9 Realms Cybersecurity

The Real Cost of Building an In-House SOC: The Math Most CFOs Have Not Done

Chuck Flynn

The vendor demo makes it look manageable. A platform, a few analysts, some dashboards. The conversation moves fast, the tool is impressive, and somewhere in the back of the room someone is doing mental math on headcount. That math is almost always wrong, and the gap between the estimate and the reality is where most in-house SOC initiatives quietly fail.

Here is the actual math.


The 24x7 staffing reality

A 24x7 security operations center requires coverage across three shifts, seven days a week, 365 days a year. That is 21 shift-days per week. A full-time analyst works roughly five days a week before you account for PTO, sick days, training, and the inevitable turnover that follows alert fatigue.

Three analysts cannot do it. Run the math: three analysts at five days each gives you 15 shift-days of available coverage against 21 required, six short before anyone takes a vacation. In practice, three analysts on a 24x7 rotation means 12-hour shifts, chronic fatigue, and a resignation within 18 months.

Dividing 21 shift-days by five per analyst gives 4.2 people before a single absence; once PTO, sick leave, and training take roughly a tenth or more of each analyst's year, that rounds up to five. Five is the operational floor for a genuinely staffed 24x7 SOC with no single points of failure. Six gives you a workable buffer for PTO and turnover without the remaining team absorbing unsustainable load. That is the number to build the math around.


Fully loaded analyst cost in the market

The broader cybersecurity talent pool is tighter than most people assume, and salaries have moved significantly in the last three years.

A Tier 1 SOC analyst with 1-3 years of experience is running $65,000 to $80,000 base. A Tier 2 analyst capable of independent investigation and escalation judgment is $85,000 to $105,000. A Tier 3 or lead analyst who can write detection content, manage the platform, and mentor junior staff is $115,000 to $135,000. A SOC manager on top of that runs $130,000 to $160,000.

Benefits, payroll taxes, and employer overhead add 30 to 35 percent to base salary. Training, certifications, and conferences add $5,000 to $10,000 per analyst per year. A lean five-analyst team with a Tier 3 lead and a part-time management layer lands at roughly $700,000 to $900,000 in fully loaded annual personnel cost before a single tool is purchased.


The tooling cost stack

A functional SOC requires a SIEM, an EDR platform, a SOAR for orchestration and response automation, threat intelligence feeds, and a ticketing system integrated into the workflow.


SIEM licensing is volume-based on events per second or data ingest. For a mid-market environment ingesting logs from 200 to 500 endpoints plus network infrastructure and cloud workloads, you are looking at $80,000 to $200,000 per year depending on the platform. EDR at scale runs $15 to $25 per endpoint per year. SOAR platforms add $50,000 to $100,000. Curated threat intelligence feeds from reputable sources are $20,000 to $50,000 annually. Infrastructure, integrations, and ongoing platform administration add another $30,000 to $75,000.

Conservative tooling total for a mid-market operation: $200,000 to $400,000 per year. That number compounds as the environment grows.


The hidden cost: alert fatigue and turnover

The numbers above assume your analysts are functional and productive. The reality of an understaffed SOC is that they often are not, and the cost of that dysfunction is invisible until someone leaves.

The average SOC analyst handles hundreds of alerts per shift in a mid-size environment. A meaningful percentage are false positives. Without mature tuning, playbooks, and an escalation structure, analysts spend the majority of their time triaging noise rather than investigating real threats. Detection quality degrades. Response times lengthen. And at some point, a good analyst decides the workload is not worth the compensation and takes a job elsewhere.

SOC analyst turnover runs 30 to 40 percent annually in understaffed environments. Each departure costs $15,000 to $30,000 in recruiting, onboarding, and the ramp time before a new analyst is independently effective. If you are replacing two analysts per year out of a team of five, that cost is structural, not exceptional.


When in-house actually makes sense

There are environments where an in-house SOC is the right answer. Organizations above 5,000 endpoints with highly specific compliance requirements, classified data, or regulatory mandates that prohibit third-party access to certain data classes have legitimate reasons to build internal capability. Federal contractors operating at CMMC Level 3, the highest level under CMMC 2.0, often face constraints that push toward in-house or government-cleared provider models.

If you are a mid-market organization with 200 to 2,000 endpoints, no classified data, and a general commercial compliance posture, the in-house SOC math almost never closes. The capital required to stand it up, the ongoing cost to staff it correctly, and the operational burden to keep it running exceeds what most organizations can sustain.


What you buy when you buy MDR

A managed detection and response provider gives you access to an already-built SOC, an already-licensed tooling stack, and an analyst team that is monitoring your environment alongside hundreds of other clients. The cost is shared. The threat intelligence is broader because the provider sees patterns across that entire client base. The detection content is more mature because it has been refined across real incidents.

For most mid-market organizations, a quality MDR engagement runs $3,000 to $10,000 per month depending on environment size and service scope. That is $36,000 to $120,000 per year. The personnel and tooling figures above already put an in-house build at roughly $0.9M to $1.3M before turnover; with replacement hiring, a full management layer, and growth in ingest volume fully accounted for, a comparable build lands at $1.5M to $2.5M annually.

The math is not subtle. It is not close. The in-house model makes sense at a scale most mid-market organizations will never reach.
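To make the staffing and cost arithmetic from the sections above reproducible, here is a small Python model. It is an example added for this page, not code from the original post or from 9 Realms. It derives the 24x7 headcount from hours rather than asserting it, then builds the fully loaded build-vs-buy comparison from the salary, overhead, tooling, turnover, and MDR bands quoted above. The absence allowances (15 PTO, 5 sick, 10 training days), the roster mix, the 350-endpoint environment, the $6,500 per month MDR quote, and the use of band midpoints are planning assumptions chosen for the example, not figures from the post.

```python
"""Build-vs-buy model for a 24x7 SOC.

Added example for this page, not code from the original post or from
9 Realms. It turns the post's staffing and cost bands into a function
of the inputs so the arithmetic can be re-run for a specific environment.

Assumptions chosen for the example (not stated in the post):
  - 8-hour shifts, one analyst on duty per shift
  - 15 PTO, 5 sick and 10 training days per analyst per year
  - band midpoints for salaries, overhead (32.5%), training ($7,500),
    turnover (35%) and replacement cost ($22,500)
  - a 350-endpoint environment and a $6,500/month MDR quote
"""
from dataclasses import dataclass
from math import ceil

HOURS_PER_YEAR = 365 * 24        # 8760 hours that must be covered
PAID_HOURS_PER_YEAR = 52 * 40    # 2080 paid hours per full-time analyst
SHIFT_HOURS = 8


def available_hours(pto_days=15, sick_days=5, training_days=10):
    """Hours one analyst can actually sit a shift after absences."""
    return PAID_HOURS_PER_YEAR - (pto_days + sick_days + training_days) * SHIFT_HOURS


def fte_required(seats_per_shift=1, **absences):
    """Full-time equivalents needed to keep `seats_per_shift` filled 24x7."""
    return HOURS_PER_YEAR * seats_per_shift / available_hours(**absences)


def headcount_required(seats_per_shift=1, buffer=0, **absences):
    """Whole people needed, plus an optional buffer for turnover gaps."""
    return ceil(fte_required(seats_per_shift, **absences)) + buffer


@dataclass(frozen=True)
class Role:
    title: str
    base: float           # annual base salary, USD
    count: int = 1        # how many of this role
    fte: float = 1.0      # fraction of a full-time position each
    analyst: bool = True  # counts toward analyst turnover


# Example roster at the midpoint of each salary band quoted in the post.
EXAMPLE_ROSTER = (
    Role("Tier 1 analyst", 72_500, count=3),
    Role("Tier 2 analyst", 95_000),
    Role("Tier 3 lead", 125_000),
    Role("SOC manager", 145_000, fte=0.5, analyst=False),
)


def personnel_cost(roster, overhead_rate=0.325, training_per_head=7_500):
    """Base salary plus benefits/payroll overhead plus training, per seat."""
    return sum(
        r.count * r.fte * (r.base * (1 + overhead_rate) + training_per_head)
        for r in roster
    )


def turnover_cost(analyst_headcount, turnover_rate=0.35, replacement_cost=22_500):
    """Expected annual spend on recruiting and ramping replacements."""
    return analyst_headcount * turnover_rate * replacement_cost


def tooling_cost(endpoints, siem=140_000, edr_per_endpoint=20,
                 soar=75_000, threat_intel=35_000, platform_ops=50_000):
    """SIEM, EDR, SOAR, threat intel and platform administration per year."""
    return siem + endpoints * edr_per_endpoint + soar + threat_intel + platform_ops


def build_vs_buy(roster=EXAMPLE_ROSTER, endpoints=350, mdr_monthly=6_500):
    """Annual in-house total next to the MDR quote, with the multiple between them."""
    analysts = sum(r.count for r in roster if r.analyst)
    personnel = personnel_cost(roster)
    turnover = turnover_cost(analysts)
    tooling = tooling_cost(endpoints)
    in_house = personnel + turnover + tooling
    mdr = mdr_monthly * 12
    return {
        "analyst_headcount": analysts,
        "headcount_floor": headcount_required(),   # from the coverage math
        "personnel": personnel,
        "turnover": turnover,
        "tooling": tooling,
        "in_house_total": in_house,
        "mdr_total": mdr,
        "multiple": in_house / mdr,
    }


if __name__ == "__main__":
    print(f"available hours per analyst: {available_hours()}")
    print(f"FTE for one seat 24x7: {fte_required():.2f} -> "
          f"{headcount_required()} people, {headcount_required(buffer=1)} with buffer")
    for k, v in build_vs_buy().items():
        print(f"{k:>18}: {v:,.2f}" if isinstance(v, float) else f"{k:>18}: {v:,}")
```

Run it and the coverage math gives 4.76 FTE for one seat, so five people with nothing to spare and six with a buffer, which is where the post lands. The default roster comes out at $717,000 fully loaded, inside the post's $700,000 to $900,000 band, and the in-house total is just above $1.06M against $78,000 for MDR, a multiple of about 13.6. Reaching the $1.5M to $2.5M figure cited above requires inputs at or near the top of every band (six analysts, a full-time manager, a couple of thousand endpoints); change the roster, endpoint count and MDR quote to see where your own environment falls.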


The SOC is one tile

The Mosaic Model exists because no single service is the entire security program. The SOC is a critical tile. It is the continuous monitoring layer that catches what point-in-time testing misses, that surfaces the breach that happens between quarterly scans, that gives you the detection and containment capability that makes every other investment more effective.

It is also a tile you do not have to operate yourself. That is the decision worth making clearly, with the full math in front of you, rather than discovering the gap two years into a build that never reached sustainable operation.

If you want to walk through the build-vs-buy numbers for your specific environment, that is a 30-minute conversation.

See our Managed SIEM w/MDR offering at the following link.
https://9realmssecurity.com/services/managed-siem-mdr

Tags: SOC, MSSP, MDR, build vs buy, security operations, managed security