Gartner Blog Network


Our “How to Plan, Design, Operate and Evolve a SOC” Paper Is Published

by Anton Chuvakin  |  October 25, 2016  |  4 Comments

As Augusto already mentioned, our SOC paper is out. Run, not walk, to read our “How to Plan, Design, Operate and Evolve a SOC” (Gartner GTP access required). The abstract states “Technical professionals pursuing a more mature security practice may decide to centralize all or part of those activities into a SOC. This guidance presents security architects with a structured approach to plan, establish and efficiently operate a modern SOC.”

Select fun quotes follow below (check our Augusto blog for more quotes):

  • “Foundational security processes (such as IR or alert triage) maturity must be in place for the SOC to function properly. If you don’t have them, build them alongside the first phase of the SOC implementation project [or suffer the consequences – A.C.].”
  • “When creating a business case for SOC, plan for initial and ongoing proof of value, focusing on preventing decay of the SOC effectiveness [a sadly common occurence – A.C.] Build metrics from the start, to establish a baseline and have the ability to answer the question “are we getting better?””
  • “One of the challenges that plague organizations [SOCs] that purchased many security tools is making the set of tools into a coherent whole. Having to check diverse tools in a disjointed manner saps analyst efficiency and allows threats to slip in and survive in the environment undetected.”
  • “One organization treats Level 1 through Level 3 analysts not as seniority but as equally important but different skill sets (along the lines of activity detection, early triage, final triage) and rotates analysts between levels over time. They reported higher job satisfaction and effectiveness […]”
  • “It often takes between 18 and 24 months to establish a full “physical” SOC of reasonable operational maturity.”

My recent webinar “Design a Modern Security Operation Center (SOC)” recording can be found here (and I will post the Q&A here soon). This is a way to get a tiny glimpse of this research without being a GTP client.

BTW, our 2016 update to the threat intelligence paper (“How to Collect, Refine, Utilize and Create Threat Intelligence”) has published as well. Read it, but keep in mind that this was a minor update with a lot of the original content left in place after review.

Blog posts related to the SOC research topic:

Other blog posts announcing paper publications:

Category: monitoring  security  soc  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Our “How to Plan, Design, Operate and Evolve a SOC” Paper Is Published


  1. […] Our “How to Plan, Design, Operate and Evolve a SOC” Paper Is Published […]

  2. Levon Bolibekyan says:

    Hello Anton,

    Would you please inform if this paper is available only for Gartner clients or I can read it just being registered as well ? The same question is related to premium research paper “Blueprint for Mitigating DDoS Attacks and Protecting Data Centers and Hybrid Cloud”. May be it is because of its archived state ?

    Thanks in advance.

    Levon Bolibekyan

  3. […] Our “How to Plan, Design, Operate and Evolve a SOC” Paper Is Published […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.