WatchGuard Blog

Security Operations Maturity Model II : What is it?

The security operations maturity model assesses an organization’s current security capabilities to reduce its cyber risk and incident cost by lowering its time to detect and respond to threats, become more cyber resilient, and draw a plan to mature over time. Each level builds on the prior, adding additional technology and process improvements that strengthen the capabilities of an organization’s security operation toward MTTD (mean time to detect) /MTTR (mean time to response) reductions.

SOC- Sec model

Security Operations Maturity Model Levels

The security operations model comprises the stages that define a complete threat life cycle management, from prevention to detection and response and lesson-learned analysis to improve an organization’s security posture.

The following table describes each level for the endpoint security, identifying the critical technological and workflow/process functions that should be implemented at each level.

Level 0 - MINIMAL

  1. Prevention-oriented (firewalls, antivirus, etc. in place) and reactive defense approach.
  2. Technology and functional silos.
  3. No formal incident detection and response process.
  4. Undefined or basic security policies.
  5. Blind to unknown and sophisticated threats using living-off-the-land attack techniques.

Level 1 - REACTIVE

  1. Minimal implementation of attack surface reduction practices: security controls’ health monitoring, vulnerability assessment, patch management, and detection of unprotected assets, among others.
  2. Log or event collection and retention, is primarily driven by compliance and audit requirements.
  3. No formal incident detection and response process.
  4. Blind to unknown and sophisticated threats using living-off-the-land attack techniques.
  5. Lack of technologies that identify suspicious activity in a consistent and recurrent way.


  1. Endpoint detection response (EDR) and network detection and response (NDR) solutions in place with minimal integration, working in silos.
  2. Strong and mature security policies deployed with pre-defined configuration templates to avoid human errors.
  3. Minimal log data and security event centralization in case of a data breach, with priority for servers and critical assets.
  4. Lack of people and processes for effective alert evaluation and prioritization.
  5. More resilient to cybercriminals, except those leveraging unknown, sophisticated attacks targeting blind spots, such as unprotected endpoints.

Level 3 – MANAGED

  1. Have established a basic yet formal process for continuous monitoring, behavioral analytics for anomaly detection, and containment of threats lurking in the environment through advanced EDR/NDR security solutions.
  2. Holistic log data and security event centralization.
  3. IoC-based threat intelligence integrated into analytics and workflow.
  4. Security analytics to detect known threat TTP (tactic, technique, and procedure).
  5. Basic MTTD/MTTR operational metrics.


  1. Holistic log data and events centralization with enough retention time to investigate advanced persistence threats.
  2. Cross-organizational case management, collaboration, and automation.
  3. Industry-specific IOC- and TTP-based threat intelligence integrated into security controls and workflows.
  4. Advanced security analytics for anomaly detection through AI/ML-based behavioral led by SOC experts.
  5. Established and documented investigation and response processes with playbooks, lessons learned, and continuous improvement of SOC processes and tools.
  6. 24/7 in-house or SOCaaS, including SOC analysts, responders, and hunters.
  7. Advanced MTTD/MTTR operational metrics and historical trending.

Organizations without skilled security personnel should work with an experienced managed security provider (MSP) that has made the capital investments necessary to help them level up with qualified staff. Of course, organizations can also build their own modern SOC if they have the resources and experienced people to get there.

Download and learn more about modern SOC, MDR services, and the Security Operations Maturity model in the following e-books: Modern SOCs and MDR services: what they are and why they matter and Empowering the SOC: Security Operations Maturity Model, and don't miss our series of articles:

Share this: