A security operations center is designed to respond to alerts and respond to known situations. The average dwell time for a network intrusion, from entry to discovery, was 229 days. A SOC responding to alerts will provide little benefit in responding to such an attack and can only serve to minimize and quantify the exposure. The best approach is a team of folks with strong investigative skills, who spend their days finding issues before the first alert sounds. Having a team with investigative skills and mindset is critical to achieving an effective organization.
Source: https://www.csoonline.com/article/3290397/cybersecurity-operations-dont-wait-for-the-alert.html

