
SOC for mid-sized companies: Buy, build, or hybrid?

Key Takeaways

  • A functioning 24/7 internal SOC requires at least six to eight analysts — at current security analyst salaries, that means €600,000–800,000 in personnel costs annually before technology and infrastructure
  • Managed SOC / MDR provides immediate operational readiness without hiring, but handover during critical incidents and depth of environment knowledge need careful evaluation
  • The hybrid model — two to three internal staff for strategic direction and critical incident response, plus 24/7 monitoring from a managed provider — is often the best compromise for mid-market organisations
  • NIS2 and cyber insurers require demonstrable detection and response capabilities — passive or informal monitoring is no longer sufficient
  • The first step before any model decision: clearly define what events must be detected and what response is required

The question of whether an organisation needs a Security Operations Center has long been answered for most mid-sized companies. Cyberattacks are increasing in frequency, regulatory requirements such as NIS2 demand demonstrable detection and response capabilities, and insurers increasingly require continuous monitoring.

The real question is: How?

Model 1: Build your own SOC

An internal SOC offers maximum control and deep understanding of your own environment. Analysts who work exclusively for your organisation know the specifics of your infrastructure and can better contextualise anomalies.

The reality: a functioning 24/7 SOC requires at least six to eight qualified analysts — simply to cover shift operations, holiday cover, and sick leave. At current salaries for security analysts, this means personnel costs of 600,000 to 800,000 euros annually, plus technology, tooling, and infrastructure.

For most mid-sized organisations, this is neither economically nor practically feasible. The skills shortage in the security sector makes recruitment additionally challenging.

Model 2: Managed SOC / MDR

A Managed SOC or Managed Detection and Response service outsources operational security monitoring to a specialised provider. The vendor operates the technology, provides the analysts, and handles initial detection and triage of security events.

The advantages are apparent: immediate operational readiness, no need to hire staff of your own, predictable costs, and access to expertise that would be difficult to build internally.

The risks are less obvious: dependency on a single provider, potentially weaker understanding of your specific environment, and the question of how well handover works during critical incidents. A Managed SOC typically handles detection and initial assessment; response and remediation usually remain with the organisation itself.

Model 3: Hybrid

The hybrid model combines the strengths of both approaches. A small internal core team — typically two to three people — handles strategic direction, threat intelligence management, and response to critical incidents. Operational 24/7 monitoring and alert triage are outsourced to a Managed SOC provider.

This model offers a good compromise: internal competence ensures that security decisions are made with knowledge of the organisation's own environment, while the external partner provides scale and continuous operations.

Decision criteria

The choice depends on several factors:

Budget: A dedicated SOC is the most expensive option. Managed SOC is the most affordable. The hybrid model sits between the two.

Internal expertise: If you already have security expertise in-house, the hybrid model can leverage it effectively. Without existing competence, a Managed SOC is the faster path.

Regulatory requirements: Some industries require certain functions to be delivered internally. Check whether your regulations impose restrictions on outsourcing.

Organisational outlook: Do you want to build internal security competence long-term? Then the hybrid model is a sensible starting point.

The first step

Regardless of the chosen model: begin with a clear definition of what you need to detect and respond to. Without this foundation, any SOC model will be inefficient.

If you would like to develop the right SOC strategy for your organisation, please get in touch.

Frequently Asked Questions

What does a Managed SOC handle, and what remains with the organisation?

A Managed SOC typically handles 24/7 monitoring, initial detection, and alert triage. The actual response — containing an attack, communicating with affected parties, and restoring systems — generally remains with the organisation. This division must be clearly defined in the contract, particularly the escalation process and handover protocol for critical incidents.

How long does building an internal SOC typically take?

An internal SOC is not a project measured in months. Recruiting qualified security analysts alone can take six to twelve months. Add platform setup, detection rule development, and process establishment, and twelve to eighteen months to full operational readiness is a realistic expectation. For organisations facing immediate regulatory pressure, a Managed SOC can bridge this gap.

What internal skills does a hybrid SOC model require?

In the hybrid model, the internal team of two to three people needs threat intelligence skills, incident response capability, and deep knowledge of the organisation’s own environment. They must be able to evaluate escalations from the managed provider, independently manage critical incidents, and define the strategic direction of the security monitoring programme. Detection engineering at scale sits primarily with the external partner.

What SLAs should we negotiate with a Managed SOC provider?

At minimum, three areas should be contractually defined: response time for critical alerts (typically under 15 minutes), the escalation process for severe incidents, and availability of a dedicated contact for the organisation. Additionally, reporting frequency and measurable quality indicators — false positive rate, detection coverage against MITRE ATT&CK — should be specified and regularly reviewed.
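As an added illustration that is not part of the original article: the following Python script computes the three measurable indicators named above (critical-alert response time against a 15-minute threshold, false positive rate, and detection coverage against MITRE ATT&CK) from a constructed export of provider alert records. The alert fields, rule names, sample timestamps and the list of in-scope techniques are assumptions made for this example; the ATT&CK technique IDs are real identifiers, but their mapping to rules is constructed. A customer-side script like this lets the internal team check the provider's quarterly report against raw data rather than taking the summary figures on trust.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    """One alert record as a Managed SOC provider might export it (constructed schema)."""
    alert_id: str
    severity: str              # "critical", "high", "medium" or "low"
    raised_at: datetime        # when the provider's platform raised the alert
    acknowledged_at: datetime  # when a provider analyst picked it up
    verdict: str               # "true_positive" or "false_positive" after triage
    technique: str             # MITRE ATT&CK technique ID the alert was mapped to


# Constructed sample export: six alerts from one night shift.
T0 = datetime(2024, 1, 15, 2, 0)
SAMPLE_ALERTS = [
    Alert("A-001", "critical", T0, T0 + timedelta(minutes=7), "true_positive", "T1110"),
    Alert("A-002", "critical", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=22),
          "true_positive", "T1078"),
    Alert("A-003", "high", T0 + timedelta(hours=2), T0 + timedelta(hours=2, minutes=40),
          "false_positive", "T1059"),
    Alert("A-004", "critical", T0 + timedelta(hours=3), T0 + timedelta(hours=3, minutes=14),
          "false_positive", "T1566"),
    Alert("A-005", "medium", T0 + timedelta(hours=4), T0 + timedelta(hours=5),
          "true_positive", "T1021"),
    Alert("A-006", "low", T0 + timedelta(hours=5), T0 + timedelta(hours=7),
          "false_positive", "T1059"),
]

# Constructed: techniques the organisation agreed in the contract must be detectable.
IN_SCOPE_TECHNIQUES = {"T1078", "T1110", "T1059", "T1566", "T1021", "T1486"}

# Constructed: the provider's rule catalogue, rule name -> ATT&CK techniques it detects.
RULE_CATALOGUE = {
    "brute-force-authentication": {"T1110"},
    "admin-login-from-unusual-location": {"T1078"},
    "encoded-powershell-command": {"T1059"},
    "malicious-attachment-opened": {"T1566"},
}

CRITICAL_SLA = timedelta(minutes=15)  # the "under 15 minutes" figure from the text


def critical_sla_breaches(alerts, threshold=CRITICAL_SLA):
    """IDs of critical alerts whose time-to-acknowledge exceeded the threshold."""
    return [a.alert_id for a in alerts
            if a.severity == "critical" and a.acknowledged_at - a.raised_at > threshold]


def sla_compliance_rate(alerts, threshold=CRITICAL_SLA):
    """Share of critical alerts acknowledged within the threshold (1.0 if none were critical)."""
    critical = [a for a in alerts if a.severity == "critical"]
    if not critical:
        return 1.0
    met = sum(1 for a in critical if a.acknowledged_at - a.raised_at <= threshold)
    return met / len(critical)


def false_positive_rate(alerts):
    """Share of triaged alerts closed as false positives."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a.verdict == "false_positive") / len(alerts)


def attack_coverage(rule_catalogue, in_scope):
    """Return (covered, uncovered) in-scope techniques based on the rule catalogue."""
    detectable = set().union(*rule_catalogue.values()) if rule_catalogue else set()
    covered = detectable & in_scope
    return covered, in_scope - covered


def sla_report(alerts, rule_catalogue, in_scope):
    """Summary figures for a contract review meeting."""
    covered, uncovered = attack_coverage(rule_catalogue, in_scope)
    return {
        "critical_sla_compliance": round(sla_compliance_rate(alerts), 3),
        "critical_sla_breaches": critical_sla_breaches(alerts),
        "false_positive_rate": round(false_positive_rate(alerts), 3),
        "attack_coverage": round(len(covered) / len(in_scope), 3) if in_scope else 1.0,
        "uncovered_techniques": sorted(uncovered),
    }


if __name__ == "__main__":
    for key, value in sla_report(SAMPLE_ALERTS, RULE_CATALOGUE, IN_SCOPE_TECHNIQUES).items():
        print(f"{key}: {value}")
```

On the constructed data, one of three critical alerts (A-002) breached the 15-minute threshold, half of all alerts were false positives, and two in-scope techniques have no detection rule behind them. Those three outputs are exactly the items the text says should be specified and regularly reviewed; feeding a real provider export into the same functions turns the review from a conversation into a measurement.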