
The 1-10-60 Rule: Why Speed Is the New Benchmark for Cyber Defence

In the modern threat landscape, the 1-10-60 benchmark has become the gold standard: 1 minute to detect, 10 minutes to investigate, and 60 minutes to remediate. Here's how Microsoft Sentinel makes it achievable.

AstraClarity Team 5 March 2026 5 min read

Speed is now the defining variable in cybersecurity. A threat actor who has gone undetected for hours has had time to move laterally, escalate privileges, exfiltrate data, and cover their tracks. Detection alone isn’t enough; what matters is how fast you can act on what you detect.

The 1-10-60 benchmark sets the bar:

  • 1 minute to detect a threat
  • 10 minutes to investigate and understand scope
  • 60 minutes to contain and remediate

Most organisations are operating at 10x or 100x those timelines. The gap isn’t about effort — it’s about tooling, automation, and process.

Why the Gap Exists

Traditional SOC workflows are manual-heavy. An alert fires, an analyst reviews it, escalates if needed, pulls in logs from separate systems, and eventually produces a recommendation. That chain can take days.

Meanwhile, the average dwell time for an attacker in a compromised network is still measured in weeks. Detection has improved dramatically, but response hasn’t kept pace.

Where Microsoft Sentinel Changes the Equation

Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform built specifically to close this gap.

On detection: Sentinel ingests signals from across the Microsoft ecosystem — Azure, Microsoft 365, Defender, Entra ID — and correlates them with AI-powered analytics. Threats that would have been buried in separate log systems surface as unified incidents with context already assembled.

On investigation: The investigation graph in Sentinel lets analysts trace an attack path visually — from the initial entry point to affected resources — in minutes rather than hours. Machine learning baselines flag anomalous behaviour before signatures even exist for a new threat pattern.

On remediation: Automation playbooks (built on Logic Apps) execute response actions automatically. Block a user, isolate a device, revoke tokens, notify the team — all triggered the moment an incident is confirmed, without waiting for a human to work through a checklist.

What This Looks Like in Practice

For a financial institution, the 1-10-60 target becomes realistic when:

  1. All identity, endpoint, email, and cloud logs feed into a single Sentinel workspace
  2. Detection rules are tuned to the organisation’s specific risk profile
  3. Automation playbooks handle the high-frequency, low-ambiguity responses
  4. The security team focuses human attention on the genuinely complex cases

The goal isn’t to remove humans from the loop — it’s to make sure humans are only in the loop where their judgement adds value.
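Tracking the benchmark needs the three phase durations measured per incident and rolled up over time. The following is an added illustration, not code from the original post and not a Sentinel API: the incident field names, the phase boundaries (first attacker activity, incident creation, scope understood, containment finished) and the sample timestamps are assumptions, and the open incident shows how an unfinished phase is kept out of the statistics rather than counted as a miss.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Targets from the 1-10-60 rule, in minutes per phase.
BENCHMARK = {"detect": 1, "investigate": 10, "remediate": 60}

@dataclass
class Incident:
    """One incident's milestones. Field names are assumed, not a Sentinel schema."""
    name: str
    first_activity: datetime          # earliest attacker activity visible in the logs
    detected: datetime                # incident created by an analytics rule
    triaged: Optional[datetime]       # scope understood, owner assigned
    remediated: Optional[datetime]    # containment finished; None while still open

def phase_minutes(incident):
    """Minutes spent in each phase; None where that phase has not finished yet."""
    def mins(start, end):
        return None if start is None or end is None else (end - start).total_seconds() / 60
    return {
        "detect": mins(incident.first_activity, incident.detected),
        "investigate": mins(incident.detected, incident.triaged),
        "remediate": mins(incident.triaged, incident.remediated),
    }

def phase_results(incident):
    """Per phase: True/False (target met or missed) or None (phase still open)."""
    return {p: None if m is None else m <= BENCHMARK[p] for p, m in phase_minutes(incident).items()}

def benchmark_report(incidents):
    """Share of closed incidents meeting all three targets, plus per-phase hit rates."""
    closed = [i for i in incidents if i.remediated is not None]
    met_all = sum(all(phase_results(i).values()) for i in closed)
    per_phase = {}
    for p in BENCHMARK:
        done = [phase_results(i)[p] for i in incidents if phase_results(i)[p] is not None]
        per_phase[p] = sum(done) / len(done) if done else None
    return {"closed": len(closed), "open": len(incidents) - len(closed),
            "met_1_10_60": met_all / len(closed) if closed else None, "per_phase": per_phase}

T0 = datetime(2026, 3, 5, 9, 0, 0)
# Constructed sample incidents for illustration only, not real data.
SAMPLE = [
    Incident("inc-01", T0, T0 + timedelta(seconds=45), T0 + timedelta(minutes=8), T0 + timedelta(minutes=40)),
    Incident("inc-02", T0, T0 + timedelta(minutes=3), T0 + timedelta(minutes=9), T0 + timedelta(minutes=55)),
    Incident("inc-03", T0, T0 + timedelta(seconds=30), T0 + timedelta(minutes=25), None),
]

if __name__ == "__main__":
    print(benchmark_report(SAMPLE))
```

Feeding the same function with export data from whichever incident store you run turns the rule into a weekly number the team can be measured against, with the detect phase usually the one that exposes tuning gaps first.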

Getting There

Meeting the 1-10-60 benchmark requires investment in the platform, but more importantly, it requires the right architecture from the start. A Sentinel deployment that isn’t properly scoped, without tuned rules and working playbooks, won’t deliver the results the platform is capable of.

If your organisation is evaluating SIEM modernisation or wants to understand what closing the detection-to-remediation gap looks like in your environment — start with a conversation.