Chapter 14 Quiz: Operating Model, Staffing, and SLAs
Test your knowledge of SOC operating models, staffing strategies, SLA frameworks, and career development.
Questions
1. An organization runs a SOC from 08:00–20:00 on weekdays only. Which coverage model does this represent?
- A) Follow-the-sun
- B) 8×5
- C) 16×5
- D) 24×7
Answer
C — 16×5
16×5 means 16 hours of coverage per day, 5 days per week (weekdays only). 8×5 would be business hours only. 24×7 is full coverage. Follow-the-sun uses geographically distributed teams to provide 24×7 coverage without requiring overnight shifts.
2. What is the primary advantage of a follow-the-sun SOC model compared to a 24×7 single-location model?
- A) Lower total staff count
- B) Analysts work normal business hours in their time zone, reducing burnout
- C) Faster detection times due to global threat intelligence
- D) Easier to comply with data sovereignty regulations
Answer
B — Analysts work normal business hours in their time zone, reducing burnout
The primary human benefit of follow-the-sun is eliminating overnight shifts. Each regional team covers its own business hours and hands off to the next region. It typically requires MORE total staff than a single-location model, not fewer.
3. Which metric is used to track how long an analyst spends investigating a single alert (from acknowledgment to triage decision)?
- A) MTTD
- B) MTTR
- C) MTTI
- D) Alert throughput
Answer
C — MTTI (Mean Time to Investigate)
MTTI = Average(Decision Timestamp - Acknowledgment Timestamp). It measures investigation efficiency. MTTD is attack-to-detection; MTTR is detection-to-resolution; alert throughput measures volume processed.
4. A SOC handles 400 alerts per day with 6 Tier 1 analysts. Each analyst can process approximately 25 alerts per day at quality standards. What is the approximate capacity utilization?
- A) 150% (over capacity)
- B) 267% (over capacity)
- C) 100% (at capacity)
- D) 60% (under capacity)
Answer
B — 267% (over capacity)
Capacity = 6 analysts × 25 alerts/day = 150 alerts/day. Volume = 400 alerts/day. Utilization = 400/150 = 267%. This SOC is severely over capacity, which will lead to SLA misses, analyst burnout, and quality degradation.
5. Under which SOC operating model does the organization retain full control over all tools, data, and processes, but requires the highest staffing investment?
- A) Fully outsourced MSSP
- B) Co-managed (hybrid) MSSP
- C) In-house (internal) SOC
- D) Virtual SOC
Answer
C — In-house (internal) SOC
In-house SOCs provide maximum control, customization, and institutional knowledge retention but require the highest staffing investment (24×7 coverage across all roles). MSSPs trade control for cost efficiency.
6. What is the primary risk of measuring analyst performance using alert closure rate as the primary KPI?
- A) It under-counts the number of real threats
- B) It incentivizes analysts to close alerts quickly without quality investigation
- C) It does not account for analyst specialization
- D) It cannot be calculated automatically
Answer
B — It incentivizes analysts to close alerts quickly without quality investigation
When closure rate is the primary metric, analysts are rewarded for speed, not accuracy. This creates pressure to close alerts as false positives (FP) to meet throughput targets — a classic Goodhart's Law failure mode. Real threats may be dismissed to improve the metric.
7. Which role is typically responsible for SOAR playbook development and automation logic?
- A) Tier 1 Analyst
- B) Detection Engineer
- C) SOC Manager
- D) Threat Intelligence Analyst
Answer
B — Detection Engineer
Detection Engineers (sometimes called Security Engineers) build and maintain both detection rules and automation/SOAR logic. Tier 1 analysts execute playbooks. Threat Intelligence Analysts focus on intelligence production. SOC Managers focus on operations and people.
8. A SOC team has one analyst who is the sole owner of the cloud detection domain. When this analyst takes leave, the team has no coverage for cloud threats. Which risk category does this represent?
- A) Tool availability risk
- B) Staff dependency risk
- C) Detection gap risk
- D) Compliance gap risk
Answer
B — Staff dependency risk
Staff dependency risk occurs when a single person owns a critical function with no backup or cross-training. The typical response is cross-training and documentation. This is a frequent finding in smaller SOC teams.
9. Which of the following correctly describes the career path progression for a typical SOC analyst?
- A) Tier 1 → Threat Intelligence → Tier 2 → Detection Engineer → SOC Manager
- B) Tier 1 → Tier 2 → Tier 3/Specialist → Senior Engineer/Manager
- C) Detection Engineer → Tier 1 → Tier 2 → SOC Manager
- D) All roles are at the same level; specialization determines progression
Answer
B — Tier 1 → Tier 2 → Tier 3/Specialist → Senior Engineer/Manager
The standard progression is: Tier 1 (alert triage) → Tier 2 (investigation/escalation) → Tier 3 (complex cases, IR lead) → specialization (Detection Engineer, CTI Analyst, etc.) → senior/management roles.
10. An SLA requires critical alerts to be acknowledged within 15 minutes. The SOC measures 78% compliance. Which action should the SOC manager prioritize?
- A) Adjust the SLA target to 30 minutes to improve compliance
- B) Investigate root causes: staffing levels, alert volume, queue management
- C) Report the 78% as "within acceptable range" and monitor next month
- D) Add a new monitoring dashboard without further investigation
Answer
B — Investigate root causes: staffing levels, alert volume, queue management
SLA misses are a symptom, not the root cause. The correct response is root cause analysis: Is the team understaffed? Is alert volume too high? Is the queue routing working correctly? Adjusting the SLA target (A) masks the problem rather than solving it.
Scoring
| Score | Performance |
|---|---|
| 9–10 | Expert — Ready to manage or advise on SOC operations |
| 7–8 | Proficient — Strong operational understanding |
| 5–6 | Developing — Review Chapter 14 coverage models and SLA sections |
| <5 | Foundational — Re-read Chapter 14 before proceeding |