
Metrics That Matter: A Practical Framework to SOC Metric Altitudes

The second in a series of security risk articles by Craig Jones, chief security officer, Ontinue

Our second article in Ontinue’s security risk series dives deeper into the concept of Metric Altitudes, first introduced in Security Theatre: Busy Metrics in the SOC are a Great Show, but Terrible Defense. Using noisy metrics to showcase the success of Security Operations Centers (SOCs) may look impressive, but it is a dangerous and illusory measurement practice.

Metric Altitudes is a framework we developed to categorize 100% of our SOC metrics against specific target audiences, giving key stakeholders a clear and accurate understanding of their defensive position across the entire detection and response lifecycle – and, crucially, quantifying the impact of evolving artificial intelligence (AI) on SOC efficacy.

As described in our white paper, Cutting Through Hype (page 4), only about 3% of alerts in a “quiet,” strategic SOC should stand out as requiring immediate action. But this doesn’t mean the remaining 97% are redundant. Quite the opposite. In fact, each of the remaining 97% of alerts has a distinct meaning, action, and audience needed to properly understand and address it.

Fundamentals: Categorizing Security Theatres into Metric Altitudes

Many security teams struggle with metrics that are either too abstract for decision-making or too tactical to demonstrate business value. Metrics aren’t designed to create impressive dashboards or justify technology purchases or jobs with vanity numbers. They’re built to measure real operational outcomes: faster detection, higher-quality investigations, reduced CISO burden, and demonstrable risk reduction. Every one of the hundreds of metrics in Ontinue’s library (now available) ties back to one of four fundamentals of security operations:

  • Speed
  • Quality
  • Governance
  • Business impact

Additionally, each metric includes:

  • Calculation methods
  • The exact measurement points needed from specific, existing systems

What makes our approach to Metric Altitudes uniquely practical is that it doesn’t just define what to measure, it explains how to measure it.

This also transforms abstract concepts like Mean Time to Investigate (MTTI) into concrete data collection requirements (for example: alert_created_time, validated_time, and the timestamps in between).

The library distinguishes between:

  • Baseline measurement points – what traditional SOCs can track today
  • AI-instrumented measurement points – additional telemetry needed to understand AI’s contribution

This dual-track system lets organizations measure AI impact through direct comparison, rather than assumption.

Built for Every Stakeholder

Metric Altitudes recognize a fundamental truth: different audiences need different views of security performance. For example:

  • Board members/CEOs care about strategic outcomes and risk reduction.
  • CISOs need operational insights into service quality and continuous improvement.
  • Security managers require tactical metrics to optimize workflows and resource allocation.

The library maps more than 100 metrics across three “altitude levels,” clearly identifying which metrics matter to which audience:

  1. Strategic
  2. Operational
  3. Tactical

This ensures boards aren’t drowning in tactical details while frontline managers get the visibility they need to defend against actual cyberattacks in progress (versus repeatedly responding to rote daily alerts).

Let’s take a closer look at the three levels and the key metrics* that matter for each.

*Note: actual metrics are linked here as a separate article.

1. Board Level/CEO Level (The 30,000-Foot View)

At the board and CEO level, cybersecurity metrics must measure risk avoidance, including reputation maintenance and return-on-investment (ROI) impact, rather than visibility into individual alerts or investigation workflows. Boards need clear data showing that the organization is reducing exposure to major cyber events, protecting shareholder value, and ensuring security investments are delivering effective outcomes.

Effective board and CEO level metrics should answer four fundamental questions: How exposed are we? Are we improving? Are we investing in the right controls? How much budget is needed to close any gaps?

The below metric examples will help boards and CEOs understand cybersecurity as a business resilience function, rather than a purely technical discipline.

Key metrics to measure include:

  • Financial Risk Exposure: Estimated dollar impact from different types of threat scenarios compared quarter-over-quarter.
  • Cyber Insurance Readiness: Status of critical controls required for policy renewals or improved coverage terms.
  • Industry Benchmarking: Comparison of key defensive indicators, such as Mean Time to Contain (MTTC), against peer organizations in the same sector.
  • Strategic ROI: Percentage of the security budget and operations automated and augmented by Agentic AI, showing tangible efficiencies that also improve defenses.

2. CISO Level (The 10,000-Foot View)

Since CISOs operate at the intersection of strategy and execution, metrics at this altitude must provide clear visibility into how effectively a security program is functioning, where bottlenecks exist, and where additional investment or process changes are needed.

Metrics address operational health, compliance issues, security program maturity, and continuous improvement. This enables CISOs to answer key operational questions such as: Are our defenses improving? Where is risk accumulating? Which controls are underperforming?

The below indicators help CISOs allocate resources effectively, justify investment decisions, and demonstrate program progress to executive leadership.

Key metrics to measure include:

  • Program Maturity Score: Progress against established frameworks such as NIST CSF or ISO 27001.
  • Critical Vulnerability Burn-down: Average time required to remediate “Critical” vulnerabilities versus “High” severity findings.
  • Security Debt: Percentage of assets lacking core controls, such as endpoint detection, identity protection, or logging coverage.
  • Incident Impact Summary: Aggregate downtime, operational disruption, or financial impact resulting from security incidents.

3. SOC Analyst Level (The Ground View)

At the operational front line, SOC analysts require metrics that reflect immediate defensive performance. This information helps defenders understand whether investigations are progressing quickly enough, whether automation is absorbing noise, and whether the team is containing genuine threats before they escalate.

Unlike executive metrics, these measurements must be accurate, fast, and directly tied to daily workflows, providing clear visibility into immediate action that is needed 24/7. They also allow defenders to continuously refine detection logic, investigation workflows, and automation strategies.

Key metrics to measure include:

  • Active High-Severity Incidents: Real-time count of threats currently under investigation or containment.
  • AI Autonomy Rate: Percentage of alerts fully resolved by AI agents without requiring human intervention.
  • False Positive Suppression Rate: Volume of benign alerts automatically suppressed through tuning and automation.
  • Mean Time to Triage (MTTT): Time from alert generation to the first investigative action by the SOC.
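As an added illustration (not code from Ontinue’s metric library), the following Python computes the ground-view metrics above from per-alert measurement points, using the alert_created_time and validated_time fields named earlier for MTTI and splitting MTTT by an AI-instrumented flag to show the baseline-versus-AI comparison. The field names first_action_time, ai_handled and human_intervened, and the sample alert window, are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    severity: str                           # "low" | "medium" | "high" | "critical"
    alert_created_time: datetime            # baseline measurement point
    first_action_time: Optional[datetime]   # baseline: first investigative action (MTTT)
    validated_time: Optional[datetime]      # baseline: investigation validated (MTTI)
    status: str                             # "open" | "closed" | "suppressed"
    ai_handled: bool = False                # AI-instrumented (assumed): an agent worked the alert
    human_intervened: bool = False          # AI-instrumented (assumed): an analyst had to step in

def _mean_minutes(alerts, end_attr):
    """Mean minutes from alert_created_time to the named measurement point."""
    deltas = [(getattr(a, end_attr) - a.alert_created_time).total_seconds() / 60
              for a in alerts if getattr(a, end_attr) is not None]
    return round(mean(deltas), 1) if deltas else None

def tactical_metrics(alerts):
    """Ground-view (SOC analyst) metrics over one reporting window."""
    worked = [a for a in alerts if a.status != "suppressed"]
    suppressed = [a for a in alerts if a.status == "suppressed"]
    autonomous = [a for a in worked if a.ai_handled and not a.human_intervened]
    return {
        "active_high_severity": sum(1 for a in worked
                                    if a.status == "open" and a.severity in ("high", "critical")),
        "mttt_minutes": _mean_minutes(worked, "first_action_time"),
        "mtti_minutes": _mean_minutes(worked, "validated_time"),
        "ai_autonomy_rate_pct": round(100 * len(autonomous) / len(worked), 1) if worked else 0.0,
        "fp_suppressed_count": len(suppressed),
        "fp_suppression_rate_pct": round(100 * len(suppressed) / len(alerts), 1) if alerts else 0.0,
        # dual-track comparison: the same baseline metric, split by the AI-instrumented flag
        "mttt_ai_minutes": _mean_minutes([a for a in worked if a.ai_handled], "first_action_time"),
        "mttt_human_minutes": _mean_minutes([a for a in worked if not a.ai_handled], "first_action_time"),
    }

m = lambda n: datetime(2024, 1, 1, 9, 0) + timedelta(minutes=n)
SAMPLE_ALERTS = [  # constructed sample window, not real telemetry
    Alert("A1", "high", m(0), m(2), m(10), "closed", ai_handled=True),
    Alert("A2", "critical", m(5), m(35), m(95), "open", human_intervened=True),
    Alert("A3", "low", m(10), None, None, "suppressed"),
    Alert("A4", "medium", m(20), m(24), m(40), "closed", ai_handled=True, human_intervened=True),
    Alert("A5", "low", m(30), None, None, "suppressed"),
]
```

Calling tactical_metrics(SAMPLE_ALERTS) returns the dashboard values for the window; suppressed alerts are excluded from the timing and autonomy figures but counted in the suppression rate.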

*In addition to using this article as a guide for determining and assigning Metric Altitudes, we’ve collated Ontinue’s library into a Metric Altitudes Framework.


Article By

Craig Jones

Chief Security Officer

Craig Jones oversees Ontinue’s global network of Security Operations Centers (SOCs). His role includes managing and optimizing the teams responsible for security monitoring, incident response, and threat detection across the company’s four SOCs. Previously, Craig was the Vice President of Security Operations at Ontinue. Before joining Ontinue, Craig spent eight years at Sophos, where he rose to Senior Director of Global Security Operations. At Sophos, Craig was responsible for the operational aspects of the company’s worldwide security program, ensuring that the organization’s global security infrastructure was robust and scalable.

Craig is a well-regarded expert in the field of cybersecurity, holding certifications such as GCIH and CISSP. He is actively involved in the cybersecurity community, volunteering as director of BSides Cymru/Wales since 2019 and frequently speaking at industry events. His thought leadership covers topics like incident response, SOC automation, threat intelligence, and SIEM. Craig earned a bachelor’s degree in Information Technology from the University of South Wales.