The Decision Most Mid-Market Companies Get Wrong
At some point between your 150th and 500th employee, someone in leadership asks the question: "Should we build our own security operations center or hire a managed security provider?" The answer you get usually depends on who you ask. Your CISO (if you have one) wants to build. Your CFO wants to outsource. And both of them are working with incomplete numbers.
The managed-versus-in-house decision is one of the highest-stakes infrastructure choices a mid-market company makes, and the real costs are rarely what either side presents. In-house advocates underestimate total cost of ownership by 40 to 60 percent. Managed service advocates gloss over the organizational knowledge gaps and vendor lock-in risks that come with full outsourcing.
This guide breaks down the actual numbers, the hidden costs on both sides, and the hybrid models that most mid-market companies ultimately find work best. We are not selling you on one approach -- we are giving you the data to make an informed decision.
Defining mid-market: For this analysis, we define mid-market as companies with 200 to 2,000 employees, $50 million to $1 billion in revenue, and IT environments with 500 to 5,000 endpoints. These companies are too large to ignore security operations but too resource-constrained to build enterprise-grade SOCs.
The True Cost of Building an In-House SOC
When leadership hears "build a SOC," they think of a few analysts and a SIEM. The reality is far more expensive and operationally demanding. Here is what a functional in-house SOC actually costs.
Personnel: The Largest and Most Underestimated Cost
A SOC that provides 24/7/365 coverage requires a minimum of 8 to 12 analysts across three shifts once weekends, holidays, vacation, training, and sick time are accounted for. The arithmetic is unforgiving: one seat staffed around the clock is 168 hours a week, which is 4.2 analysts at 40 hours each before any leave and roughly five once leave and training are included. Two seats per shift, the minimum for a Tier 1 and a Tier 2 analyst to be on at once, therefore means about ten people. You cannot run 24/7 operations with fewer without burning out your team, and a burned-out team is typically gone within 18 months.
| Role | Headcount | Avg Salary (US) | Fully Loaded Cost |
|---|---|---|---|
| SOC Analyst (Tier 1) | 6 | $75,000 - $95,000 | $600,000 - $760,000 |
| SOC Analyst (Tier 2) | 3 | $100,000 - $130,000 | $400,000 - $520,000 |
| SOC Manager | 1 | $140,000 - $175,000 | $185,000 - $230,000 |
| Security Engineer | 1-2 | $130,000 - $170,000 | $170,000 - $450,000 |
| Threat Intel Analyst | 1 | $110,000 - $145,000 | $145,000 - $190,000 |
Total personnel cost: $1.5 million to $2.15 million annually. The fully loaded figures above apply a multiplier of roughly 1.3x to salary to cover benefits (typically 30-35% of salary) and payroll taxes; training, certifications, and recruitment are itemized separately under hidden costs below so they are not double-counted. And recruitment is not trivial: the cybersecurity talent shortage means average time-to-fill for SOC analyst roles is 6 to 9 months, with annual turnover rates of 25 to 35 percent in SOC positions.
Technology Stack: Beyond the SIEM License
Every SOC needs a core technology stack. The SIEM gets the most attention, but it is typically only 30 to 40 percent of your technology spend.
| Technology | Purpose | Annual Cost Range |
|---|---|---|
| SIEM Platform | Log aggregation, correlation, alerting | $50,000 - $250,000 |
| EDR/XDR | Endpoint detection and response | $30,000 - $100,000 |
| SOAR Platform | Automated response and playbook execution | $25,000 - $80,000 |
| Threat Intelligence | IOC feeds, threat actor tracking | $15,000 - $60,000 |
| Vulnerability Scanner | Continuous vulnerability assessment | $10,000 - $50,000 |
| Ticketing/Case Mgmt | Incident tracking and documentation | $5,000 - $20,000 |
Total technology cost: $135,000 to $560,000 annually. Note that SIEM costs can balloon quickly based on data ingestion volume. A mid-market company ingesting 500 GB to 2 TB of logs daily can easily push SIEM costs toward the higher end.
Hidden Costs Nobody Budgets For
- Detection engineering -- Writing, testing, and tuning detection rules requires dedicated engineering time. Most SIEMs ship with generic rules that generate massive false positive volumes without customization
- Ongoing training -- Threat landscape evolves continuously. Budget $5,000 to $10,000 per analyst annually for training, certifications (SANS, GIAC), and conference attendance
- Recruitment costs -- With 25-35% annual turnover, you are spending $15,000 to $25,000 per hire in recruiter fees, job postings, and interview time. Multiply by 2-3 replacements per year
- Management overhead -- Your CISO and IT leadership spend significant time managing SOC operations, vendor relationships, and technology decisions. This opportunity cost is real even if it does not appear on the SOC budget
- Facility and infrastructure -- Dedicated monitoring space, display walls, secure workstations, and redundant network connectivity add $50,000 to $150,000 in setup costs
Total in-house SOC cost for a mid-market company: $1.8 million to $3.2 million annually, with $200,000 to $500,000 in first-year setup costs on top. These numbers assume US-based staffing. Offshore or nearshore models can reduce personnel costs by 30-50% but introduce timezone, language, and management challenges.
The True Cost of Managed Security Services
Managed security services come in several flavors, and the pricing models vary significantly. Understanding what you are actually buying is critical to an apples-to-apples comparison.
MSSP vs MDR vs SOCaaS: What You Are Actually Buying
| Service Type | What You Get | Annual Cost (Mid-Market) |
|---|---|---|
| MSSP | Log monitoring, alert forwarding, basic analysis, device management | $100,000 - $300,000 |
| MDR | Active threat hunting, investigation, containment, response actions | $200,000 - $500,000 |
| SOCaaS | Full SOC outsourcing including SIEM, EDR, analysts, and incident response | $300,000 - $800,000 |
Even at the high end of SOCaaS pricing ($800,000), you are spending roughly a quarter to under half of what an equivalent in-house operation would cost ($1.8 million to $3.2 million, per the previous section). But cost is not the only factor. For a deeper look at managed security approaches for earlier-stage companies, see our guide on managed security services for startups.
What Managed Services Do Well
- 24/7 coverage from day one -- No recruitment timeline, no shift scheduling headaches, no coverage gaps during employee transitions
- Breadth of threat intelligence -- Good providers see threats across hundreds of customer environments. Their detection capabilities benefit from collective visibility that no single mid-market SOC can match
- Mature playbooks and processes -- Established providers have responded to thousands of incidents. Their runbooks are battle-tested in ways that a new in-house SOC's will not be for years
- Technology included -- Most SOCaaS and MDR providers include SIEM, EDR, and SOAR capabilities in their pricing. You avoid the capital expenditure and ongoing licensing management
- Scalability -- Adding endpoints, cloud environments, or data sources is a contract adjustment, not a hiring and procurement project
What Managed Services Struggle With
- Business context -- External analysts do not understand your application architecture, normal user behavior patterns, or which assets matter most. This leads to alert fatigue and missed contextual threats
- Response depth -- Most managed providers can isolate an endpoint or block an IP, but they cannot remediate application-level vulnerabilities, reconfigure your infrastructure, or manage your incident response plan end-to-end
- Vendor lock-in -- Once your logging, detection, and response processes are built on a provider's platform, switching costs are substantial. Plan for 6 to 12 months to migrate providers
- Compliance ownership -- The managed provider generates evidence, but you are still accountable. Auditors expect your team to understand what the provider does and how it maps to your continuous monitoring requirements
- Customization limits -- Detection rules, response playbooks, and reporting formats may not align perfectly with your environment. Customization requests often require premium tiers or professional services engagements
The Hybrid Model: What Actually Works for Most Mid-Market Companies
After years of helping mid-market companies navigate this decision, the pattern we see work most consistently is a hybrid model: a small internal security team paired with a managed security provider that handles 24/7 monitoring and specialized capabilities.
The Optimal Hybrid Structure
For a company with 300 to 1,000 employees, the hybrid model typically looks like this:
- Internal: Security Manager or Director -- Owns security strategy, vendor management, risk assessment, and executive reporting. Reports findings through structured CISO metrics
- Internal: 1-2 Security Engineers -- Handle security architecture, detection engineering, tool integration, and vulnerability management
- Internal: 1 GRC Analyst -- Manages compliance programs, policy documentation, audit coordination, and vendor risk assessments
- External: MDR or SOCaaS Provider -- Provides 24/7 monitoring, alert triage, threat hunting, and first-response containment
- External: Penetration Testing Partner -- Annual or continuous penetration testing and red team engagements
Hybrid Model Cost Breakdown
| Component | Annual Cost |
|---|---|
| Internal Team (3-4 FTEs) | $500,000 - $750,000 |
| MDR/SOCaaS Provider | $200,000 - $500,000 |
| Penetration Testing | $30,000 - $80,000 |
| Compliance Tooling | $15,000 - $30,000 |
| Total | $745,000 - $1,360,000 |
The hybrid model costs roughly 40 to 45 percent of an equivalently scoped in-house SOC ($745,000 to $1.36 million against $1.8 million to $3.2 million) while addressing the key weaknesses of full outsourcing. Your internal team provides business context, strategic direction, and compliance ownership. Your managed provider delivers the operational muscle and 24/7 coverage.
Decision Framework: When Each Model Makes Sense
Rather than prescribing a single answer, here is a framework for evaluating which model fits your organization.
Build In-House When:
- You operate in a highly regulated industry where outsourcing security operations creates compliance complications (defense, certain financial services)
- Your environment is so unique or classified that external providers cannot access the systems they would need to monitor
- You have 2,000+ employees and the budget to sustain a dedicated security operations team long-term
- Your competitive advantage depends on proprietary security capabilities (you are a security company)
- You need deep integration between security operations and software development that requires full-time embedded security engineers
Go Fully Managed When:
- You have fewer than 200 employees and cannot justify any dedicated security headcount beyond a fractional CISO
- You need SOC 2 or ISO 27001 certification quickly and do not have time to build internal capabilities
- Your environment is cloud-native and relatively standard (SaaS applications, AWS/GCP/Azure infrastructure)
- You are in a geography where cybersecurity talent is extremely scarce or prohibitively expensive
Go Hybrid When:
- You are a 200 to 2,000 employee company that needs mature security operations without the full in-house investment
- You want to maintain strategic control over your security program while outsourcing operational execution
- You need to scale security capabilities up and down with business growth
- Your compliance requirements span multiple frameworks (SOC 2, ISO 27001, PCI DSS) and you need internal expertise to coordinate across them
Evaluating Managed Security Providers: What to Ask
If you decide to include a managed component, the vendor selection process is critical. Here are the questions that separate good providers from ones that will leave you exposed. For broader guidance on selecting security partners, see our guide to choosing a cybersecurity vendor.
SLA Benchmarks That Matter
| Metric | Minimum Acceptable | Best-in-Class |
|---|---|---|
| Mean Time to Detect | Under 30 minutes | Under 5 minutes |
| Mean Time to Respond | Under 4 hours | Under 30 minutes |
| Critical Alert Escalation | Under 1 hour | Under 15 minutes |
| Containment Capability | Guided remediation | Direct endpoint isolation |
| Monthly Reporting | Standard metrics | Custom KPIs + executive summary |
Critical Questions for Provider Evaluation
- What is your mean time to detect (MTTD) and mean time to respond (MTTR)? Good MDR providers report MTTD under 10 minutes and MTTR under 30 minutes for critical threats. Ask for data, not promises: the distribution (median and 95th percentile, not just the mean) per severity over the last 12 months, and their definition of "respond", since acknowledging an alert and taking a containment action are very different things
- How do you handle alert tuning and false positive reduction? The provider should have a defined process for learning your environment and reducing noise over the first 30-90 days
- What response actions can you take without calling us? Some providers can only alert. Others can isolate endpoints, block IPs, disable accounts, and quarantine emails. Know where the line is
- How does your pricing scale? Some providers price per endpoint, others per GB of log ingestion, others per user. Model your costs at 2x and 3x your current scale to avoid surprises
- What happens if we want to leave? Ask about data portability, detection rule ownership, and transition assistance. If the answer is vague, that is a red flag
- Can you provide compliance evidence packages? If you need evidence for SOC 2 CC7.x controls or cyber insurance requirements, verify the provider delivers it in a format your auditor or insurer accepts
Red flag: Any managed security provider that cannot clearly articulate their detection methodology, show you sample alert formats, and provide customer references from companies similar to yours is not ready for your business. A polished sales deck does not equal operational maturity.
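One way to check a provider's MTTD and MTTR numbers against their own alert export, as an added example that is not part of the original article or any vendor's tooling. The CSV layout, column names, the contract thresholds in SLA_MINUTES, and every timestamp in ALERT_EXPORT are constructed assumptions. The point it makes is that the mean can sit comfortably inside the SLA while the 95th percentile, where the incidents that actually hurt you live, does not.

```python
"""Check an MDR provider's reported MTTD/MTTR against contract thresholds.

Added example for this article, not code from the original page or from any
provider. The export format, column names, SLA thresholds and all timestamps
below are constructed assumptions.
"""
import csv
import io
import math
import statistics
from datetime import datetime, timezone

# Constructed sample of a provider alert export (hypothetical format).
# event_ts:   when the malicious activity occurred (from the investigation)
# detect_ts:  when the provider raised the alert
# respond_ts: when the provider took or recommended a containment action
ALERT_EXPORT = """\
alert_id,severity,event_ts,detect_ts,respond_ts
A-1,critical,2024-03-01T02:10:00Z,2024-03-01T02:13:00Z,2024-03-01T02:31:00Z
A-2,critical,2024-03-02T14:05:00Z,2024-03-02T14:07:00Z,2024-03-02T14:25:00Z
A-3,critical,2024-03-03T23:40:00Z,2024-03-03T23:44:00Z,2024-03-04T00:02:00Z
A-4,critical,2024-03-05T11:00:00Z,2024-03-05T11:06:00Z,2024-03-05T11:20:00Z
A-5,critical,2024-03-06T03:15:00Z,2024-03-06T04:05:00Z,2024-03-06T08:20:00Z
A-6,high,2024-03-06T09:00:00Z,2024-03-06T09:12:00Z,2024-03-06T10:40:00Z
A-7,high,2024-03-07T17:30:00Z,2024-03-07T17:35:00Z,2024-03-07T18:10:00Z
A-8,critical,2024-03-08T00:20:00Z,2024-03-08T00:22:00Z,2024-03-08T00:45:00Z
"""

# Assumed contract thresholds in minutes, per severity (the article's
# "minimum acceptable" column for critical; looser figures assumed for high).
SLA_MINUTES = {
    "critical": {"mttd": 30, "mttr": 240},
    "high": {"mttd": 60, "mttr": 480},
}


def _ts(value):
    """Parse the export's ISO-8601 UTC timestamps."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_export(text):
    """Turn the CSV into per-alert time-to-detect and time-to-respond (minutes)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        event, detect, respond = _ts(r["event_ts"]), _ts(r["detect_ts"]), _ts(r["respond_ts"])
        rows.append({
            "id": r["alert_id"],
            "severity": r["severity"],
            "ttd_min": (detect - event).total_seconds() / 60,
            "ttr_min": (respond - detect).total_seconds() / 60,
        })
    return rows


def percentile(values, p):
    """Nearest-rank percentile: returns an observed value, no interpolation."""
    ordered = sorted(values)
    k = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[k]


def sla_report(rows, sla=SLA_MINUTES):
    """Mean, p95 and max of TTD/TTR per severity, each checked against the SLA."""
    report = {}
    for severity, limits in sla.items():
        subset = [r for r in rows if r["severity"] == severity]
        if not subset:
            continue
        entry = {"n": len(subset)}
        for metric in ("ttd", "ttr"):
            values = [r[f"{metric}_min"] for r in subset]
            mean, p95 = statistics.fmean(values), percentile(values, 95)
            limit = limits[f"m{metric}"]
            entry[metric] = {
                "mean": round(mean, 1), "p95": p95, "max": max(values), "limit": limit,
                "mean_ok": mean <= limit,   # what the sales deck quotes
                "p95_ok": p95 <= limit,     # what you should hold them to
            }
        report[severity] = entry
    return report


if __name__ == "__main__":
    for severity, entry in sla_report(parse_export(ALERT_EXPORT)).items():
        for metric in ("ttd", "ttr"):
            m = entry[metric]
            verdict = "PASS" if m["p95_ok"] else "FAIL on p95"
            print(f"{severity:8} {metric.upper()} n={entry['n']} mean={m['mean']} "
                  f"p95={m['p95']:.0f} max={m['max']:.0f} limit={m['limit']}  {verdict}")
```

On the constructed data, critical alerts average 11 minutes to detect and under an hour to respond, both well inside the thresholds, but the single slow case (A-5) puts the 95th percentile at 50 minutes and 255 minutes, outside both. Nearest-rank percentiles are used deliberately so the number you quote back to the provider is an actual alert they can look up, not an interpolated value.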
Making the Transition: Practical Next Steps
Regardless of which model you choose, the transition requires planning. Here is a realistic implementation approach.
If Moving to Managed Services
- Inventory your current security stack -- Document every tool, its purpose, its cost, and who manages it. This becomes your requirements document for provider evaluation
- Define your detection requirements -- What threats matter most to your business? Create a prioritized list that any provider must demonstrate coverage for
- Run a parallel operation -- During the first 60-90 days, run your managed provider alongside any existing monitoring. Compare detection rates, response times, and false positive volumes
- Establish clear escalation paths -- Document who at your organization is contacted for each severity level, what information the provider must include, and what decisions require your approval
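The parallel-operation step above is only useful if both sides are scored against the same ground truth. The following is an added example, not code from the original article or from any provider, of scoring two monitoring sources against a list of scheduled test detonations drawn from the detection requirements list. The test events, alert records, host names, and the 30-minute matching window are all constructed assumptions.

```python
"""Score two monitoring sources against known test events during a parallel run.

Added example for this article, not code from the original page or from any
provider. The test events, alert records, host names and the matching window
are constructed assumptions.
"""
import statistics
from datetime import datetime, timedelta, timezone

# How long after a test detonation an alert still counts as detecting it.
MATCH_WINDOW = timedelta(minutes=30)

# Constructed: detonations scheduled from the prioritized detection
# requirements list, with the host they ran on and when.
TEST_EVENTS = [
    {"id": "T1", "technique": "PowerShell download cradle", "host": "ws-042", "ts": "2024-04-02T10:00:00Z"},
    {"id": "T2", "technique": "LSASS memory access", "host": "srv-dc1", "ts": "2024-04-02T10:30:00Z"},
    {"id": "T3", "technique": "SMB admin share lateral movement", "host": "srv-file1", "ts": "2024-04-03T14:00:00Z"},
    {"id": "T4", "technique": "password spray against VPN", "host": "vpn-gw", "ts": "2024-04-04T02:00:00Z"},
]

# Constructed: alerts raised by the existing SIEM and by the new MDR provider
# over the same period, as exported from each console.
ALERTS = [
    {"source": "existing", "host": "ws-042", "ts": "2024-04-02T10:09:00Z", "name": "Suspicious PowerShell"},
    {"source": "mdr", "host": "ws-042", "ts": "2024-04-02T10:03:00Z", "name": "Download cradle"},
    {"source": "mdr", "host": "srv-dc1", "ts": "2024-04-02T10:32:00Z", "name": "Credential dumping"},
    {"source": "existing", "host": "srv-file1", "ts": "2024-04-03T14:20:00Z", "name": "Admin share access"},
    {"source": "mdr", "host": "srv-file1", "ts": "2024-04-03T14:05:00Z", "name": "Lateral movement"},
    {"source": "existing", "host": "ws-017", "ts": "2024-04-03T16:00:00Z", "name": "Port scan"},
    {"source": "existing", "host": "ws-023", "ts": "2024-04-04T09:00:00Z", "name": "Port scan"},
    {"source": "mdr", "host": "ws-101", "ts": "2024-04-04T11:00:00Z", "name": "Rare parent process"},
]


def _ts(value):
    """Parse the exports' ISO-8601 UTC timestamps."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_sources(test_events, alerts, window=MATCH_WINDOW):
    """Per source: coverage of the test events, detection delay, missed techniques
    and the alerts that matched nothing (the noise your team will have to triage)."""
    events = [{**e, "t": _ts(e["ts"])} for e in test_events]
    scores = {}
    for source in sorted({a["source"] for a in alerts}):
        src_alerts = [{**a, "t": _ts(a["ts"])} for a in alerts if a["source"] == source]
        matched, delays = set(), {}
        for e in events:
            # every alert on the same host inside the window after the detonation
            hits = [i for i, a in enumerate(src_alerts)
                    if a["host"] == e["host"] and e["t"] <= a["t"] <= e["t"] + window]
            if hits:
                matched.update(hits)
                first = min(src_alerts[i]["t"] for i in hits)
                delays[e["id"]] = (first - e["t"]).total_seconds() / 60
        scores[source] = {
            "coverage": len(delays) / len(events),
            "median_delay_min": statistics.median(delays.values()) if delays else None,
            "missed": [e["technique"] for e in events if e["id"] not in delays],
            "unmatched_alerts": [a["name"] for i, a in enumerate(src_alerts) if i not in matched],
        }
    return scores


if __name__ == "__main__":
    for source, s in score_sources(TEST_EVENTS, ALERTS).items():
        print(f"{source:9} coverage={s['coverage']:.0%} median_delay={s['median_delay_min']}min "
              f"missed={s['missed']} unmatched={len(s['unmatched_alerts'])}")
```

Unmatched alerts are reported as a count to triage rather than labelled false positives outright, because in a live environment an alert that lines up with no test event may still be real. The "missed" list is the output that matters most for the vendor conversation: it names the techniques from your own requirements list that a source never fired on, which is far harder to argue with than an aggregate detection rate.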
If Building In-House
- Start with detection engineering -- Before hiring a full SOC team, invest in building quality detection rules and response playbooks. This is the intellectual property that makes your SOC effective
- Hire the manager first -- Your SOC manager designs the operating model, selects tools, and recruits analysts. Hiring analysts before you have a manager leads to inconsistent processes and early turnover
- Use managed services as a bridge -- While you are building your in-house capability over 12-18 months, a managed provider keeps you covered. Plan the transition with specific milestones
- Budget for year two -- Most in-house SOCs do not reach operational maturity until 18-24 months after launch. Ensure leadership understands this timeline and the associated security budget implications
Looking for the Right Security Operations Model?
Lorikeet Security's Defensive Security Bundle ($39,500/yr) provides SOCaaS, incident response planning, and threat intelligence for mid-market companies. Our Full Stack Bundle ($99,000/yr) adds offensive testing and compliance support for comprehensive coverage.