NCSC warns that the wrong SOC metrics can weaken security operations

The UK National Cyber Security Centre has warned that organisations may undermine their security operations centres (SOCs) if they focus on the wrong performance measures. In a recent post, the agency...

The UK National Cyber Security Centre has warned that organisations may undermine their security operations centres (SOCs) if they focus on the wrong performance measures. In a recent post, the agency said metrics that are easy to count but poor at reflecting real security outcomes can distort analyst behaviour and reduce the team’s ability to spot genuine threats.

SOCs are designed to monitor logs, investigate alerts and respond to incidents, but they are also expensive to run. Because of that, many organisations try to assess their value using familiar IT-style measures such as ticket volumes, closure times and other simple service indicators. The NCSC argues that these figures can be misleading when applied to security work.

Examples of problematic metrics

  • Tickets processed: If analysts are judged mainly on throughput, they may be pushed to dismiss alerts quickly instead of investigating them properly.

  • Time to close tickets: Shorter closure times can encourage rapid false-positive decisions rather than careful triage.

  • Number of detection rules: Counting rules can create an incentive to produce more alerts, not better ones, leading to noise and “alert inflation.”

  • Volume of logs collected: Large log intake does not automatically improve detection, especially if the data is incomplete, poorly configured or never used for meaningful alerting.

The agency said it has seen organisations where excessive attention to these measures made SOCs less effective. In some cases, teams were collecting large amounts of data without verifying whether it was useful, while in others analysts were encouraged to prioritise speed over quality.

According to the NCSC, the clearest measure of SOC performance is whether attacks are detected and dealt with quickly. Common indicators include time to detect and time to respond, although the agency notes these can be difficult to assess in practice because successful attacks may be rare.

To reduce uncertainty, the NCSC recommends using red teaming and purple teaming exercises to simulate attacks and test whether the SOC would identify and handle them in realistic conditions.