Measuring SOC capability & maturity


Welcome to the SOC-CMM site. The SOC-CMM is a capability maturity model and self-assessment tool for Security Operations Centers (SOCs). The model is based on solid research into the characteristics of SOCs and verified with actual SOCs. This research has focused on the creation of a model, but also on the creation of a self-assessment tool that can be used to determine strengths and weaknesses of the SOC based on capability and maturity scoring.

SOC-CMM Maturity Results
Navigate using the tabs to learn more about the SOC-CMM. Also, you can proceed directly to the downloads section to download the self-assessment tool and start to measure and improve your Security Operations Center. Use the contact page in case of questions or comments about the SOC-CMM.



The SOC-CMM model was created by evaluating scientific and non-scientific literature to determine characteristics and features of SOCs, such as specific technologies or processes. These characteristics and features were then aggregated into respective domains. Then, a survey was held among SOCs to determine the existence of identified theoretical elements in practical situations. The outcome of that survey, combined with the initial literature review and augmented with literature review on maturity models was used to create the SOC-CMM model. The model is shown below.

SOC-CMM Maturity Model

The model consists of 5 domains and 21 aspects. The domains 'Business', 'People' and 'Process' are evaluated for maturity only (blue colour), the domains 'Technology' and 'Services' are evaluated for both maturity and capability (purple colour).

Previous | Next


Maturity is defined as an "evolutionary plateau for organizational process improvement" and provides a means for an organisation to assess and organisational element and to "characterize its performance" (source: CMMI for Services).

The SOC-CMM uses several maturity stages that are loosely based on the CMMI. These stages are characterised as follows:

In contrary to the CMMI, the SOC-CMM is a continuous maturity model. Thus, the maturity stages do not have the pre-requisite that all elements must be executed at a specified level before that level is formally reached. Instead, improvement is continuous and can be done on all aspects simultaneously and independently. The optimal maturity level for your SOC depends on the effort required to move towards a higher maturity level, the effort required to maintain that maturity level and the importance of moving towards that maturity level for the aspect under evaluation.

Previous | Next


The SOC-CMM uses a continuous approach to measuring capability across the technology and services domains. These 2 domains were selected because they express capabilities as features of implementation. These can be technical features, such as the existence of certain tooling options or other features such as service artefacts or even facilities. Each capability can be scored individually using a 5-point grading system to granularly determine the exact capability level for the aspect under evaluation.

SOC-CMM Capability Scoring

Just like with maturity scoring, capability scoring is continuous. However, where the SOC-CMM supports 6 maturity levels (including non-existent), only 4 capability levels exist. These levels are:

Capabilities can be expressed at any maturity level. Thus, capabilities do not depend on maturity levels and can be improved independently.

Previous | Next


The methodology used to create the SOC-CMM is a scientific research approach called Design Science Research. This type of research has a focus on bridging the gap between theory and practice and works well for areas that have not been extensively (scientifically) studied and clearly defined, as is the case for SOC capability and maturity. The Design Science Research approach focuses on design and validation of design through iterative testing. For a short introduction on the methodology, see the Wikipedia page on Design Science Research.

The goal of Design Research is the creation of an artefact, which is a more or less tangible results of the research effort. In this case, two artefacts were created: the SOC-CMM model, which is an abstract representation of SOCs and the self-assessment tool based on that model to evaluate capability maturity in a SOC.

This self-assessment tool (the SOC-CMM) is available in the downloads section of this page, the thesis describing the research approach in detail can be downloaded from the LTU publication portal.

Previous | Next


For the creation of the SOC-CMM, scientific and non-scientific literature was used to identify elements in the SOC. This information was then validated using a survey with actual SOCs. Some of the publically available resources that were used in the research are listed below for further reading and inspiration: