Executive Summary
Cyber threats operate 24/7. Most organisations — including many large enterprises — cannot sustain a 24×7 security operations centre with the staff, tooling, and threat intelligence required to detect and respond to modern attacks.
Managed Security Operations Centre (MSOC) services close this gap. But the market is crowded, quality varies enormously, and the wrong choice can leave you with false confidence — paying for alerts that arrive too late, are too noisy to act on, or come without the response capability to matter.
This buyer’s guide is written for CISOs, IT directors, and procurement teams evaluating MSOC providers. It covers what a managed SOC actually provides, how to evaluate providers rigorously, what questions to ask, and how to measure performance after engagement.
Chapter 1: What a Managed SOC Provides
Core Managed SOC Services
A managed SOC provides continuous monitoring and response for your security environment. The core services:
Security Monitoring (24×7) Continuous analysis of security events from your environment: endpoint EDR alerts, firewall/network logs, identity events (Active Directory/Entra ID), cloud security findings (AWS GuardDuty, Microsoft Defender for Cloud (formerly Azure Defender), Google Cloud Security Command Center), and SIEM-detected patterns.
Threat Detection Identifying attacker activity in your environment using:
- SIEM correlation rules (detecting patterns across multiple log sources)
- Behavioural analytics (user and entity behaviour analytics — UEBA — detecting anomalies)
- Threat intelligence enrichment (correlating events with known malicious IPs, domains, TTPs)
- Managed EDR (detecting endpoint compromise)
Alert Triage Separating real incidents from false positives. Without good triage, analysts drown in alerts. Quality MSOCs tune detection rules to your environment, reducing alert volume while improving signal quality.
Incident Response Support When a confirmed incident is detected:
- Escalation with context (what was detected, where, potential impact)
- Guided response (step-by-step containment recommendations)
- Hands-on response (some providers include active containment — endpoint isolation, firewall rule changes, account disabling)
Threat Intelligence Contextualising your environment against the current threat landscape:
- IOC (Indicators of Compromise) enrichment: are observed IPs/domains/hashes associated with known threat actors?
- TTP mapping to MITRE ATT&CK: understanding attacker techniques
- Industry-specific threat intelligence: threat actors targeting your sector
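A constructed example of how the Threat Detection, Alert Triage and Threat Intelligence services above fit together in working code: a SIEM-style correlation rule for a password spray (ATT&CK T1110.003) run over synthetic Windows logon events, with the source address enriched against an IOC feed and a tuning allowlist suppressing an authorised scanner. This is added illustration, not code from the page or any provider; the event format, thresholds, IOC feed and allowlist are all assumptions.

```python
"""Constructed example: password-spray correlation rule with threat-intel
enrichment and a tuning allowlist, run over synthetic logon events.
Not the page's or any vendor's code; event format, thresholds, IOC feed
and allowlist are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalised Windows Security events:
# (timestamp, event id, target user, source IP). 4625 = failed logon,
# 4624 = successful logon. A real SIEM would supply these.
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:00", 4625, "alice", "203.0.113.50"),
    ("2024-05-01T02:00:05", 4625, "bob", "203.0.113.50"),
    ("2024-05-01T02:00:10", 4625, "carol", "203.0.113.50"),
    ("2024-05-01T02:00:15", 4625, "dave", "203.0.113.50"),
    ("2024-05-01T02:00:20", 4625, "erin", "203.0.113.50"),
    ("2024-05-01T02:01:00", 4624, "erin", "203.0.113.50"),   # spray succeeded
    ("2024-05-01T03:00:00", 4625, "alice", "10.0.5.9"),      # authorised scanner
    ("2024-05-01T03:00:10", 4625, "bob", "10.0.5.9"),
    ("2024-05-01T03:00:20", 4625, "carol", "10.0.5.9"),
    ("2024-05-01T03:00:30", 4625, "dave", "10.0.5.9"),
    ("2024-05-01T03:00:40", 4625, "erin", "10.0.5.9"),
    ("2024-05-01T04:00:00", 4625, "alice", "198.51.100.7"),  # one typo, benign
]

# Constructed threat-intel feed: IOC -> context (assumption; a real MSOC
# would query commercial and open-source feeds here).
IOC_FEED = {"203.0.113.50": {"actor": "constructed-actor-A", "confidence": "high"}}

# Tuning allowlist agreed at onboarding: sources that legitimately generate
# many failed logons (here, a vulnerability scanner).
ALLOWLIST = {"10.0.5.9"}

WINDOW = timedelta(minutes=10)   # correlation window
MIN_DISTINCT_USERS = 5           # one source, many accounts = spray, not brute force


def detect_password_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                          allowlist=ALLOWLIST, ioc_feed=IOC_FEED):
    """Return one enriched alert per source IP that failed logons against
    at least `min_users` distinct accounts within `window`. Severity is
    raised to critical when a success from that source follows in the window."""
    by_src = defaultdict(list)
    for ts, event_id, user, src in events:
        by_src[src].append((datetime.fromisoformat(ts), event_id, user))

    alerts = []
    for src, evs in by_src.items():
        if src in allowlist:          # tuning: suppress rather than alert
            continue
        evs.sort()
        failures = [(ts, user) for ts, event_id, user in evs if event_id == 4625]
        for i, (start, _) in enumerate(failures):   # sliding window over failures
            users = {u for ts, u in failures[i:] if ts - start <= window}
            if len(users) < min_users:
                continue
            succeeded = sorted({u for ts, event_id, u in evs
                                if event_id == 4624 and start <= ts <= start + window})
            alerts.append({
                "rule": "password_spray",
                "technique": "T1110.003",
                "source_ip": src,
                "targeted_users": sorted(users),
                "compromised_users": succeeded,
                "severity": "critical" if succeeded else "high",
                "threat_intel": ioc_feed.get(src),   # enrichment: None if unknown
            })
            break                                     # one alert per source
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

Running it yields a single critical alert for 203.0.113.50 naming the compromised account and the matching intel record; the scanner at 10.0.5.9 produces nothing because it is allowlisted, and the single failed logon from 198.51.100.7 never crosses the threshold. Remove the allowlist and the scanner generates a second, high-severity alert, which is exactly the noise that untuned providers pass on to customers.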
Reporting Regular reporting to security leadership:
- Weekly: alert summary, incident summary, SLA metrics
- Monthly: threat landscape, detection coverage, trend analysis
- Quarterly/Annual: security posture review, programme recommendations
Chapter 2: In-House SOC vs Managed SOC
The Cost Reality
Building a 24×7 in-house SOC requires:
| Resource | Annual Cost (India, conservative) | Annual Cost (UK/US) |
|---|---|---|
| SOC Analysts (Tier 1) × 4 (24×7 coverage) | ₹80L–₹1.2Cr | $200K–$300K |
| SOC Analysts (Tier 2) × 2 | ₹60L–₹90L | $150K–$250K |
| SIEM platform licence | ₹40L–₹1Cr+ | $100K–$500K+ |
| EDR platform licence | ₹20L–₹60L | $50K–$150K |
| Threat intelligence feeds | ₹15L–₹40L | $50K–$150K |
| Infrastructure | ₹20L–₹40L | $50K–$100K |
| Total | ₹2.35Cr–₹4.5Cr+ | $600K–$1.45M+ |
Four Tier 1 analysts is the bare minimum for a single 24×7 seat (168 hours a week at roughly 42 hours each) and leaves nothing for leave, sickness or training; a sustainable roster needs five or six, which pushes the real totals higher than the table shows.
Managed SOC pricing typically ranges from ₹15L–₹50L/year (India SME) to $50K–$300K/year (international), depending on scope, endpoint count, and service level.
The cost case for managed SOC is strong for most organisations below ~1,000 employees. Above that, a hybrid model (in-house team with MSOC co-management) becomes common.
When to Consider In-House vs Managed
Choose Managed SOC when:
- Fewer than 500 endpoints / <$1B revenue
- Cannot hire or retain experienced SOC analysts
- Regulatory requirement for 24×7 monitoring with documented SLAs
- Speed to deployment is important (MSOC onboards in weeks; in-house takes months)
- Budget certainty is important (predictable OPEX vs large CAPEX)
Choose In-House when:
- Highly regulated environment requiring on-premises data residency (government, defence)
- Large organisation with existing security team to augment
- Unique environment requiring deep custom detection engineering
- Competitive advantage in security operations (financial trading, critical infrastructure)
Hybrid model:
- Tier 1 monitoring outsourced to MSOC
- Tier 2/3 investigation and IR capability in-house
- MSOC handles volume; in-house handles complexity
Chapter 3: Key Capabilities to Evaluate
Detection Coverage
MITRE ATT&CK coverage mapping
Ask providers: “Show me your MITRE ATT&CK coverage heatmap.” A mature MSOC should have detection coverage across multiple tactics — not just Initial Access and Execution, but also Persistence, Lateral Movement, and Exfiltration.
Be sceptical of claims of “100% ATT&CK coverage”. ATT&CK Enterprise has 14 tactics and several hundred techniques and sub-techniques; some cannot be detected from logs at all, and the Reconnaissance and Resource Development tactics describe attacker activity that happens outside your environment, where neither you nor the MSOC has telemetry. Ask instead which techniques have a tested detection, which depend on a single log source, and how the heatmap was validated (for example, by replaying attack simulations against the rules) rather than inferred from rule names.
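A constructed example of the coverage check described above: a provider's rule catalogue, tagged with ATT&CK technique IDs, is mapped onto the 14 Enterprise tactics and the gaps are listed. This is added illustration, not the page's or any vendor's code; the rule names are invented, and the technique-to-tactic mapping is a small hand-copied subset of the ATT&CK matrix (in practice you would load the full mapping from the ATT&CK STIX data).

```python
"""Constructed ATT&CK coverage-heatmap check. Not the page's or any vendor's
code; rule names are invented and TECHNIQUE_TACTICS is a hand-copied subset
of the ATT&CK Enterprise matrix covering only the techniques used here."""

# The 14 ATT&CK Enterprise tactics in kill-chain order.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Technique -> tactics, subset copied from ATT&CK for the techniques below.
TECHNIQUE_TACTICS = {
    "T1078":     ["Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"],
    "T1059.001": ["Execution"],
    "T1547.001": ["Persistence", "Privilege Escalation"],
    "T1110.003": ["Credential Access"],
    "T1021.001": ["Lateral Movement"],
    "T1071.001": ["Command and Control"],
    "T1048":     ["Exfiltration"],
    "T1486":     ["Impact"],
    "T1566.001": ["Initial Access"],
}

# Constructed rule catalogue, shaped like an export a provider might hand over.
# Disabled rules are in the catalogue but give no coverage, a common trick
# behind inflated heatmaps.
RULES = [
    {"name": "phishing_attachment",     "techniques": ["T1566.001"], "enabled": True},
    {"name": "powershell_encoded",      "techniques": ["T1059.001"], "enabled": True},
    {"name": "run_key_persistence",     "techniques": ["T1547.001"], "enabled": True},
    {"name": "password_spray",          "techniques": ["T1110.003"], "enabled": True},
    {"name": "rdp_lateral",             "techniques": ["T1021.001"], "enabled": False},
    {"name": "ransomware_mass_encrypt", "techniques": ["T1486"],     "enabled": True},
    {"name": "valid_account_anomaly",   "techniques": ["T1078"],     "enabled": True},
]


def coverage_by_tactic(rules, mapping=TECHNIQUE_TACTICS):
    """Map enabled rules onto tactics. Returns {tactic: sorted technique ids}."""
    covered = {tactic: set() for tactic in TACTICS}
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        for technique in rule["techniques"]:
            for tactic in mapping[technique]:
                covered[tactic].add(technique)
    return {tactic: sorted(ids) for tactic, ids in covered.items()}


def coverage_gaps(rules, mapping=TECHNIQUE_TACTICS):
    """Tactics with no enabled detection at all, in kill-chain order."""
    covered = coverage_by_tactic(rules, mapping)
    return [tactic for tactic in TACTICS if not covered[tactic]]


def heatmap(rules, mapping=TECHNIQUE_TACTICS):
    """Text heatmap: one '#' per distinct technique detected under each tactic."""
    covered = coverage_by_tactic(rules, mapping)
    lines = []
    for tactic in TACTICS:
        count = len(covered[tactic])
        bar = "#" * count if count else "-"
        lines.append(f"{tactic:<22}{bar:<6}{', '.join(covered[tactic])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(heatmap(RULES))
    print("uncovered tactics:", coverage_gaps(RULES))
```

With this catalogue, seven of the fourteen tactics have no enabled detection, including Lateral Movement, whose only rule is switched off, and Exfiltration and Command and Control, which have no rule at all. That is the kind of gap a tactic-level heatmap makes visible and a headline rule count hides.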
Detection sources supported:
| Source | Must Support | Notes |
|---|---|---|
| Windows Event Logs | ✅ | Core for AD environments |
| Linux Syslog | ✅ | Core for server environments |
| EDR (CrowdStrike, MDE, SentinelOne) | ✅ | Should support major platforms |
| Microsoft 365 / Entra ID | ✅ | Critical for cloud identity |
| AWS (CloudTrail, GuardDuty) | ✅ | If you use AWS |
| Azure (Activity Log, Microsoft Sentinel incidents) | ✅ | If you use Azure; Sentinel is itself a SIEM, so confirm whether the MSOC monitors it or replaces it |
| Network (firewall, proxy) | ✅ | Palo Alto, Cisco, Fortinet |
| Cloud email (Google Workspace, M365) | ✅ | Email remains a primary initial access vector |
| Custom/proprietary logs | Verify | Can they onboard your bespoke systems? |
Response Capability
Alert → Investigate → Escalate → Respond. The response capability is what separates genuine MSOCs from “alert factories.”
| Response Level | What It Means |
|---|---|
| Escalation only | MSOC detects and notifies you; you contain |
| Guided response | MSOC provides step-by-step containment guidance; you execute |
| Managed response | MSOC executes containment with your authorisation (endpoint isolation, account disabling, firewall rules) |
| Fully managed | MSOC executes response autonomously up to defined playbooks; notifies you of actions taken |
Most SME clients want managed response with a standing authorisation: at onboarding you agree a defined set of containment actions the MSOC may take immediately (isolate an endpoint, disable a user account, block an indicator), and the MSOC notifies you as it takes them, so containment is not stalled at 3 AM waiting for sign-off. Anything outside that agreed scope, for example a firewall change that could take a service down, still needs explicit approval. Record the scope in the authorisation matrix you hand over during onboarding.
Incident response retainer: Does the MSOC provide access to IR specialists for major incidents? Who do you call at 3 AM when ransomware hits?
Threat Intelligence
Evaluate the quality and actionability of threat intelligence:
- Coverage: Are they consuming intelligence from commercial feeds (Recorded Future, Mandiant, CrowdStrike Intel), open source (OSINT), and their own SOC telemetry?
- Industry relevance: Is the intelligence relevant to threats targeting your industry and geography?
- Integration: Is threat intel enriched automatically into alerts, or is it a monthly PDF?
- Proactive hunting: Do they proactively hunt for indicators of compromise in your environment before an alert fires?
Analyst Expertise
The quality of your MSOC is determined by the quality of its analysts. Assess:
- Certifications: Analysts should hold SOC-relevant credentials (CompTIA Security+, CySA+, GIAC GCIA, GIAC GCIH, Microsoft SC-200)
- Retention: High analyst turnover means perpetually junior coverage. Ask for average analyst tenure.
- Dedicated vs shared: Are your assigned analysts dedicated to your account, or part of a pooled team?
- Escalation path: What happens when Tier 1 doesn’t understand an alert? How is it escalated?
- Location and language: Where are analysts based? Can they communicate in your preferred language?
Chapter 4: SLAs and Performance Metrics
Critical SLAs to Negotiate
| Metric | Definition | Minimum Target |
|---|---|---|
| Mean Time to Detect (MTTD) | Time from the event's own timestamp in the source log to the alert being raised | <15 minutes for high-severity |
| Mean Time to Notify (MTTN) | Time from alert to customer notification | <30 minutes for critical |
| Alert false positive rate | % of alerts escalated to you that turn out not to be genuine threats | <20% (lower is better) |
| Platform uptime | SIEM/monitoring platform availability | 99.9% |
| Escalation response time | Time for Tier 2 to pick up escalation | <1 hour (business hours), <2 hours (out of hours) |
Pin down how each metric is measured before signing. MTTD must run from the event's own timestamp, not from when the SIEM ingested it, otherwise log-forwarding delays are invisible; the false positive rate must be measured over alerts escalated to you, because a provider can make the rate look good by auto-closing alerts before you see them.
What to Measure on an Ongoing Basis
After deployment, track these monthly:
Volume metrics:
- Total alerts generated
- Alerts escalated to customer (vs auto-resolved/tuned)
- Confirmed true positives (actual incidents detected)
- False positive rate
Performance metrics:
- MTTD per severity (critical, high, medium)
- MTTN per severity
- SLA compliance rate (% of alerts escalated within SLA)
- Coverage rate (% of log sources actively monitored)
Quality metrics:
- Analyst-confirmed true positive rate
- Detection coverage changes (new rules deployed, old rules retired)
- Threat hunting activities and findings
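A constructed example of computing the monthly volume, performance and quality metrics listed above from an alert export, per severity, with 95th percentile alongside the mean. This is added illustration, not the page's or any provider's code; the record fields, the sample records and the SLA thresholds are assumptions (the thresholds follow the SLA table earlier in this chapter).

```python
"""Constructed monthly MSOC metrics from a ticket export. Added illustration,
not the page's or any vendor's code; record fields, sample records and
SLA thresholds are assumptions (thresholds follow the SLA table above)."""
import math
from datetime import datetime
from statistics import mean

# Constructed ticket export. event_time is the timestamp in the original log,
# alert_time when the SIEM raised the alert, notify_time when the customer
# was told (None = closed by the provider without escalation).
ALERTS = [
    {"id": 1, "severity": "critical", "event_time": "2024-05-01T10:00:00",
     "alert_time": "2024-05-01T10:05:00", "notify_time": "2024-05-01T10:15:00",
     "disposition": "true_positive"},
    {"id": 2, "severity": "critical", "event_time": "2024-05-01T11:00:00",
     "alert_time": "2024-05-01T11:10:00", "notify_time": "2024-05-01T11:50:00",
     "disposition": "true_positive"},          # notified 40 min after alert
    {"id": 3, "severity": "critical", "event_time": "2024-05-01T12:00:00",
     "alert_time": "2024-05-01T12:30:00", "notify_time": "2024-05-01T12:45:00",
     "disposition": "false_positive"},         # detected 30 min after the event
    {"id": 4, "severity": "high", "event_time": "2024-05-02T09:00:00",
     "alert_time": "2024-05-02T09:04:00", "notify_time": "2024-05-02T09:30:00",
     "disposition": "true_positive"},
    {"id": 5, "severity": "high", "event_time": "2024-05-02T09:20:00",
     "alert_time": "2024-05-02T09:26:00", "notify_time": None,
     "disposition": "false_positive"},         # auto-closed, never escalated
    {"id": 6, "severity": "high", "event_time": "2024-05-03T13:00:00",
     "alert_time": "2024-05-03T13:02:00", "notify_time": "2024-05-03T13:12:00",
     "disposition": "false_positive"},
]

# Minutes allowed per severity (assumption, matching the SLA table).
SLA_MINUTES = {
    "critical": {"detect": 15, "notify": 30},
    "high":     {"detect": 15, "notify": 60},
    "medium":   {"detect": 60, "notify": 240},
}


def minutes_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def percentile(values, p):
    """Nearest-rank percentile; `values` must be non-empty."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def monthly_metrics(alerts, sla=SLA_MINUTES):
    """Per-severity volume, performance and quality metrics. Detection time
    runs from the log's event timestamp, not SIEM ingestion, so collection
    delay counts against the provider. False positive rate is over
    escalated alerts only, so auto-closed alerts cannot flatter it."""
    report = {}
    for sev, limits in sla.items():
        rows = [a for a in alerts if a["severity"] == sev]
        if not rows:
            continue
        detect = [minutes_between(a["event_time"], a["alert_time"]) for a in rows]
        escalated = [a for a in rows if a["notify_time"]]
        notify = [minutes_between(a["alert_time"], a["notify_time"]) for a in escalated]
        false_pos = sum(1 for a in escalated if a["disposition"] == "false_positive")
        within_sla = sum(1 for t in notify if t <= limits["notify"])
        report[sev] = {
            "alerts": len(rows),
            "escalated": len(escalated),
            "true_positives": sum(1 for a in escalated if a["disposition"] == "true_positive"),
            "false_positive_rate": round(false_pos / len(escalated), 3) if escalated else None,
            "mttd_min": round(mean(detect), 1),
            "p95_ttd_min": percentile(detect, 95),
            "detect_breaches": sum(1 for t in detect if t > limits["detect"]),
            "mttn_min": round(mean(notify), 1) if notify else None,
            "p95_ttn_min": percentile(notify, 95) if notify else None,
            "notify_sla_compliance": round(within_sla / len(escalated), 3) if escalated else None,
        }
    return report


if __name__ == "__main__":
    for sev, metrics in monthly_metrics(ALERTS).items():
        print(sev, metrics)
```

On the sample data the critical MTTD comes out at exactly 15.0 minutes, apparently inside the target, while the 95th percentile is 30 minutes and one of three alerts breached. That is why the percentile belongs in the monthly pack next to the mean.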
Red Flags in SLA Discussions
- SLAs measured in “business hours” for a 24×7 service (attacks don’t observe business hours)
- SLAs that only apply to Critical alerts but not High
- SLA performance reported only as averages, with no 95th percentile or worst case (a single slow incident disappears in a mean)
- No penalty for SLA breaches
- Alert count as an SLA metric (quantity of alerts ≠ quality of detection)
- Unable to provide historical SLA performance data from similar customers
Chapter 5: RFP Requirements
Minimum RFP Information to Request
Company and service information:
- Company background, years in operation, total customers
- Analyst headcount, location, shift structure
- Certifications: ISO 27001, SOC 2, other relevant certifications
- Reference customers in your industry (contact-able references required)
Technical capabilities:
- SIEM platform (proprietary or commercial — which platform?)
- EDR platforms supported
- Log sources supported (complete list)
- MITRE ATT&CK coverage map
- Detection rule count and update frequency
- Threat intelligence sources and integration
- Data residency: where is your data stored and processed?
Service delivery:
- Onboarding timeline and process
- Dedicated vs pooled analysts
- Escalation procedure (with contact numbers for P1 incidents)
- Reporting format and frequency
- Customer portal / dashboard
Commercial:
- Pricing model (per endpoint, per GB ingested, flat fee, hybrid)
- Contract length (minimum term, renewal notice)
- Expansion pricing for growth in endpoint count or data volume
- Exit provisions: data return/deletion, transition assistance
RFP Evaluation Scoring
| Criterion | Weight |
|---|---|
| Technical capabilities (detection coverage, integrations) | 30% |
| Analyst quality and experience | 25% |
| SLA commitments | 20% |
| Pricing and commercial terms | 15% |
| References and track record | 10% |
Proof of Concept / Pilot
Require a 30–60 day pilot before committing to a full contract. During the pilot:
- Connect your production log sources
- Run authorised, pre-agreed attack simulations (for example a controlled password spray against test accounts, or a test beacon from a lab host) so the pilot measures detection of known activity instead of relying on a real attack arriving within the window
- Measure actual MTTD and MTTN against SLA commitments
- Assess alert quality (signal-to-noise ratio)
- Evaluate escalation communication quality
- Get reference calls with existing customers of similar size and industry
Chapter 6: Pricing Models
Common MSOC Pricing Structures
Per-endpoint pricing:
- Charge based on the number of managed endpoints
- Predictable for stable environments
- Typically $10–$50/endpoint/month (international); ₹150–₹800/endpoint/month (India)
- Risk: pricing balloons as you scale
Per-GB-ingested pricing:
- Charge based on volume of log data ingested
- Common with SIEM-as-a-service models
- Risk: high-volume log sources (proxy, network) create unpredictable costs
Flat-fee tier pricing:
- Tiered packages (e.g., “Up to 250 endpoints”, “250–1000 endpoints”)
- Predictable budget; may underserve at the top of a tier
- Common in mid-market MSOC offerings
Hybrid:
- Base fee (coverage + platform) + per-endpoint or per-GB component
- Most common in enterprise deals
Total Cost of Ownership
When comparing MSOC to in-house or alternative solutions, include:
- Platform licence costs (are they included or separate?)
- Onboarding and integration costs
- Training costs
- IR retainer (included in the base price or additional?)
- Reporting and executive deliverables
Chapter 7: Implementation and Onboarding
Typical Onboarding Timeline
| Week | Activity |
|---|---|
| 1–2 | Kickoff; log source inventory; access provisioning |
| 3–4 | Log source onboarding (priority sources: EDR, AD, firewall) |
| 5–6 | Detection rule review and tuning to your environment |
| 7–8 | Alert threshold calibration; baseline establishment |
| 9–12 | Additional log sources; full coverage achieved |
Key Onboarding Documents to Prepare
Asset and network context:
- Asset inventory with criticality tiers (helps analysts contextualise alerts)
- Network diagram (understanding normal traffic flows)
- IP address allocation (which ranges are production vs test vs guest)
Access and escalation:
- Emergency contact list (who to call for each incident severity)
- Escalation matrix (CISO contact, IT lead contact, on-call engineer contact)
- Authorisation matrix (who can authorise endpoint isolation, account disabling)
- Out-of-hours communication preference
Tuning information:
- Known “noisy” sources (specific servers that generate high false-positive alert volumes)
- Planned maintenance windows (exclude from alerting)
- Legitimate tools that may appear suspicious (pentest tools, vulnerability scanners)
Conclusion: Choosing the Right MSOC
The right MSOC partner is not the cheapest — it is the one that provides genuine detection capability, responds effectively when incidents occur, and communicates clearly with your team.
The three questions that matter most:
- “Show me your MTTD and false positive rate for customers of our size and industry.” — Any provider that cannot answer with real data from existing customers should be disqualified.
- “Walk me through exactly what happens the moment you detect ransomware in my environment at 2 AM.” — The answer reveals whether you get genuine response or just an alert.
- “Can you provide two reference customers we can speak with who had a real incident while under your monitoring?” — References from customers who experienced real incidents reveal true capability better than any sales presentation.
CyberneticsPlus provides Managed SOC services with 24×7 coverage, MITRE ATT&CK-aligned detection, and active response for endpoints, cloud, and identity. Contact us to discuss how we can provide security monitoring for your environment.