Threat Detection & Response Capability Map

The capability stack that turns a SIEM-with-staff into a working detection-and-response function — telemetry, detection engineering, automated response, and identity threat detection as load-bearing disciplines.

Map layers (compass legend)
  • Business: persona, use case, outcome
  • Capability: what the org needs to do
  • Technology: the technology choices
Guided journey · Step 1 of 4

Unified Telemetry

Unified telemetry as the capability foundation. Without the data, there's no detection — and the ingest discipline determines cost.

Estimated duration: ~8 weeks

Narrative intro

Threat detection and response is the load-bearing security capability — the thing that determines whether the SOC produces incidents or noise. This map names the four sub-capabilities that make it real: telemetry, detection engineering, identity threat detection, automated response. The SKUs are the levers; the capability is the discipline that compounds across years.

Key takeaways

  • Telemetry is the capability foundation — ingest discipline determines both signal and cost
  • Detection engineering is a continuous discipline that compounds with MITRE coverage tracking
  • Identity threat detection is the highest-signal vector — P2 + Identity Protection feeds Sentinel
  • Automation is selective — confidence gets playbooks, ambiguity gets people

Programme shape

Estimated duration
20–36 weeks
Estimated FTE
1 FTE SOC engineering lead + detection engineer + automation engineer + part-time identity SME
Spend tier
significant
Risk level
moderate

The capability matures over years, not quarters. Detection engineering rigour and operational cadence are the multipliers that compound.
