SOC Maturity Benchmarking Platform

Finally know exactly
where your SOC stands.

Replace spreadsheets and expensive consultants with a continuous, data-driven SOC maturity platform. Benchmark against real industry peers. Track improvement over time. Keep your data exactly where you need it.

  • 392 Assessment questions
  • 15 Capability domains
  • 4 Industry frameworks
  • 100% Data sovereignty
Compliance Ready
  • ISO 27001 Aligned
  • SOC 2 Type II Ready
  • GDPR Compliant
  • Sovereign Hosting Available
  • UK & EU Data Residency
The Problem

SOC maturity shouldn't
live in a spreadsheet.

Every year, security teams waste weeks on manual assessments that produce a number — but no context, no benchmarks, and no roadmap forward.

No peer comparison
You know your score. You have no idea if it's good. Is 3.2 out of 5 impressive in financial services? Average in healthcare? Without peer data, a maturity score is just a number with nothing to anchor it.
Assessments don't improve things
Consultants deliver a report. Twelve months later you commission another one. Nothing tracked between them. No continuous visibility. No accountability for whether anything actually changed.
Frameworks work in silos
Your NIST team, ISO auditor, and SOC analyst all assess the same controls — separately. Evidence gathered three times. The same gaps missed between the cracks. Every. Single. Year.
NIST CSF 2.0
ISO 27001:2022
MITRE ATT&CK v14
SOC-CMM 2024
Financial Services
Healthcare
Government & Defence
Retail & E-Commerce
Energy & Utilities
UK Data Residency
EU Data Residency
The Platform

One platform. The complete picture.

Assessment Engine

10 capability domains. 392 questions. Zero spreadsheets.

A comprehensive two-part assessment — Part A covers 10 strategic capability domains scored 0–5, while Part B integrates the full SOC-CMM 2024 Advanced operational assessment. Everything your team needs to understand SOC maturity from strategy through daily operations. Complete it in sessions. Pick up where you left off. Evidence captured throughout.

  • Strategy: 3.8
  • Detection: 2.9
  • Response: 4.1
Benchmarking

Know your percentile, not just your score.

Anonymised peer comparison across sectors and sizes. Finally answer the question your board actually asks.

  • Your SOC: 2.8
  • Sector avg: 3.2
  • Top quartile: 4.2
  • Finance avg: 3.5
Confidence Scoring

Present results you can defend.

Every score comes with a confidence band — completion rate, evidence quality, assessor authority. No more hoping nobody asks how you got there.

  • 0.87 (High)
  • Completion: 40%
  • Evidence: 40%
  • Assessor: 20%
SOC-CMM 2024 Advanced

The industry standard assessment โ€” delivered as a service.

The SOC Capability Maturity Model is the most widely used operational SOC assessment in the industry. We've integrated the full 2024 Advanced edition — 273 questions across 5 operational domains — directly into the platform. No Excel files. No version conflicts. Full evidence capture and team-based progress tracking built in.

Business (44q)
People (58q)
Process (38q)
Technology (32q)
Services (101q)
Data Sovereignty

Your security data stays exactly where you need it.

SOC maturity data reveals exactly where your defences are weakest. It's among the most sensitive information your organisation holds. We've built the platform accordingly.

UK & EU data residency
Choose where your data lives — UK, EU, or your own on-premise infrastructure. No data leaves your chosen jurisdiction. Suitable for UK public sector and regulated industries.
Dedicated hosted environments
For organisations with strict data sovereignty requirements, we provide dedicated hosted environments in your chosen jurisdiction — single-tenant, isolated infrastructure, managed by us.
Benchmark pool privacy by design
Scores contribute to peer benchmarks only with explicit consent. Anonymised at the point of contribution. Your identity is cryptographically separated from your benchmark contribution.
GDPR Article 30 compliant
Records of processing activities maintained. Data subject rights implemented. Consent audit trail. DPA available. No data sold, ever. No advertising. No tracking.
ISO 27001
ISO/IEC 27001:2022 Aligned
Platform architecture and controls designed to the 2022 standard. Assessment questions map directly to Annex A controls — accelerating your own certification journey.
SOC 2
SOC 2 Type II Ready
Security, availability, and confidentiality trust service criteria addressed throughout. Audit-ready evidence capture at every level of the platform.
GDPR
Privacy by Design
Data subject rights built in from day one. Breach notification workflow included. Configurable retention policies per organisation. Right to erasure fully implemented.
UK Gov
Public Sector Suitable
UK data residency, dedicated hosted environments, and OFFICIAL classification suitability make SOC Benchmark appropriate for UK public sector, CNI operators, and defence supply chain.
Maturity Model

Five levels. One number
you can act on.

Every question scored 0–5. Domain scores aggregate with weighted importance. Overall score is confidence-weighted — so you always know exactly how much to trust it.

0–1
Initial
No formal capability. Reactive, individual-dependent. Unable to evidence controls to auditors.
1–2
Developing
Capability being built. Partially implemented. Inconsistently applied across the team and tools.
2–3
Defined
Formally documented. Consistently applied. Reviewed on a defined schedule. Evidenceable.
3–4
Managed
Measured with KPIs. Metrics tracked and reported to leadership. Demonstrably improving.
4–5
Optimised
Continuously improved. Industry-leading posture. Proactive, predictive, and peer-benchmarked.
Pricing

Simple, transparent pricing.
No surprises.

Every plan includes the full assessment engine and benchmarking. Contact us for pricing tailored to your organisation size and deployment requirements.

Starter
Talk to us
for SME pricing
  • Full Part A assessment (119 questions)
  • 10 capability domains scored
  • Maturity score + confidence band
  • Framework coverage reporting
  • PDF report generation
  • Up to 3 users
  • UK/EU data residency
  • Email support
Enterprise
Custom
contact us
  • Everything in Professional
  • Unlimited users
  • Available on request
  • In-country dedicated infrastructure
  • SSO / SAML integration
  • Custom framework mapping
  • SLA-backed support
  • Dedicated account manager
Consultant
Per client
reseller pricing available
  • Multi-client management portal
  • White-label reporting option
  • Conduct assessments on behalf of clients
  • Comparative client reporting
  • External Consultant role access
  • Partner programme
  • Co-branded collateral
Framework Coverage

One assessment.
Four frameworks. Zero duplication.

Stop assessing the same controls three times for three different auditors. Every question maps to multiple frameworks simultaneously — evidence captured once, usable everywhere.

NIST CSF 2.0
NIST Cybersecurity Framework — 2024 Edition
All six functions — Govern, Identify, Protect, Detect, Respond, Recover — scored directly from your assessment responses. Ideal for organisations aligning to US federal standards, working with US-regulated clients, or seeking a comprehensive risk management foundation.
Strategy and monitoring domains fully mapped
ISO 27001:2022
International Standard for Information Security Management
All 93 Annex A controls mapped. Evidence captured at question level is directly usable in ISO 27001 audits — dramatically reducing audit preparation time and the cost of maintaining certification year on year.
93 Annex A controls mapped
MITRE ATT&CK v14
Adversarial Tactics, Techniques & Common Knowledge
Detection and response capability mapped to specific adversary techniques and tactics. Understand exactly which threat actor TTPs you can and cannot detect. Prioritise your detection engineering backlog based on real threat intelligence.
Technique-level detection coverage
SOC-CMM 2024 Advanced
SOC Capability Maturity Model — Community Standard
The industry-recognised open standard for operational SOC assessment, fully integrated as Part B. Replace the Excel-based assessment with a proper multi-user, evidence-backed, version-controlled workflow. Fully compatible with existing SOC-CMM programmes and reporting.
273 questions across 27 sub-sections
Built for Your Whole Team

The right view for
every stakeholder.

From SOC analysts completing questions to board members reviewing results — everyone gets precisely what they need, with sensitive operational detail appropriately protected.

Executive
CISO · CEO · Director · Board
Board-ready view that shows the strategic picture without exposing operationally sensitive control detail. Everything you need for a confident board presentation.
  • Overall score and maturity band
  • Domain-level aggregate scores
  • Peer benchmark comparison
  • Trend analysis over time
  • Executive PDF report
Assessor
SOC Analyst · Security Engineer
Designed for the people who actually know the answers. Complete questions, attach evidence, save progress across sessions, and submit when ready.
  • Complete Part A & Part B questions
  • Attach evidence (URL or document)
  • Multi-session workflow
  • View completed results
Org Admin
SOC Manager · Security Director
Full platform control — team management, assessment oversight, billing. The person accountable for driving the maturity programme forward.
  • Manage team & assign roles
  • Create and oversee assessments
  • Access all results & reports
  • Manage subscription
External Consultant
MSSP · Auditor · vCISO
Bring in external expertise without compromising control. Consultants complete assessments with full evidence capture, transparent confidence scoring, and scoped access.
  • Complete assigned assessments
  • Attach and reference evidence
  • Scoped access only
  • Confidence factor applied transparently
Security & Privacy

We take security
as seriously as you do.

You're assessing your security posture. The platform you trust with that data had better be built right. Here's how.

Encryption Everywhere
TLS on all connections. Data encrypted at rest. Assessment responses, evidence, and scores are never accessible in plaintext inside or outside the platform.
Role-Based Access Control
Eight precisely scoped roles enforced at the API layer on every request. An executive cannot access individual question responses, regardless of how they try to reach them.
Immutable Audit Trail
Every login, assessment change, role assignment, and evidence upload is logged with timestamp, user identity, and IP address. Full history available to authorised administrators.
Enterprise SSO
OAuth2, OIDC, and SAML support. Integrates with Microsoft Entra ID, Okta, Ping, and Google Workspace. Multi-factor authentication enforced at the identity layer.
Complete Tenant Isolation
Your data is filtered at the database layer on every API call. No shared data stores between customers. No possibility of cross-organisation data exposure from application layer issues.
GDPR & Privacy by Design
Consent audit log on every benchmark change. Right to withdraw. Data erasure built in. Configurable retention policies. DPA available on request. No data sold. No advertising.
What's Coming

Built to grow
with your security programme.

Phase 1 is live and taking customers. Each subsequent phase adds capability while the core platform continues to improve based on customer feedback.

1
Available Now
Foundation
Phase 1 · Live
  • Full assessment engine (Part A + Part B)
  • Maturity scoring with confidence bands
  • Peer benchmarking with privacy rules
  • NIST CSF & ISO 27001 framework mapping
  • 8-role access control with SSO
  • PDF report generation
  • Evidence capture and management
  • UK & EU hosted data residency
2
In Development
Intelligence
Phase 2 · Q3 2026
  • MITRE ATT&CK coverage heatmaps
  • Executive board-ready PDF report
  • Automated gap analysis with recommendations
  • Improvement roadmap generator
  • Scheduled executive report emails
  • Trend analysis across assessments
  • SAML & enterprise SSO integration
  • White-label consultant edition
3
On the Roadmap
Continuous
Phase 3 · 2027
  • SIEM integrations (Splunk, Sentinel, QRadar)
  • Automated detection rule coverage analysis
  • Continuous maturity monitoring
  • Threat-informed defence scoring
  • Open API for partner integrations
  • AI-assisted gap recommendations
  • Mobile companion app
  • Sector-specific assessment modules

Ready to know where
your SOC stands?

Talk to us about your requirements. We'll show you the platform, discuss deployment options, and get you started. First assessment on us.

info@soc-benchmark.org