The various deployment models of a modern SOC operation

Johannesburg, 28 Jun 2023

A modern SOC (security operations centre) can be built internally, although many organisations lack the in-house resources to accomplish this and struggle to find suitable staff members due to the deep skills crisis. As a result, they turn, entirely or partially, to managed security service providers that offer monitoring and proactive managed detection and response (MDR) services.

“With this bottleneck of too many alerts coming in, to succeed, modern SOCs need to automate proactive detection, investigation and response to threats and efficiently co-ordinate all the activities across the SecOps and IT teams. In other words, the modern SOC mission is to tap automation to address the issue at scale,” says Dominic Richardson, CEO of Dolos.

Currently, managed detection and response services can be delivered from a SOC that is implemented in different ways. Each implementation alternative has advantages and disadvantages, which must be carefully evaluated before deciding on a deployment model. The most common deployment models include:

Internal SOC

Building a dedicated in-house security operations centre is recommended for mature cyber security enterprises. Organisations that tend to develop internal SOCs have the budget to support an investment that includes 24/7 efforts. One of the essential advantages of building an internal SOC is maximum visibility and responsiveness across the network. A dedicated internal team will have the capability to monitor the environment, endpoints, users and applications, providing a complete picture from a threat landscape perspective.

Some disadvantages include the struggle to recruit and retain talent and high upfront investment costs. This model typically takes a considerable amount of time to build and maintain at an adequate level.


SOCaaS

The term SOCaaS (security operations centre as a service) refers to a type of managed security service that is cloud-based, built on a multi-tenant software as a service (SaaS) platform, to deliver 24/7 SOC functions.

Selecting a SOCaaS is recommended for organisations that seek assistance from an outside firm to perform highly skilled monitoring, detection and response tasks. Some organisations may be mature from a cyber security perspective. However, budget constraints and limited expertise may hinder the ability to build a fully functional, internal 24/7 modern SOC.

Consequently, some organisations require better expertise to quickly manage monitoring, detection and response (MDR) efforts and delegate them to a SOCaaS.

The advantages of this model make it the quickest, simplest, most scalable and most cost-effective model to implement.

Hybrid SOCaaS

A hybrid model incorporates the best of both worlds: in-house staff complemented by third-party experts, offering a secure approach to detection and response. Most organisations at this level are large enough to build a small team of their own. However, they cannot build a fully functional internal 24/7 modern SOC. This solution is efficient because of its quick up-and-running time. Also, the backlog of alerts and indicators is lower due to the additional analysts who work through advanced technologies and processes.

Finally, this model offers the best learning path for an organisation and its cyber security team, as it provides support and knowledge transfer from the partner’s skilled security operations (SecOps) team.

Consider the pros and cons of every modern SOC deployment model before making any decision:

  • An in-house SOC is costly and complex. Still, the margins are high, and the differentiation can make it worthwhile.
  • SOCaaS accelerates time-to-market but commoditises the MDR services. A service provider would not be able to add its unique touch to differentiate its offering from other service providers. Ensure that all relevant parties agree on who owns the customer information and on who could get in contact with the customers, when and how.
  • Hybrid SOCaaS allows partners to gradually mature their security operations practices while maintaining the client relationship, but some investment in people, technology, training and operations is still needed.

While many threats try to gain access from the outside (motivated by financial gain, hacktivism, competitive intelligence and IP theft), there are many malicious insiders (unprotected endpoints, negligent workers, departing employees, third-party partners) who could open the door to external threats and cause damage or steal data.

A proactive approach from a modern SOC ensures that you uncover suspicious activity before it becomes a major breach. Speak to our knowledgeable team at Dolos to find out more.