Microsoft Sentinel Blog

Risk-based Recommendation for SOC Optimization

NoamDruker
May 12, 2025

This post is part of a blog series highlighting new SOC optimization capabilities designed to help SOC teams maximize security value and reduce costs, leveraging tailored dynamic recommendations. In this post, we will focus on Risk-Based Optimization, an exciting new capability that helps prioritize detection coverage based on the business risks most pertinent to your organization.

Security teams often face the challenge of deciding where to focus detection efforts, especially when resources are limited and threats are constantly evolving. Traditional approaches treat all detections equally, making it difficult to align security operations with organizational priorities. 

The Risk-Based Optimization capability surfaces high-value detection recommendations tied directly to financial, compliance, legal, and reputational risks, helping teams make informed decisions about where to strengthen coverage. 

“Risk-Based Optimization has significantly influenced decision-making in threat management by providing a structured approach to prioritize and address risks.” 
Elie El Karkafi, Senior Solutions Architect, ampiO Solutions

Importance of risk-based security prioritization

One of the most pressing challenges today is that many organizations struggle to align their detection strategies with the real-world business risks that matter most. 

This disconnect is not just operational — it's organizational. Research shows that just 69% of board members see eye-to-eye with their CISOs (Harvard Business Review). While business stakeholders focus on maintaining operations, controlling costs, and enabling growth, cybersecurity teams focus on threat mitigation, technical coverage, and vulnerability management. Without a shared understanding of risk, misalignment is inevitable.

For example, the board might prioritize operational continuity, while the security team might focus on patching critical vulnerabilities - even if those vulnerabilities have no meaningful impact on core business services. This mismatch leads to: 

  • Security blind spots where high-value assets remain under-protected
  • Misallocation of resources, with low-impact threats consuming equal effort 
  • Difficulty communicating security priorities to business leadership 
  • Limited ROI visibility, as security investments aren’t tied to business outcomes 

What’s needed is a shared framework that allows both technical and non-technical stakeholders to view and prioritize cybersecurity risk in business terms. This includes understanding the financial impact of asset compromise — for example, what is the estimated loss if a major airline’s booking system is taken offline, millions of customer records are breached, and the incident becomes public? These are no longer theoretical scenarios — they are real and must be addressed accordingly. 

A risk-based approach to prioritization begins with understanding your environment: 

  1. Inventory critical assets, including systems, users, and processes — both internal and external
  2. Threat model the ways those assets could be compromised or disrupted
  3. Assess exposure, considering threat likelihood and your organization’s risk tolerance
  4. Prioritize protections by assigning financial or operational impact values to potential losses 

Without this structured prioritization, organizations risk spending time and money without truly improving their security posture where it counts. 
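The four steps above can be carried through as a small scoring model. The following is an added illustration, not Microsoft's SOC Optimization logic: each scenario is assigned a constructed likelihood, an estimated loss, and an assumed baseline of ATT&CK techniques, and scenarios are ranked by the expected loss that current detection coverage leaves unaddressed.

```python
# Added illustration (not Microsoft's SOC Optimization logic): rank risk
# scenarios by expected loss multiplied by the gap against a technique baseline.
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    risk_types: list      # business risk categories affected
    baseline: set         # ATT&CK techniques the scenario should cover (assumed)
    likelihood: float     # annual probability of occurrence (assumed)
    impact_usd: float     # estimated loss if the scenario occurs (assumed)


# Constructed scenarios; technique sets are illustrative, not a vendor baseline.
SCENARIOS = [
    Scenario("Credential Exploitation", ["financial", "compliance"],
             {"T1110", "T1078", "T1003", "T1556"}, 0.40, 2_000_000),
    Scenario("Network Intrusion", ["financial", "legal"],
             {"T1190", "T1046", "T1021", "T1133"}, 0.25, 5_000_000),
    Scenario("Data Exfiltration", ["compliance", "legal", "reputational"],
             {"T1041", "T1048", "T1567", "T1020"}, 0.15, 8_000_000),
]


def coverage_score(scenario, covered):
    """Fraction of the scenario's baseline techniques with an active detection."""
    return len(scenario.baseline & covered) / len(scenario.baseline)


def prioritize(scenarios, covered):
    """Return scenarios ranked by residual risk: expected loss left uncovered."""
    rows = []
    for s in scenarios:
        cov = coverage_score(s, covered)
        residual = s.likelihood * s.impact_usd * (1 - cov)
        rows.append({"scenario": s.name, "coverage": round(cov, 2),
                     "residual_usd": round(residual),
                     "missing": sorted(s.baseline - covered),
                     "risk_types": s.risk_types})
    return sorted(rows, key=lambda r: r["residual_usd"], reverse=True)


# Constructed: techniques the current rule set (SIEM + XDR) already detects.
CURRENT_COVERAGE = {"T1110", "T1078", "T1190", "T1021", "T1046", "T1133", "T1041"}

if __name__ == "__main__":
    for r in prioritize(SCENARIOS, CURRENT_COVERAGE):
        print(f'{r["scenario"]:<24} coverage={r["coverage"]:.0%} '
              f'residual=${r["residual_usd"]:,} add={r["missing"]}')
```

With the constructed inputs, Data Exfiltration ranks first despite its lower likelihood, because its high impact and 25% coverage leave the largest expected loss unaddressed.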

New Risk-Based Optimization solution 

To help bridge the gap between business risk and security operations, we’re introducing Risk-Based Optimization.  

With the Risk-Based Optimization capability, customers can:

  • Identify under-protected, high-risk areas
  • Understand which business risks are impacted, such as financial fraud, data breaches, or operational downtime 
  • Receive recommendations aligned with both MITRE ATT&CK tactics and business consequences 

Key benefits include:

  • Enhanced coverage across broad, business-risk-aligned threat scenarios 
  • Prioritization of high-risk threats affecting mission-critical functions 
  • Operational efficiency by concentrating resources on high-value detections 
  • Visual context through radar charts and MITRE coverage maps 
  • Actionable recommendations that integrate into detection tagging and configuration workflows 

As part of the public preview, Risk-Based Optimization includes three foundational use cases that align threat types with specific business risks: 

  • Credential Exploitation 
  • Network Intrusion 
  • Data Exfiltration 

These scenarios surface directly within the SOC Optimization experience in the unified portal, alongside existing recommendations. Users receive coverage scores and improvement suggestions that span both SIEM and XDR content — all mapped to relevant MITRE tactics, techniques, and sub-techniques for full visibility and traceability. 

Risk-Based Optimizations offer a broad, business-centric lens to kickstart a more strategic coverage approach. Customers can begin with these high-level optimizations, then drill down into more specific threat scenarios as needed. 

“Very impressed with the ease of use and intuitiveness of the feature. It enables Security Operations to focus on making risk-based decisions without being bogged down in technical complexity. The outcomes directly support broader organizational goals. I’m genuinely amazed by how straightforward it is with clear and impactful outcomes.”
Shivniel Gounder, Principal Cybersecurity Engineer, DEFEND 

“It's aligning security measures with business risks, helping to focus resources on high-impact risks. And based on these insights and recommendations, we could have actionable steps to improve security coverage better and better.” 
Michael Morten Sonne, blog.sonnes.cloud, Microsoft MVP 

What it looks like

Risk-based optimization brings clarity to a challenge every security team faces: how do we know if we're protected where it matters most? 

In the unified Microsoft security portal, SOC Optimization now surfaces a set of cards, each highlighting a different business risk where your coverage could be improved.  

Let’s take Credential Exploitation as an example.

The card alerts you that your current coverage is low, and that improvements are available.  

With one click on “Learn about risk types”, you're taken into a detailed view that explains what the risk entails, what business areas it impacts (like financial, compliance, legal, etc.), and how your current MITRE ATT&CK coverage compares to the recommended baseline. 

The experience is designed for action — you don’t need to search for rules or hunt for guidance. The system surfaces exactly what detections to add, and with a direct link to the Content Hub, you can start improving your coverage immediately. 

This connected workflow extends into the MITRE Blade as well, where you can view the scenario’s tactics and techniques across the ATT&CK framework, helping you validate improvements and maintain alignment with real-world threats. 

Risk-based recommendations help transform detection management from a reactive task into a strategic advantage - bridging the gap between technical depth and business impact. 

“The whole addition of Risk-Based Scenarios is fantastic in terms of driving businesses to act to configure their detection rules. I would like to see this more widely adopted in the future to really build up the visibility of business risks in detections.” 
Vebjørn Høyland, Senior Cybersecurity Consultant, Move AS

Next Steps 

Get started with Microsoft Sentinel in the Defender portal today to take advantage of SOC Optimization recommendations tailored for your organization. Microsoft will continue to invest in SOC optimization features to help our customers enhance their security against evolving cyberthreats.

Learn More 

SOC optimization documentation: SOC optimization overview ; Recommendation's logic   

Short overview and demo:  SOC optimization Ninja show  
In depth webinar:  Manage your data, costs and protections with SOC optimization   
SOC optimization API: Introducing SOC Optimization API | Microsoft Community Hub   
MITRE ATT&CK coverage: View MITRE coverage for your organization from Microsoft Sentinel

Updated May 12, 2025
Version 2.0