A new global Kaspersky Security Services report ‘Anatomy of a Cyber World’* reveals a blind spot in enterprise Security Operations Centers (SOCs): while performance is typically measured by detection and response speed, organisations rarely assess whether they’re detecting the right threats. Large portions of collected telemetry don’t enter real-time detection pipelines, creating hidden gaps that internal assessments tend to miss – and fuelling demand for independent SOC Consulting to uncover them.
As organisations continue to invest in SOCs, measuring the real performance of these departments remains a challenge. Operational effectiveness depends not only on the volume of collected data, but on how well that data is used for detection. According to a recent Kaspersky global survey, organisations typically evaluate SOC effectiveness through a limited set of key performance indicators: mean time to respond (MTTR) and mean time to detect (MTTD) dominate the picture, while deeper indicators like false positive rates or cost per incident remain secondary. The real question is not just how fast the SOC responds, but whether it is detecting threats before they escalate.
The findings from the Kaspersky Security Services Global Report tell a consistent story: most SOCs are collecting far more data than they are using for detection. The mean correlation rule coverage across assessed organisations stands at 43%, meaning that on average, active detection logic covers less than half of all ingested data sources. The rest sits in the platform, available for retrospective investigation, threat hunting, or compliance purposes, but invisible to real-time detection.














