
What is a SOC, and does your small business actually need one?

Security Operations Center. SOC. MDR. MSSP. The acronyms blur. Here's what these services actually do, what they cost, and the questions to ask before you pay anyone to watch your alerts.

By WHT Cyber Engineering June 10, 2026 7 min read

You've probably seen the acronym in security pitches. SOC. Security Operations Center. The vendor says they have one. Your insurance application asks if you have access to one. A peer in your industry mentioned theirs.

And maybe you've been quietly wondering: what is it, do I actually need one, and how much should it cost?

Plain-language version follows. We run one — so we'll be specific about what we do, what we don't, and where the marketing language outpaces reality.

What a SOC is, in one sentence

A Security Operations Center is a team of people watching your security alerts in real time, deciding which ones matter, and acting on them — including in the middle of the night.

That's it. Everything else (the dashboards, the AI, the threat feeds) is in service of that one job: turn an alert into an action, fast enough that the attacker doesn't win.

Why "you'll just get an alert" is the wrong answer

Most SMB security stacks today generate alerts. Microsoft 365 generates alerts. Your EDR generates alerts. Your firewall generates alerts. Your password manager, your backup software, your printer — they all generate alerts.

The average mid-size business produces somewhere between 500 and 10,000 security alerts per month. The vast majority are noise — a user logged in from a coffee shop, a benign script ran on a finance laptop, a vendor's vulnerability scan triggered a detection.

Some are not noise. Some are the first 90 seconds of a ransomware attack.

Without a SOC, here's what happens: alerts pile up in a dashboard nobody watches. The IT person checks it on Monday morning. The real incident from Saturday at 2am has had 36 hours to spread.

What a SOC actually does

A real SOC does four things, in order:

1. Triage

An analyst (or, increasingly, an AI assistant supervised by an analyst) reads every alert. They decide: is this real, suspicious, or noise? They tune detections so the same false positive doesn't fire 200 times a day. They escalate the small percentage that look real.

2. Investigate

For escalated alerts, the analyst pulls context: who is this user, what device, what did they do before and after the alert, is this consistent with their normal behavior? They check threat intel: is this IP address known bad? Is this file hash on a watchlist? Is this domain registered yesterday?

3. Respond

If it's confirmed, they act. Isolate the device from the network. Disable the user account. Force a password reset. Kill the malicious process. Pull a memory image. Call you.

The time between alert and action is the entire point. Industry benchmarks call this MTTR — Mean Time to Respond. A good SOC measures it in minutes. A bad one measures it in days.

4. Improve

After the dust settles, the SOC writes up what happened, what worked, what didn't, and what detection or process needs to change so the same thing doesn't take as long next time.
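To make the four steps concrete, here is a small Python example added to this note. It is not WHT's tooling or any vendor's product: the alerts, watchlist entries and user sign-in baselines are constructed for the example, and the 10-minute analyst pickup time and the "next weekday at 9am" dashboard check are assumptions used to show how MTTR is measured and why an unstaffed weekend inflates it.

```python
"""Toy pipeline covering the four steps above: triage, investigate,
respond, improve. Every alert, indicator and user baseline here is
constructed for the example; nothing comes from a real environment."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed "threat intel" watchlist: placeholder values, not real indicators.
WATCHLIST_IPS = {"203.0.113.45"}     # RFC 5737 documentation range
WATCHLIST_HASHES = {"00" * 32}       # placeholder SHA-256

# Constructed baseline: the countries each user normally signs in from.
USER_BASELINE = {"alice": {"US"}, "bob": {"US", "CA"}}


@dataclass
class Alert:
    ts: datetime
    rule: str
    user: str
    host: str
    country: str = ""
    ip: str = ""
    file_hash: str = ""


def triage(alerts, per_rule_limit=20):
    """Step 1. A rule/host pair that fires more than per_rule_limit times with
    no intel hit is treated as repeat noise: suppressed now, flagged for tuning."""
    counts = Counter((a.rule, a.host) for a in alerts)
    escalated, tuning = [], set()
    for a in alerts:
        intel_hit = a.ip in WATCHLIST_IPS or a.file_hash in WATCHLIST_HASHES
        if counts[(a.rule, a.host)] > per_rule_limit and not intel_hit:
            tuning.add((a.rule, a.host))
            continue
        escalated.append(a)
    return escalated, tuning


def investigate(alert):
    """Step 2. Pull context and intel for one alert; return (verdict, reasons)."""
    reasons, score = [], 0
    if alert.ip in WATCHLIST_IPS:
        reasons.append("source IP on watchlist")
        score += 2
    if alert.file_hash in WATCHLIST_HASHES:
        reasons.append("file hash on watchlist")
        score += 2
    if alert.country and alert.country not in USER_BASELINE.get(alert.user, set()):
        reasons.append(f"sign-in from {alert.country} is outside {alert.user}'s baseline")
        score += 1
    verdict = "confirmed" if score >= 2 else "suspicious" if score == 1 else "benign"
    return verdict, reasons


def respond(alert, verdict):
    """Step 3. Containment actions for a verdict (the analyst's runbook)."""
    if verdict == "confirmed":
        return [f"isolate host {alert.host}", f"disable account {alert.user}",
                f"force password reset for {alert.user}", "call the customer"]
    if verdict == "suspicious":
        return [f"confirm with {alert.user} over a known-good channel"]
    return []


def next_business_morning(ts):
    """No SOC: the alert waits for the next weekday 09:00 dashboard check."""
    candidate = ts.replace(hour=9, minute=0, second=0, microsecond=0)
    if candidate <= ts:
        candidate += timedelta(days=1)
    while candidate.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        candidate += timedelta(days=1)
    return candidate


def run_pipeline(alerts, staffed, analyst_minutes=10):
    """Steps 1-4 end to end. staffed=True assumes an analyst acts analyst_minutes
    after the alert fires; staffed=False assumes the weekday-morning check.
    Returns confirmed incidents, MTTR in minutes, and tuning lessons."""
    escalated, tuning = triage(alerts)
    incidents, delays = [], []
    for a in escalated:
        verdict, reasons = investigate(a)
        if verdict != "confirmed":
            continue
        acted_at = (a.ts + timedelta(minutes=analyst_minutes) if staffed
                    else next_business_morning(a.ts))
        delays.append((acted_at - a.ts).total_seconds() / 60)
        incidents.append({"rule": a.rule, "host": a.host, "why": reasons,
                          "actions": respond(a, verdict)})
    mttr = sum(delays) / len(delays) if delays else None
    # Step 4: what to change so the next one is quieter and faster.
    lessons = [f"tune {rule} on {host}: suppressed as repeat noise"
               for rule, host in sorted(tuning)]
    return {"incidents": incidents, "mttr_minutes": mttr, "lessons": lessons}


# Constructed sample: one noisy rule and one real chain, both on a Saturday night.
SATURDAY_2AM = datetime(2026, 6, 6, 2, 0)
SAMPLE_ALERTS = (
    [Alert(SATURDAY_2AM + timedelta(minutes=i), "script_interpreter_spawn", "bob", "fin-lt-07")
     for i in range(40)]
    + [Alert(SATURDAY_2AM + timedelta(minutes=5), "unusual_signin", "alice", "hr-lt-02", country="DE")]
    + [Alert(SATURDAY_2AM + timedelta(minutes=30), "edr_malware_detect", "alice", "hr-lt-02",
             ip="203.0.113.45", file_hash="00" * 32)]
)

if __name__ == "__main__":
    for staffed in (True, False):
        report = run_pipeline(SAMPLE_ALERTS, staffed=staffed)
        print("staffed" if staffed else "unstaffed", report["mttr_minutes"], "min MTTR",
              report["incidents"], report["lessons"])
```

Run as written, the staffed pass reports a 10-minute MTTR for the one confirmed incident, while the unstaffed pass reports the same incident waiting until Monday 09:00, which is the gap the "alerts pile up in a dashboard" paragraph describes; the 40 repeats of the finance-laptop script alert never reach an analyst and come back as a tuning lesson instead.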

Do you need one?

The honest answer depends on three questions:

Does your business have data an attacker would want?

If you handle protected health information, financial data, client trust funds, defense contractor data, or anything covered by HIPAA, GLBA, CMMC, SOX, or similar — you are a target. The attackers have automated tools that scan for businesses like yours every day.

If you're a 5-person marketing agency with no client PII, your risk is lower. (Still nonzero — ransomware doesn't care what business you're in.)

What does an hour of downtime cost you?

Add up: lost revenue, recovery cost, regulatory penalties, client trust. For a typical SMB, an hour of downtime ranges from $1,000 to $100,000+. A ransomware incident that takes a week to recover from costs the median victim about $300,000 — and that's before regulatory fines.

If those numbers are scary, the math on a SOC works out.

Does your insurance require one?

Increasingly, yes. The cyber insurance market is consolidating around requirements for "24x7 monitoring" or "managed detection and response (MDR)." If your renewal questionnaire asks about either, a SOC is the answer.

SOC vs MDR vs MSSP — the alphabet soup

These terms overlap heavily and the industry has done a poor job of distinguishing them.

  • SOC is the function — people watching alerts.
  • MDR (Managed Detection & Response) is SOC delivered as a service, usually scoped to a specific product (e.g., "MDR for CrowdStrike").
  • MSSP (Managed Security Service Provider) is the broader business — SOC + identity + vulnerability management + compliance support + advisory.

You don't need to know the difference to buy the service. You just need to ask: who is watching my alerts at 3am on a Sunday, what do they do when they see something, and how fast?

Building it yourself vs. outsourcing

Running a real SOC in-house requires a minimum of 5-6 analysts (to cover 24x7x365 with vacation and turnover), a SIEM, a threat intel feed, runbooks, an EDR integration, and a manager. Fully loaded cost: $800K to $1.5M per year, conservatively, and that's before tooling.

Outsourcing to a managed SOC (MDR or MSSP) for a 100-endpoint SMB typically lands in the $8K to $15K per month range, depending on scope. That buys the same analyst coverage you'd get in-house at a fraction of the cost, because the cost is amortized across many clients.

For nearly every business under 500 employees, outsourced is the only math that works.

Questions to ask before you sign

If you're shopping for SOC coverage, the right questions aren't about features. They're about commitments.

  • What's your MTTR target, and what was the actual MTTR last quarter?
  • Who answers the phone at 3am — a human, or a ticket queue?
  • Can your analyst take action on my behalf (isolate a host, disable an account), or just send me an email?
  • What's the escalation path if your analyst needs me to make a decision?
  • Show me a sample incident write-up from a real (anonymized) incident.

If the answers are vague, walk. The whole value of a SOC is in the specifics.

How we do it

WHT runs a 24/7 AI-assisted SOC. Our analysts use AI to triage the noise, but every confirmed escalation is reviewed and actioned by a human before anything reaches your environment. We answer the phone. Average response time to confirmed incidents: under 12 minutes.

The bottom line

A SOC isn't a luxury product. For most SMBs in regulated industries — or any business where downtime has real cost — it's the only way to get from "alerts pile up in a dashboard" to "someone actually does something about it."

You don't need to build it. You do need to have access to one. Whether that's us, or a competitor, or your own team — the question isn't whether. It's how fast.

Want this audited for your environment?

A 30-minute call. We'll tell you what's already solid, what needs work, and what we'd charge. No deck. No pressure.
