The starting point
The service began with a classic scope: watching the group's own assets — dozens of companies, each with its own systems, websites and quirks. That was already a challenge of scale: a multi-sector group does not have one perimeter, it has many, and the SOC had to learn each company's fine print to tell the anomalous from the merely different.
The turning point came when the group put the other half of its business on the table: the digital services it delivers to its end clients, with hundreds of managed websites and assets. If the group was responsible for those platforms, who was watching their security? Nobody — not continuously. The natural answer was to extend the SOC: the group's clients' assets would join the same 24/7 monitoring, but as what they are — third-party assets, with their own escalation and with the group as the point of contact towards its client. That turned a dedicated SOC into a multi-tenant one.
How we approached it
- Multi-tenant architecture from the design stage — telemetry, alerts and reporting segregated per client on the same platform. What belongs to the group and what belongs to each of its clients never mixes: every asset knows whose it is, which thresholds apply and through which channel it escalates.
- Industrialised onboarding in waves — you do not onboard 200-plus websites and digital assets one at a time by hand. We defined onboarding templates per asset type, and assets joined in waves — each wave closing with alert verification and a confirmed escalation chain before any asset was marked operational.
- Monitoring on three planes: availability, integrity and attacks — that the site responds; that nobody has altered its content (defacement); and that web attack patterns, brute force against login panels and anomalous spikes raise alerts. With certificate expiry and DNS changes as a supporting plane.
- Playbooks per asset type, not per client — a corporate website, an online shop and an API call for different responses to the same symptom. By standardising the playbook per type, the quality of the response does not depend on which client is affected — and the service scales without degrading.
- Differentiated escalation: the group on one channel, its clients on another — an incident on a group asset escalates straight to its team; an incident on a group client's asset escalates to the group as the point of contact, which decides how and when to communicate with its client. The SOC contains in both cases; the commercial relationship is never touched.
- Recurring support on migrations and infrastructure — out of the trust built by the continuous service came projects that were never in the original contract: platform migrations, infrastructure changes and delicate deployments with the SOC watching before, during and after.
Results
- 200+ websites and digital assets of the group's clients under 24/7 monitoring
- Minutes to detect a defacement or a web attack on monitored public assets
- SOC → platform: the group offers managed security to its clients on the back of our SOC
For the group, the most valuable result is not a detection metric: security stopped being a cost and became part of its proposition. Its clients get their websites watched around the clock without ever contracting a SOC — it comes with the digital service they were already paying for — and the group can state, with evidence, that what it manages is monitored. A defacement on a group client's website is detected within minutes and handled before the client finds out from a phone call.
And the pattern that sums up the case: when the continuous service works, the relationship grows on its own. The migrations and infrastructure projects did not come from a commercial proposal — they came from years of well-handled incidents. Operational trust is the best sales pipeline there is.
What made it work
- A multi-tenant SOC is not just a bigger SOC: it demands industrialised onboarding, playbooks and escalation. What works by hand with 10 assets breaks at 200.
- Protecting your client's clients is the natural extension of trust — and it turns the security provider into part of the group's own product.
- When the service works, the relationship grows on its own: migrations, infrastructure and new projects are born of well-handled incidents, not sales meetings.
Frequently asked questions
What is a multi-tenant SOC and how does it differ from a dedicated one?
A dedicated SOC watches one organisation's assets; a multi-tenant SOC watches several organisations' from the same platform, with each client's telemetry, alerts and playbooks kept separate. The difference is not size but architecture: it demands strict segregation between clients, repeatable onboarding, playbooks per asset type rather than per client, and escalation that knows exactly who to notify in each case. Here, the same SOC protects the group itself and, on top of that, the digital assets the group manages for its own clients.
How do you onboard hundreds of assets into the SOC without chaos?
By industrialising onboarding: assets join in waves, not all at once, using a template per asset type that defines what gets monitored, which thresholds apply and which playbook responds. A corporate website, an online shop and an API are not watched the same way — but two corporate websites are, and that is where the scale lives. Every wave ends with verification: test alerts fired, escalation chain confirmed and the asset marked operational. That is how onboarding asset number two hundred costs a fraction of what the first one did.
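The onboarding gate described in this answer, combined with the per-type playbooks and differentiated escalation from "How we approached it", can be sketched as follows. This is an added example, not code from the service described; the template fields, playbook ids, channel names and sample assets are all assumptions.

```python
from dataclasses import dataclass

# Hypothetical onboarding templates, one per asset type (fields and thresholds are assumptions).
TEMPLATES = {
    "corporate_website": {"checks": ["availability", "integrity", "attacks"], "latency_ms": 2000, "playbook": "PB-WEB"},
    "online_shop": {"checks": ["availability", "integrity", "attacks"], "latency_ms": 1000, "playbook": "PB-SHOP"},
    "api": {"checks": ["availability", "attacks"], "latency_ms": 500, "playbook": "PB-API"},
}
# Escalation depends on the ownership class, never on the individual client.
CHANNELS = {"group": "group-asset-team", "group_client": "group-point-of-contact"}

@dataclass
class Asset:
    name: str
    tenant: str
    owner_class: str  # "group" or "group_client"
    asset_type: str
    test_alert_fired: bool = False
    escalation_confirmed: bool = False
    operational: bool = False

def close_wave(wave):
    """Mark operational only the assets whose verification passed; return the names still pending."""
    pending = []
    for a in wave:
        if a.asset_type not in TEMPLATES or a.owner_class not in CHANNELS:
            raise ValueError(f"{a.name}: no template or channel, cannot onboard")
        a.operational = a.test_alert_fired and a.escalation_confirmed
        if not a.operational:
            pending.append(a.name)
    return pending

def route(inventory, asset_name, symptom):
    """Resolve tenant, playbook and channel for an alert; unknown assets go to SOC triage."""
    a = inventory.get(asset_name)
    if a is None or not a.operational:
        return {"queue": "soc-triage", "reason": "asset not onboarded"}
    tpl = TEMPLATES[a.asset_type]
    return {"tenant": a.tenant, "playbook": tpl["playbook"], "symptom": symptom,
            "escalate_to": CHANNELS[a.owner_class]}

# Constructed sample wave (tenant and asset names are invented).
WAVE = [
    Asset("www.group-co.example", "group-co", "group", "corporate_website", True, True),
    Asset("shop.client-a.example", "client-a", "group_client", "online_shop", True, True),
    Asset("api.client-b.example", "client-b", "group_client", "api", True, False),
]
PENDING = close_wave(WAVE)
INVENTORY = {a.name: a for a in WAVE}
```

The third asset stays pending because its escalation chain was never confirmed, so an alert on it lands in SOC triage instead of being routed through a channel nobody has tested.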
Can my company offer managed security to its clients on the back of Hard2bit's SOC?
Yes — that is precisely the partner model in this case. The group delivers digital services to its end clients and the 24/7 monitoring runs on our SOC underneath: we detect and contain, and the group keeps the client relationship as the single point of contact. Escalation is designed around that: alerts for the group's own assets travel one channel, alerts for its clients' assets travel another, with the group deciding how and when to communicate. Your company adds a security service to its catalogue without building a SOC of its own.
What exactly gets monitored on a public website?
Four planes. Availability: that the site responds, from several vantage points and within latency thresholds. Integrity: that nobody has altered its content — defacement detection compares the current state with the legitimate one and alerts within minutes. Attacks: web exploitation patterns, brute force against login panels, anomalous traffic spikes. And certificates and configuration: TLS expiry, DNS changes and security headers. Each plane has its own playbook — an outage and a defacement do not get the same response.
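A minimal sketch of the integrity plane, comparing the current state of a page with a stored legitimate baseline. This is an added example, not the service's own detection logic; the normalisation patterns and the sample pages are assumptions constructed for illustration.

```python
import hashlib
import re

# Fragments that change on every legitimate response (patterns are assumptions).
# Keep them narrow: anything stripped here is invisible to the integrity check.
VOLATILE = [
    re.compile(r'nonce="[^"]*"'),
    re.compile(r'name="csrf_token" value="[^"]*"'),
    re.compile(r"<!--\s*generated at .*?-->", re.S),
]

def fingerprint(html: str) -> str:
    """Hash the page after removing volatile fragments and collapsing whitespace."""
    for pat in VOLATILE:
        html = pat.sub("", html)
    html = re.sub(r"\s+", " ", html).strip()
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def check_integrity(baseline_fp: str, current_html: str) -> dict:
    """Compare the current state with the legitimate baseline; alert on any drift."""
    current_fp = fingerprint(current_html)
    if current_fp == baseline_fp:
        return {"plane": "integrity", "alert": False}
    return {"plane": "integrity", "alert": True,
            "expected": baseline_fp, "observed": current_fp}

# Constructed sample pages (not real captures).
LEGIT = ('<html><body><h1>Welcome</h1><script nonce="a1b2">init()</script>\n'
         '<!-- generated at 10:00 --></body></html>')
RELOAD = ('<html><body><h1>Welcome</h1><script nonce="z9y8">init()</script>\n'
          '<!-- generated at 10:05 --></body></html>')
ALTERED = ('<html><body><h1>Unauthorised text</h1><script nonce="q7w6">init()</script>\n'
           '<!-- generated at 10:06 --></body></html>')
BASELINE = fingerprint(LEGIT)
```

A plain reload with a fresh nonce and timestamp matches the baseline, while the altered heading does not; the baseline has to be refreshed after every legitimate content change.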
What if your company could offer managed security without building a SOC?
Our multi-tenant SOC watches your assets and your clients' 24/7 — with industrialised onboarding, playbooks per asset type and escalation that respects your commercial relationship. You bring the client relationship; we bring the watch.