Thank you for the article! Agree with you that you have to start having this conversation at some point, especially when you reach the point of making decisions on what % of MITRE ATT&CK TTPs you are going to translate to alerts.
It's super easy to default to 100% coverage mode and want to alert on everything, but capacity models like this can really highlight how effective your team will be mapped to the budget allocated to SOC staffing. It's a simple message to leadership: if you want fast response-time SLAs to all threats, here's how many people you will need.
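As an added illustration of the kind of capacity model the comment above refers to (this is example code written for this page, not the article's own model or the commenter's), the block below turns an alert rate, a mean handling time and a response-time SLA into the number of analysts that must be on the queue at once, using the standard Erlang C (M/M/c) queueing approximation, and then into hired headcount. Every number in it is constructed: 10 alerts/hour at full TTP coverage, 30 minutes per alert, an SLA of 80% of alerts picked up within 15 minutes, 24x7 coverage, 40-hour FTEs and 80% on-queue availability. The assumption that alert volume scales linearly with the fraction of TTPs you alert on is also just that, an assumption, but it is enough to show the lever the comment describes: fewer alerting TTPs, fewer seats, fewer hires.

```python
"""Illustrative SOC staffing model using Erlang C (example code, not from the article)."""
import math


def erlang_c(seats: int, load_erlangs: float) -> float:
    """Probability that an arriving alert finds every analyst busy (Erlang C).

    load_erlangs = arrival rate * mean handle time, in the same time unit.
    Returns 1.0 when the queue is unstable (seats <= load): everything waits.
    """
    if seats <= load_erlangs:
        return 1.0
    series = sum(load_erlangs ** k / math.factorial(k) for k in range(seats))
    tail = (load_erlangs ** seats / math.factorial(seats)) * seats / (seats - load_erlangs)
    return tail / (series + tail)


def frac_within_sla(seats: int, alerts_per_hour: float,
                    handle_minutes: float, sla_minutes: float) -> float:
    """Fraction of alerts an analyst picks up within sla_minutes (M/M/c queue).

    P(wait <= t) = 1 - ErlangC * exp(-(c - A) * t / mean_handle_time).
    """
    handle_h = handle_minutes / 60.0
    load = alerts_per_hour * handle_h          # offered load in erlangs
    if seats <= load:
        return 0.0                             # unstable queue: SLA cannot be met
    wait_prob = erlang_c(seats, load)
    return 1.0 - wait_prob * math.exp(-(seats - load) * (sla_minutes / 60.0) / handle_h)


def seats_needed(alerts_per_hour: float, handle_minutes: float,
                 sla_minutes: float, target_frac: float, max_seats: int = 500) -> int:
    """Smallest number of concurrently staffed analysts that meets the SLA target."""
    for c in range(1, max_seats + 1):
        if frac_within_sla(c, alerts_per_hour, handle_minutes, sla_minutes) >= target_frac:
            return c
    raise ValueError("SLA target not reachable within max_seats")


def fte_headcount(seats: int, coverage_hours_per_week: float = 168.0,
                  hours_per_fte: float = 40.0, availability: float = 0.8) -> int:
    """Convert concurrent seats into hires.

    Assumptions (constructed for this example): 24x7 coverage (168 h/week),
    40-hour FTEs, and 80% of paid time actually on the alert queue.
    """
    return math.ceil(seats * coverage_hours_per_week / hours_per_fte / availability)


def staffing_for(ttp_coverage_frac: float, full_alert_rate: float,
                 handle_minutes: float = 30.0, sla_minutes: float = 15.0,
                 target: float = 0.8) -> dict:
    """Headcount implied by alerting on a fraction of the candidate TTPs.

    Assumes (for illustration) that alert volume scales linearly with the
    fraction of TTPs turned into alerts.
    """
    rate = full_alert_rate * ttp_coverage_frac
    seats = seats_needed(rate, handle_minutes, sla_minutes, target)
    return {"alerts_per_hour": rate, "seats": seats, "fte": fte_headcount(seats)}


if __name__ == "__main__":
    # Constructed scenario: 10 alerts/hour if every candidate TTP becomes an alert.
    for coverage in (1.0, 0.5, 0.25):
        print(f"TTP coverage {coverage:.0%}: {staffing_for(coverage, 10.0)}")
```

With these inputs the model needs 7 analysts on the queue at once (37 hires) to meet the SLA at full coverage, 4 seats (21 hires) at half the alert volume and 3 seats (16 hires) at a quarter of it, which is the "here's how many people you will need" message in a form leadership can argue with. The Erlang C formula assumes Poisson arrivals and exponential handling times; real alert storms are burstier than that, so treat the output as a floor rather than a promise.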