Gartner Research

How to Start Your Threat Detection and Response Practice

Published: 30 May 2018

ID: G00349155

Analyst(s): Anton Chuvakin , Augusto Barros


Many organizations need to move beyond simple threat prevention and want to start their threat detection and response practices. This research helps technical professionals focused on security to effectively put together the processes, tools and skills required to start performing those activities.

Table Of Contents

Problem Statement

The Gartner Approach

The Guidance Framework

  • Prework
    • Justify Detection and Response Efforts
    • Gather Prerequisites
  • Perform a Threat Assessment
    • Is Your First Threat Assessment Flat?
    • Stepping Up to the Next Level
  • Perform a Gap Assessment
    • Basic Detection and Response Reference Architecture
    • Detection and Response Technologies Menu
    • Detection and Response Processes List
  • Choose the Principal Approach
    • Choose Today
    • Evolve Tomorrow
    • Choose MSSP/MDR by Default, Unless …
    • In Any Arrangement, Incident Response Stays In-House
    • What About the Tools?
    • Framing the Main Approach
  • Develop Roadmap and Timeline
    • Get Required Controls
    • Match Project to Gaps
    • Validate Foundations
    • Defining Roadmap Stages
    • Commit to a Development Timeline
  • Start Initial Projects
    • Hiring Resources
    • Organizational Structure and Relationships
    • Defining Projects Success Factors
    • Managing Residual Risk
  • Measure Results
  • Review and Refine the Plan
    • Act With Awareness of the Continuous Nature of Detection and Response
    • Perform On-Event Review
    • The Revised Plan

Risks and Pitfalls

  • No Commitment, No Results
  • Tools Don't Do Threat Detection, People Do
  • Outsource Before Thinking, Failure Looms Large
  • Threat-Oblivious Approaches to Threat Detection Do Not Work
  • Setting the Roadmap in Stone
  • Related Guidance

Gartner Recommended Reading

©2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.

Already have a Gartner Account?

Become a client

Learn how to access this content as a Gartner client.