Attackers don’t keep business hours. The most damaging incidents — ransomware deployment, data exfiltration, account takeover — happen at 2 AM on a Friday, specifically because organisations have no one watching at that moment. The solution is 24/7 security monitoring: a Security Operations Centre that never sleeps. For the vast majority of organisations, the practical answer is a Managed SOC.
This guide explains what a Managed SOC is, how it works, who needs one, and how to evaluate providers without getting talked into something that doesn’t fit your needs.
What Is a Security Operations Centre (SOC)?
A SOC is a centralised team and technology platform responsible for continuously monitoring an organisation’s security posture, detecting threats, and responding to incidents. A functioning SOC:
- Collects security logs and telemetry from endpoints, networks, cloud infrastructure, applications, and identity systems
- Monitors this data 24/7 for signs of attack or compromise
- Detects threats using a combination of rule-based detection, behavioural analytics, and threat intelligence
- Investigates alerts to determine if they represent real incidents
- Responds to confirmed incidents — containing threats, eradicating malware, recovering systems
- Reports on security posture, incidents, and trend data
A fully staffed in-house SOC requires:
- 8–12 analysts per shift (to cover Tier 1, Tier 2, Tier 3 functions around the clock)
- SIEM platform (Splunk, Microsoft Sentinel)
- EDR/XDR platform
- Threat intelligence feeds
- SOAR platform for automation
- Incident management tools
- 24/7 physical facility
The total cost: $2–5 million per year minimum for a properly staffed, properly tooled in-house SOC. For most organisations below 5,000 employees, this is simply not viable.
What Is a Managed SOC?
A Managed SOC (also called MDR — Managed Detection and Response) is an outsourced security operations service. A third-party provider maintains the analysts, technology, and processes, and delivers the monitoring and response capability to you as a service.
You pay a subscription fee. In return, you get:
- 24/7/365 monitoring of your environment
- Threat detection using the provider’s SIEM and detection content
- Analyst investigation of every alert
- Incident response support when a real incident is confirmed
- Regular reporting on threats detected, incidents handled, and security posture
The provider may deploy their own agent to your endpoints, integrate with your existing SIEM, or both — depending on the service model.
Managed SOC vs. MSSP vs. MDR
These terms are used inconsistently in the market. Here’s the distinction:
| Term | What It Typically Means |
|---|---|
| MSSP (Managed Security Service Provider) | Older term; historically focused on log management, device management, and alerting — often with limited active response capability |
| MDR (Managed Detection and Response) | Modern service focused on threat detection, investigation, and active response — analysts triage every alert and help contain confirmed incidents |
| Managed SOC | Equivalent to MDR; some providers use this term to emphasise the full SOC capability (not just detection) |
| XDR (Extended Detection and Response) | Technology platform that correlates telemetry across endpoints, network, cloud, and identity; often the underlying platform for MDR services |
When evaluating providers, focus on what they actually do — not the label they use. Key questions:
- Do analysts investigate every alert, or do they just forward raw alerts to you?
- Do they actively contain threats (isolate endpoints, block IPs, disable accounts), or do they only advise?
- What is their documented mean time to respond (MTTR)?
What a Managed SOC Monitors
A good Managed SOC has visibility across your entire environment:
Endpoint
- EDR (Endpoint Detection and Response) telemetry — process execution, file changes, network connections, registry modifications
- Windows Event Logs — login events, privilege escalation, service creation
- Antivirus / anti-malware events
Common platforms: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Carbon Black
Network
- Firewall and proxy logs — what traffic is entering and leaving
- IDS/IPS (Intrusion Detection/Prevention System) alerts
- DNS query logs — malicious domain lookups, command-and-control traffic
- NetFlow / VPC Flow Logs — east-west movement, unusual port scanning
Identity
- Active Directory / Azure AD logs — login events, group membership changes, password resets, privileged account activity
- Failed authentication events — brute force, credential stuffing
- MFA events — MFA fatigue attempts, new device registrations
Cloud
- AWS CloudTrail / Azure Activity Logs / GCP Cloud Audit Logs — API calls, configuration changes, IAM activity
- Cloud security findings (GuardDuty, Defender for Cloud)
- Container and Kubernetes security events
Applications
- Web application logs — 403 storms, unusual URI patterns, injection attempts
- SaaS applications (via SIEM integrations or CASB)
- Email security — phishing detections, email forwarding rules
How Threat Detection Works
Modern Managed SOC providers use a layered detection approach:
1. Signature-Based Detection
Known bad: IOCs (indicators of compromise) matched against threat intelligence. If a file hash matches a known malware family, or a domain matches a known C2 server — immediate alert.
Example: An endpoint connects to an IP address associated with Cobalt Strike infrastructure → alert generated.
2. Behavioural Analytics / UEBA
Unusual patterns relative to baseline behaviour. Machine learning models establish what “normal” looks like for each user and entity, then flag deviations.
Examples:
- A user who normally logs in from Bengaluru authenticates from the Netherlands 2 hours later
- A service account that never runs PowerShell suddenly executes encoded PowerShell commands
- A workstation that communicates with 2–3 servers per day suddenly beacons to 40 external IPs
3. Threat Hunting
Proactive, analyst-led searches for threats that have evaded automated detection. Analysts formulate hypotheses based on threat intelligence (“APT groups targeting this industry use these techniques”) and hunt for evidence.
4. Detection Rules (MITRE ATT&CK Framework)
Detection rules mapped to known adversary techniques from the MITRE ATT&CK framework. When an endpoint performs T1055 (Process Injection) or T1059 (Command and Scripting Interpreter), a rule fires.
The Incident Response Workflow
When a threat is detected, a well-run Managed SOC follows a defined process:
Tier 1 — Alert Triage (< 15 minutes)
Analyst reviews the alert. Determines: is this a false positive, a low-severity informational event, or a potential incident requiring investigation?
Tier 2 — Investigation (< 1 hour)
For potential incidents, a senior analyst investigates. Correlates related events, expands the timeline, assesses scope, determines if malicious activity is confirmed.
Tier 3 — Incident Response (immediate upon confirmation)
Confirmed incident. The provider:
- Notifies your designated security contact (phone, email, Slack, PagerDuty)
- Recommends immediate containment actions
- Assists with containment if your service level includes active response (isolating endpoints, resetting credentials, blocking IPs)
- Coordinates with your team for remediation
- Documents the incident for reporting and post-incident review
What to Look for in a Managed SOC Provider
Coverage and SLAs
- Is monitoring truly 24/7/365 (including weekends and public holidays)?
- What is the guaranteed mean time to detect (MTTD) and mean time to respond (MTTR)?
- What is the escalation path for confirmed incidents at 3 AM?
Typical benchmarks:
- Alert triage: < 15 minutes
- Investigation: < 1 hour
- Client notification for confirmed incidents: < 30 minutes
Active Response vs. Advisory Only
Some providers only advise — they tell you what’s happening and recommend actions, but don’t take action in your environment. Others can actively contain threats (isolate endpoints, block network traffic, disable accounts) with your pre-authorisation.
Active response is significantly more valuable — every minute of dwell time matters during an incident.
Technology Stack
- What EDR do they use or support? Can you keep your existing EDR?
- What SIEM do they run? Can you access it and run queries yourself?
- Do they support your cloud provider (AWS, Azure, GCP)?
- Do they cover SaaS applications you rely on (Microsoft 365, Salesforce, Slack)?
Detection Library
- How many detection rules do they maintain?
- How frequently are rules updated based on new threat intelligence?
- Are rules mapped to MITRE ATT&CK?
- Can they add custom detection rules specific to your environment?
Reporting
- What regular reports do you receive?
- Are reports actionable (prioritised recommendations) or just raw data?
- Can you access a self-service portal to view alerts and incidents in real-time?
Compliance Support
If you’re pursuing PCI DSS, ISO 27001, SOC 2, or similar, your Managed SOC provider should:
- Produce evidence packages for auditors
- Map their services to specific compliance controls
- Have relevant certifications themselves (ISO 27001, SOC 2 Type II for their platform)
What a Managed SOC Costs
Pricing varies significantly by scope:
| Scope | Typical Range (Annual) |
|---|---|
| Basic MDR (endpoints only, ~100 endpoints) | $20,000 – $50,000 |
| Mid-range (endpoints + cloud + identity, 200 endpoints) | $50,000 – $150,000 |
| Full-scope (endpoints + cloud + network + SIEM, 500 endpoints) | $150,000 – $400,000 |
| Enterprise (large environment, dedicated analysts) | $400,000 – $1M+ |
Compare this to a fully-staffed in-house SOC at $2–5M/year. Even at the high end, a Managed SOC is 3–10x cheaper than in-house.
Offshore providers (India, Eastern Europe) can deliver capable Managed SOC services at 40–60% lower cost than US/UK providers with comparable or better detection coverage.
When You Don’t Need a Managed SOC (Yet)
Not every organisation is ready. You might not need a Managed SOC if:
- You’re pre-product — very early stage, no real customer data, minimal cloud footprint
- Your attack surface is minimal — a handful of SaaS tools, no on-prem infrastructure
- You already have capable in-house security — if you have a functioning security team with SIEM, EDR, and IR capability, an MSSP may add less value than investing in your own capability
For organisations with fewer than 50 employees and no sensitive data, a combination of good security hygiene (MFA, patching, EDR, email security) and a capable IT partner may be more appropriate than a Managed SOC.
How to Evaluate Providers: Questions to Ask
Before signing a contract:
- Can you provide a sample of the detection rules you use? Are they mapped to MITRE ATT&CK?
- What is your documented MTTD and MTTR? Can you show historical performance data?
- Walk me through a recent incident you handled for a client similar to us.
- What happens when an incident is confirmed at 3 AM on a Sunday? Who do we talk to, and how quickly?
- Can we speak with three references from clients in our industry?
- What does your onboarding process look like, and how long until we have full detection coverage?
- What integrations do you support for [your EDR / SIEM / cloud provider]?
- How do you handle false positives? What is your tuning process?
- What is included in active response, and what requires our team to act?
- How do you keep detection content current? How quickly are new vulnerabilities and threats incorporated?
The Bottom Line
Cyber threats don’t wait for business hours. For the vast majority of organisations without the budget or scale for an in-house SOC, a Managed SOC is the practical, cost-effective path to 24/7 detection and response capability.
The right provider is not the cheapest — it’s the one that matches your technology stack, provides genuine active response (not just alerting), maintains current detection content, and has the escalation speed to make a difference during a real incident.
CyberneticsPlus provides Managed SOC services with 24/7 monitoring across endpoints, cloud, identity, and network. Our SocHQ AI SOC platform accelerates detection and response with AI-driven triage. Our SOC analysts hold SIEM, EDR, and incident response certifications. We serve clients across financial services, SaaS, healthcare, and e-commerce. Contact us to discuss your monitoring needs.
Managed SOC Onboarding: What to Expect
The first 90 days of a Managed SOC engagement are the most critical. This is when detection coverage is established, baseline behaviour is learned, and the provider’s understanding of your environment is built. Understanding this phase helps you set realistic expectations and contribute to a faster time-to-value.
Week 1–2: Integration and Deployment
Data source integration: The provider connects to your log sources — typically via:
- EDR agent deployment (if using the provider’s EDR) or API integration with your existing EDR
- SIEM connector for your cloud environment (CloudTrail connector, Azure Activity Log)
- Identity provider integration (Azure AD/Entra ID sign-in logs, Okta logs)
- Network and firewall log forwarding via syslog or API
Expected friction: Agent deployment on 200+ endpoints, firewall rule changes to allow log forwarding, API credential configuration. Your IT team needs to be available during this phase. Budget 2–4 IT days for integration work.
Deliverable: All agreed log sources flowing into the provider’s platform. Confirmation report showing data ingestion and coverage.
Week 2–4: Baseline and Initial Tuning
With data flowing, the provider establishes baseline behaviour:
- Normal working hours for your organisation
- Expected geolocations for user sign-ins
- Typical outbound communication patterns from endpoints
- Normal service account behaviour
- Cloud API call patterns
Initial detection rules are activated. During this phase, expect a higher rate of false positives — the provider doesn’t yet know what “normal” looks like for your environment. Your team should expect more alert queries from the provider (“is this expected behaviour for user X?”) during this phase.
Your role: Respond promptly to queries. The faster the provider learns your environment, the faster false positive rates decline.
Month 2–3: Optimisation
Alert volume declines as false positive tuning matures. Detection coverage expands:
- Custom detection rules for your specific technology stack and industry threats
- SOAR playbooks for your environment (auto-block known-bad IPs in your specific firewall, create tickets in your JIRA project)
- Threat hunting sessions targeting your industry’s most common attack patterns
Deliverable: First monthly report with metrics (alert volume, true positive rate, incidents handled, MTTD, MTTR).
By month 3, you should see:
- Alert volume stabilised at an actionable level (< 20 alerts/day per analyst)
- First full incident handled end-to-end
- Detection coverage mapped to MITRE ATT&CK
Specific Attack Scenarios and SOC Response
Understanding how a Managed SOC responds to real attack scenarios helps evaluate provider capability before signing a contract.
Scenario 1: Business Email Compromise (BEC)
Attack pattern:
1. Attacker sends spear-phishing email to finance employee
2. Employee clicks link, enters credentials on fake Microsoft 365 login page
3. Attacker logs in from attacker infrastructure (different IP, different country)
4. Attacker creates email forwarding rule to copy all email to attacker-controlled address
5. Attacker monitors email for payment request patterns
6. Attacker intercepts payment request, changes bank details, emails CFO impersonating the vendor
What the SOC detects:
- Sign-in from unusual country (alert fires at step 3)
- Email forwarding rule creation by non-admin (alert fires at step 4)
- Correlation: unusual sign-in + forwarding rule creation = high confidence BEC attempt
Response (within 30 minutes of step 4):
- Analyst confirms: legitimate user location is India, sign-in is from Nigeria
- Verify with client: is this legitimate travel? (No)
- Action: disable compromised account, revoke all sessions
- Review all email forwarding rules created in last 24 hours
- Check for any draft or sent emails from compromised account
- Notify client, document incident
- Review whether any payments were intercepted (typically requires coordination with finance team)
SOC value: Without continuous monitoring, BEC attacks often dwell for weeks — attackers are patient. The average BEC dwell time (credential theft to first fraudulent wire) is 3–4 weeks. A 24/7 SOC detecting the anomalous sign-in on day 1 prevents the entire attack chain.
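The correlation in this scenario (unusual sign-in plus a non-admin forwarding rule on the same account) as runnable detection logic. This is an added example, not any provider's detection content; the event field names, the baseline countries and the sample events are constructed for illustration and loosely modelled on Microsoft 365 sign-in and mailbox-audit records.

```python
from datetime import datetime, timedelta

# Constructed sample events (field names are this example's own assumptions).
EVENTS = [
    {"ts": "2024-05-03T08:02:00", "type": "SignIn", "user": "priya@example.com",
     "country": "IN", "ip": "203.0.113.10"},
    {"ts": "2024-05-03T09:40:00", "type": "SignIn", "user": "arjun@example.com",
     "country": "IN", "ip": "203.0.113.11"},
    {"ts": "2024-05-03T10:15:00", "type": "SignIn", "user": "priya@example.com",
     "country": "NG", "ip": "198.51.100.7"},
    {"ts": "2024-05-03T10:21:00", "type": "New-InboxRule", "user": "priya@example.com",
     "actor_role": "User", "forward_to": "mail-archive@example.net"},
    {"ts": "2024-05-03T11:00:00", "type": "New-InboxRule", "user": "it-admin@example.com",
     "actor_role": "Admin", "forward_to": "helpdesk@example.com"},
]

# Baseline learned during onboarding: countries each user normally signs in from.
BASELINE_COUNTRIES = {
    "priya@example.com": {"IN"},
    "arjun@example.com": {"IN"},
    "it-admin@example.com": {"IN", "GB"},
}
INTERNAL_DOMAIN = "example.com"
CORRELATION_WINDOW = timedelta(hours=24)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def unusual_signins(events, baseline):
    """Rule 1: sign-in from a country outside the user's learned baseline."""
    return [e for e in events
            if e["type"] == "SignIn"
            and e["country"] not in baseline.get(e["user"], set())]


def external_forwarding_rules(events, internal_domain):
    """Rule 2: a non-admin creates an inbox rule forwarding mail outside the organisation."""
    suffix = "@" + internal_domain.lower()
    return [e for e in events
            if e["type"] == "New-InboxRule"
            and e["actor_role"] != "Admin"
            and not e["forward_to"].lower().endswith(suffix)]


def triage_bec(events, baseline, internal_domain, window=CORRELATION_WINDOW):
    """Correlate the two rules. An unusual sign-in followed within the window by an
    external forwarding rule on the same account is raised as High; either signal
    alone is raised as Medium so an analyst still reviews it."""
    signins = unusual_signins(events, baseline)
    rules = external_forwarding_rules(events, internal_domain)
    alerts, correlated = [], set()
    for s in signins:
        hits = [i for i, r in enumerate(rules)
                if r["user"] == s["user"] and timedelta(0) <= _ts(r) - _ts(s) <= window]
        if hits:
            correlated.update(hits)
            r = rules[hits[0]]
            alerts.append({"severity": "High", "user": s["user"],
                           "reason": f"sign-in from {s['country']} ({s['ip']}) then forwarding to {r['forward_to']}"})
        else:
            alerts.append({"severity": "Medium", "user": s["user"],
                           "reason": f"sign-in from {s['country']} outside baseline"})
    for i, r in enumerate(rules):
        if i not in correlated:
            alerts.append({"severity": "Medium", "user": r["user"],
                           "reason": f"external forwarding rule to {r['forward_to']}"})
    return alerts


if __name__ == "__main__":
    for a in triage_bec(EVENTS, BASELINE_COUNTRIES, INTERNAL_DOMAIN):
        print(a["severity"], a["user"], a["reason"])
```

The admin's rule forwarding to an internal address is deliberately not alerted, which is the kind of tuning decision made during the baseline phase of onboarding.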
Scenario 2: Ransomware Deployment
Attack pattern:
1. Initial access via unpatched RDP or VPN vulnerability
2. Lateral movement to identify backup servers and domain controllers
3. Exfiltration of sensitive data (double extortion)
4. Disable shadow copies and backups
5. Deploy ransomware payload across network
What the SOC detects:
- Unusual RDP connection from external IP (step 1)
- Scanning and lateral movement (Nmap, mimikatz patterns) (step 2)
- Large data transfer to external IP (step 3)
- Shadow copy deletion via vssadmin (step 4)
Response (within 15 minutes of step 2):
- Alert fires on lateral movement patterns
- Analyst investigates: confirms attacker-controlled host moving between internal systems
- Immediately: network isolate the initial compromise host
- Identify all systems the attacker touched
- Preserve forensic evidence (memory capture, network captures) before further containment
- Notify client for emergency response activation
- Escalate to Tier 3 incident response
Without SOC: Ransomware typically deploys within 24–72 hours of initial access. With 24/7 SOC detecting lateral movement in minutes, containment before ransomware deployment is achievable in the majority of cases.
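An added example of the ATT&CK-mapped detection rules described under "Detection Rules (MITRE ATT&CK Framework)", run over constructed process-creation events from this ransomware scenario (the vssadmin shadow copy deletion and encoded PowerShell mentioned earlier). It also derives the technique coverage data behind the ATT&CK heatmap a provider may be asked for. The rules and events are illustrative and this example's own, not a provider's library; the patterns are simplified versions of widely published command-line detections.

```python
import re

# Detection rules mapped to MITRE ATT&CK technique IDs (simplified, illustrative).
RULES = [
    {"id": "R-001", "technique": "T1490", "severity": "Critical",
     "name": "Inhibit System Recovery: shadow copy deletion",
     "pattern": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)},
    {"id": "R-002", "technique": "T1059.001", "severity": "High",
     "name": "PowerShell launched with an encoded command",
     "pattern": re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I)},
    {"id": "R-003", "technique": "T1543.003", "severity": "Medium",
     "name": "Windows service created via sc.exe",
     "pattern": re.compile(r"\bsc(\.exe)?\s+create\b", re.I)},
]

# Constructed process-creation events, the shape EDR telemetry or Windows
# event 4688 / Sysmon event 1 provide. Hosts, users and command lines are made up.
EVENTS = [
    {"host": "WS-014", "user": "CORP\\svc-backup", "parent": "cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS-014", "user": "CORP\\svc-backup", "parent": "cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"host": "DC-01", "user": "CORP\\it-admin", "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "WS-022", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]


def evaluate(events, rules):
    """Run every rule over every event's command line; one alert per match."""
    alerts = []
    for e in events:
        for r in rules:
            if r["pattern"].search(e["cmdline"]):
                alerts.append({"rule": r["id"], "technique": r["technique"],
                               "severity": r["severity"], "host": e["host"],
                               "user": e["user"], "cmdline": e["cmdline"]})
    return alerts


def attack_coverage(rules):
    """Technique ID -> number of rules: the data behind an ATT&CK coverage heatmap."""
    coverage = {}
    for r in rules:
        coverage[r["technique"]] = coverage.get(r["technique"], 0) + 1
    return coverage


def escalate_hosts(alerts):
    """Hosts where two or more distinct techniques fired: the pattern the Tier 2
    analyst treats as an attack chain and prioritises for isolation."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["technique"])
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= 2}


if __name__ == "__main__":
    hits = evaluate(EVENTS, RULES)
    for a in hits:
        print(a["severity"], a["host"], a["technique"], a["cmdline"])
    print("coverage:", attack_coverage(RULES))
    print("escalate:", escalate_hosts(hits))
```

The scripted PowerShell run by the admin and the svchost start do not match, which is what a tuned rule set should do with routine administration.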
Choosing Between MDR Providers: Evaluation Framework
When shortlisting managed SOC providers, use this structured evaluation framework:
Technical Evaluation (60% of decision weight)
Coverage breadth (20%):
- Which platforms and operating systems does the EDR support?
- Which cloud providers are natively integrated?
- Which SaaS applications are monitored?
- What is the minimum retention period for raw logs?
Detection quality (25%):
- What is the provider’s MTTD (Mean Time to Detect) benchmark?
- How is the detection library maintained? How frequently are new threats added?
- Can they share a MITRE ATT&CK heatmap showing current coverage?
- How do they handle zero-day threats with no existing signatures?
Response capability (15%):
- Is active response included (containment actions) or advisory only?
- What actions can they take on your behalf with pre-authorisation?
- What is the process for taking containment actions on cloud resources?
Operational Evaluation (25% of decision weight)
Analyst quality:
- What certifications do Tier 1, Tier 2, and Tier 3 analysts hold?
- What is the analyst-to-client ratio?
- What is the average experience level of analysts?
Communication:
- What are the escalation communication channels?
- Who is your named point of contact?
- What does the monthly reporting include?
Onboarding:
- What is the expected time to full detection coverage?
- What does your team need to provide/support during onboarding?
- What are the SLAs during the initial tuning period?
Commercial Evaluation (15% of decision weight)
Pricing model:
- Is pricing per-endpoint, per-GB of logs, or fixed?
- What happens if you grow beyond the contracted scope?
- Is there a minimum commitment period?
- What are the exit terms?
Contract terms:
- Data ownership and portability on termination
- SLA penalties if MTTD/MTTR benchmarks aren’t met
- Liability provisions for missed incidents
Frequently Asked Questions
Q: Can a Managed SOC replace our in-house IT security team?
A: Managed SOC replaces the monitoring function, not the full security team. You still need internal security leadership (CISO or vCISO), someone to manage the vendor relationship and escalations, and an incident response coordinator. The Managed SOC handles 24/7 alert monitoring and initial response — but business decisions (whether to declare a major incident, how to communicate to customers after a breach, whether to pay ransomware) remain yours. Think of it as augmenting, not replacing, your team.
Q: How quickly can a Managed SOC detect a sophisticated attacker?
A: Detection speed depends on which stage of the attack chain the SOC detects. Commodity attacks (phishing, known ransomware families) are detected within minutes via signature-based detections. Sophisticated, custom attackers living off the land (using only built-in Windows tools, minimal network noise) may take 24–72 hours to detect via behavioural analytics. Nation-state actors with specific knowledge of your defences may be undetectable by any commercial SOC — but these represent a tiny fraction of real-world threats.
Q: What data does a Managed SOC access in our environment?
A: The provider needs read access to your security telemetry — endpoint logs, cloud API logs, identity logs, network logs. They do not need access to your business data (documents, databases, code). A reputable provider will have a clear data processing agreement, specify exactly what data is collected, and comply with relevant data protection regulations (UK GDPR, GDPR, etc.). Insist on a data processing addendum (DPA) and confirm where log data is stored geographically.
Q: What is the minimum size organisation that benefits from a Managed SOC?
A: Generally, organisations with 50+ endpoints, some cloud presence, and any sensitive data (customer PII, financial data, intellectual property) benefit from a Managed SOC. Below this threshold, good security hygiene (MFA everywhere, EDR, email security, regular patching) combined with a responsive IT partner provides reasonable protection. As data sensitivity and regulatory exposure increase, so does the value of continuous monitoring.
Q: How does Managed SOC work with our existing security tools?
A: Good Managed SOC providers integrate with your existing stack rather than replacing it. If you have CrowdStrike already, they connect to CrowdStrike’s API to ingest telemetry. If you have Microsoft Defender, they integrate with Defender XDR. If you have an existing SIEM, they can typically operate it. The integration approach varies by provider — confirm before signing that your current tools are supported.
Q: What SLAs should we demand in a Managed SOC contract?
A: Industry standard SLAs for Managed SOC include: alert triage within 15 minutes for Critical, 1 hour for High; analyst notification within 30 minutes of confirmed incident; 99.9% platform availability. More importantly, negotiate consequences for SLA breaches — a provider who guarantees response times but faces no penalty for missing them is not truly accountable. Credits or termination rights for consistent SLA failures are reasonable asks.
Q: What is the difference between Managed SOC and MDR?
A: The terms are used interchangeably in most commercial contexts. MDR (Managed Detection and Response) is the industry analyst term (Gartner, Forrester) for the category. Managed SOC emphasises the full security operations centre capability (not just detection and response). In practice, evaluate the actual service capability — detection breadth, analyst quality, response actions — rather than the label. Some vendors use MSSP (Managed Security Service Provider), though this historically implied less active response.