Headcount = ƒ(alerts, time to resolve)

Investigating 20 events/day with an average time to resolve of 2 hours is 20 × 2 = 40 hours of work per day; at 8 working hours per person, that requires 40/8 = 5 headcount.

To reduce the headcount needed to work security events effectively:

  • Decrease security events with better protection
  • Increase quality of events and detect real issues
  • Reduce the amount of time to investigate events