In-House SOC vs Managed SOC: Which Should You Build?
The real cost of staffing a 24/7 security operations centre, when building in-house makes sense, when managed detection and response is the rational choice, and the hybrid model most mid-sized organisations should actually run.
Every organisation that has been breached says the same thing afterwards: the alert was there, nobody was looking at it. Round-the-clock monitoring is the control that separates an incident from a catastrophe, and it is the control almost nobody staffs correctly.
The decision is usually framed as a buying question. It is really a staffing question, and the arithmetic settles it faster than any vendor comparison.
| In-house SOC | Managed SOC / MDR | |
|---|---|---|
| Minimum headcount for 24/7 | 5–8 analysts | None |
| Time to operational | 9–18 months | Weeks |
| Coverage during leave and attrition | Degrades | Contractual |
| Threat intelligence breadth | Your estate only | Across all clients |
| Detection engineering | You build it | Included and continuously tuned |
| Tooling cost | Licensed by you | Bundled |
| Institutional knowledge of your estate | Deep | Shallower — mitigated by a named analyst |
| Control and customisation | Total | Bounded by the service |
| Escalation to a human at 03:00 | Depends who is awake | Contractual |
The staffing arithmetic nobody shows you
There are 168 hours in a week. A full-time analyst covers roughly 40 of them, and rather fewer once you subtract leave, sick days, training and the hours they are on shift but asleep at the desk. Covering 168 hours with no single point of failure requires five analysts at absolute minimum, and realistically six to eight once you account for attrition, holidays and the fact that a lone analyst on a night shift with nobody to escalate to is not meaningfully monitoring anything.
Then add the people who are not analysts: someone to engineer detections, someone to manage the SIEM, someone to lead. Add the SIEM licence, the EDR licence, the threat intelligence feed. Add nine to eighteen months before the thing is genuinely operational rather than nominally staffed.
For most organisations in Kenya, that total is not merely expensive — it is larger than the entire IT budget. The choice was never in-house versus managed. It was managed versus nothing, and nothing is what most organisations quietly choose.
When building in-house genuinely makes sense
It is the right answer more often than managed-service vendors admit. Build in-house when your scale justifies the fixed cost — typically a large enterprise, a bank, a telco. Build when regulation or data sovereignty forbids telemetry leaving your control. Build when your environment is so unusual that generic detections are noise, or when security operations are themselves your product.
The failure mode is building a half-SOC: two analysts, business hours only, an unmanaged SIEM drowning them in alerts nobody has tuned. That configuration costs real money and provides the illusion of coverage, which is worse than knowing you have none, because it stops you buying the thing that would have worked.
What you actually get from a managed SOC
The coverage, immediately, without the hiring. But the more valuable and less obvious benefit is cross-client visibility: a managed provider sees the intrusion technique used against one client on Monday and has a detection deployed across every other client by Tuesday. An in-house team of any size only ever sees its own estate, and therefore only learns from its own incidents — which is to say, learns after being hurt.
The other thing you buy is the word managed. There is a meaningful difference between a provider that emails you an alert and one that isolates the compromised host from the network at 03:00 without waiting for you to answer the phone. When a workstation begins encrypting files, the value of a notification you will read at 08:00 is approximately zero. Ask any prospective provider precisely what they are contractually permitted to do without your sign-off, and get the answer in writing.
The hybrid model most mid-sized organisations should run
The strongest configuration we see is not either pole. It is one or two skilled internal security people who own strategy, risk, vendor management and deep institutional knowledge of the estate — paired with a managed provider supplying 24/7 eyes, detection engineering and surge capacity during an incident.
Your internal person knows that the finance server always behaves strangely on the last Friday of the month. The managed SOC knows what a Cobalt Strike beacon looks like across forty other networks. Neither is redundant, and neither alone is sufficient. This is where most organisations between one hundred and two thousand staff should land.
Key takeaways
- True 24/7 coverage needs five to eight analysts minimum — the decision is usually managed-versus-nothing, not managed-versus-in-house.
- A business-hours 'half-SOC' provides the illusion of coverage and is worse than knowing you have none.
- Managed providers see attack techniques across their whole client base; an internal team only learns from its own incidents.
- Insist on knowing what a provider may do without your sign-off — an alert you read at 08:00 is worthless.
- Most mid-sized organisations should run a hybrid: internal ownership plus managed 24/7 monitoring.
Frequently asked questions
What is the difference between a managed SOC, MSSP and MDR?
The terms overlap and vendors blur them deliberately. An MSSP (managed security service provider) traditionally manages your security devices — firewalls, antivirus — and forwards alerts to you. MDR (managed detection and response) is defined by that final word: the provider does not merely detect and notify, but takes containment action, such as isolating a host or disabling an account. A managed SOC is the function itself, delivered as a service, and may be either. The question that cuts through the marketing is simple: when you detect an active intrusion at three in the morning, what exactly do you do, and do you need my permission first?
How much does a managed SOC cost compared to hiring analysts?
Managed pricing typically scales with endpoints, users or data ingested, whereas in-house cost is dominated by salaries and is largely fixed regardless of how few incidents occur. That means managed services are almost always cheaper below a certain scale and eventually more expensive above it, and the crossover point depends on your headcount, your estate and Kenyan salary levels for experienced analysts — who are scarce and command accordingly. The comparison people get wrong is forgetting the SIEM and EDR licences, the detection engineering, the recruitment cost and the nine-to-eighteen-month ramp before an in-house team is genuinely operational. We will model both honestly for your organisation, including the case where in-house wins.
Will a managed SOC understand our specific environment?
Less deeply than an internal team on day one, and this is the real trade-off rather than the cost. It is mitigated by onboarding — mapping your crown-jewel assets, tuning detections to your baseline so that normal behaviour stops generating alerts — and by assigning a named analyst who knows your estate rather than routing you to whoever is on shift. When evaluating providers, ask whether you get a named analyst or a ticket queue. The answer predicts your experience during an incident more reliably than any feature comparison.
Can we start managed and bring it in-house later?
Yes, and it is a sound sequence rather than an admission of defeat. Running managed first gives you coverage immediately, and it teaches you what your alert volume, your genuine risks and your response requirements actually look like — which is exactly the knowledge you need to build an internal team that is correctly sized rather than guessed at. Insist on contractual clarity about data portability from the outset: your logs, your detections, your incident history should be exportable in a usable format. A provider reluctant to commit to that in writing is telling you something.