I've been working to modernize our Cyber Security Operation Center (SOC) response time service level objectives (SLOs). Like many organizations, we've seen the "1 : 10 : 60" goal, which aims to have SOCs "detect" an event within 1 minute, "analyze" within 10 minutes, and "contain" within an hour. For a variety of reasons, we set less aggressive targets, aiming at 15/60/240 minutes for these objectives. Might other organizations be willing to share/discuss their actual SLOs and target objectives for SOC performance?

Executive Vice President, Chief Digital Officer & Head of Cybersecurity in IT Services, 2 years ago

For SOC services, looking at the criticality of operations, it is better to set very aggressive SLOs which are "1:5:30". This will help to contain actions against critical alerts and meet SOC performance objectives.

Chief Digital Officer in IT Services, 2 years ago

I have seen the “1:10:60” goal for improving SOC response times to be a popular target for many organizations. However, depending on your particular needs and resources, this target may not always be attainable. We have set less aggressive targets of 15/60/240 minutes for SOC performance, and these have worked for us in the past.
