4 Security Operations Center Frameworks You Should Know

What is a Security Operations Center Framework?

Security operations center (SOC) frameworks standardize how SOCs approach their defense strategies. It helps manage and minimize cybersecurity risks and continuously improve operations. The most advanced SOCs integrate adversarial models, like the MITRE ATT&CK framework, into analyst workflows to make investigations more effective and integrate automated tools into their processes.

Related content: Read our guide to the modern SOC

1. NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) includes threat lifecycle management standards, best practices, and guidelines. A SOC can use this framework to assess, guide, and improve key security metrics, establishing a mature enterprise security approach.

Organizations use the NIST CSF to build their cybersecurity strategy, establishing a roadmap that helps minimize cybersecurity risk. It assists organizations in describing their security posture and comparing it to the desired state. This process helps reveal and address security gaps.

NIST CSF objectives and benefits

NIST CSF helps organizations protect critical infrastructure by increasing security in various ways. It involves creating a profile to determine existing levels of cybersecurity measures and identify additional possible cybersecurity policies and standards to improve the existing state. It also helps communicate new requirements and create a new cybersecurity program as needed.

Here are the five core functions of the NIST CSF:


  • Identify—learn how to better manage cybersecurity risks to various components like assets, systems, and data.
  • Protect—implement safeguards to protect critical infrastructure services.
  • Detect—define what constitutes a cybersecurity event.
  • Respond—specify actions performed in response to a detected cybersecurity event.
  • Recover—identify services to focus on for resilience, and outline the required restore capabilities of impaired services.

2. MITRE ATT&CK Framework

The MITRE ATT&CK framework provides observable adversarial behaviors to help intelligently identify tactics occurring after an attack has started. It helps inform threat intelligence, threat detection, and analysis, red teaming and adversary emulation, as well as engineering and assessment.

The MITRE framework defines tactics as the actor’s objective and techniques as the method of achieving objectives. It uses evidence from previous attacks to learn adversarial behavior, providing a detailed understanding of how adversarial tactics manifest and the techniques used. Additionally, MITRE outlines relevant potential response steps and data sources for analysis.

Organizations can use the MITRE ATT&CK framework to strengthen their cybersecurity strategies in various ways. The threat matrix can help organizations stay informed on dangerous attacker tactics and techniques. The framework provides insights into mitigation strategies and pre-attack guidance on prepping a network.

3. Cyber Kill Chain Framework

The Cyber Kill Chain framework is a phased approach for end-to-end attack detection and prevention created by computer scientists at Lockheed Martin. The kill chain is based on the movements of a standard threat actor, providing a foundational archetype.

The kill chain consists of eight core stages, starting from reconnaissance and ending in data exfiltration. Attack vectors, like brute force or phishing, trigger activities on the cyber kill chain, and each stage is related to a specific type of activity within a particular cyber attack.

Here are the core kill chain stages:


  • Reconnaissance — during this stage, threat actors observe and attempt to assess the environment from the outside in, trying to identify tactics and targets for the attack.
  • Intrusion — using the information and decisions made during reconnaissance, threat actors start making intrusion attempts, typically by using malware or exploiting vulnerabilities.
  • Exploitation — threat actors exploit vulnerabilities and deliver malicious code to gain a better foothold into the target.
  • Privilegeescalation — threat actors use privilege escalation to get unauthorized access to more data and permissions, often by escalating to admin privileges.
  • Lateralmovement — threat actors breach into a system and then move laterally to other accounts and systems to gain leverage, like higher permissions or more data.
  • Obfuscation / anti-forensics — threat actors try to cover their tracks, typically by laying false trails, compromising data, and clearing logs to confuse or slow down forensics teams.
  • Denial of Service (DoS) — threat actors perform DoS to disrupt normal access for systems and users. Their goal is to block monitoring, tracking, or blocking attempts made on the attack.
  • Exfiltration — threat actors extract data from compromised systems during this stage. It is worth noting that the first stage can prove difficult to detect. Additionally, the kill chain does not accommodate attacks that begin within the perimeter.

It is worth noting that the first stage can prove difficult to detect. Additionally, the kill chain does not accommodate attacks that begin within the perimeter.

4. Unified Kill Chain Framework

The Unified Kill Chain framework merges the Cyber Kill Chain with the MITRE ATT&CK framework. It leverages the advantages of each framework to help overcome common gaps. It expands the attack chain to eighteen phases, breaking each phase into three core steps:


  • Initial foothold
  • Network propagation
  • Action on objectives


This unified kill chain framework provides a more accurate, time-oriented, and detailed approach to cybersecurity. It provides a baseline to strategically realign cybersecurity investments and defensive capabilities within the organization, informing intelligence, detection, prevention, and response.

SOCs can utilize the unified kill chain to establish a structured analysis and comparison of threats and attack tactics. It helps map countermeasures to discrete phases of each attack and prioritize detection according to the sequences of attack phases. During response situations, the framework helps triage and model likely attack paths.

BlueVoyant Core: MDR

End-to-end consulting, implementation and 24x7 SOC services

Get always-on cybersecurity that sufficiently covers the rapidly evolving needs of every organization.

Man Watching Computer Through Glasses

Additional Readings