SA0.10 The Automation Maturity Model

5 hours · Module 0 · Free
SECURITY AUTOMATION MATURITY MODEL — 5 LEVELS

Level 1 (Ad Hoc): all manual triage; no enrichment automation; default Defender AIR; maybe 1-2 dead playbooks. NE is here now.
Level 2 (Basic Enrichment): 3-5 enrichment playbooks; basic notification (email); FP auto-close for 2-3 types; some monitoring. Month 1 target.
Level 3 (Playbook Response): full enrichment pipeline; evidence auto-collection; notification pipeline; first containment playbook. Month 3 target.
Level 4 (Orchestrated): cross-env containment; confidence-based tiering; full governance + testing; metrics-driven tuning. Month 6 target.
Level 5 (Adaptive): self-tuning thresholds; automated FP learning; dynamic playbook routing; continuous improvement. 12+ months.

MATURITY ASSESSMENT — 8 DIMENSIONS
1. Enrichment coverage (0-5 enrichment sources automated)
2. Evidence collection (manual, partial, full auto-collection)
3. Notification maturity (email, Teams cards, approval gates)
4. Containment automation (manual, approval gate, auto)
5. Governance (version control, testing, monitoring, docs)
6. MSSP coordination (none, manual, automated)
7. Metrics (none, basic counts, MTTA/MTTR tracking)
8. Continuous improvement (none, quarterly, monthly)
Score each dimension 1-5. Total /40. Level = total ÷ 8 (rounded).

Figure SA0.10 — The Security Automation Maturity Model. Five levels across 8 dimensions. Most SOCs start at Level 1. This course builds to Level 3-4.

Operational Objective
Without a maturity model, automation efforts lack direction. Teams build playbooks reactively — automating whatever the latest pain point is without a structured progression toward a target state. The maturity model provides the roadmap: where you are now, where you need to be, and the specific steps to get there. This sub defines the five maturity levels, the eight assessment dimensions, and the scoring methodology that produces your automation roadmap.
Deliverable: The Automation Maturity Model Assessment — a scored evaluation of your current SOC against the five maturity levels, producing the prioritised roadmap for the 90-day automation program in SA12.
⏱ Estimated completion: 25 minutes

The five maturity levels

Level 1 — Ad Hoc. No intentional security automation. Default Defender AIR may be running unmonitored. A few Sentinel automation rules for severity changes. Possibly one or two dead playbooks. All enrichment, triage, and containment is manual. This is where most SOCs start and where NE is today. The defining characteristic: the SOC operates identically whether automation exists or not.

Level 2 — Basic Enrichment. Three to five enrichment playbooks running in production and monitored. The most common alert types are automatically enriched with context. Basic notification (email alerts for High/Critical). Two or three FP auto-close rules for the noisiest false positive patterns. Analysts notice the difference — enriched incidents are faster to triage. The defining characteristic: automation saves measurable analyst time, but does not take any response actions.

Level 3 — Playbook Response. Full enrichment pipeline covering all incident types. Evidence auto-collection at alert time. Notification pipeline with severity routing, Teams adaptive cards, and ticket creation. The first containment playbooks are deployed — typically AiTM session revocation and ransomware endpoint isolation, both with confidence thresholds and safeguards. The defining characteristic: automation both enriches and acts, with human judgment preserved for medium-confidence detections.

Level 4 — Orchestrated. Cross-environment containment coordinated across identity, endpoint, and network. Confidence-based automation tiering is calibrated using measured FP rates. Full governance: version control, staging workspace, monitoring, runbooks, and monthly reviews. Metrics dashboard tracks MTTA, MTTR, automation action count, FP rate, and analyst time saved. MSSP coordination is automated. The defining characteristic: automation operates as a coordinated system, not a collection of independent playbooks.

Level 5 — Adaptive. The automation improves itself. Confidence thresholds adjust based on rolling FP rates. New FP patterns are automatically detected and added to suppression watchlists. Dynamic playbook routing adapts containment actions based on real-time blast radius assessment. Continuous improvement is data-driven, not intuition-driven. The defining characteristic: the system learns from its operational data and requires less manual tuning over time. Level 5 is aspirational for most organisations — Level 4 is the realistic target that this course builds to.

Assessing your current level

Score your SOC across eight dimensions. Each dimension is scored 1-5 matching the maturity levels:

Dimension 1: Enrichment coverage. 1 = no enrichment automation. 2 = 1-2 enrichment playbooks. 3 = full enrichment pipeline (5+ sources). 4 = enrichment with watchlist-driven dynamic logic. 5 = enrichment with automated quality feedback.

Dimension 2: Evidence collection. 1 = all manual. 2 = partial (one incident type). 3 = full auto-collection for top 3 incident types. 4 = auto-collection with chain-of-custody metadata. 5 = adaptive collection that adjusts scope based on alert severity.

Dimension 3: Notification maturity. 1 = manual email. 2 = basic automated email. 3 = Teams cards + tickets + severity routing. 4 = approval gates + MSSP coordination + escalation timeouts. 5 = context-aware notification that adapts content per audience automatically.

Dimension 4: Containment automation. 1 = all manual. 2 = FP auto-close only. 3 = one containment playbook with safeguards. 4 = cross-environment containment with confidence thresholds. 5 = adaptive containment with self-tuning thresholds.

Dimension 5: Governance. 1 = no governance. 2 = some monitoring. 3 = version control + monitoring + runbooks. 4 = full governance with staging workspace and testing. 5 = automated governance (CI/CD for playbooks, automated testing).

Dimension 6: MSSP coordination. 1 = no coordination. 2 = manual email coordination. 3 = automated incident sharing. 4 = automated ownership assignment and deconfliction. 5 = unified automated response across MSSP and internal SOC.

Dimension 7: Metrics. 1 = no metrics. 2 = basic counts (playbook executions). 3 = MTTA/MTTR tracking. 4 = full dashboard with FP rate, rollback frequency, time saved. 5 = predictive analytics on automation performance.

Dimension 8: Continuous improvement. 1 = none. 2 = reactive (fix when broken). 3 = quarterly review. 4 = monthly review with tuning cycle. 5 = continuous data-driven improvement.

Scoring: Add all eight dimension scores. Divide by 8. Round to the nearest level. NE’s current score: 1+1+1+1+1+1+1+1 = 8/8 = Level 1.

The 90-day target raises NE to: 3+3+3+2+2+2+2+2 = 19; 19 ÷ 8 = 2.4, which rounds to Level 2 (a solid Level 2, approaching Level 3). The six-month target (27 ÷ 8 = 3.4) rounds to Level 3, with enrichment, collection, and notification reaching Level 4.

⚠ Compliance Myth: "We need to reach Level 5 maturity before our automation program is acceptable for audit"

The myth: Auditors expect maximum maturity. Anything below Level 5 is a finding.

The reality: Auditors expect appropriate maturity for your organisation’s size, risk profile, and resources. An 810-person manufacturing company at Level 3 with documented governance, monitored playbooks, and measured confidence thresholds is in a strong position. Level 5 adaptive automation is aspirational even for Fortune 500 security teams with 50+ analysts. The audit looks for: documented processes (do you have a framework?), evidence of operation (do your playbooks run?), evidence of monitoring (do you know when they fail?), and evidence of improvement (are you getting better?). Level 3 with good governance is better than Level 4 with no governance.

Automation Maturity Assessment — Northgate Engineering

Dimension        Current (Level)   90-Day Target               6-Month Target
1. Enrichment    1 (none)          3 (full pipeline)           4 (watchlist-driven)
2. Collection    1 (manual)        3 (top 3 types)             4 (chain of custody)
3. Notification  1 (manual)        3 (Teams + tickets)         4 (approval gates)
4. Containment   1 (manual)        2 (FP close + 1 playbook)   3 (cross-environment)
5. Governance    1 (none)          2 (monitoring)              3 (full framework)
6. MSSP          1 (none)          2 (auto-share)              3 (ownership routing)
7. Metrics       1 (none)          2 (basic counts)            3 (MTTA/MTTR)
8. Improvement   1 (none)          2 (reactive)                3 (monthly review)
Total            8 (Level 1)       19 (Level 2.4)              27 (Level 3.4)

Decision point: Your maturity assessment reveals you are Level 1 across all dimensions. Your CISO asks: “What is the fastest path to visible improvement?” The answer is Dimension 1 (enrichment) — deploy three enrichment playbooks in Month 1. Enrichment has zero blast radius, requires minimal governance (Tier 1), and produces immediately visible results. When analysts open incidents and find enrichment data already attached, the value is obvious. Enrichment is the gateway that builds organisational support for the higher-tier automation that follows. Do not start with containment (the flashiest outcome). Start with enrichment (the safest, fastest, most visible outcome).

Try it: Score your SOC's automation maturity

Score each of the 8 dimensions from 1-5 for your current SOC. Be honest — this assessment is for your internal planning, not for a report.

  1. Calculate your total score and divide by 8 to find your overall level.
  2. Identify the two dimensions with the lowest scores — these are your highest-priority improvement areas.
  3. Set a 90-day target for each dimension. Be realistic — jumping from Level 1 to Level 4 in 90 days is not achievable. Level 1 to Level 2-3 is.
  4. Map the improvements to the course modules: enrichment (SA2), collection (SA3), notification (SA4), containment (SA5-SA7), governance (SA11), MSSP (SA4/SA7), metrics (SA12), improvement (SA12).
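The scoring rule from "Assessing your current level" and the four "Try it" steps above, implemented as an added example (this is not course code or a course deliverable). It uses the Northgate Engineering scores quoted on this page as constructed sample input and the module mapping from step 4; the two-level cap on a 90-day jump is an assumption drawn from the step 3 guidance that Level 1 to Level 4 is not achievable in 90 days while Level 1 to Level 2-3 is.

```python
"""Automation maturity assessment calculator.

Added example, not course code. Implements the page's scoring rule (eight
dimensions scored 1-5, total /40, level = total / 8 rounded to the nearest
whole level) plus the 'Try it' steps: weakest dimensions, 90-day target
sanity check, and mapping each dimension to the course module that covers it.
"""

DIMENSIONS = (
    "Enrichment", "Collection", "Notification", "Containment",
    "Governance", "MSSP", "Metrics", "Improvement",
)

# Module mapping as given in step 4 of the 'Try it' list.
MODULE_FOR = {
    "Enrichment": "SA2", "Collection": "SA3", "Notification": "SA4",
    "Containment": "SA5-SA7", "Governance": "SA11", "MSSP": "SA4/SA7",
    "Metrics": "SA12", "Improvement": "SA12",
}

MIN_SCORE, MAX_SCORE = 1, 5
# Assumption: the text calls Level 1 -> 4 in 90 days unachievable and
# Level 1 -> 2-3 achievable, so treat a jump of more than two levels as unrealistic.
MAX_90_DAY_JUMP = 2


def validate(scores):
    """Raise ValueError unless scores maps every dimension to an int in 1-5."""
    if set(scores) != set(DIMENSIONS):
        raise ValueError("scores must cover exactly the eight dimensions")
    for name, value in scores.items():
        if isinstance(value, bool) or not isinstance(value, int) \
                or not MIN_SCORE <= value <= MAX_SCORE:
            raise ValueError(f"{name}: score {value!r} is not an integer 1-5")


def total_score(scores):
    """Sum of the eight dimension scores (out of 40)."""
    validate(scores)
    return sum(scores.values())


def average_level(scores):
    """Unrounded level, e.g. 19 / 8 = 2.375, which the page prints as 2.4."""
    return total_score(scores) / len(DIMENSIONS)


def overall_level(scores):
    """Level rounded to the nearest whole number. Python's round() rounds
    halves to even (2.5 -> 2), so round half up explicitly."""
    return int(average_level(scores) + 0.5)


def weakest_dimensions(scores, n=2):
    """The n lowest-scoring dimensions (ties keep page order): the
    highest-priority improvement areas from step 2 of 'Try it'."""
    validate(scores)
    page_order = {name: i for i, name in enumerate(DIMENSIONS)}
    return sorted(scores, key=lambda d: (scores[d], page_order[d]))[:n]


def check_90_day_target(current, target):
    """Return a list of problems with a 90-day target: regressions and
    jumps of more than MAX_90_DAY_JUMP levels. An empty list means realistic."""
    validate(current)
    validate(target)
    problems = []
    for d in DIMENSIONS:
        jump = target[d] - current[d]
        if jump < 0:
            problems.append(f"{d}: target {target[d]} is below current {current[d]}")
        elif jump > MAX_90_DAY_JUMP:
            problems.append(f"{d}: +{jump} levels in 90 days is not achievable")
    return problems


def roadmap(current, target):
    """(dimension, current, target, gap, module) rows, largest gap first,
    ties in page order: step 4 of 'Try it'."""
    validate(current)
    validate(target)
    rows = [(d, current[d], target[d], target[d] - current[d], MODULE_FOR[d])
            for d in DIMENSIONS]
    return sorted(rows, key=lambda row: -row[3])


# Constructed sample input: Northgate Engineering scores as quoted on the page.
NE_CURRENT = dict.fromkeys(DIMENSIONS, 1)
NE_90_DAY = dict(zip(DIMENSIONS, (3, 3, 3, 2, 2, 2, 2, 2)))
NE_6_MONTH = dict(zip(DIMENSIONS, (4, 4, 4, 3, 3, 3, 3, 3)))

if __name__ == "__main__":
    for label, scores in (("current", NE_CURRENT), ("90-day", NE_90_DAY),
                          ("6-month", NE_6_MONTH)):
        print(f"{label:8} {total_score(scores):2}/40  "
              f"{average_level(scores):.1f} -> Level {overall_level(scores)}")
    print("priority dimensions:", weakest_dimensions(NE_CURRENT))
    print("90-day check:", check_90_day_target(NE_CURRENT, NE_90_DAY) or "realistic")
    for d, cur, tgt, gap, module in roadmap(NE_CURRENT, NE_90_DAY):
        print(f"  {d:13} {cur} -> {tgt} (+{gap})  {module}")
```

Run it as a script to reproduce the NE figures (8/40 = Level 1, 19/40 = 2.4 rounding to Level 2, 27/40 = 3.4 rounding to Level 3); replace the NE dictionaries with your own scores to get your priority dimensions and module roadmap. Note that running the 6-month scores through check_90_day_target flags the three +3 jumps, which is the step 3 point: those dimensions need two planning horizons, not one.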

Your maturity scores before and after this course are the evidence of the course’s value — and the evidence your CISO needs to see.

Knowledge check: A SOC has 4 enrichment playbooks running reliably, automated Teams notifications for High severity, one containment playbook for AiTM (session revocation with VIP check), monitoring on all playbooks, but no version control, no staging workspace, and no documented runbooks. What maturity level is this SOC?

  a) Level 4, because they have containment automation with safeguards.
     Incorrect. They have elements of Level 3-4 in enrichment and containment, but their governance is Level 2 (monitoring only, no version control, no testing, no runbooks). The overall level is pulled down by the weakest dimensions.
  b) Level 2-3 overall.
     Correct. Strong in enrichment (Level 3) and notification (Level 3), developing in containment (Level 3), but governance (Level 2) drags the overall score down. The SOC has good automation but is at risk of the governance failure mode: when the containment playbook breaks, nobody can fix it without the builder. The priority is governance improvement before building more automation.
  c) Level 1, because no governance means the automation is not sustainable.
     Incorrect. Level 1 means no automation at all. This SOC clearly has automation: enrichment, notification, and containment are operational. The governance gap is a risk, not a negation of the automation that exists.
  d) Level 3, because governance is a nice-to-have, not a maturity requirement.
     Incorrect. Governance is not optional. It is the dimension that determines whether the automation is sustainable. A SOC at Level 3 in everything except governance will regress to Level 1 when the builder leaves, the API changes, or the managed identity expires. Governance preserves the investment in every other dimension.

Where this goes deeper. SA12 builds the full automation program including the 90-day roadmap, the automation candidate scorecard, the metrics dashboard, and the monthly review template. The maturity assessment from this sub is the starting point for the roadmap — it tells you where to invest first and what Level 3-4 looks like for your specific SOC.
