Stage 1 of the SOAR Adoption Maturity Model

Characteristics of an organization in the Mostly Reactive and Highly Manual stage

At stage 1, the organization doesn’t have the personnel or processes to support investigations or the organization has very basic processes in place. Employees need assistance to quickly evaluate risk to the environment, and to block and remove the risk.

The SOC at this stage might be described as ad hoc, security as an additional duty, distributed SOC, or managed SOC. The chief information security officer (CISO) has a capable security team that does their own engineering. They have a security architect or SOC manager to manage incidents and build a security ecosystem. The SOC is usually supported by a managed security service provider (MSSP) for level 1-2 alerts and contracts with an incident responder for severe incidents. Analysts struggle with getting through critical alerts. High, medium alerts/notables are not being worked.

How to advance past this stage

The end goal of stage one is to help you automate the most basic, repetitive tasks by using apps and playbooks. The main value of this stage is the ability to scale and work faster on the following processes:

• Alert investigation and triage
• Initial blocking and quarantining
• System reimagining through corporate ticket management
• Basic enrichment