In-house SOC vs managed SOC: build or buy without fooling yourself
The right question is not "which one is better" but "which one fits my maturity, my sector and my obligations". Here we break down true cost, time to productive operation, evidence capability for NIS2 and DORA, and the hybrid models that work when neither pure option fits.
The buying committee, simplified
Building an in-house SOC costs between €600k and €900k per year in stabilised operation and takes 12 to 24 months to mature. Engaging a serious managed SOC costs €80-250k per year and enters productive operation in 4 to 8 weeks. The economic gap is large, but the right decision is not made in a spreadsheet alone: it also depends on control, sensitivity and a 3-5 year plan.
Build (in-house)
When it fits
- Highly sensitive operations where outsourcing is unacceptable
- Enough volume: 5,000+ endpoints or multiple legal entities
- The SOC is part of the product you sell
- Mature security team and a 3-5 year horizon
Buy (managed)
When it fits
- You need productive operation in weeks, not months
- Regulatory deadline (NIS2/DORA) with no slack
- No team for 24×7 and no way to hire one short-term
- You prefer to invest in stages rather than commit to one large up-front bet
Comparison table
Ranges are indicative for a mid-sized organisation (500-2,000 endpoints) in a regulated sector. Your case may sit above or below on any row.
| Dimension | In-house SOC | Managed SOC |
|---|---|---|
| Stabilised annual cost | €600-900k (can exceed €1.5m) | €80-250k all-in |
| Time to productive operation | 12-24 months | 4-8 weeks |
| Required team | 8-10 analysts + manager + detection engineering | Your team keeps final responsibility; provider runs front line |
| Use cases | You design and maintain them | Vendor + sector and customer tuning |
| 24×7 coverage | Hard: shifts, holidays, sick leave, churn | Contractual, backed by SLA |
| Customisation | Total | High if the contract allows it |
| Threat hunting | You run it yourself | Usually by the provider on a monthly or fortnightly cadence |
| Main risk | Time and analyst churn | Provider lock-in without an exit plan |
| NIS2/DORA evidence | Yes, if you produce it with discipline | Yes, contractually, with traceable records |
| Better at | Control and depth | Speed and predictability |
The hybrid models that work
The vast majority of regulated organisations end up with a hybrid model. These three combinations have delivered the best outcomes in real engagements.
Hybrid A
External L1 + internal L2/L3
The provider handles 24×7 triage and filters noise. Your internal team (L2/L3) receives the meaningful cases, decides the response and retains environment knowledge. Good fit when internal maturity is high but there are no resources for night shifts.
Hybrid B
Managed SOC + vCISO
The managed SOC runs the front line under SLAs; a vCISO brings governance discipline, the board relationship and regulatory traceability. Ideal when there is no internal CISO and the priority is meeting NIS2/DORA in an orderly way.
Hybrid C
Managed SOC as a bridge to in-house
Managed SOC for 18-24 months while the internal team is built, with gradual transfer: use cases, playbooks, integrations and lessons learned are handed over progressively. The exit plan is written into the contract from day one.
Common mistakes in the decision
- Costing only salaries and ignoring the SIEM platform, XDR, SOAR, threat intelligence, hunting tools, training and turnover. Much of the real cost of an in-house SOC sits outside payroll.
- Assuming a managed SOC understands your sector from day one. Without serious onboarding (3-6 weeks) and use-case validation, the first months produce mostly noise.
- Outsourcing the operation and stepping away from the risk. Ownership of regulatory risk stays with you and cannot be outsourced. The provider operates; you decide.
- Negotiating price without negotiating the exit plan. If the contract does not list what gets handed over at the end of service, switching costs lock you in.
- Comparing prices without comparing scope. A €60k/year managed SOC rarely covers what a €180k/year one covers. Demand contractual scope before price.
- Underestimating analyst churn. L1 turnover sits around 25-35% per year, and each departure costs 6-12 months of productivity while a replacement is hired and brought up to speed. This weighs more than any upfront saving.
Related services at Hard2bit
Managed SOC and MDR
24×7 operation with measurable SLAs and assisted containment over your EDR/XDR.
Enterprise MSSP
Broad umbrella: SOC, vulnerability management, CTI, response and reporting.
Threat hunting
Hunting hypotheses mapped to MITRE ATT&CK, run on a regular cadence.
Incident response
Forensics, deep containment and regulatory communication when scope grows.
vCISO
Governance and discipline above the operation, so investment turns into outcomes.
EDR vs XDR vs MDR
Which technology and which managed service fit your case.
Frequently asked questions
What does a real 24×7 in-house SOC cost?
A working in-house SOC needs at least 8-10 analysts to cover five shifts without burning the team out (holidays, sick leave, training). Adding competitive salaries in Spain, a SIEM/XDR platform, use cases, SOAR automation and hunting tools, stabilised annual cost starts at €600-900k for a mid-sized organisation and can exceed €1.5m in critical environments. Real time to maturity is 12-24 months.
What does a serious managed SOC include in its price?
24×7 operation with measurable SLAs (MTTD, mean time to detect; MTTC, mean time to contain; notification times), L1-L3 analysts, sector-tuned use cases, assisted containment, periodic executive reporting, integrated threat intelligence and a documented exit plan. For a 500-2,000 endpoint estate in a regulated sector, the indicative range is €80-250k per year, with or without the EDR licence depending on the model. Always pin down contractual scope in writing.
Does building an in-house SOC make sense for a mid-market organisation?
It usually does in three situations: highly sensitive operations where outsourcing is not acceptable (defence, state sector), enough volume to amortise the investment (5,000+ endpoints or multiple legal entities), or when the SOC is part of what you sell. Outside those cases, a managed SOC delivers results faster and with less financial risk.
Does a managed SOC push my team out of the operation?
No, when negotiated well. The best pattern is hybrid: the provider runs the front line under SLAs, your team retains final responsibility, runs the internal threat hunting and keeps strategic decisions. What you outsource is 24×7 presence and operational discipline, not ownership of risk.
How does a SOC contribute evidence for NIS2 and DORA?
Both frameworks require demonstrable detection, response and timely notification capability. A documented SOC — internal or managed — produces traceable records: alerts, investigations, containments, lessons learned, metrics and regulatory communications. For the auditor what matters is not who operates, but whether the evidence is available, consistent and correlatable with real incidents.
What are the risks of choosing a managed SOC?
Three main risks: provider lock-in without a clear exit plan (negotiate into the contract the handover of use cases, playbooks and integrations); a provider that only alerts and does not contain (demand containment SLAs with consequences); and generic use cases that do not fit your sector (require a tuning period in which false positives are measured and brought down before the SLA goes live).
Can I start with managed and migrate to internal later?
Yes, and it is probably the most reasonable path for organisations aiming at an in-house SOC in 2-3 years. The managed SOC works as a bridge: it operates under SLAs, produces continuous evidence and, if the contract is well negotiated, transfers operational assets (use cases, playbooks, integrations, lessons learned) when it ends. The internal team builds up in parallel without owning 24×7 from day one.
How does a build-or-buy engagement start at Hard2bit?
We begin with a diagnostic of your current situation: available telemetry, IT team maturity, regulatory obligations and realistic budget over 12-36 months. From there we propose three viable options (managed, hybrid, staged internal) with cost, timeline and associated risk, so the buying committee can decide with data.
Build, buy or hybrid? Let's talk about your case
In 30 minutes we review the real cost, timelines and risks of each option for your organisation. We do not sell what does not fit: some customers we advise against outsourcing, others we advise against building.