When working in a SOC (Security Operations Center) it is often required to perform metrics or KPI’s on the detection capabilities, and the flaw that some are doing, is the attempt to do “Time to detect” and “Time to respond” as these are known from the IT Incident Management, where it is often referred to as MTTD (Mean time to detect). The metrics/KPI’s is often to be to ensure improvements and uphold SLA’s. These metrics/KPI’s has a potential flaw that we will try to explain and come with a possible solution using the MITRE ATT&CK Framework.