NCSC Warns Against Ineffective SOC Metrics

NCSC Warns Against Ineffective SOC Metrics

First seen 29 Apr 2026, 08:39 UTC Infosecurity-MagazineNews.Risky.Biznetaskari.substack.comwww.dataminr.com 86% similarity 42.9

Article Content

Browse articles
ThreatCluster

The UK's National Cyber Security Centre (NCSC) has issued a warning regarding the reliance on ineffective metrics to evaluate Security Operations Centers (SOCs). NCSC's CTO, Dave Chismon, stated that common metrics such as 'number of tickets processed' and 'time taken to close a ticket' can lead to careless behavior among SOC teams, incentivizing them to prioritize speed over thorough investigations. This can result in a high volume of false positives and ineffective security measures. Instead, the NCSC recommends focusing on metrics like time-to-detect (TTD) and time-to-respond (TTR) to better assess SOC effectiveness. Chismon emphasized that using no metrics is preferable to using bad ones, as the latter can demoralize staff and lead to a culture of rushing through alerts. The NCSC also advocates for allowing SOC teams to engage in hypothesis-led threat hunting and to study threat actors to enhance their defensive capabilities. The guidance aims to improve the overall effectiveness and morale of SOC teams.

Key Points: • NCSC advises against using ineffective metrics for SOC evaluation. • Common metrics can lead to careless behavior and false positives. • Time-to-detect and time-to-respond are recommended as better metrics.

ThreatCluster AI

Timeline

2026-03-11
CVE-2026-3965 published
2026-04-28
Infosecurity-Magazine publishes article on NCSC's SOC metrics warning
2026-04-29
Risky Business publishes article on NCSC's SOC metrics warning

Community

Browse all →