Tue, Sep 26, 2023

The State of Cyber Defense 2023: Detection and Response Maturity Model

The Detection and Response Maturity Model analyzed 1,000+ cybersecurity programs for organizations worldwide to identify their maturity.
Download the Report

The Kroll Detection and Response Maturity Model highlights the gap between organizations’ perceptions of their detection maturity status and their actual cybersecurity practices.

Kroll’s Detection and Response Maturity Model (“Model”) provides a structured framework for understanding how key detection and response components contribute to an organization’s overall maturity, considering capabilities, resources, insurance and overall preparedness. The Model highlighted a significant ROI for mature organizations, as well as considerable discrepancies between perceived and actual maturity.

View the Interactive Detection and Response Maturity Curve

Use the interactive model below to explore how revenue, region and key industries fall within the maturity curve: 


Developing the Detection and Response Maturity Curve

A hallmark of a mature cybersecurity program is the ability to rapidly and accurately detect a threat and confidently respond to it in a manner that minimizes its potential impact. However, believing you are cyber mature and actually being cyber mature is very different.

To find the right answer, we leveraged data uncovered in our The State of Cyber Defense 2023: The False-Positive of Trust, which included answers from 1,000 global security decision-makers. Layering those responses with Kroll’s frontline threat intelligence, we examined the perceptions and realities of threat detection and response in today’s landscape to develop the Model. This Model will help security leaders benchmark their programs, prioritize investments and increase resilience.

Our framework established three categories: Novice, Explorer and Trailblazer. Novices have low cyber maturity, Explorers showed average maturity and Trailblazers demonstrated the highest maturity.


They are likely to be using simpler collection and monitoring tools to detect cyberattacks and may not have any actions for responding to high-severity threats or use threat monitoring and investigation as their only defenses. They only have a few elements in their cybersecurity program.

They may have access to limited threat intelligence and can create some custom use cases/rules to alert them of known cyberattacks and use multiple tools to detect high-severity threats. They have multiple elements in their cybersecurity program. 

They are likely leveraging various sources of threat intelligence to continuously improve detection rules, proactively hunt for unknown behavior to detect cyberattacks, or some may be able detect threats in real-time. They have many actions to respond to high-severity threats, including remediation and digital forensics. They are likely to have a large toolkit in their cybersecurity program.

The Gap Between Perception and Reality Reveals Intrinsic Challenges

2023 State of Cyber Defense: Detection and Response Maturity Model

Figure 2

As demonstrated in figure 2, there is a considerable difference between businesses that think they are cyber mature compared to those that are actually cyber mature.

Organizations in the Trailblazer group are less likely to report that they are “very mature” (13%) compared to Explorer or Novice organizations. Furthermore, 43% of those placed in the Novice group feel that their detection and response measures are very mature with no improvement required. Such stance by security leadership would represent a significant blocker ahead of potential improvements to cyber resilience and the overall ROI of security investments.


Detection and Response Maturity Delivers ROI

The number of security incidents is significantly lower for Trailblazer organizations, compared with the other two groups (figure 3). This, combined with the high cost of a data breach, demonstrates that moving from Novice or Explorer level to Trailblazer status could save organizations millions of dollars a year (figure 4).   

Detection and Response Maturity Delivers ROI Figure 3


The State Of Cyber Defense 2023: Detection and Response Maturity Model Figure 4


Organizations Are Missing Key Threat Detection and Response Capabilities - and Suffering the Consequences

The State Of Cyber Defense 2023: Detection and Response Maturity Model

Figure 5

A robust detection and response strategy is comprised of the following elements listed from most basic to most advanced.

Just 3% of organizations’ cybersecurity programs include all the threat detection and response elements required to support full maturity. Worryingly, 20% of organizations only have the basic cybersecurity monitoring with no further processes in place.

Added to this, businesses who self-reported as having a high level of cyber maturity are also more likely to only have cybersecurity monitoring in place. This further illustrates the disparity between what business think is true cyber maturity and actual cyber maturity.

Threat Detection Capabilities Highlight Big Opportunity for Improvement

The State Of Cyber Defense 2023: Detection and Response Maturity Model

Figure 6

When looking at how organizations detect cyberattacks, most organizations are only taking what we’d deem the “least mature” actions, so there is evidently room for improvement.

As the number of zero-day and critical vulnerabilities being exploited grows significantly and attackers rapidly adapt tactics to circumvent basic controls, the low maturity in threat detection highlights the urgent need for more robust detection engineering. Merging threat intelligence with real-life incident investigations can provide a considerable boost to detection capabilities, as demonstrated in our detection-as-code webinar

Trailblazers Trust Security Tools the Most, but Humans Are Key to Avoiding Threats

The State Of Cyber Defense 2023: Detection and Response Maturity Model

Figure 7

Our report The State of Cyber Defense 2023: The False-Positive of Trust revealed that security teams generally trust employees to avoid falling victim to a cyberattack (66%) above the accuracy of cybersecurity alerts and the effectiveness of security tools. However, when looking at the data through the lens of cyber maturity, the statistics are flipped.

For Trailblazers, employees are trusted the least (54%) and the effectiveness of cybersecurity tools is trusted the most (69%).

Much, Much More In the Report

Download the Report

We will use this information to respond to your inquiry and process your data in accordance with our privacy policy.

The State of Cyber Defense 2023: Detection and Response Maturity Model

The full report covers:

  • How to overcome challenges stemming from discrepancies between perceived and actual maturity
  • The ROI of detection and response maturity
  • The threat detection and response capabilities missing from many organizations’ strategies (including cyber insurance)

For access to the full results, complete the form to download the report.

Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

Red Team Security Services

Red team security services from Kroll go beyond traditional penetration testing, leveraging our frontline threat intelligence and the adversarial mindset used by threat actors to push the limits of your information security controls.

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.

Cyber Threat Intelligence

Threat intelligence are fueled by frontline incident response intel and elite analysts to effectively hunt and respond to threats.