falls within Period |
| Dependencies |
Analytical Layer: SOAR Platform Key Fields: Deployment Date, Playbook Identifier |
Integrations Created
| Metric Attribute |
Details |
| Definition |
The number of new integrations deployed to production in a given period |
| Formula |
Count of Integrations where Deployment Date falls within Period |
| Dependencies |
Analytical Layer: SOAR Platform Key Fields: Deployment Date, Integration Identifier |
Change Frequency
Change Frequency measures how often existing detections, automations, or playbooks are modified in a given period. It indicates responsiveness to threat evolution and process improvement — a healthy change frequency reflects an active, adaptive detection program rather than a static one.
| Metric Attribute |
Details |
| Definition |
The number of changes made to existing detections, automations, or playbooks within a given period |
| Formula |
Count of Change Events across Detections, Automations, and Playbooks within Period |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Detection Rule Repository, SOAR Platform Key Fields: Change Timestamp, Object Identifier, Change Type, Object Type (Detection, Automation, Playbook) |
| Notes |
Change Frequency should be reviewed alongside Deployment Frequency — a high change rate with low deployment frequency may indicate the team is spending more time maintaining existing content than building new capability. A very low change frequency may indicate the program is not keeping pace with threat or environment evolution. |
Task Automation Ratio
Task Automation Ratio measures the percentage of tasks automated versus total tasks per incident type, specifically for ad-hoc automation commands and scripts executed manually by analysts within a case or incident — outside of structured playbook workflows. This metric lives in the bounds of the case management system and reflects analyst-initiated automation rather than SOAR-orchestrated automation.
| Metric Attribute |
Details |
| Definition |
The percentage of ad-hoc tasks per incident type that are executed through analyst-initiated automation versus manually |
| Formula |
(Automated Tasks Executed / Total Tasks Executed) × 100 per Incident Type |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Ad-Hoc |
| Cadence |
Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Case Management System Key Fields: Task Execution Logs, Task Type (Automated vs Manual), Incident Type Identifier Requirements: The case management system must log individual task executions with a distinguishable automated vs manual execution flag. Without task-level logging, this metric cannot be derived. |
| Notes |
Task Automation Ratio is distinct from Manual Touchpoints and Automated Response Rate — it measures analyst-initiated ad-hoc automation within cases, not structured SOAR workflows. Read all three together to build a complete picture of automation coverage across both structured and unstructured response activity. |
Platform Uptime measures the operational reliability of the detection and SOAR platforms, tracked as an availability percentage per platform. It is the foundational health metric for the entire detection program — if the platforms are unavailable, no other metric in this catalog can be trusted.
| Metric Attribute |
Details |
| Definition |
The availability percentage of the detection and SOAR platforms over a defined measurement period |
| Formula — Per Platform |
(Total Time Platform was Available / Total Measurement Period) × 100 |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Continuous / Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Platform Monitoring Tools, SIEM or Data Platform, SOAR Platform Key Fields: Platform Availability Logs, Downtime Events, Recovery Timestamps per Platform |
| Notes |
Platform Uptime should be tracked per platform independently — SIEM, SOAR, and case management system uptime are distinct signals. Downtime events should be correlated against other metrics for the same period: a spike in MTTD, a drop in Playbook Success Rate, or a gap in Volume Metrics during a known downtime window should be annotated rather than treated as a true program performance change. |
Investigation Duration
Investigation Duration measures the average time elapsed from analyst assignment to case resolution, scoped per detection rule and per case. It is a proxy for detection complexity — a rule that consistently produces long investigations is a signal that the alert may lack sufficient context, the rule logic may be too broad, or there is insufficient automation supporting the analyst through the workflow. Coupling this metric with rules that have no playbook coverage surfaces the highest-friction detections in the program and points directly at where engineering investment would have the greatest return.
| Metric Attribute |
Details |
| Definition |
The average time elapsed from analyst assignment to case resolution, tracked per detection rule and per case |
| Formula — Program Wide |
Sum of (Resolution Time − Analyst Assignment Time) / Total Investigations |
| Formula — Per Detection Rule |
Sum of (Resolution Time − Analyst Assignment Time) / Total Investigations for that Rule |
| Formula — Per Case |
Resolution Time − Analyst Assignment Time for each Case |
| Tier |
Tertiary |
| Type |
Operational |
| Preferred Collection Method |
Automatic |
| Cadence |
Weekly / Monthly |
| Visibility |
Engineering Lead, Detection Engineering Team |
| Dependencies |
Analytical Layer: Case Management System Key Fields: Analyst Assignment Timestamp, Resolution Timestamp, Detection Rule Identifier, Case Identifier Requirements: Cases must be linked to their originating detection rule identifier so that per-rule investigation durations can be derived. Without this attribution, only program-wide and per-case averages are calculable. |
| Notes |
Detection rules with consistently high Investigation Duration and no associated playbook coverage are the highest-priority candidates for automation investment. The program-wide average provides a baseline but per-rule tracking is where the actionable signal lives — a single complex rule can inflate the aggregate while the majority of the portfolio performs well. Read alongside Time to Triage to distinguish between alerts that take long to start investigating versus cases that take long to resolve. |
