chevron_left Back
Cloud 20 April 2026

SOC as a Service vs. In-House SOC: What Organizations Miss

Most mid-size organizations frame the SOC decision as a security question. The organizations that get it right frame it as an economic one first.

The choice between building an in-house Security Operations Center and buying managed SOC services carries a total cost of ownership that is consistently underestimated on both sides. The in-house model looks controllable until the full scope of what it requires becomes visible. The managed model looks simple until the first contract renewal exposes what it actually delivered.

Three Takeaways

1. The real TCO of an in-house SOC extends well beyond analyst salaries. SIEM licensing, log ingestion and retention, detection engineering, continuous tuning, audit support, and the opportunity cost of internal engineers not working on architecture or cloud security all belong in the calculation. Organizations that cost only headcount are comparing the wrong number.

2. Risk ownership cannot be outsourced. Incident severity decisions, containment approval, regulator communication, and executive escalation must stay in-house regardless of which monitoring model the organization chooses. The managed SOC executes. The organization remains accountable.

3. NIS2 and DORA raise the floor for everyone. Early warning within 24 hours, incident notification within 72 hours, and a final report within one month are not optional for organizations in scope. Those obligations sit with the organization, not the provider, and they belong in the make-or-buy calculation from the start.

What an In-House SOC Actually Costs

The headcount line is the most visible cost and the least complete. A functional in-house SOC requires analysts across three shifts for round-the-clock coverage, detection engineers who build and tune the rules the analysts act on, and incident responders who handle escalations when something real happens. That is the personnel baseline.

Below it sits a layer of technology cost that grows with organizational complexity. SIEM licensing scales with log volume, and log volume grows with every new system, cloud workload, and endpoint added to the environment. Ingestion costs, retention costs, and integration work compound over time. Detection rules require continuous maintenance: the threat environment changes, the organization’s environment changes, and rules written twelve months ago produce false positives or miss entirely if nobody tunes them.

Training, tabletop exercises, and audit support consume time that is rarely budgeted explicitly. The CISO knows these activities matter. The CFO sees the headcount on the payroll and assumes the rest is included.

The cost that appears on no budget line is opportunity cost. Internal security engineers running a SOC are not improving identity architecture, cloud security posture, or resilience. For mid-size organizations where security headcount is already constrained, that trade-off is real and has a financial consequence that only becomes visible when an architecture problem turns into an incident.

When Does In-House Make Economic Sense?

There is no credible threshold by employee count. The question is whether the organization generates enough operational complexity to justify dedicated engineering and response capacity.

An in-house SOC starts to make sense when four conditions converge: the organization requires genuine round-the-clock coverage, the environment is complex enough to need custom detections rather than generic rules, regulatory pressure is high enough to require deep internal visibility into incident handling, and telemetry volume is large enough to keep a dedicated team continuously occupied.

For most mid-size organizations, one or two of those conditions apply, not all four. A financial institution under DORA may meet the regulatory condition strongly but not generate the telemetry volume that justifies a full in-house engineering function. A manufacturing organization with significant OT exposure may have complex detection requirements but lack the security headcount to staff continuous coverage.

The hybrid model addresses this gap. Core monitoring and alert triage goes to a managed provider. Detection engineering, incident ownership, and regulatory accountability stay in-house. The organization pays for coverage it cannot staff internally while retaining the functions that cannot be delegated.

What Cannot Be Outsourced

Monitoring tasks can be outsourced. Accountability cannot.

The functions that must remain in-house regardless of the SOC model are the ones that carry legal, regulatory, and business consequence. Business impact assessment: only the organization understands which systems are critical to which processes. Incident severity decisions: the determination of whether an event requires executive escalation, regulator notification, or customer communication belongs to the organization, not the provider. Containment approval: the decision to isolate a system, take a service offline, or invoke a business continuity plan is an organizational decision with financial and operational consequences that no managed provider can absorb.

Regulator and customer communication under NIS2 and DORA carries the organization’s name. Third-party oversight of the managed SOC itself is an in-house function. The provider cannot audit the provider.

This distinction matters for contract design. Organizations that outsource monitoring and response without retaining the governance functions listed above have not transferred risk. They have created a dependency while keeping the liability.

Which SOC Metrics Actually Matter

The metrics most commonly offered in managed SOC contracts are not the ones that indicate whether the service is working.

Raw alert volume tells an organization how busy the SOC is. It does not indicate whether the alerts reflect real threats or a poorly tuned ruleset generating noise. Ticket count and acknowledge time are process metrics, not security outcomes. The number of threat intelligence feeds a provider subscribes to says nothing about whether those feeds produce actionable detections for the client’s specific environment.

The metrics that matter are tied to outcomes. Coverage of critical assets and log sources: if the SOC cannot see a system, it cannot protect it, and gaps in coverage are one of the most common failure modes in managed relationships. False positive rate: a high false positive rate indicates poor tuning, which means analysts spend time on noise instead of real events. Time to qualified escalation: not acknowledge time, but the time from event to a human analyst making a quality judgment about what happened. Speed of detection rule changes: how quickly the provider can deploy a new detection when a relevant threat emerges. Evidence that alerts are tested: rules that have never fired on real data may not fire when they need to.

These metrics are harder to report and harder to commit to contractually. That is precisely why they should be negotiated at the start rather than at renewal.

What NIS2 and DORA Change

Both regulations raise the floor for incident handling, risk management, and supply-chain oversight. For organizations in scope, those obligations belong in the SOC model design from the start.

NIS2 requires early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, and a final report within one month. The organization submits those reports. The managed SOC supports the process but does not own the obligation.

DORA, in force since January 2025 for financial entities, adds specific requirements for ICT third-party risk management, resilience testing, and incident reporting. A managed SOC relationship is an ICT third-party relationship under DORA. That means the provider is subject to contractual requirements around audit rights, exit clauses, and concentration risk that go beyond standard SLA terms.

KSC, the Polish cybersecurity framework, adds a domestic layer that applies to operators of essential services and digital service providers. The interplay between KSC, NIS2, and DORA creates a compliance environment where the managed SOC contract needs legal review alongside security review.

The practical implication is direct: organizations that sign managed SOC contracts without mapping provider obligations to regulatory requirements discover the gap at audit time, not contract time.

Why Managed SOC Relationships Fail After Two to Three Years

The failure modes are predictable and consistent across organizations that have been through a provider switch.

Weak onboarding is the most common root cause. A managed SOC that does not complete a thorough onboarding of the client’s environment, log sources, critical assets, and business context will produce generic detections that work at a basic level but miss the threats specific to that organization. The gap is not visible in the first year, when the relationship is new and both sides are motivated. It becomes visible in year two, when the client notices that escalations are generic, tuning requests take weeks, and the provider’s analysts cannot answer questions about the client’s specific environment.

Two other failure patterns account for most of the remaining switches. The first: a significant incident that the SOC either failed to detect or detected too late. The second: a cost-reduction decision at renewal, where the client has found a cheaper provider and underestimates what the transition will cost in lost context and re-onboarding time.

The common thread is that organizations evaluate managed SOC providers on price and certification at procurement, and on actual security outcomes two years later. Those are different evaluations, and closing the gap requires asking the right questions before signing.

If your organization is working through the SOC build-vs-buy decision and wants a structured approach to TCO comparison and provider evaluation, download the SOC Decision Framework: a set of criteria covering cost components, capability requirements, regulatory obligations, and contract terms that should be resolved before the procurement process begins. [link]

FAQ

What is the minimum team size for a credible in-house SOC?

Round-the-clock coverage across three shifts requires a minimum of five to seven analysts to maintain continuous staffing without burnout and allow for training, leave, and incident response. Detection engineering and SOC management add further headcount requirements. Organizations below that threshold should evaluate hybrid or managed models rather than understaffing an in-house function that then fails to deliver genuine coverage.

What contractual protections should organizations require from a managed SOC provider?

The contract should define coverage scope explicitly, including which log sources and assets are included. It should specify escalation timelines with quality thresholds, not just acknowledge time. It should include audit rights, data portability, and exit assistance to prevent provider lock-in. For organizations under DORA, concentration risk provisions and sub-contractor disclosure requirements belong in the contract. Termination clauses should address knowledge transfer and log retention to ensure continuity if the relationship ends.

How does the SOC model affect NIS2 incident reporting obligations?

NIS2 reporting obligations belong to the organization regardless of SOC model. The managed SOC can support the process by providing technical analysis and incident timelines, but the early warning, notification, and final report are submitted by the organization to the relevant national authority. Organizations should map their reporting workflow before an incident, not during one, and verify that their managed SOC contract includes the support obligations needed to meet reporting deadlines.

What is the most common mistake organizations make when evaluating managed SOC providers?

Evaluating on price and certification rather than on the provider’s ability to understand and adapt to the client’s specific environment. Generic detection capability is a baseline requirement. The differentiator is whether the provider can build and maintain custom detections for the client’s technology stack, respond to tuning requests within a defined timeframe, and keep pace with the client’s environment as it changes. Those capabilities are best evaluated through reference checks with existing clients in similar environments, not through RFP responses.

When should an organization consider switching managed SOC providers?

The clearest signals are a pattern of generic escalations that do not reflect the client’s actual environment, repeated delays in onboarding new log sources or deploying detection rule changes, and provider responses to real incidents that reveal a lack of context about the client’s business. Cost-driven switches without addressing the root causes of poor performance typically reproduce the same problems with a new provider after a re-onboarding period that itself carries significant risk.

Joanna Maciejewska Marketing Specialist
chevron_left Previous post

Related posts

    Blog post lead
    Cloud Compliance Security

    Vendor Lock-In: Why the Rational Choice Becomes a Systemic Risk

    Vendor lock-in rarely happens by accident. It happens because someone made a rational decision. One contract, one roadmap, one support model. Less coordination, less risk of miscommunication, less chaos. The logic is sound, right up until the moment your „safe” choice turns into a shared dependency with half the market. When the same provider, the […]

    Blog post lead
    Architecture Cloud Data Platform Technology

    How to Build a Data Platform That Will Not Become Technical Debt in 18 Months

    The average data platform project starts with genuine ambition and ends with a refactoring budget nobody planned for. In our experience, the architectural decisions that cause the most damage aren’t the ones that look obviously wrong at the time. They’re the ones that look like reasonable shortcuts. What we’ve learned from building and inheriting data […]

    Blog post lead
    Cloud FinOps Operations

    Cloud FinOps in practice: controlling cloud spend without slowing product teams

    Cloud cost control still tends to be framed as a corrective action. Spend goes up, finance intervenes, and delivery teams are asked to slow down or justify decisions that were already made. This pattern is not accidental. Cloud fundamentally changes the relationship between engineering decisions and financial outcomes, yet many organisations still apply governance models […]

This website uses cookies

We use cookies to optimise the content on our website. Data may also be shared with our partners for analytics purposes or to personalise advertising. You can accept all cookies or choose individual settings. Detailed information about cookies is available in the footer of our website and in the Cookie Policy.

Adjust consent preferences

We use cookies to help you navigate efficiently and perform certain functions. Below, you will find detailed information about all cookies in each consent category.

Cookies classified as “Necessary” are stored in your browser as they are essential for enabling the basic functionalities of the website.

Necessary

These cookies are essential to enable you to navigate the website and use its features, for example by displaying the website properly depending on the device you are using. These cookies will be stored and used even if you do not consent to the use of cookies.

Preferences

These cookies allow the website to be tailored to users' needs and preferences, for example by remembering the preferred language or region. This information has very limited use and is stored only for a specified period of time. It is completely anonymous and is not used for any other purpose. We use these cookies only if you have given your consent via the cookie banner.

Statistical

These cookies collect information about how you use the website, for example which pages you visit most often, in order to determine whether the content we present is useful, what users are interested in, and how the website's performance can be improved. We also use tracking pixels to count website visits and performance cookies to check how many individual users and how often they visit our website. This information is used exclusively for statistical purposes. We use these cookies only if you have given your consent via the cookie banner.

Marketing

These cookies are used to deliver advertisements that are more relevant to you and your interests, both on external websites and on our website, in line with user preferences regarding service selection. They also help measure the effectiveness of advertising campaigns. They remember that you have visited our website, and this information may be shared with other organizations, such as advertisers. We only use these cookies if you have given your consent via the cookie banner.

Privacy Policy
Cookies Policy
© Copyright 2026 by Onwelo