Buy vs. Build | Critical Start
Our new MOBILESOC UI makes alert resolution and collaboration on the go more efficient and intuitive.
Learn real world attack and defense strategies with Adversarial Emulation and Active Defense training from TEAMARES
TEAMARES launches Breach Attack as a Service for quick testing whenever your environment changes.
Webinar Series | Once More unto the Breach | Lessons Learned from Billion Dollar Breaches

Build vs. Buy

How MDR boosts the value provided by a traditional Security Operations Center (SOC)

In this paper, you will learn how to uncover the hidden costs involved in deploying and staffing a SOC. We’ll take a realistic look at the effort, expertise and infrastructure necessary and break down the best option for a cost-effective yet strong approach to information security.

Build vs. Buy

How MDR boosts the value provided by a traditional Security Operations Center (SOC)

Executive Summary

In this paper, you will learn how to uncover the hidden costs involved in deploying and staffing a SOC. We’ll take a realistic look at the effort, expertise and infrastructure necessary and break down the best option for a cost-effective yet strong approach to information security.

Topics Include:

  • How to calculate human capital costs, including analyst hiring versus alert volumes, certifications and continuing education
  • Technology requirements including IDS/IPS, EDR, SIEM and more
  • Real estate costs and other support expenses
  • A comparison of “do-it-yourself” SOC vs. working with a Managed Detection and Response (MDR) provider
  • The ramifications of both internal and third-party options to security

No One Doubts the Cost of a Cyberattack

When calculating the cost of security, it’s good to remember what’s at stake.

These numbers don’t include the operational impacts, the negative customer experience or the reputational damage that a business can experience as the result of an attack. The hard truth is that an attacker only needs to be successful one time to steal data or severely disrupt your business. As the defender, you must be successful every time—time after time—to make sure that your organization is secure.

This is why all companies need a dedicated Security Operations Center (SOC). Building a SOC costs time and money—expenses that can be alleviated by using a services provider such as Managed Detection and Response (MDR) to reduce both human and operational costs. But which option, an internally developed SOC or working with an MDR partner, will make the most sense for your specific operational environment? Let’s break down some of the costs to see if we can offer a clear answer to that crucial question.

Case in Point

According to the Cost of a Data Breach Report compiled by IBM and the Ponemon Institute, the global average cost of a data breach is $3.86 million, with the United States fielding the highest individual average country cost at $8.64 million.

Building a SOC Internally, Cost by Cost

There are a variety of expenses incurred when a company tries to deploy a SOC internally, including staffing and expertise, equipment and software, facility expenses for the SOC and recurring costs. Let’s take a look at the first of these expenses, physical costs, and break down the scope of investment needed for an internal deployment.

Physical Costs

Non-human expenses will also consume a large part of a SOC capital investment. Depending on the make-up of your SOC, you may be deploying Intrusion Detection Systems (IDS), Intrusion Protection Systems (IPS), Vulnerability Scanners, Security Information and Event Management (SIEM) systems, Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR), threat intelligence, and forensic tools.

Beyond technology investment, there are also facility considerations to include such as the square footage cost where the analysts will be located and the utilities necessary to support their mission. With square footage costs ranging anywhere from $20 per square foot all the way to $85 per square foot, space costs for internal staff need to be taken into account.

Case in Point

To provide insight into some of the considerations, take SIEM as an example. According to an IDG report published by Microsoft Azure, cloud-based SIEM users invest an average, $541,000 per year to support their SIEM, while on-premises solutions are costing companies $607,000 on average annually. But then other ancillary expenses must be evaluated, including licensing costs, the integration of data sources into the SIEM, and any other equipment costs necessary to support the technology.

Human Costs

On average, a single endpoint will generate 5,000 alerts annually. If a hypothetical business has 2,000 endpoints, it will translate into 10,000,000 alerts per year that security analysts will need to investigate.

Here’s what that looks like:

Critical-Priority Alerts
.1% of total events
2 – 3 analysts


High-Priority Alerts
.9% of total events
21 – 22 analysts


Medium-Priority Alerts
29% of total events
697 – 698 analysts


Low-Priority Alerts
70% of total events
1,682 – 1,683


There’s One More Thing To Consider

This example is based on an assumption of 8-hr shifts. But an attack rarely comes when it’s convenient. To provide 24×7 protection will require a minimum of 10 individuals, regardless of the size of the organization or the number of alerts generated. With an average annual cost of $75,000 per analyst, that’s a minimum of  $750,000 per year.

Many companies may attempt to control costs by only investigating critical- or high-priority alerts. But this can be an expensive mistake as many of today’s ransomware attacks are only detected through medium- or low-priority alerts.

Putting It All Together

Once you’ve calculated the costs to hire analysts in your area, and you’ve determined the ongoing educational and certification expenses, and you’ve defined the real estate costs where your SOC will be located, the formulas for Total Cost of Ownership look something like this:

Annual Salary
+ Training
+ License
+ Space Costs
= Per Analyst Annual Cost


Alerts Per Year
/ 2 Alerts Per Hour

= Number of Analysts Required


Number of Analysts
x Per Analysts Annual Cost

= Yearly Total Cost of Ownership


Case in Point

Analyst costs do not stop at the annual salary. Recruitment, regular certifications, continuing professional education and the training necessary to keep pace with a constantly evolving threat matrix must all be added to the equation

Sounds Expensive. Is There Another Option?

After running through the previous calculations, you may come to the conclusion that deploying a 24x7x365 SOC internally is an expensive proposition. And you’re right. But there are options that can cut this expense dramatically, such as working through a service provider to obtain the human and technical resources to protect your business without the prohibitive expense.

Providers that offer services like Managed Detection and Response (MDR) can help you take advantage of economies of scale to shrink TCO while increasing the expertise and resources you have at your disposal. The analysts provided by an MDR provider work across a variety of industries, enabling you to capitalize on their expertise while taking advantage of the cost efficiencies of not shouldering the entire burden of bringing these individuals on as full-time employees. The MDR provider will already have the real estate, technology, and expertise to integrate efficiently with your current environment. Software license costs can be significantly reduced, since the MDR provider can purchase licenses at scale, distributed across their entire client base.

Capability That’s Hard to Put a Price On

Beyond the cost savings, there’s an even more important consideration. What kind of capabilities can you leverage through MDR that might not even be possible if your company were to deploy their own SOC? When working with a limited budget, corners are inevitably cut. But what if they didn’t have to be?

Consider the example of alerts. Investigating all alerts is usually cost prohibitive for an internal SOC. But an MDR can work with a client to build a trusted registry of alerts that are normal. The result is less alerts that need to be investigated, which translates into the capability for alerts of all priorities that fall outside of the registry to be treated equally. This approach eliminates “risk acceptance” and can auto resolve 98% of events, while enabling SOC analysts to focus on the remaining 2% that can indicate a real threat. Confirmed threats and corrective actions can then be escalated and reported to the client.

Less SOC = Less Security

Organizations that keep their SOC in-house often have less capabilities. But consider that in a recent breach involving MGM resorts resulted in 142 million guests having their details for sale on the dark web. When it only takes a single breach to do such damage, what can less capabilities truly cost an organization?

Putting it All Together

If we take all of these variables and put them together to build a comparison of SOC deployment options, it looks something like this:

Total Cost of SOC Ownership



SOC Analysts

$750k – $100,000,000+ based on number of alerts processed


Alerts processed

Typically critical/high only

All alerts resolved

Technology cost

$500k – $1,000,000


Real-estate cost

$25 – $85 per square foot


Level of expertise


Very high, spanning multiple industries, security environments and threat scenarios

Level of protection


Extremely high


The Bottom Line

If you follow the process we’ve outlined here, you should gain a clear picture of the total cost of your security options. In doing so, also keep in mind the intangibles — such as strategic advantages gained from security posture improvements, like using an MDR provider to focus on the daily challenges of alert resolution while your in-house team takes on the issues that can drive future opportunities for your business.

If you need support in calculating a real-life Total Cost of Ownership for your own enterprise, CRITICALSTART security experts can survey your security landscape and help put together options to increase threat identification, shrink response time, and meet the unique security and compliance goals of your organization.

To request an evaluation or learn more, contact an MDR specialist at:

[email protected]

Additional PDFs you may be interested in: