
SOC coverage review

A diagnostic study that establishes whether your SOC or MDR still fits what you need.

Detection changes faster than contracts. A coverage review measures what your SOC actually catches, where the gaps sit, and whether the current model fits your risk position.

Duration: Two to three weeks
Effort: Senior detection architect, intake and final report
For whom: CISO, Detection Lead, Security Architect
THE CONTEXT

Why this assessment is often necessary

Three patterns we see again and again in SOC and MDR evaluations. For each: what shows up in the organisation, and what that does to the detection chain.

WHAT WE SEE

KPI reports show green, dashboards keep running.

Mean time to detect, ticket volume and response time are all in order. The SOC produces what the buyer asks for.

WHAT THAT DOES

What the SOC does not see stays out of sight.

An independent measurement of coverage is missing. Which attack techniques fall outside the detection chain? Neither the board nor the SOC itself knows.

WHAT WE SEE

MDR renewal is on the calendar, comparison material is missing.

The contract expires end of quarter. The renewal proposal is ready. The board asks: do we continue this way, or not?

WHAT THAT DOES

Renewal becomes a routine action instead of a choice.

Without a structured measurement of what the SOC actually catches, there is no basis for an informed decision. The contract extends, the gaps remain.

WHAT WE SEE

The architecture has shifted, the SOC works on the old scope.

Cloud migration, new SaaS stack, OT or operational expansion. The environment of two years ago is not the current one. Detection rules did not follow.

WHAT THAT DOES

Nobody has made the coverage gaps explicit.

No one can pinpoint exactly where the SOC is behind. It only surfaces when an incident hits the new stack layer. Too late.

Outcome

What the assessment delivers

Not a detection maturity model. An actual measurement of what you catch, and where it does not match.

01

A coverage measurement per asset type.

Endpoint, server, cloud, identity, data. Per type: what the SOC sees, what it misses, and what that means for your risk position.

02

A detection-chain effectiveness review.

From log source via SIEM detection to SOC response. Per step: what works, where noise sits, where signals disappear.

03

A model recommendation.

Build, buy or hybrid. Does the current model still fit, and if not, in which direction should you move? With reasoning.

Approach

How the study runs

Two to three weeks lead time, given the right rhythm on your side. Four steps. Not an RFP: an independent test of whether your current setup still fits.

Document: SOC coverage report
Timeline: 2 to 3 weeks
Your time: 6 to 8 hours of calendar time
Our team: One senior detection architect
# | Step | What it is | When | Duration

01 · Architecture review

Current SIEM, SOC team or MDR vendor. Which logs, which detection rules, which escalation paths.

When: Week 1 · D1-D2 · Duration: 2 days

02 · SLA and accountability

What does the contract actually say? Response times, coverage, exit position, accountability during an incident.

When: Week 1 → 2 · Duration: 2 days

03 · Coverage test

Use-case coverage against your crown jewels and threat profile. NIS2 and DORA requirements where relevant. Which gaps it contains.

When: Week 2 · D1-D3 · Duration: 3 days

04 · Synthesis and recommendation

Clarity on whether the current setup fits, concrete improvements, RFP input for renewal if desired.

When: Week 2 → 3 · Duration: 2 days

Total: 4 steps · 9 working days · 2-3 weeks