
A new global Kaspersky Security Services report ‘Anatomy of a Cyber World’* reveals a blind spot in enterprise SOCs: while performance is typically measured by detection and response speed, organizations rarely assess whether they’re detecting the right threats.
Large portions of collected telemetry don’t enter real-time detection pipelines, creating hidden gaps that internal assessments tend to miss – and fueling demand for independent SOC Consulting to uncover them.
Limits of traditional SOC performance metrics
As organizations continue to invest in Security Operations Centers (SOCs), measuring the real performance of these departments remains a challenge.
Operational effectiveness depends not only on the volume of collected data, but on how well that data is used for detection.
According to a recent Kaspersky survey, organizations typically evaluate SOC effectiveness through a limited set of key performance indicators:
mean time to respond (MTTR) and mean time to detect (MTTD) dominate the picture, while deeper indicators such as false-positive rates or cost per incident remain secondary. The real question is not just how fast the SOC responds, but whether it is detecting threats before they escalate.
43% detection coverage across SOC environments
The findings from the Kaspersky Security Services Global Report tell a consistent story: most SOCs are collecting far more data than they are using for detection.
The mean correlation rule coverage across assessed organizations stands at 43%, meaning that on average, active detection logic covers less than half of all ingested data sources.
The rest sits in the platform, available for retrospective investigation, threat hunting or compliance purposes, but invisible to real-time detection.
Causes behind the SOC visibility gap
This gap is not always unintentional. Some data is deliberately collected outside the scope of active correlation, serving investigation or regulatory requirements.
But in many cases, sources are onboarded without a clear detection plan, or rule development is deferred and never completed. In less mature environments, data is often collected but never actually used.
Reasons include unclear ownership of detection logic, compliance-driven ingestion with no correlation requirement, and resource constraints that delay engineering work. The result is unmonitored areas across the environment.
Scaling challenges in large SOC environments
What makes this harder to solve is that the problem tends to grow with the organization: SOCs managing the highest data volumes cover only around 30% of their sources with active detection logic.
As infrastructure expands, detection engineering capacity rarely scales at the same pace. Network telemetry, databases and web servers are among the most frequently uncovered sources, despite being critical to detection strategies.
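As an added example (not code from the report or from Kaspersky), the coverage figures discussed above can be measured from a SIEM inventory: onboarded sources are cross-referenced with enabled correlation rules, sources deliberately ingested for compliance only are separated from unintended gaps, and coverage is reported both by source count and by ingested volume. The inventory below is constructed sample data, and the dataclass names and field values are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Source:
    name: str
    category: str     # e.g. "network", "database", "web_server"
    daily_gb: float   # ingested volume, for volume-weighted coverage
    purpose: str      # "detection", or "compliance_only" when deliberately kept out of correlation
@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset  # onboarded source names this correlation rule reads
    enabled: bool       # a disabled or never-finished rule gives no real-time coverage
def coverage_report(sources, rules):
    """Cross-reference onboarded sources against enabled correlation rules."""
    active = {name for r in rules if r.enabled for name in r.sources}
    covered = [s for s in sources if s.name in active]
    uncovered = sorted((s for s in sources if s.name not in active), key=lambda s: s.name)
    # Compliance-only ingestion is an expected exclusion; any other uncovered source is a gap.
    deliberate = [s.name for s in uncovered if s.purpose == "compliance_only"]
    gaps = [s for s in uncovered if s.purpose != "compliance_only"]
    by_category = defaultdict(list)
    for s in gaps:
        by_category[s.category].append(s.name)
    return {
        "source_coverage_pct": round(100 * len(covered) / len(sources), 1),
        "volume_coverage_pct": round(100 * sum(s.daily_gb for s in covered) / sum(s.daily_gb for s in sources), 1),
        "deliberate_exclusions": deliberate,
        "unintended_gaps": [s.name for s in gaps],
        "gaps_by_category": dict(by_category),
    }

# Constructed sample inventory (illustrative, not data from the report).
SOURCES = [
    Source("win-security", "endpoint", 40, "detection"),
    Source("edr-telemetry", "endpoint", 25, "detection"),
    Source("fw-netflow", "network", 120, "detection"),
    Source("proxy-logs", "network", 30, "detection"),
    Source("pg-audit", "database", 10, "detection"),
    Source("nginx-access", "web_server", 60, "detection"),
    Source("vpn-accounting", "network", 5, "compliance_only"),
]
RULES = [
    Rule("Brute-force logon", frozenset({"win-security"}), True),
    Rule("Suspicious process tree", frozenset({"edr-telemetry"}), True),
    Rule("Proxy beaconing", frozenset({"proxy-logs"}), False),  # drafted, never completed
]

if __name__ == "__main__":
    for key, value in coverage_report(SOURCES, RULES).items():
        print(f"{key}: {value}")
```

The volume-weighted figure comes out well below the count-based one because the largest feeds (netflow, web server logs) carry no enabled rules, which is the pattern the report describes for high-volume SOCs.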
Detection strategy differences across organizations
The approach to detection logic itself varies widely. Around 50% of assessed SOCs rely primarily on vendor-provided rule sets, while roughly 40% build their logic from scratch.
Vendor-reliant teams frequently face elevated false-positive rates and coverage gaps from insufficient tuning; EDR-dependent setups create blind spots due to missing cross-source correlation.
Many organizations also fail to revisit SOC detection scope after initial deployment, allowing blind spots to accumulate over time.
Expert view on improving SOC effectiveness
“Even with defined KPIs in place, assessing SOC effectiveness internally remains difficult due to insider view bias, which is why organizations are turning to external SOC Consulting to evaluate detection logic, analyze event flows and simulate attacks to understand what is actually being caught.
To improve, organizations should build a structured detection engineering process: a repeatable discipline for developing, validating and regularly reviewing detection logic,” comments Roman Nazarov, Head of SOC Consulting at Kaspersky.
Kaspersky SOC Consulting and industry demand
To align internal processes and technologies with today’s evolving threat landscape, organizations can explore Kaspersky SOC Consulting, which helps build an in-house SOC from scratch, assess the maturity of an existing one or enhance specific capabilities such as detection and response procedures.
In 2025, SOC Technical Assessment led demand (23.4%), followed by SOC Framework Development (20%), while SOC Maturity Assessment and SIEM Quality Assurance both accounted for 11.7%, reflecting rising demand for deeper SOC visibility.