1.1 SOC Operating Models
Introduction
A SOC operating model defines how security monitoring, detection, and response are staffed and delivered. The model you choose determines your coverage hours, your response speed, your staffing costs, and your ability to scale. There is no universally correct model — the right choice depends on your organization’s size, budget, risk tolerance, and existing security maturity.
This subsection describes the four primary operating models, their trade-offs, and selection criteria. Most mid-sized organizations do not operate a pure model — they run a hybrid that combines elements based on their specific constraints.
Model 1: Dedicated in-house SOC
What it is: A fully staffed security operations team employed by the organization, operating from a dedicated facility or virtual workspace. All analysts, detection engineers, and incident responders are internal employees.
Coverage: Typically 8×5 (business hours) for smaller teams, 24×7 for larger teams. 24×7 requires a minimum of 5–6 analysts to cover three shifts with redundancy for leave and training.
Advantages:
- Complete control over detection rules, investigation priorities, and response actions
- Deep institutional knowledge — analysts understand the business, the users, the environment
- No data sharing with external parties
- Fastest response for high-severity incidents (no handoff delay to a third party)
Disadvantages:
- Expensive — 24×7 coverage with qualified analysts, a SOC manager, and a detection engineer costs $400,000–$600,000+ annually in the UK
- Recruitment and retention challenge — experienced SOC analysts are in high demand
- Single point of failure for expertise — if your senior analyst leaves, institutional knowledge leaves with them
- Requires investment in training, tools, and continuous development to keep pace with the threat landscape
Best for: Large organizations (1,000+ employees) with significant security budgets, regulated industries requiring data sovereignty, or organizations with unique threat profiles that generic managed services cannot adequately address.
Model 2: Managed SOC (MSSP / MDR)
What it is: Security monitoring and initial triage are delivered by an external managed security service provider (MSSP) or managed detection and response (MDR) provider. The provider operates their own SOC and monitors your environment alongside other clients.
Coverage: Typically 24×7 — the provider’s SOC operates continuously across their client base.
Advantages:
- 24×7 coverage without the cost of staffing three shifts internally
- Access to the provider’s collective threat intelligence across their client base
- Faster time to operational capability than building an internal team from scratch
- Predictable costs (monthly subscription rather than salary and benefits)
Disadvantages:
- Limited customization — the provider’s detection rules and playbooks are designed for their entire client base, not your specific environment
- Handoff friction — when the provider identifies a potential incident, there is a handoff to your internal team for investigation and containment. This handoff adds latency and can lose context.
- Less institutional knowledge — the provider’s analysts do not understand your business processes, your user behavior patterns, or your organizational context
- Data sharing — your log data flows to the provider’s platform, raising data sovereignty and confidentiality considerations
- Alert fatigue transfer — many MSSPs generate high volumes of low-context alerts and declare them “your responsibility to investigate”
Best for: Small to mid-sized organizations (100–1,000 employees) that need 24×7 coverage but cannot justify the cost of an internal 24×7 team. Organizations early in their security maturity journey that need immediate monitoring while building internal capability.
MDR vs MSSP — the distinction matters
An MSSP typically monitors your environment and sends you alerts. An MDR provider monitors, investigates, and takes response actions on your behalf (with your pre-authorization). The MDR model is more expensive but delivers more value — the provider handles triage and initial investigation, not just alert forwarding. When evaluating providers, ask: "When your team identifies a confirmed compromise at 02:00, what actions do you take before calling us?" If the answer is "we send you an email," that is an MSSP. If the answer is "we revoke the user's tokens, disable the forwarding rule, and then call you with the containment summary," that is an MDR.
Model 3: Hybrid SOC
What it is: Internal analysts handle business-hours monitoring, investigation, and response. An external provider handles after-hours monitoring and initial triage. Complex investigations and containment are escalated to the internal team regardless of the hour.
Coverage: 24×7 through the combination of internal (business hours) and external (after hours).
Advantages:
- 24×7 coverage at lower cost than a fully internal 24×7 team
- Internal team retains deep investigation and response capability
- The external provider handles the highest-volume, lowest-complexity work (overnight alert triage)
- Internal team focuses on high-value work: detection engineering, complex investigations, improvement
Disadvantages:
- Handoff complexity — transferring context between internal and external teams at shift boundaries
- Requires clear escalation criteria so the external provider knows what to escalate versus what to handle independently
- The external provider’s quality determines overnight coverage quality — if they miss something at 02:00, you find out at 08:00
- Contract management overhead — SLAs, performance reviews, and relationship management
Best for: Mid-sized organizations (200–2,000 employees) with a small internal security team (2–5 people) that cannot staff 24×7 but need continuous coverage. This is the most common model for organizations at intermediate security maturity.
Model 4: Virtual SOC
What it is: Security monitoring responsibilities are distributed across IT team members who have other primary roles. There is no dedicated SOC team — instead, IT administrators, network engineers, and system administrators share monitoring duties alongside their primary responsibilities.
Coverage: Best-effort during business hours. No dedicated after-hours coverage.
Advantages:
- Lowest cost — no dedicated security headcount
- Leverages existing IT team knowledge of the environment
Disadvantages:
- Security monitoring is always secondary to primary job responsibilities — when a server goes down at the same time an alert fires, the server gets attention first
- No consistent investigation quality — each team member has different security skills and different approaches
- No detection engineering, no playbook development, no systematic improvement
- Reactive only — incidents are discovered when they become visible problems, not when detection rules fire
Best for: Small organizations (under 100 employees) with no security budget. This model is a starting point, not a destination. The goal should be to mature into a hybrid or managed model as the organization grows.
Selecting your model
| Factor | Dedicated | Managed (MDR) | Hybrid | Virtual |
|---|---|---|---|---|
| Organization size | 1,000+ | 100–1,000 | 200–2,000 | Under 100 |
| Annual security budget | $400K+ | $100K–$300K | $150K–$400K | Minimal |
| Coverage requirement | 24×7 internal | 24×7 external | 24×7 combined | Business hours |
| Investigation depth | Full internal | Provider triage, internal investigation | Internal primary, provider overnight | Ad hoc |
| Detection engineering | Internal team | Provider-managed + limited custom | Internal team | None |
| Maturity level | Advanced | Early to intermediate | Intermediate | Initial |
Most organizations in this course’s target audience — mid-sized companies running M365 with 1–5 security staff — operate a hybrid model or a managed model. The detection rules, playbooks, and documentation from this course are designed to work within any model, but they deliver the most value in hybrid and dedicated models where the internal team has the authority and capacity to deploy and maintain them.
Try it yourself
Assess your current SOC operating model:
- Which model does your organization currently use? (It may be a hybrid of two.)
- What are the coverage hours? Are there gaps?
- If you use a managed provider, what actions can they take independently versus what requires your approval?
- Based on the selection criteria, is your current model appropriate for your organization's size, budget, and risk profile?
Check your understanding
1. A mid-sized manufacturing company (500 employees) has 2 IT staff with some security training. They need 24×7 monitoring but their annual security budget is $150,000. Which operating model is most appropriate?
2. Your organization uses an MSSP that sends you 200 alerts per day, of which 190 are false positives. Your 2-person internal team spends all day triaging these alerts and has no time for detection engineering or improvement work. What is the operational problem?
You're reading the free modules of SOC Operations