SOC-CMM Security Operations Maturity Model

Source: soc-cmm.com

SOC-CMM is a free, open self-assessment model for measuring the maturity and capability of a Security Operations Center. Rob van Os built it from a 2016 MSc thesis and released the first version in 2017. The deliverable is a spreadsheet tool: an organization scores itself against a fixed question set and reads back per-domain maturity and capability levels. It is the incumbent SOC maturity standard, and the model the wiki’s Agentic SOC Capability Maturity Model is written to extend rather than replace.

Structure

SOC-CMM decomposes a SOC into five domains, themselves subdivided into roughly 26 aspects and more than a thousand scored elements.

DomainCovers
BusinessSOC mandate, drivers, charter, governance, customer scope
PeopleStaffing, roles, training, certification, retention
ProcessOperational, analytical, and management procedures
TechnologySIEM, analytics, telemetry collection, and supporting tooling
ServicesThe detection, response, and adjacent services the SOC delivers

The first three rows expand the classic people–process–technology triad; Business and Services were added to capture the SOC’s mandate and its output.

Maturity and capability scales

SOC-CMM scores two distinct axes, a separation the wiki’s autonomy-versus-maturity distinction borrows.

  • Maturity (all five domains), a 0–5 scale derived from CMMI and ISO/IEC 15504: 0 non-existent, 1 initial, 2 limited, 3 defined, 4 managed, 5 optimizing. Maturity asks how well a thing is organized and repeatable.
  • Capability (Technology and Services only), a 0–3 scale. Capability asks what the SOC can actually deliver, independent of how maturely it is run.

Plotting both axes per domain is the assessment’s main output, distinguishing a SOC that runs immature processes around strong tooling from one with disciplined processes and thin capability.

Adoption

SOC-CMM is a free SOC maturity self-assessment with a third-party ecosystem around it. The tool is downloaded from soc-cmm.com under a permissive license, and a partner program certifies assessors. Commercial platforms wrap the assessment, for example SOCSCOPE, and a CERT-specific variant (SOC-CMM for CERTs) extends the structure to incident-response teams. The academic prior art the Agentic SOC CMM builds on treats it as the incumbent baseline. The latest documented tool release is version 2.3 (June 2023); the author continues to publish an annual SOC maturity report.

Reach is asserted, not measured

No independent adoption metric was located for SOC-CMM: no download counts, SOC-survey share, or published-assessment count. The “de facto standard” framing traces to soc-cmm.com’s own description, so the reach claim here is an inference from the surrounding ecosystem (partner program, third-party tooling, academic baseline use), not a measured figure. The official downloads page was unreachable at fetch time (HTTP 403), so a release newer than v2.3 could not be ruled out.

The AI gap

As of its 2025 self-assessment report, SOC-CMM does not yet model AI, autonomy, or agentic automation. That absence is the opening the wiki’s Agentic SOC CMM occupies: it adds a per-function autonomy ladder and AI-specific maturity domains while crosswalking back to SOC-CMM’s maturity scale. The MDPI AI-Augmented SOC survey supplies the worked correspondence between the two, mapping its five autonomy levels onto SOC-CMM maturity 1–5.

Relations

Sources