MDR vs SOC-as-a-service vs running it yourself
A practical decision framework for mid-market firms choosing between managed detection and response, SOC-as-a-service and building an in-house SOC.
Atticus Rowan
The 24x7 security monitoring question arrives at most mid-market firms sometime between the first enterprise customer security questionnaire and the second cyber insurance renewal. Both ask the same underlying question. Who is watching for intrusion attempts, and at what hours, and with what response authority?
The answers cluster into three models: managed detection and response from a specialist vendor, SOC-as-a-service from a larger managed provider, and an in-house SOC built inside the company. Each has a coherent use case, each has failure modes, and the choice between them is driven as much by operating-model fit as by capability on paper.
Here is the working framework we use to help mid-market clients decide.
What each model actually does
MDR, managed detection and response
A specialist vendor operates detection, investigation and response on the company’s behalf, using a combination of the company’s security telemetry and the vendor’s platform.
Typical MDR engagement:
- Vendor deploys or integrates with the company’s existing EDR platform
- Vendor ingests network, identity and cloud telemetry into a shared detection platform
- Vendor’s SOC analysts triage alerts 24x7
- Vendor has defined response authority to contain threats (isolate an endpoint, disable an account, block traffic) with or without company approval depending on the playbook
- Vendor produces monthly reporting on detections, responses and trends
Typical vendor examples: Arctic Wolf, Huntress, Red Canary, Expel, eSentire, Blackpoint. Most MDR providers specialize in a narrow band of the market (small-business, mid-market or upper-mid-market) and the engagement models differ accordingly.
SOC-as-a-service
A managed services provider operates a multi-tenant SOC serving multiple customers, bundled with or alongside broader managed IT services.
Typical SOC-as-a-service engagement:
- Provider operates a multi-tenant SOC from its own facilities
- Provider ingests customer telemetry into a shared SIEM
- Provider’s analysts triage across the customer base
- Response authority is usually more constrained than MDR, with a playbook emphasizing notification and coordination
- Often bundled with a broader managed services engagement
Typical provider examples: broader MSPs offering security services, mid-tier security service providers with multi-tenant platforms.
In-house SOC
The company builds its own security operations function with dedicated analysts, tooling and processes.
Typical in-house SOC:
- Dedicated SOC analysts (usually 4 to 12 FTE minimum for 24x7 coverage)
- A company-owned SIEM and security operations platform
- Custom detection engineering against company-specific context
- Full response authority
- Direct ownership of the detection and response quality
In-house SOC economics usually require a minimum of 500 to 1,000 employees and a defensible business case for dedicated capability. Below that threshold, in-house rarely competes on cost or capability with the managed options.
The decision framework
Three questions drive most decisions.
Question 1, what operating model fits the company
- Prefers a specialist vendor owning security detection and response end-to-end → MDR
- Prefers a single provider bundling IT and security services → SOC-as-a-service
- Has a security leadership team with capacity to operate a dedicated function → In-house SOC
Question 2, what capability profile is needed
- Standard threat landscape, moderate regulatory pressure, need credible 24x7 coverage → MDR or SOC-as-a-service
- Significant regulatory or sector-specific detection requirements (financial services, healthcare, federal contractor) that demand custom detection engineering → MDR with a strong platform or In-house SOC
- High-threat profile (PE-backed roll-up with acquisition-integration risk, or a firm with material IP to protect) → MDR from an upper-mid-market specialist, or In-house SOC
Question 3, what economics fit
- Under 200 employees → MDR is almost always the right answer. SOC-as-a-service if already bundled with a managed IT provider.
- 200 to 500 employees → MDR is the default, with SOC-as-a-service as a viable alternative for firms with a simple environment and an existing strong managed services relationship.
- 500 to 1,500 employees → MDR remains competitive. In-house SOC becomes evaluable for firms with sector-specific requirements. SOC-as-a-service is usually outgrown at this scale.
- Above 1,500 employees → The decision is mostly about whether to build in-house or use MDR under a different engagement model. SOC-as-a-service rarely fits.
Typical cost bands, per year, for a 500-employee firm:
- MDR: $100,000 to $300,000 depending on vendor and scope
- SOC-as-a-service: often bundled with managed IT, with security component around $60,000 to $180,000
- In-house SOC: $1.2 million to $2.5 million fully loaded (staff, tooling, infrastructure)
An in-house SOC is rarely built at 500 employees because the scale does not justify that cost. At 2,000 employees the same in-house SOC runs $2 million to $4 million, which is in the range of a defensible investment.
Common failure modes
MDR failure modes
- Weak EDR underneath. MDR is only as good as the telemetry. A legacy antivirus product with an MDR layer above it produces poor detection outcomes.
- Unclear response authority. The playbook does not specify what the MDR can do without company approval, so critical incidents stall waiting for approval from executives who are unreachable at 3 AM.
- Inadequate context. The MDR does not know the company’s environment well enough to distinguish normal from anomalous. This is usually a problem in the first 90 days that resolves with onboarding, but some MDR engagements never invest in the context work.
- Reporting theater. Monthly reports with high detection counts and no response outcomes. The count is not the signal; the response is.
SOC-as-a-service failure modes
- Generic detections. The multi-tenant SIEM runs generic content. Detection quality sits at a baseline level rather than being tuned to the customer’s environment.
- Analyst attention dilution. Each analyst covers many customers. The quality of triage reflects it.
- Bundled engagement misaligns security priorities. When security and IT come from the same provider, security work can get deprioritized against IT delivery pressures.
- Limited response authority. The provider notifies rather than acts. Some firms are fine with that. Others discover at incident time that they wanted action.
In-house SOC failure modes
- Undersized team. 24x7 coverage realistically requires 4 analysts minimum, plus leadership. Firms that try with 2 analysts usually produce inconsistent coverage and analyst burnout.
- Tooling cost escalation. SIEM licensing costs grow faster than most firms expect, and the mature detection platform is a multi-year investment.
- Retention challenges. SOC analysts have an active external market. A small SOC loses capability with every departure.
- Insufficient scope. The SOC covers endpoints and cloud but not SaaS, or covers production but not corporate. The gaps are discovered during incidents.
A practical path for a mid-market firm
This is the working pattern we see across mid-market clients.
- Below 100 employees. MDR with a strong EDR platform underneath. Usually bundled with the MSP relationship or delivered as a direct vendor engagement. Budget $50,000 to $120,000 annually.
- 100 to 300 employees. MDR with defined response authority and a well-scoped engagement. Evidence-ready detection library. Clear escalation path. Budget $80,000 to $200,000 annually.
- 300 to 700 employees. MDR from a specialist, with attention to the context-building work during onboarding. Coordination with the MSP or in-house team on response playbooks. Budget $120,000 to $350,000 annually.
- 700 to 1,500 employees. MDR remains the default. Some firms begin evaluating in-house capability if sector-specific or regulatory requirements push that direction. Budget $200,000 to $500,000 annually for MDR.
- Above 1,500 employees. A real build-vs-buy decision. Most mid-market firms continue with MDR; a minority build in-house capability. Neither is a default.
Where we fit
Atticus Rowan operates in the design-and-operate seat rather than the detection seat. The practical work:
- Scoping the monitoring model for a client’s specific threat profile, regulatory posture and operating model
- Selecting the MDR vendor where MDR is the right answer, with an eye toward onboarding discipline
- Building the telemetry pipeline (EDR, identity signals, cloud logs) the MDR depends on
- Owning the response playbook and the coordination between the MDR and the client’s executive and operational teams during incidents
- Producing the reporting that makes the monitoring model visible to leadership and to the cyber insurance carrier
We do not operate a proprietary SOC. That is a deliberate choice. The market has credible MDR providers for every tier of the mid-market, and building competitive SOC capability in-house would replace specialist work with generalist work. Better to select the right MDR and operate the relationship well than to build a mediocre SOC.
If your firm is weighing MDR, SOC-as-a-service or in-house SOC and you want a clear read on which model actually fits the operating profile and threat landscape, schedule a discovery call. We can walk through the current posture and scope the right model.