Prophet Security will be at RSA 2026. Stop by the booth or meet us 1:1.
-min.webp)
Most SOCs still report on MTTR, alert volume, and MTTA. These metrics are familiar, and they made sense when analyst time was the primary bottleneck. But when AI takes over triage and investigation, the bottleneck moves. The old speedometers start measuring the wrong things.
That doesn’t mean you should throw legacy metrics out. It's a case for adding five new ones that only become relevant once AI is doing real work in your SOC.
In a traditional SOC, investigation coverage isn't really a metric because the answer is always the same: you investigate what you can and hope the rest doesn't matter. A five-person team handling 500 alerts a day might give full investigative attention to 100 of them. The rest get quick triage at best, bulk-acknowledged at worst. Everyone knows this. Nobody tracks it because the number is depressing and there was no way to change it.
AI changes the denominator. The question becomes: of all the alert sources in your environment, how many are actually being investigated by the AI? And of the remainder, how many still require full human investigation with no AI assistance at all?
This is primarily an integration and scope metric. An AI SOC analyst can only investigate alerts from sources it's connected to. If your AI covers your SIEM and EDR but not your identity provider or cloud workload alerts, you have coverage gaps that map directly to risk gaps.
Tracking the ratio of AI-investigated alerts to human-only alerts gives you a concrete way to measure ROI expansion over time. Greater coverage means less analyst fatigue, more consistent investigation quality, and better return on the AI investment. It also gives you a natural maturity roadmap: each new integration you onboard shifts alerts from the human-only column to the AI column.
{{ebook-cta}}
MTTR is a black box. It crams detection, triage, investigation, and response into a single number. A team might report a 15-minute MTTR but spend 12 of those minutes manually copying indicators between consoles and waiting for enrichment queries to return. That gap between an alert firing and an analyst actually having enough data to make a call is what matters, and standard MTTR doesn't surface it.
Time-to-context (TTC) measures how long it takes for a complete investigative picture to exist: identity data, asset context, threat intel, historical activity, peer comparisons. In an AI-driven SOC, this should approach zero. The AI gathers and correlates context the moment an alert fires, before any human touches it.
If your TTC is still measured in minutes after deploying AI, something is wrong. Usually it means the AI is connected to your alert source but lacks access to the enrichment sources it needs: your identity provider, asset inventory, or threat intel feeds. TTC is the metric that tells you whether analysts are still acting as the integration layer between your tools, which is the exact problem AI is supposed to eliminate.
Every AI SOC solution will tell you what percentage of alerts it resolves autonomously. That number is easy to inflate and meaningless on its own. An AI that closes 80% of alerts but gets 15% of those wrong is a liability, not an asset.
The metric that matters is verified disposition accuracy: of the alerts the AI resolved without human intervention, what percentage were resolved correctly? This requires a QA process, sampling closed alerts and validating the AI's conclusions against what a human analyst would have determined. Without this validation loop, your AI's autonomy rate is just a vanity metric.
Pair this with escalation accuracy: when the AI does send an alert to a human, how often is it a genuine true positive? Low escalation accuracy usually points to an enrichment problem, not a model problem. The AI lacks sufficient context to make a confident determination, so it escalates as a hedge. Tracking both numbers together tells you whether the AI is genuinely good at its job or just good at passing work along.
Rules degrade. Threat actors evolve their techniques, infrastructure rotates, and the behavioral patterns a rule was written to catch six months ago may no longer match anything an attacker actually does. This has always been true, but in a traditional SOC it's hard to prioritize detection maintenance when the team is buried in triage.
Detection staleness measures the median time since each rule was last validated, tuned, or confirmed to still match real-world attack behavior. In an AI-driven SOC, this metric becomes both more trackable and more important. More trackable because AI-generated investigation data creates a feedback loop: you can see which rules are generating alerts that consistently turn out to be benign, which rules never fire at all, and which rules are catching activity that no longer maps to current threat campaigns. More important because the capacity AI frees up should flow back into detection engineering. If your AI is handling triage but your detection logic is six months stale, you're running fast on outdated assumptions.
Track the age distribution of your detection rules and flag anything that hasn't been reviewed against current threat intelligence within a defined window. The specific window depends on your environment, but if a significant portion of your rules haven't been touched in 90 days, that's a leading indicator of coverage decay.
Speed metrics without quality control are just an incentive to game the system. A fast MTTR paired with a rising false negative rate means you're getting faster at making mistakes.
Quality-adjusted resolution means auditing a sample of resolved alerts, especially high-severity ones, to verify they were handled correctly regardless of how quickly the ticket was closed. In a human-only SOC, this kind of QA is expensive because investigation notes are inconsistent, context is scattered across tools, and reconstructing what an analyst actually did requires interviewing the analyst.
In an AI-driven SOC, the audit trail comes for free. The AI documents every step of its investigation: what data it gathered, what it correlated, what logic led to its conclusion. This makes systematic QA feasible in a way it never was before. You can review not just whether the disposition was correct, but whether the investigation was thorough, whether the right enrichment sources were consulted, and whether the reasoning holds up.
Build QA into your operating rhythm rather than treating it as an occasional audit. Sample across severity levels, across alert types, and across both AI-resolved and human-resolved alerts. The goal is a consistent quality baseline that doesn't degrade as volume increases.
Moving to an AI-driven SOC changes the capacity equation, but it also changes what you should be paying attention to. If you keep measuring the same things you measured before, you'll optimize for the wrong outcomes. Investigation coverage tells you how much of your environment the AI is actually reaching. Time-to-context tells you whether the AI is doing its core job. Disposition accuracy tells you whether you can trust it. Detection staleness tells you whether the capacity AI frees up is going somewhere useful. And quality-adjusted resolution tells you whether speed is coming at the expense of correctness.
None of these replace MTTR or alert volume. They sit alongside them and fill in the picture that legacy metrics were never designed to provide.
The SOC is a queueing system. This eBook walks through the metrics that tell you whether yours is healthy
.png)
.svg)
-min.avif)
-min.avif)
