Template · 6 min

Basic SOC operating model

A lightweight model for alert intake, triage, escalation, evidence capture and reporting.

A practical SOC for mid-sized organisations

A Security Operations Centre (SOC) does not require a room full of screens and twenty analysts working in shifts. For mid-sized organisations, a practical SOC is a defined process for ingesting alerts, triaging them, investigating threats, and responding to incidents — with clear roles, tools, and escalation pathways.

Intake and triage

Automate the aggregation of alerts from EDR, SIEM, email security, identity protection, and cloud platforms into a central dashboard. Every alert should have a severity classification, a category, and an initial triage assignment. The goal is to ensure nothing gets lost and everything gets the right level of attention.

Define triage criteria: what makes an alert critical versus informational? Time-to-triage targets create accountability and ensure high-severity alerts are not sitting in a queue while an analyst investigates a low-priority false positive.

Escalation pathways

Define three tiers of response:

  • Tier 1: Initial triage — classify the alert, gather context, determine whether it requires investigation or can be closed as a known false positive
  • Tier 2: Investigation — analyse the alert in depth, correlate with other signals, determine scope and impact, recommend containment actions
  • Tier 3: Deep forensics and active threat eviction — typically an external incident response firm for complex compromises

Not every organisation needs all three tiers in-house. Many mid-sized organisations handle Tier 1 internally and escalate Tier 2 and Tier 3 to an external partner.

Metrics and continuous improvement

Track Mean Time to Detect (MTTD) — how long does a threat dwell before an alert fires? Track Mean Time to Respond (MTTR) — once detected, how long until containment? Track patching velocity for critical vulnerabilities on internet-facing infrastructure versus internal endpoints.

Stop tracking vanity metrics like "threats blocked" — these numbers are meaningless without context. Focus on operational health: are we getting faster? Are we finding things earlier? Are false positives decreasing?
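As an added example (not part of the original template), the Python below models the intake queue and the metrics described above: every alert carries a source, severity and category, each severity has a time-to-triage target, and MTTD, MTTR and the false-positive rate are computed over a constructed sample. The target values, the `Alert` fields and the sample alerts are all assumptions, not values from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional

# Time-to-triage targets per severity. Assumed values for illustration;
# set them from your own triage criteria.
TRIAGE_TARGET = {
    "critical": timedelta(minutes=15), "high": timedelta(hours=1),
    "medium": timedelta(hours=4), "informational": timedelta(days=1),
}

@dataclass
class Alert:
    source: str                # EDR, SIEM, email, identity, cloud
    severity: str              # key into TRIAGE_TARGET
    category: str
    first_activity: datetime   # earliest evidence of the activity (dwell start)
    fired: datetime            # when the alert was raised
    triaged: Optional[datetime] = None
    contained: Optional[datetime] = None
    false_positive: bool = False

def triage_breaches(alerts: List[Alert], now: datetime) -> List[Alert]:
    """Alerts past their time-to-triage target; untriaged ones are measured against `now`."""
    return [a for a in alerts if ((a.triaged or now) - a.fired) > TRIAGE_TARGET[a.severity]]

def mttd_hours(alerts: List[Alert]) -> float:
    """Mean Time to Detect: first activity to alert firing, true positives only."""
    tps = [a for a in alerts if not a.false_positive]
    return mean((a.fired - a.first_activity).total_seconds() for a in tps) / 3600

def mttr_hours(alerts: List[Alert]) -> float:
    """Mean Time to Respond: alert firing to containment, for contained true positives."""
    done = [a for a in alerts if not a.false_positive and a.contained]
    return mean((a.contained - a.fired).total_seconds() for a in done) / 3600

def false_positive_rate(alerts: List[Alert]) -> float:
    return sum(a.false_positive for a in alerts) / len(alerts)

# Constructed sample queue for one morning (not real alert data).
T0 = datetime(2024, 1, 8, 9, 0)
def h(n: float) -> datetime: return T0 + timedelta(hours=n)
SAMPLE = [
    Alert("EDR", "critical", "malware", h(-6), T0, T0 + timedelta(minutes=10), h(2)),
    Alert("identity", "high", "impossible-travel", h(-2), T0, h(3), h(5)),
    Alert("email", "medium", "phishing", h(-1), T0, h(1)),
    Alert("SIEM", "informational", "port-scan", T0, T0, false_positive=True),
]
```

Run `triage_breaches(SAMPLE, now=h(2))` to list the alerts that have blown their target (here the high-severity identity alert, triaged three hours after firing), and the three metric functions to get MTTD 3.0 h, MTTR 3.5 h and a 25% false-positive rate for the sample.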

Need help applying this?

Turn the guide into an action plan.

Tenodex can assess your current state, prioritise the practical work and help implement the operating model.
