# SOC Executive Dashboard
The SOC Executive Dashboard provides security leadership with a real-time operational overview of the Security Operations Center. It consolidates risk distribution, analyst performance, SLA compliance, and workload metrics into a single view — enabling data-driven decisions about team capacity, process effectiveness, and threat posture.
## Dashboard Overview

```mermaid
flowchart TD
A["Detection Sources<br><i>RhythmX Rules · ML · Correlation</i>"] --> B["SOC Metrics Engine"]
B --> C["Risk Distribution<br><i>Entity risk map</i>"]
B --> D["Analyst Performance<br><i>Resolution metrics</i>"]
B --> E["SLA Compliance<br><i>By severity tier</i>"]
B --> F["Workload Trends<br><i>Intake vs resolution</i>"]
C --> G["Executive Decisions<br><i>Staffing · Process · Priority</i>"]
D --> G
E --> G
F --> G
style A fill:#4a148c,stroke:#9c27b0,color:#fff
style B fill:#1a237e,stroke:#534bae,color:#fff
style C fill:#0d47a1,stroke:#42a5f5,color:#fff
style D fill:#00695c,stroke:#4db6ac,color:#fff
style E fill:#e65100,stroke:#ff9d3f,color:#fff
style F fill:#6a1b9a,stroke:#ab47bc,color:#fff
style G fill:#1b5e20,stroke:#4c8c4a,color:#fff
```
## KPI Cards
The dashboard header displays aggregate KPIs:
| KPI | Description |
|---|---|
| Total Incidents | Total incident count across all entities |
| Open Incidents | Incidents in OPEN or IN_PROGRESS status |
| Closed This Period | Incidents resolved in the selected time range |
| False Positive Rate | Percentage of incidents marked as false positives |
| Avg Resolution Time | Average time from incident creation to closure |
| SLA Compliance | Percentage of incidents resolved within SLA targets |
## Risk Distribution

### Entity Risk Map
A risk distribution chart showing the number of entities at each risk tier:
| Tier | Score Range | What It Means |
|---|---|---|
| Critical | 76–100 | Entities with active, sophisticated threats requiring immediate action |
| High | 51–75 | Entities with significant risk — prioritize for review |
| Medium | 26–50 | Moderate concern — standard workflow |
| Low | 0–25 | Minimal risk — routine monitoring |
Risk scores are calculated using the 7-factor composite risk model.
### Risk Trend
A time-series chart showing how the overall risk distribution shifts over the selected period. Rising critical/high counts indicate escalating threat activity; declining counts indicate effective response.
## Analyst Performance

### Resolution Metrics
| Metric | Description |
|---|---|
| Incidents Handled | Total incidents assigned and worked by each analyst |
| Avg Resolution Time | Mean time from assignment to closure per analyst |
| SLA Hit Rate | Percentage of assigned incidents resolved within SLA |
| False Positive Rate | Percentage of incidents an analyst marked as FP |
### Team Velocity
Tracks the rate at which the team resolves incidents compared to the rate at which new incidents are created:
- Intake rate — New incidents created per day/week
- Resolution rate — Incidents closed per day/week
- Backlog trend — Whether the queue is growing or shrinking
When the intake rate exceeds the resolution rate for sustained periods, this signals a capacity gap that may require additional staffing or process optimization.
## SLA Compliance
SLA targets are assigned based on incident severity:
| Severity | SLA Target | Threshold |
|---|---|---|
| Critical | 2 hours | Risk score ≥ 80 |
| High | 4 hours | Risk score 60–79 |
| Medium | 24 hours | Risk score 40–59 |
| Low | 48 hours | Risk score < 40 |
The dashboard displays compliance rates by severity tier, with visual indicators:
- On Track — Resolution within target
- At Risk — 75%+ of target time consumed
- Breached — Target exceeded before resolution
Trend charts show whether SLA compliance is improving or degrading over time, broken down by severity.
## Workload & Capacity

### Backlog Analysis
| Metric | Description |
|---|---|
| Current Backlog | Total open incidents not yet assigned or in progress |
| Aging Incidents | Incidents open beyond their SLA target |
| Days-to-Clear Projection | At current resolution rate, estimated days to clear the backlog |
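Team Velocity and the Days-to-Clear projection, worked as an added Python example (not the dashboard's own code): intake and resolution rates are averaged from daily counts over a window, the backlog trend follows from comparing them, and the projection divides the open backlog by the resolution rate. The date field names, the 7-day window and the sample incidents are constructed assumptions; the `net=True` variant, which also counts continuing intake, goes beyond the page's definition.

```python
from datetime import date, timedelta

def daily_counts(incidents, field, start, days):
    """Count incidents per day of the window by a date field (created_at / resolved_at)."""
    counts = [0] * days
    for inc in incidents:
        when = inc.get(field)
        if when is not None and 0 <= (when - start).days < days:
            counts[(when - start).days] += 1
    return counts

def velocity(incidents, start, days):
    """Intake and resolution rates (incidents per day, averaged over the window)
    plus the backlog trend described under Team Velocity."""
    intake_rate = sum(daily_counts(incidents, "created_at", start, days)) / days
    resolution_rate = sum(daily_counts(incidents, "resolved_at", start, days)) / days
    if intake_rate > resolution_rate:
        trend = "growing"      # sustained over time: capacity gap (staffing or process)
    elif intake_rate < resolution_rate:
        trend = "shrinking"
    else:
        trend = "flat"
    return {"intake_rate": intake_rate, "resolution_rate": resolution_rate, "backlog_trend": trend}

def days_to_clear(backlog, intake_rate, resolution_rate, net=False):
    """Days-to-Clear projection. net=False is the dashboard's definition (backlog at the
    current resolution rate); net=True (an assumption added here) subtracts continuing
    intake and returns None when the backlog would never clear."""
    if backlog == 0:
        return 0.0
    rate = resolution_rate - intake_rate if net else resolution_rate
    return backlog / rate if rate > 0 else None

# Constructed sample: (created day offset, resolved day offset or None) over a 7-day window.
START, DAYS = date(2024, 5, 1), 7
SAMPLE = [(0, 1), (0, 2), (0, None), (1, 1), (1, 3), (2, 4), (2, None), (2, None),
          (3, 5), (3, None), (4, 6), (4, None), (5, None), (5, 6), (6, None)]
INCIDENTS = [
    {"created_at": START + timedelta(days=c),
     "resolved_at": None if r is None else START + timedelta(days=r)}
    for c, r in SAMPLE
]
BACKLOG = sum(1 for i in INCIDENTS if i["resolved_at"] is None)  # still open at window end

def report():
    v = velocity(INCIDENTS, START, DAYS)
    v["backlog"] = BACKLOG
    v["days_to_clear"] = days_to_clear(BACKLOG, v["intake_rate"], v["resolution_rate"])
    v["days_to_clear_net"] = days_to_clear(BACKLOG, v["intake_rate"], v["resolution_rate"], net=True)
    return v
```

With 15 incidents opened and 8 closed in the window, the backlog of 7 is growing; the page's projection gives about 6.1 days, while the net variant reports that it never clears at current rates.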
### Activity Heatmaps
- Alarm Activity by Hour/Day — When are detections most active? Identifies peak threat activity windows.
- Analyst Coverage — When are analysts most active? Identifies coverage gaps in off-hours or weekends.
Comparing these heatmaps reveals whether analyst coverage aligns with threat activity patterns.
## Priority Queue
The dashboard includes a ranked investigation queue that orders all open incidents by:
- SLA urgency — Incidents closest to SLA breach appear first
- Risk score — Higher risk scores rank higher
- Recency — More recent activity ranks higher
This queue ensures analysts always pick up the most time-sensitive, highest-risk work first.
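The SLA thresholds and status indicators above, together with the Priority Queue ordering, worked as an added Python example (not the dashboard's own code): risk scores map to severity tiers using the SLA table, each incident gets an On Track / At Risk / Breached status from the 75% rule, and open incidents are ranked by SLA time remaining, then risk score, then recency. The incident field names, `NOW` and the sample incidents are constructed assumptions.

```python
from datetime import datetime, timedelta

SLA_HOURS = {"Critical": 2, "High": 4, "Medium": 24, "Low": 48}  # SLA Compliance table
AT_RISK_FRACTION = 0.75  # "At Risk" once 75% of the target time is consumed

def severity_for_score(risk_score):
    """Map a risk score to its SLA severity tier (thresholds from the SLA table)."""
    if risk_score >= 80:
        return "Critical"
    if risk_score >= 60:
        return "High"
    if risk_score >= 40:
        return "Medium"
    return "Low"

def sla_status(incident, now):
    """Return (status, hours_remaining). For a closed incident the clock stops at resolution."""
    target = timedelta(hours=SLA_HOURS[severity_for_score(incident["risk_score"])])
    elapsed = (incident.get("resolved_at") or now) - incident["created_at"]
    remaining_h = (target - elapsed).total_seconds() / 3600
    if elapsed > target:
        return "Breached", remaining_h
    if elapsed >= AT_RISK_FRACTION * target:
        return "At Risk", remaining_h
    return "On Track", remaining_h

def priority_queue(incidents, now):
    """Rank open incidents: least SLA time remaining first, then higher risk score,
    then most recent activity (the three Priority Queue rules)."""
    open_incidents = [i for i in incidents if i["status"] in ("OPEN", "IN_PROGRESS")]
    return sorted(open_incidents, key=lambda i: (
        sla_status(i, now)[1], -i["risk_score"], -i["last_activity"].timestamp()))

# Constructed sample incidents (assumed field names, not real data); ages are relative to NOW.
NOW = datetime(2024, 5, 1, 12, 0)
def _inc(id_, score, status, age, last=None, resolved=None):
    return {"id": id_, "risk_score": score, "status": status, "created_at": NOW - age,
            "last_activity": NOW - (last or age),
            "resolved_at": (NOW - resolved) if resolved else None}

SAMPLE = [
    _inc("INC-1", 85, "OPEN", timedelta(minutes=30), timedelta(minutes=5)),        # Critical, 0.5h of 2h used
    _inc("INC-2", 65, "IN_PROGRESS", timedelta(hours=3, minutes=30)),            # High, 3.5h of 4h used
    _inc("INC-3", 45, "OPEN", timedelta(hours=25)),                              # Medium, past 24h
    _inc("INC-4", 20, "CLOSED", timedelta(hours=50), resolved=timedelta(hours=1)),  # Low, closed after 49h
    _inc("INC-5", 90, "OPEN", timedelta(minutes=30), timedelta(minutes=5)),        # ties INC-1 on SLA time
]
```

Running `priority_queue(SAMPLE, NOW)` puts the breached Medium incident first, then the at-risk High one, then the two Critical ones with INC-5 ahead on risk score; the closed INC-4 is excluded from the queue but still reports Breached for compliance reporting.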
## SOC Dashboard Workflow
| Step | What Leadership Does | Key Decision |
|---|---|---|
| 1. Review Risk Posture | Check entity risk distribution and trend direction | Is the overall threat level rising or falling? |
| 2. Monitor SLA | Review SLA compliance by severity tier | Are we meeting our response commitments? |
| 3. Assess Capacity | Compare intake rate vs resolution rate | Do we need more analysts or process changes? |
| 4. Review Performance | Check individual analyst metrics | Who needs support? Who is excelling? |
| 5. Identify Gaps | Compare activity heatmaps with coverage | Are there blind spots in our coverage? |
| 6. Report | Generate executive reports for stakeholders | What's the security posture narrative? |