In research proposed an approach in which the total time of detection, analysis and response to the actions of an attacker does not tend to a minimum value, but is within such limits, in which the possibility of active counteraction to the attacker remains, not allowing him to cause unacceptable damage, which allows to maintain the necessary and sufficient level of information security of the organization with limited resources. Calculated the average time spent by a SOC expert on the analysis of a suspicion of an incident, in which the quality of this analysis allows engineers to take effective actions to contain the attacker. Options for reducing this indicator are considered in view of the need to process all incoming incident suspicions in a high-quality manner in conditions of limited resources. As part of the proposed approach testing, the calculation of the optimal total time of detection, analysis and response for two types of incident suspicions is carried out.