SOC Maturity Model
What is a SOC Maturity Model?
A framework that scores a Security Operations Center across people, process, technology, and services to guide a multi-year improvement roadmap.
SOC maturity models help organisations benchmark their detection-and-response capability against industry practice. The Hewlett Packard Enterprise 5-level model and the open SOC-CMM by Rob van Os are the most widely used; both score domains such as governance, intelligence, monitoring and detection, response, threat hunting, automation, and continuous improvement. Each domain is rated on a 0-to-5 scale (Initial, Basic, Defined, Managed, Optimised) using interviews, evidence reviews, and self-assessments. The output is a heatmap that identifies weakest areas and supports investment decisions, hiring plans, and tooling roadmaps. Maturity is not the same as effectiveness, so models are typically used alongside outcome metrics like dwell time and detection coverage.
● Examples
- 01
An HPE-style assessment scoring "Threat Hunting" at Level 2 (Basic) with a roadmap to Level 4.
- 02
Using SOC-CMM to justify hiring two threat hunters and rolling out SOAR.
● Frequently asked questions
What is a SOC Maturity Model?
A framework that scores a Security Operations Center across people, process, technology, and services to guide a multi-year improvement roadmap. It belongs to the Defense & Operations category of cybersecurity.
What does "SOC Maturity Model" mean?
A framework that scores a Security Operations Center across people, process, technology, and services to guide a multi-year improvement roadmap.
How does a SOC Maturity Model work?
SOC maturity models help organisations benchmark their detection-and-response capability against industry practice. The Hewlett Packard Enterprise 5-level model and the open SOC-CMM by Rob van Os are the most widely used; both score domains such as governance, intelligence, monitoring and detection, response, threat hunting, automation, and continuous improvement. Each domain is rated on a 0-to-5 scale (Initial, Basic, Defined, Managed, Optimised) using interviews, evidence reviews, and self-assessments. The output is a heatmap that identifies weakest areas and supports investment decisions, hiring plans, and tooling roadmaps. Maturity is not the same as effectiveness, so models are typically used alongside outcome metrics like dwell time and detection coverage.
What are other names for a SOC Maturity Model?
Common alternative names include: SOC-CMM, SOC capability maturity model.
● Related terms
- SIEM Rule Tuning (defense-ops, № 1040)
The continuous process of adjusting detection rules in a SIEM to reduce false positives, close gaps, and align with the organisation's threat model.
- Incident Response (forensics-ir, № 524)
The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
- Threat Hunting (defense-ops, № 1147)
Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
- MITRE ATT&CK (compliance, № 687)
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Purple Team (defense-ops, № 882)
A collaborative engagement model in which red and blue teams work openly together to improve detection and response in near real time.