
A new global Kaspersky Security Services report, “Anatomy of a Cyber World”‡, reveals a blind spot in enterprise security operations centres (SOCs): while performance is typically measured by detection and response speed, organisations rarely assess whether they’re detecting the right threats. Large portions of collected telemetry never enter real-time detection pipelines, creating hidden gaps that internal assessments tend to miss – and fuelling demand for independent SOC consulting to uncover them.
As organisations continue to invest in SOCs, measuring the real performance of these departments remains a challenge. Operational effectiveness depends not only on the volume of data collected, but on how well that data is used for detection. According to a recent Kaspersky global survey, organisations typically evaluate SOC effectiveness through a narrow set of key performance indicators: mean time to respond (MTTR) and mean time to detect (MTTD) dominate, while deeper indicators such as false-positive rates or cost per incident remain secondary. The real question is not just how fast the SOC responds, but whether it is detecting threats before they escalate.
The findings tell a consistent story: most SOCs collect far more data than they use for detection. Mean correlation-rule coverage across assessed organisations stands at 43%, meaning that, on average, fewer than half of the ingested data sources are referenced by any active correlation rule; the remaining 57% of sources form a blind spot for real-time detection. Their data still sits in the platform, available for retrospective investigation, threat hunting or compliance, but invisible to real-time detection.
This gap is not always unintentional. Some data is deliberately collected outside the scope of active correlation, to serve investigation or regulatory needs – which is more typical of mature SOCs. In less mature environments, the data is often collected but never used at all. The reasons vary: sources onboarded ahead of planned rule development, compliance-driven collection with no active-correlation requirement, unclear ownership of detection logic and resource constraints that defer engineering work indefinitely. Either way, the result is the same: significant portions of the environment go effectively unmonitored in real time.
External SOC consulting
What makes this harder to solve is that the problem grows with the organisation. SOCs managing the highest data volumes cover only around 30% of their sources with active detection logic. As infrastructure expands, detection-engineering capacity rarely scales at the same pace. The sources most consistently left uncovered are network telemetry, databases and web servers – foundational infrastructure that should sit at the core of any detection strategy.
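The coverage figure above is straightforward to compute for your own SIEM, and doing so is the first step of the kind of assessment the report describes. The following is an added example, not code from the Kaspersky report or its tooling: it takes a constructed inventory of onboarded sources tagged Sigma-style (product / service / category) with rough daily event volumes, a constructed set of correlation rules with the same selectors, and reports coverage by source count, coverage by event volume, and the uncovered sources grouped by category. Source names, rule titles, tags and volumes are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Source:
    """One onboarded log source as the SIEM sees it (hypothetical fields)."""
    name: str
    category: str        # network / endpoint / database / web / identity
    logsource: dict      # Sigma-style tags: product / service / category
    daily_events: int    # rough ingest volume, for volume-weighted coverage


@dataclass
class Rule:
    """A correlation rule with a Sigma-style logsource selector."""
    title: str
    logsource: dict      # every key here must match the source's tags
    enabled: bool = True


def rule_covers(rule, source):
    """True when an enabled rule selects this source.

    A rule that is onboarded but switched off covers nothing, and an empty
    selector (which would match every source) is rejected rather than
    allowed to inflate the metric.
    """
    if not rule.enabled or not rule.logsource:
        return False
    return all(source.logsource.get(k) == v for k, v in rule.logsource.items())


def coverage_report(sources, rules):
    """Coverage by source count and by event volume, plus the gaps."""
    rules_per_source = {
        s.name: [r.title for r in rules if rule_covers(r, s)] for s in sources
    }
    covered = [s for s in sources if rules_per_source[s.name]]
    total_events = sum(s.daily_events for s in sources)
    covered_events = sum(s.daily_events for s in covered)
    uncovered = defaultdict(list)
    for s in sources:
        if not rules_per_source[s.name]:
            uncovered[s.category].append(s.name)
    return {
        "source_coverage_pct": round(100 * len(covered) / len(sources), 1),
        "event_coverage_pct": round(100 * covered_events / total_events, 1),
        "uncovered_by_category": dict(uncovered),
        "disabled_rules": [r.title for r in rules if not r.enabled],
        "rules_per_source": rules_per_source,
    }


# Constructed inventory: names, tags and volumes are illustrative only.
SOURCES = [
    Source("dc01-security", "endpoint", {"product": "windows", "service": "security"}, 5_000_000),
    Source("ws-sysmon", "endpoint", {"product": "windows", "category": "process_creation"}, 20_000_000),
    Source("core-fw", "network", {"product": "firewall", "category": "firewall"}, 50_000_000),
    Source("zeek-dns", "network", {"product": "zeek", "service": "dns"}, 30_000_000),
    Source("pg-prod-audit", "database", {"product": "postgresql", "service": "audit"}, 8_000_000),
    Source("nginx-edge", "web", {"product": "nginx", "category": "webserver"}, 15_000_000),
    Source("okta-system", "identity", {"product": "okta", "service": "okta"}, 1_000_000),
]

# Constructed rule set: three active rules, one onboarded but never enabled.
RULES = [
    Rule("Windows logon brute force", {"product": "windows", "service": "security"}),
    Rule("Suspicious child of Office process", {"product": "windows", "category": "process_creation"}),
    Rule("Okta MFA push fatigue", {"product": "okta", "service": "okta"}),
    Rule("DNS tunnelling via long TXT queries", {"product": "zeek", "service": "dns"}, enabled=False),
]


def build_report():
    return coverage_report(SOURCES, RULES)


if __name__ == "__main__":
    report = build_report()
    print(f"source coverage: {report['source_coverage_pct']}%")
    print(f"event-volume coverage: {report['event_coverage_pct']}%")
    for category, names in report["uncovered_by_category"].items():
        print(f"uncovered {category}: {', '.join(names)}")
    if report["disabled_rules"]:
        print("rules present but disabled:", "; ".join(report["disabled_rules"]))
```

Two design points matter in practice. First, the script reports coverage both by source count and by event volume, because the two diverge: in the constructed inventory three of seven sources are covered (about 43%), but those three carry only about a fifth of the daily events, since the high-volume network, web and database feeds are exactly the ones with no active rule, which mirrors the pattern described above for the largest SOCs. Second, a rule that exists in the platform but is disabled counts as no coverage, and the report lists such rules separately so that "onboarded ahead of rule development" does not masquerade as monitored.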
The approach to detection logic itself varies widely. Around 50% of assessed SOCs rely primarily on vendor-provided rule sets, while roughly 40% build their logic from scratch. Vendor-reliant teams frequently face elevated false-positive rates and coverage gaps from insufficient tuning; teams that lean mainly on EDR alerts carry blind spots wherever cross-source correlation is absent. Many organisations, meanwhile, fix their SOC’s detection scope at initial design and never revisit it, so blind spots accumulate silently as the infrastructure evolves.
“Even with defined KPIs in place, assessing SOC effectiveness internally remains difficult due to insider-view bias, which is why organisations are turning to external SOC consulting to evaluate detection logic, analyse event flows and simulate attacks to understand what is actually being caught. To improve, organisations should build a structured detection-engineering process: a repeatable discipline for developing, validating and regularly reviewing detection logic,” said Roman Nazarov, head of SOC consulting at Kaspersky.
To align internal processes and technologies with today’s evolving threat landscape, organisations can explore Kaspersky SOC Consulting, which helps build an in-house SOC from scratch, assess the maturity of an existing one or enhance specific capabilities such as detection and response procedures. In 2025, the most common consulting projects were SOC Technical Assessment (23.4%), SOC Framework Development (20%) and both SOC Maturity Assessment and SIEM Quality Assurance (11.7% each), reflecting growing demand for deeper visibility into SOC performance.
To learn more about SOC detection effectiveness and practical steps to strengthen your security monitoring, read the full report.
‡ “Anatomy of a Cyber World” is a comprehensive global report drawing on incident statistics from Kaspersky Managed Detection and Response, Kaspersky Incident Response, Kaspersky Compromise Assessment and Kaspersky SOC Consulting, shedding light on the most prevalent attacker tactics, techniques and tools, as well as the characteristics of detected incidents and their distribution across regions and industry sectors.
