Capabilities among teams

Let's start by breaking down the different capabilities of the teams:

  1. Each team has its core set of processes that measure against Key Performance Indicators (KPIs) set by management.
  2. The process of finding deviations against baselines is part of Discovery and Detection.
  3. The process of evaluating the level of risk and taking action on the findings against the baselines is part of Risk Mitigation.
  4. The data that is to be shared with the rest of the teams, and at each phase, is part of Data Exposure and Sharing.
  5. The monitoring of KPIs is completed by the team's input into Security State Analysis the SOC (through the F3EAD process).

We know that we need to be able to share the results of the processes that we are measuring or the information that is required to be delivered to management. We can take these core capabilities and now apply them to the F3EAD process, as depicted in the following diagram:

We now have to understand how all of these security teams' capabilities and the targeting process can work together in an SOC through cyber intelligence by building the communication channels.
