CyberTrap Blog

DORA Detection Capability Checklist for SOCs

Written by Adi Reschenhofer | July 15, 2026 3:30:44 AM Z

A regulator, auditor, or board does not need to know how many alerts your SIEM produced last quarter. They need to know whether your security operation can recognize a material intrusion, establish what happened, and show the evidence behind its decisions. That is the operational test behind a DORA detection capability checklist.

For financial entities subject to the EU Digital Operational Resilience Act, detection is not a dashboard feature. It is part of an ICT risk management capability that must stand up during an incident, after an incident, and under scrutiny. The hard part is that many established SOCs already collect the required data. What they lack is proof that raw telemetry becomes reliable, actionable knowledge quickly enough to matter.

A SIEM can retain billions of events and still leave analysts unable to answer a basic question: is this a real attacker, a broken process, or background noise? The checklist below is designed to expose that gap before an incident does.

The DORA detection capability checklist

1. Can you prove what is visible, not just what is connected?

A list of integrated log sources is not proof of detection coverage. Start with the business services and assets whose disruption would create operational or regulatory impact: payment systems, identity infrastructure, cloud control planes, customer data platforms, trading applications, and critical third-party connections.

For each one, identify the telemetry that can reveal meaningful misuse. Then test whether the data arrives consistently, is searchable, retains the necessary fields, and can be correlated with related activity. A source that sends authentication events without host identity, user context, or timestamps synchronized to the rest of the environment may satisfy an integration inventory while contributing little to an investigation.

The evidence should be measurable: data-source health, ingestion delay, field completeness, retention periods, and known blind spots. This is less glamorous than writing another rule, but it establishes whether a detection result can be trusted.

2. Can detections follow attacker behavior across time and systems?

A single alert often describes one event. An intrusion is usually a sequence: an identity change, a system access, a privilege request, an unusual connection, and an action against a business service. Those events may span endpoint, identity, network, cloud, and application records over minutes or days.

Your SOC should be able to demonstrate how it joins that sequence. Ask whether correlation relies only on static rule logic, or whether it can relate activity by time, entity, session, and changing context. AI can help here when it performs a defined task: correlating temporally related events into an ordered activity chain. It does not replace investigation judgment. It reduces the analyst's need to manually reconstruct a timeline from separate consoles.

Test this with a controlled scenario. Generate an approved sequence across at least two data domains and measure whether the SOC receives isolated alerts or a coherent account of the activity. The distinction matters. Alert volume is not detection capability.

3. Can you distinguish suspicion from evidence of intent?

This is where many detection programs become expensive. A behavioral anomaly can be useful, but it is still a hypothesis. Unusual access at 2 AM may reflect an attacker, an administrator responding to an outage, or an automated job with a changed schedule. Escalating every hypothesis creates a queue that analysts cannot defend or clear.

Validation should be a separate control objective. Deception-based validation is particularly useful because a deception interaction can be designed so that no legitimate user or process should trigger it. When that interaction occurs, the result is deterministic evidence rather than a statistical guess. Claims of zero false positives only hold in this narrow, architectural sense: the deception object and its access path must be engineered to have no authorized use.

This approach has trade-offs. Deception requires governance, careful placement, monitoring, and review when environments change. Poorly placed assets can create confusion. Properly designed validation, however, gives the SOC a way to separate a high-confidence intrusion signal from the much larger population of ambiguous alerts.

4. Does the analyst receive a formed case instead of a pile of alerts?

Consider the analyst on the overnight shift. At 2:07 AM, an endpoint alert, a privileged identity alert, and a network anomaly arrive within eight minutes. If the analyst must search three tools, identify the common host, confirm the user session, assess the business service, and write a timeline before deciding whether to escalate, the organization has detection data but not operational certainty.

A formed case should put the relevant facts in one place: the affected entities, ordered event timeline, evidence supporting the connection, confidence rationale, severity context, and the records needed for investigation and escalation. The analyst should be able to see why these events belong together, not merely that a correlation engine assigned them a score.

Measure the time from first relevant signal to a reviewable case. Also measure how often analysts reopen closed alerts because essential context was missing. These are more meaningful than counting rules or tracking the total number of daily alerts.

5. Can you show the decision trail after the incident?

DORA-driven resilience conversations quickly move beyond whether a tool detected something. Stakeholders need to understand what was known, when it was known, who made the triage decision, what evidence informed it, and how the event affected a critical service.

Your case record should preserve source events, timestamps, enrichment, analyst actions, escalation decisions, and changes in confidence. It should also identify data gaps discovered during the investigation. This is not only useful for post-incident reporting. It improves detection engineering because it turns vague feedback - "we missed it" - into a specific question about coverage, correlation, validation, or workflow.

The record must be available in the deployment model your organization requires. For regulated institutions, data sovereignty and access control are design constraints, not later procurement details. On-premises, private-cloud, and customer-designated deployments may each be appropriate depending on the institution's architecture and jurisdiction.

6. Have you tested detection during disruption, not only in normal operations?

Detection capability degrades when organizations need it most. Log pipelines lag, analysts are diverted to recovery work, identities are changed under emergency procedures, and third parties are involved. A quarterly rule review does not reveal how those conditions affect triage.

Run exercises that include degraded telemetry, delayed enrichment, unavailable integrations, and cross-team handoffs. Define which signals remain sufficient for escalation and which gaps require compensating action. The goal is not to simulate every possible incident. It is to prove that the SOC has a repeatable method for making defensible decisions when perfect information is unavailable.

This is also where ownership becomes clear. Detection engineers may own logic, the SOC may own triage, infrastructure teams may own telemetry health, and risk teams may own reporting requirements. Unless the handoffs are explicit, evidence disappears between teams precisely when the organization needs it.

What the checklist will not solve

No checklist makes an organization compliant, and detection alone does not deliver operational resilience. Response authority, recovery planning, third-party risk management, crisis communications, and testing discipline still determine the broader outcome.

It also cannot compensate for missing data. A platform layered over an existing SIEM can improve correlation, validation, and case formation without new agents or log pipelines, but it cannot observe systems that generate no usable telemetry. CyberTrap Engage addresses the structural gap between uncertain alerts and confirmed cases by correlating activity over time, validating suspicious behavior through deception, and forming analyst-ready cases. The institution still needs to decide what evidence it requires and where its blind spots remain.

The value of this assessment is not a longer controls register. It is a clearer answer to a question every SOC director should be able to defend: when the signal matters, can we prove what happened before the impact spreads?

Detection is not proven by the alerts you collect. It is proven by the decisions you can defend.