Gartner Blog Network


About The Tri-Team Model of SOC, CIRT, “Threat Something”

by Anton Chuvakin  |  July 7, 2016  |  2 Comments

From the clients with THE MOST mature security operations, we learn the so-called “tri-team” model for detection and response:

  1. SOC – primarily monitoring and threat detection in near real-time, and of course alert triage.
  2. CSIRT – security incident response
  3. “Threat something” (no standard name: we heard “theat fusion center”, “threat management center’’”, “threat intelligence team” and many others)profile threat actors, organize and refine threat intelligence, create internal intel, hunt, etc [in a few cases, in fact, the intel creation and hunting teams were separate too, or hunting was with the CSIRT above]

This model allows for a clean, logical separation – but also collaboration! – between detection/monitoring, response and intelligence functions. It also seems to align well with the skills of the analysts hired for each function (e.g. ex-intel agency people fit into #3). Of course, there are many, many tricks to making it work in real life, and having a 9-digit security budget helps a lot too….

P.S. This post is clearly for:

sec ops maturity-marker hi

Blog posts related to threat intelligence:

Category: security  soc  threat-intelligence  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on About The Tri-Team Model of SOC, CIRT, “Threat Something”


  1. Joe Oney says:

    Anton, I agree with this setup, but one aspect that has to be completely flushed out is a formal communication channel like an ISAC, not just between the holy trinity setup you’ve proposed, but also with the internal customers of the business.

    • Thanks for the comment. In this model, the “threat team” is the most likely part that interacts with ISACs and sharing communities, but of course all teams benefit from that.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.