Hard2bit
← Back to the cybersecurity blog

What is a SOC and which services it can include, depending on each organisation's needs

By Thilina Manana · COO y Director Técnico de Seguridad hard2bit · Published: 08 July 2026 · Updated: 08 July 2026
What is a SOC and which services it can include, depending on each organisation's needs

A Security Operations Centre (SOC) is the function that watches an organisation's systems continuously, spots the signs of an attack and acts before an intrusion becomes a breach. The label is used loosely, though: two providers can both call themselves a SOC and deliver very different things. Understanding those differences is what lets you buy the right level for your risk, rather than paying for capability you will not use — or discovering a gap the day it matters.

This article explains what a SOC actually does, the service levels it can offer, the technologies behind it and how it maps to NIS2, DORA and Spain's ENS.

At a glance

  • The job: continuous detection and response, not a dashboard someone glances at now and then.
  • The tiers: from monitoring only, through triage and coordinated response, to full managed security with forensic investigation.
  • The tooling: a SIEM for correlation, EDR/XDR on the endpoints and playbooks that turn alerts into action.
  • The compliance angle: NIS2, DORA and ENS all expect detection and incident handling — a SOC is how most organisations meet it.

What a SOC really does

Behind the acronym, a SOC combines people, process and technology to answer one question around the clock: is something happening right now that should not be? It ingests telemetry from endpoints, identity, network and cloud, correlates it in a SIEM, and separates the noise from the handful of signals that matter — a credential used from two countries at once, lateral movement between servers, or data exfiltration starting quietly out of hours.

The value is not the alert; it is the speed and judgement of what happens next. A mature SOC shortens the time between the first suspicious event and containment, because that window is where an incident is either stopped or turns into a headline.

A SOC does not always mean the same level of service

It helps to think in tiers, because the word covers all of them:

  • Monitoring-oriented SOC. Collects and correlates telemetry and raises alerts. Useful, but it puts the burden of interpretation on your team.
  • SOC with analysis and triage. Analysts qualify each alert, discard false positives and tell you what is real and how urgent it is.
  • SOC with coordinated response. Beyond flagging, it acts — isolating an endpoint, disabling an account, containing the spread — usually with EDR/XDR and agreed playbooks.
  • SOC with forensic investigation. When an incident is serious, it reconstructs what happened, how far it reached and what was touched, feeding incident response and digital forensics.
  • SOC as a managed security capability. The full package: continuous detection and response run as a service, so the outcome — not just the tooling — is the provider's responsibility.

Advanced capabilities a mature SOC can add

Beyond detection and response, a mature SOC often layers in threat hunting — proactively searching for adversaries that have slipped past automated rules — together with vulnerability management, threat intelligence to prioritise what is actually being exploited, and regular drills that turn lessons into improved playbooks. These are what separate a SOC that reacts from one that anticipates.

The technology a SOC typically uses

The core stack is a SIEM for log correlation, EDR (often extended to XDR) on endpoints and identities, and SOAR-style automation to execute repetitive containment steps quickly. Tools alone do not make a SOC, though — the difference is the analysts and the playbooks that decide what a signal means and what to do about it.

How a SOC fits NIS2, DORA and ENS

NIS2 expects essential and important entities to detect, handle and report significant incidents within tight deadlines; continuous monitoring is what makes those deadlines achievable. For financial entities, DORA demands operational resilience and the ability to detect and manage ICT incidents. In the Spanish public sector, the ENS requires monitoring and response commensurate with the system's security level. None of the three names a "SOC" explicitly, but a SOC is how most organisations meet the underlying obligation — and it aligns naturally with an ISO 27001 management system.

When it makes sense to add forensic investigation

Not every organisation needs forensic depth on day one, but the moment a real incident hits — ransomware, account takeover, suspected data theft — the questions change from "is this real?" to "how did they get in, how far did they go, and what do we have to report?". A SOC that can escalate into forensic investigation answers those questions with evidence, which is exactly what regulators, insurers and boards ask for.

The bottom line

A SOC is not a product you switch on; it is a level of assurance you choose. The useful conversation with a provider is not "do you have a SOC?" but "which level do we need, and can you take it from monitoring all the way to response and investigation as our risk grows?". If you want to work through that for your own environment, talk to us or explore our managed SOC for businesses.

Frequently asked questions

What is a SOC in cybersecurity?

A SOC (Security Operations Centre) is the function that continuously monitors an organisation's systems to detect, analyse and respond to threats. It combines people, process and technology to spot the signs of an attack and contain it before an intrusion becomes a breach.

Are a SOC and a SIEM the same thing?

No. A SIEM is a technology that collects and correlates logs to raise alerts. A SOC is the wider capability — analysts, process and playbooks — that uses the SIEM (and EDR/XDR and other tools) to interpret those alerts and act on them.

Does NIS2 require a SOC?

NIS2 does not name a SOC explicitly, but it requires essential and important entities to detect, handle and report significant incidents within tight deadlines. Continuous monitoring and response — which a SOC provides — is how most organisations meet that obligation.

Does DORA require a SOC?

DORA focuses on the operational resilience of financial entities and their ability to detect and manage ICT incidents. It does not mandate a SOC by name, but a SOC is the usual way to deliver the continuous detection and response the regulation expects.

Does Spain's ENS require a SOC?

The ENS requires monitoring and incident response commensurate with the system's security level. A SOC is the common way to satisfy those requirements, especially at medium and high levels.

Can a SOC include forensic investigation?

Yes. A mature SOC can escalate a serious incident into forensic investigation, reconstructing how the attacker got in, how far they reached and what was affected — the evidence regulators, insurers and boards expect.

Do all clients need the same level of SOC?

No. A SOC ranges from monitoring only, through triage and coordinated response, to full managed security with forensics. The right level depends on your risk, regulatory obligations and internal capacity.

What is the difference between monitoring, response and forensic investigation?

Monitoring detects and flags suspicious activity; response acts to contain it, such as isolating an endpoint or disabling an account; forensic investigation reconstructs a serious incident after the fact to establish scope, impact and reporting obligations.