Secure SOC — Architecture Decisions Map

The architectural decisions a CISO and SOC architect actually litigate — unified telemetry strategy, detection engineering posture, automated response model, and identity threat detection placement.

Compass
  • Business: persona, use case, outcome
  • Capability: what the org needs to do
  • Technology: the technology choices
Guided journey · Step 1 of 4

Unified Telemetry

Design the unified telemetry plane — Sentinel as the SIEM anchor, Defender XDR as the cross-domain correlation, ingest tier discipline upfront.

~ 8 weeks


Narrative intro

The modern SOC architecture has four load-bearing decisions: telemetry plane, detection engineering, identity threat detection, automated response. This map names each and the SKUs that anchor them. The architectural answer is Microsoft-native by default (Sentinel + Defender XDR + Entra ID P2), with the question being how much non-Microsoft signal to pull into the Sentinel plane.

Key takeaways

  • Sentinel + Defender XDR is the canonical pairing — SIEM + XDR is not either/or
  • Detection engineering is a continuous discipline, not a one-off configuration
  • Identity threat detection is the highest-signal vector — P2 + PIM is foundational
  • Automate well-understood detections; keep humans on ambiguity

Programme shape

  • Estimated duration: 16–32 weeks
  • Estimated FTE: 1 FTE SOC architect + detection engineering capacity + automation engineer
  • Spend tier: significant
  • Risk level: moderate

Telemetry tier discipline drives cost; detection engineering rigour drives signal quality; automation drives MTTR. All three need to land together for the architecture to compound.
