There is a phrase that appears in almost every managed security services proposal: ‘24/7 monitoring.’ It sounds reassuring. It implies that someone is always watching, always ready to respond, always between your organisation and the next threat. The reality is more nuanced, and for many organisations that have purchased managed SOC services, the gap between the phrase and the practice is where breaches happen.
A security operations center, whether internal or managed, is not a piece of software. It is a team of human analysts supported by technology, monitoring your environment, triaging alerts, investigating anomalies, and responding to confirmed threats. The ‘managed’ model means that instead of building and staffing that team internally, you engage a provider to deliver that capability as a service. For small and mid-sized businesses, this is not a compromise. It is often the only viable path to genuine security coverage, and when the provider is the right one, it delivers a level of protection that most organisations could not replicate internally at any cost.
The challenge is that ‘managed SOC’ as a label covers an enormous range of actual capabilities, from sophisticated human-led operations with sub-15-minute detection times to automated alerting services with a ticket queue that no one monitors overnight. Understanding what separates a genuine SOC from security theatre is essential before any purchasing decision, and many organisations begin with a cybersecurity posture assessment to determine whether their monitoring capabilities align with their actual risk exposure.
What Does a Real SOC Actually Do?
At its core, a SOC has three functions: detect, triage, and respond. Detection is the identification of a potential security event: an alert fired by an endpoint tool, an anomalous authentication pattern, an unusual volume of data moving across the network. Triage is the process of determining whether that alert represents a genuine threat or a false positive, and if genuine, how serious. Response is the action taken to contain, investigate, and remediate the confirmed incident, often supported by dedicated incident response services when a serious breach occurs.
The critical word in each of these functions is ‘human.’ Detection without human triage is just noise: most enterprise environments generate thousands of alerts per day, the vast majority of which are benign. Automated tools can flag, correlate, and prioritise. But determining whether an anomalous login at 11pm is a remote employee working late or an attacker using stolen credentials takes contextual judgment, and that requires an analyst who understands what ‘normal’ looks like in that specific environment.
This is the fundamental difference between a managed SOC and a managed alerting service. An alerting service delivers notifications. A SOC delivers decisions, investigated, contextualised, and actioned by people who are accountable for the outcome.
The Number That Determines Your Outcome: Mean Time to Detect
If you remember one metric from this article, let it be mean time to detect (MTTD): the average time between when an attacker gains initial access to your environment and when your security team identifies that something is wrong.
MTTD matters because attackers need time. Initial access gives them a foothold, but the most damaging actions (lateral movement, privilege escalation, data exfiltration, ransomware deployment) take time to execute. An attacker who is detected and contained within minutes of gaining access has caused damage of a different order of magnitude than one who has been in the environment for days or weeks.
Industry data consistently shows that the average breach dwell time, the time between initial access and detection, is measured in days rather than hours for most organisations without mature SOC coverage. For organisations with mature, human-led SOC capabilities, dwell times are measured in minutes to hours. That difference in detection time is the difference between an incident that costs you a contained remediation effort and one that costs you client data, operational continuity, and regulatory exposure.
When evaluating a managed SOC provider, ask for their documented MTTD by incident severity, and ask how that metric is measured. A credible provider should be able to give you a specific number — not a range, and not a marketing statement. For high-severity events, sub-15-minute detection is achievable and should be the expectation. For medium-severity events, the window extends, but should still be measured in hours, not days.
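The point about asking how MTTD is measured is easiest to see with numbers. The following is an added example, not code from the article or from any provider: it computes MTTD per severity from constructed incident records, using the article's definition (clock starts at initial access), and then shows how much smaller the same figure looks when the clock only starts once an alert has fired. The 4-hour bound for medium severity is an assumed illustrative value.

```python
from datetime import datetime, timedelta

# Detection expectations stated in the article: under 15 minutes for
# high-severity events and hours (not days) for medium. The 4-hour bound
# for medium is an assumed illustrative value, not a figure from the article.
MTTD_TARGETS = {"high": timedelta(minutes=15), "medium": timedelta(hours=4)}

# Constructed sample incidents (not real data). Each carries three timestamps
# so the choice of measurement start is explicit: when the attacker first
# gained access (established in investigation), when the first alert fired,
# and when an analyst identified the activity as an incident.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "initial_access": "2024-03-02T02:04:00",
     "alert_fired": "2024-03-02T02:09:00", "detected": "2024-03-02T02:16:00"},
    {"id": "INC-2", "severity": "high", "initial_access": "2024-03-05T14:00:00",
     "alert_fired": "2024-03-05T14:30:00", "detected": "2024-03-05T14:38:00"},
    {"id": "INC-3", "severity": "medium", "initial_access": "2024-03-11T09:00:00",
     "alert_fired": "2024-03-11T11:00:00", "detected": "2024-03-11T12:00:00"},
    {"id": "INC-4", "severity": "medium", "initial_access": "2024-03-18T08:00:00",
     "alert_fired": "2024-03-19T07:00:00", "detected": "2024-03-19T09:00:00"},
]


def mttd_by_severity(incidents, start_field="initial_access"):
    """Mean of (detected - start_field) for each severity, as a timedelta.

    The article's definition starts the clock at initial access. Passing
    start_field="alert_fired" gives the weaker measurement that starts only
    once an alert exists and so excludes everything that happened before."""
    per_severity = {}
    for inc in incidents:
        elapsed = (datetime.fromisoformat(inc["detected"])
                   - datetime.fromisoformat(inc[start_field]))
        per_severity.setdefault(inc["severity"], []).append(elapsed)
    return {sev: sum(ds, timedelta()) / len(ds) for sev, ds in per_severity.items()}


def meets_targets(mttd, targets=MTTD_TARGETS):
    """True per severity when the measured MTTD is within the stated target."""
    return {sev: mttd[sev] <= limit for sev, limit in targets.items() if sev in mttd}


if __name__ == "__main__":
    for start in ("initial_access", "alert_fired"):
        m = mttd_by_severity(INCIDENTS, start)
        print(f"measured from {start}:",
              {sev: str(v) for sev, v in m.items()}, meets_targets(m))
```

With these records the provider misses both targets when measured from initial access and meets both when measured from the first alert, which is why the measurement definition has to be part of the question.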
What Real 24/7 Coverage Actually Means
‘24/7 monitoring’ can mean many things. At one end of the spectrum, it means human analysts staffed across multiple shifts, actively monitoring client environments around the clock, with escalation paths that ensure someone with decision-making authority is reachable at any hour. At the other end, it means an automated SIEM running overnight that generates alerts into a queue that is reviewed the following morning.
The distinction matters enormously, especially when organisations rely on a documented incident response plan to coordinate actions during an active security event. Consider a ransomware attack that begins at 2am on a Saturday. That timing is not accidental: attackers consistently target weekends and holidays, when response capacity is lowest. Stopping it needs a human analyst who can identify the early indicators of compromise, recognise that what appears to be a single anomalous event is part of a coordinated attack sequence, and initiate containment before the encryption payload deploys. An automated alert delivered to an unmonitored queue provides no protection at all.
Questions to ask any managed SOC provider about their coverage model:
• How many analysts are staffed per shift overnight and on weekends?
• What is the escalation path when a senior decision is required at 3am?
• How is shift handover managed to ensure context is not lost between analysts?
• What is the documented SLA for initial analyst response to a high-severity alert?
• Can you provide reference clients who have experienced an incident outside business hours and can speak to the response?
The answers to these questions tell you whether you are buying genuine 24/7 coverage or the illusion of it.
Technology Is Not a SOC: The Role of SIEM, EDR, and Threat Intelligence
A managed SOC is built on technology: a Security Information and Event Management (SIEM) platform that aggregates and correlates logs and alerts from across the environment, endpoint detection and response (EDR) tools that provide deep visibility into workstations and servers, and threat intelligence feeds that keep detection current against the latest attack techniques.
But technology is the infrastructure of a SOC, not the SOC itself. A SIEM generates detections based on rules. Rules are only as current as the last time they were updated. Threat intelligence is only actionable if someone is operationalising it, translating indicator feeds into blocking rules and updating detection logic based on what attack techniques are actively being used against organisations in your sector. EDR tools generate telemetry that is meaningful only when an analyst knows what to look for in it.
When evaluating a managed SOC provider, ask not just what tools they use, but how those tools are managed and updated. Specifically: how frequently are detection rules reviewed and updated? How is threat intelligence operationalised into the detection environment? What is the process for tuning the environment to reduce false positive rates? A provider who cannot answer these questions with specificity is delivering a technology deployment, not a SOC service.
What the Onboarding Process Should Look Like
One of the most revealing indicators of a managed SOC provider’s quality is their onboarding process, which should include a structured cyber risk assessment of the environment being monitored. Genuine SOC coverage requires the provider to understand your specific environment: what your normal baseline looks like, which systems are critical, what your business hours and usage patterns are, and what your existing security controls are and how they are configured.
A provider who connects their SIEM to your log sources and declares you ‘monitored’ without a structured onboarding process that establishes environmental baselines is setting you up for a high false positive rate and missed detections. Normal is different in every environment: a spike in authentication attempts at 8am might be entirely expected in a retail environment and highly suspicious in a professional services firm. Without understanding your baseline, no alert can be triaged meaningfully.
Expect an onboarding process that includes log source integration and validation, a baselining period during which the environment is observed and false positive rates are reduced, documentation of critical assets and response priorities, and a defined escalation runbook that specifies how incidents will be communicated to your team and what decisions require your involvement.
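The 8am authentication spike from the previous paragraph, and the false-positive tuning discussed under the SIEM section, can be shown concretely. This is an added example, not code from the article or any provider: it builds a per-environment, per-hour baseline from a constructed two-week history and triages the same observation (420 authentication attempts at 08:00) against two hypothetical client profiles. The z-score limit and the absolute floor are assumed illustrative tuning values.

```python
from statistics import mean, pstdev

# Constructed baselining history (not real data): authentication attempts per
# hour of day, one entry per weekday observed over a two-week onboarding
# period, for two hypothetical client environments.
HISTORY = {
    "retail": {
        8: [410, 395, 430, 402, 418, 399, 425, 407, 412, 398],
        2: [3, 1, 0, 2, 1, 4, 0, 1, 2, 1],
    },
    "professional_services": {
        8: [28, 31, 25, 33, 29, 30, 27, 32, 30, 26],
        2: [0, 0, 1, 0, 0, 0, 1, 0, 0, 0],
    },
}


def build_baseline(history):
    """Per-environment, per-hour (mean, population stdev) from the history."""
    return {env: {hour: (mean(counts), pstdev(counts)) for hour, counts in hours.items()}
            for env, hours in history.items()}


def triage(baseline, env, hour, observed, z_limit=3.0, min_excess=10):
    """Classify an observed hourly count against that environment's baseline.

    'suspicious' when the count exceeds the baseline mean by more than
    z_limit standard deviations AND by at least min_excess events. The
    absolute floor is the tuning knob that stops near-empty hours (mean ~1)
    from alarming on a handful of events. Both thresholds are assumed
    illustrative values, not figures from the article."""
    mu, sigma = baseline[env][hour]
    excess = observed - mu
    if sigma == 0:
        z = float("inf") if excess > 0 else 0.0
    else:
        z = excess / sigma
    verdict = "suspicious" if z > z_limit and excess >= min_excess else "expected"
    return verdict, round(z, 1)


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Same observation, two environments: 420 attempts at 08:00.
    for env in HISTORY:
        print(env, "08:00 x420 ->", triage(baseline, env, 8, 420))
    print("retail 02:00 x60 ->", triage(baseline, "retail", 2, 60))
    print("retail 02:00 x6  ->", triage(baseline, "retail", 2, 6))
```

The same 420 attempts at 08:00 come back as expected for the retail profile and suspicious for the professional services profile, and the floor keeps six attempts at 02:00 from alarming even though they sit well above that hour's tiny standard deviation.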
Managed SOC for SMBs: What Changes When You’re Not an Enterprise?
The managed SOC model was developed primarily for enterprise organisations with the budget and complexity to justify significant investment. For small and mid-sized businesses, the economics have historically been challenging: the cost of genuinely staffed, technology-backed SOC services was prohibitive.
That has changed. The emergence of platforms that allow SOC providers to efficiently manage multiple SMB environments simultaneously has made genuine 24/7 coverage accessible at a price point that SMBs can justify. The key is finding a provider who has specifically designed their delivery model for the SMB segment, with onboarding processes, escalation paths, and communication approaches that are calibrated for organisations without internal security teams.
Armour Cybersecurity’s Managed SOC is built specifically for this context. Human analysts, 24/7 coverage, documented detection SLAs, and a delivery model that works with your team’s capacity rather than assuming you have dedicated security staff available around the clock. The outcome is genuine protection, not a compliance checkbox, and not the illusion of coverage that automated alerting services provide.
To understand what managed SOC services look like for your specific environment, visit armourcyber.io or contact the Armour Cybersecurity team.