Managed SOC Services

24/7 detection, triage, and response. Built on a Tier 1-4 SOC operating model.

Managed detection and response (MDR) is a fully managed service that combines 24/7 monitoring, threat detection, and active incident response, delivered by an outsourced Security Operations Center (SOC). A managed SOC watches your environment around the clock, investigates every alert across Tier 1–4 analysts, and contains threats in real time — giving you enterprise-grade defense without building an in-house team.

A fully managed Security Operations Center with continuous monitoring, in-house threat intelligence, SOAR automation, and integrated incident response. Available as a service-only engagement on your existing SIEM or as a turnkey deployment with platform, rules, and 24/7 analysts.

A SOC that runs on your side, not at a distance.

Most managed detection offerings stop at Tier 1 alerts. The analyst on duty closes false positives, escalates suspicious activity, and waits for the client to decide what happens next. The hard work — investigation, correlation, threat hunting, custom rule development, and incident response — falls back on the internal team. The advertised 24/7 coverage protects the noise floor and not much else.

Armour Cybersecurity's Managed SOC is built on a Tier 1-4 operating model. Tier 1 analysts monitor alerts continuously. Tier 2 conducts advanced investigations and malware analysis. Tier 3 hunts proactively and resolves complex incidents. Tier 4 handles reverse engineering, custom detection development, and incident response leadership. The same team that triages the alert is the team that contains the incident, with no vendor handoff and no chain-of-custody gap.

The engagement is technology-agnostic. The service-only model utilizes the organization's existing SIEM and applies an offensive-perspective optimization of rules, correlations, run books, and playbooks. The turnkey model deploys a fully licensed monitoring platform with custom rule development and SOAR automation built in. Either model includes in-house threat intelligence, threat hunting, and integrated 24/7 incident response.

Tier 1-4
Full analyst coverage across monitoring, investigation, threat hunting, and incident response leadership
SOAR
Automated playbooks for incident management, enrichment, investigation, and remediation actions

Tier-1 noise floor vs. full-spectrum SOC.

The difference between a SOC that absorbs work and one that creates it for the internal team usually comes down to the depth of analyst coverage and whether incident response is integrated into the same operating model.

The Problem

Alert forwarding dressed up as managed detection.

A third-party SOC sends a queue of unenriched alerts to the internal team. Tier 1 closes the obvious false positives and escalates everything else. There is no Tier 3 hunting, no custom detection development, and no Tier 4 reverse engineering. When an alert becomes an incident, a separate IR vendor is called in, evidence is reconstructed after the fact, and the chain of custody is fragile. Reporting consists of alert counts. The board cannot tell whether the SOC is reducing risk or simply forwarding work.

The Solution

One team, four tiers, monitoring through to containment.

The same team that monitors Tier 1 also runs Tier 2-4. Alerts are enriched, correlated, and triaged before they reach the client. Custom detection rules are developed continuously from the offensive perspective. Threat hunting is proactive, not reactive. SOAR playbooks automate the response actions that should never need a human. When an incident is confirmed, IR engages from the same team that opened the ticket, with evidence preserved from the first event and a documented chain of custody.

How managed SOC and MDR compare.

MDR, MSSP, SIEM, and EDR are often used interchangeably, but they are not the same. Here is how they differ on what they are, who operates them, and whether they actually respond to threats.

SolutionWhat it isWho operates itActive response?
MDRManaged detection and response serviceProvider's SOC analystsYes — contains and responds to threats
Managed SOCOutsourced 24/7 Security Operations CenterProvider's Tier 1–4 analystsYes — full monitoring + response
MSSPManaged security service provider (device/tool management)ProviderLimited — alerts you, often no hands-on response
SIEMLog aggregation & correlation softwareYou / your teamNo — a tool, not a service
EDREndpoint detection & response softwareYou / your teamEndpoint-only, requires staff to act

What each SOC tier does

TierRoleResponsibilities
Tier 1Alert triageMonitors alerts 24/7, filters noise, escalates real threats
Tier 2InvestigationInvestigates escalated alerts, scopes incidents, begins containment
Tier 3Threat huntingProactive hunting, advanced analysis, detection engineering
Tier 4SOC leadershipIncident command, strategy, reporting, continuous improvement

Armour Cybersecurity covers all four tiers 24/7 in-house, rather than forwarding Tier 1 alerts and leaving deeper work to the client's team.

What the SOC delivers.

Nine integrated capabilities, exercised across the Tier 1-4 operating model and supported by the in-house threat research lab and 24/7 incident response team.

01 / MONITORING

24/7 Tier 1-4 Monitoring

Continuous monitoring across endpoint, network, cloud, identity, and application telemetry. Tier 1-4 analysts cover triage, investigation, threat hunting, and reverse engineering without vendor handoffs.

02 / SIEM

SIEM Deployment & Optimization

Either operate the existing SIEM with offensive-perspective rule optimization, or deploy a fully licensed monitoring platform with custom connector development and ongoing tuning.

03 / DETECTION

Custom Detection Rules

Over five hundred custom detection rules layered on top of built-in analytics, tuned to the client's environment, industry threat landscape, and the TTPs of relevant adversaries.

04 / SOAR

SOAR & Automated Playbooks

Automated playbooks for incident assignment, ticket creation, enrichment, geolocation, threat intelligence correlation, user validation, and remediation actions including block, isolate, and disable.

05 / INTELLIGENCE

In-House Threat Intelligence

Dedicated research team analyzing adversary TTPs from an attacker's perspective. Custom rule creation from current threat data, mapped to MITRE ATT&CK and fed into SOC detection on a continuous cycle.

06 / HUNTING

Proactive Threat Hunting

Tier 3 analysts hunt continuously for adversary activity that has bypassed existing controls. Custom KQL-style queries integrated into investigations, with findings fed back into detection logic.

07 / FORENSICS

Advanced Forensic Capabilities

Tier 4 forensic capability including memory analysis, malware reverse engineering, and adversary behaviour reconstruction. Evidence preservation from the first alert, ready for incident response handoff.

08 / IR

Integrated 24/7 Incident Response

Incident Response team operates from the same SOC, eliminating handoff delay when an alert becomes an incident. Chain of custody preserved from the moment the first event triggered investigation.

09 / REPORTING

Reporting & Dashboards

Weekly status reports, monthly programme reports, immediate notifications for high and critical incidents, lessons-learned reports after material events, and interactive dashboards for client analysts.

Who this engagement serves.

Built for organizations that need continuous detection and response capability without building, staffing, and operating a SOC internally.

Mid-Market to Enterprise Organizations

Companies that need 24/7 SOC coverage but cannot justify the cost and staffing of an internal Tier 1-4 operation. Either model (service-only or turnkey) scales to organizational size and existing investment.

Regulated Industries

Finance, healthcare, legal, and government organizations subject to obligations that require documented continuous monitoring, incident detection, and response capability with audit-ready evidence.

Cloud-First & Hybrid Environments

Organizations operating across multi-cloud and on-premises infrastructure who need a SOC that ingests data from any source, supports custom connectors, and detects threats across the full attack surface.

Internal Security Teams Needing Augmentation

Security teams that want a partner to handle 24/7 Tier 1-2 monitoring, custom rule development, and threat hunting so internal analysts can focus on strategic projects, response, and engineering.

A disciplined methodology across six phases.

Onboarding follows a three-phase model that brings the SOC to operational maturity in six to eight weeks. The same six execution phases continue cyclically once the SOC is live, so detection, hunting, and tuning improve continuously over the lifetime of the engagement.

1

Onboarding & Connectivity

One to two weeks. Deployment of the event collector, configuration of log forwarding from organizational data sources, data source review, ingestion filtering, and threat intelligence setup. Go-live connectivity confirmed.

2

Mapping & Standardization

Two to four weeks. Kickoff of Tier 1-2 monitoring, SIEM rule customization to the client environment, working methodology established, custom connectors built, and playbooks reviewed and adapted.

3

Ongoing Tier 1-4 Operations

24/7 monitoring at Tier 1-2 with full Tier 3-4 support. Ongoing threat intelligence, proactive threat hunting, SIEM rule enhancement, and playbook updates. Incident response team coverage at all times.

4

Threat Research & Rule Creation

Continuous research from multiple Threat Intelligence Platforms on current adversary TTPs. Custom rules developed from an offensive perspective, deployed into client detection logic on a regular cycle.

5

Escalation & Incident Response

Tier 2-3 confirmation of true positives triggers internal escalation to the Incident Response team. Forensic investigation, containment, eradication, and recovery follow on a documented chain of custody.

6

Reporting & Continuous Improvement

Weekly status reports, monthly programme reports, immediate notifications for high and critical incidents, and lessons-learned reports that drive corresponding updates to detection rules and playbooks.

What the organization walks away with.

Nine integrated deliverables, refreshed on a continuous cycle and structured to support audit evidence, board reporting, and direct analyst access for the internal team.

DELIVERABLE 01

24/7 Tier 1-4 SOC Monitoring

Continuous coverage across all four analyst tiers without vendor handoffs, with multilingual analyst support across global time zones and integrated 24/7 incident response.

DELIVERABLE 02

SIEM Deployment & Optimization

Either operation of the existing SIEM with offensive-perspective rule and playbook optimization, or full deployment of a licensed monitoring platform with custom connectors and tuning.

DELIVERABLE 03

Custom Detection Rules & Correlations

Over five hundred custom detection rules, tuned to the client environment and industry threat landscape, mapped to MITRE ATT&CK and continuously refreshed by the threat research team.

DELIVERABLE 04

SOAR Automation Playbooks

Playbook library covering incident management, enrichment and investigation, and remediation actions, integrated across the security tool stack and executable manually or automatically.

DELIVERABLE 05

Threat Intelligence Feeds

Actionable intelligence feeds from the in-house research team covering adversary TTPs, IOCs, persistency methods, and known patterns, integrated directly into SOC detection logic.

DELIVERABLE 06

Proactive Threat Hunting

Continuous threat hunting from Tier 3 analysts, with findings fed back into detection logic and documented in monthly reports so leadership can see what was discovered and how it was addressed.

DELIVERABLE 07

Integrated 24/7 Incident Response

IR team operating from the same SOC, eliminating handoff delay when an alert becomes an incident, with chain of custody preserved from the first event through to post-incident review.

DELIVERABLE 08

Weekly & Monthly SOC Reports

Weekly status reports covering threat statistics, alerts triaged, and SLA performance, plus monthly programme reports with operational metrics and prioritized recommendations.

DELIVERABLE 09

Interactive Dashboards & Workbooks

Interactive dashboards and workbooks giving client analysts direct visibility into log data, investigations, and SOC operations, with the option to run custom queries and reports.

The numbers behind the work.

Founded by military intelligence veterans with senior advisors from PwC, KPMG, Deloitte, EY, and Mandiant. The track record reflects the discipline.

260+

Clients Served

Organizations across finance, healthcare, technology, energy, legal, and government trust Armour Cybersecurity to protect what matters.

97%

Client Retention Rate

Long-term engagements built on consistent quality, predictable delivery, and consulting relationships that compound in value over time.

52+

Industries · Worldwide Reach

Cross-sector experience spanning every major regulated industry, with operations supporting clients across North America, Latin America, and beyond.

80+

Cybersecurity Technology Solutions

A vetted catalogue of technology partnerships and proprietary methods deployed in support of 24/7 SOC monitoring, detection engineering, and incident response.

Put a full Tier 1-4 SOC behind your environment.

Schedule a fifteen-minute discovery call to scope the engagement. Protecting What Matters starts with a SOC that does the work, not one that forwards it.

Book Discovery Call

Frequently asked questions.

Common questions from CISOs, CIOs, and security architects evaluating a Managed SOC engagement.

What is managed detection and response (MDR)?
Managed detection and response (MDR) is a fully managed cybersecurity service that delivers 24/7 threat monitoring, detection, and active incident response through an outsourced Security Operations Center. An MDR provider watches your environment continuously, investigates alerts, and contains threats — providing enterprise-grade protection without the cost of building an in-house SOC.
What is the difference between MDR and an MSSP?
An MSSP (managed security service provider) typically manages your security tools and sends you alerts, but stops short of hands-on response. MDR goes further: the provider's SOC analysts actively investigate and contain threats on your behalf, around the clock. In short, an MSSP tells you something happened; MDR does something about it.
How much does a managed SOC cost?
Managed SOC and MDR services are usually priced per monitored asset (about $10 to $20 per asset per month) or per user/endpoint (roughly $50 to $200 per user per month, or $8 to $30 per endpoint per month). Comprehensive 24/7 coverage for small-to-midmarket organizations commonly runs $120,000 to $360,000 per year — still far below the cost of building and staffing an in-house 24/7 SOC. Compliance requirements such as HIPAA, PCI, or CMMC and faster response SLAs increase the price.
How is a Managed SOC different from EDR or threat hunting alone?
EDR protects endpoints. Threat hunting searches for adversary activity that controls missed. A Managed SOC sits above both, providing 24/7 monitoring across the entire environment (endpoint, network, cloud, identity, application), correlation through a SIEM, Tier 1-4 analyst triage, automated response through SOAR, and integrated incident response when an alert becomes an incident. The SOC is the centralized detection and response function for the organization, and the other capabilities feed into it.
Do you support our existing SIEM or do we have to switch?
Both models are available. The service-only engagement utilizes the organization's existing SIEM, with optimization of rules, correlations, run books, and playbooks from an offensive and defensive perspective. The turnkey engagement provides a fully licensed monitoring platform, deployment, custom rule development, and ongoing management. The decision typically comes down to whether the organization wants to consolidate vendors or extract more value from an existing investment.
What do Tier 1 through Tier 4 SOC analysts actually do?
Tier 1 analysts monitor alerts continuously, close false positives, and handle basic investigations. Tier 2 analysts work on more advanced investigations, malware analysis, and adversary research. Tier 3 focuses on deeper investigations, complex alert resolution, and proactive threat hunting. Tier 4 covers reverse engineering, custom detection development, and incident response leadership. All four tiers are covered 24/7 by Armour Cybersecurity rather than relying on a single tier to handle everything.
How long does onboarding take?
Onboarding runs one to two weeks for collector deployment, data source connection, log forwarding configuration, and threat intelligence setup. A subsequent two to four week mapping and standardization phase customizes SIEM rules, establishes playbooks, and operationalizes Tier 1-4 monitoring. Ongoing 24/7 monitoring and threat hunting begin during the second phase. Time to first value is measured in weeks, not months.
How does the SOC handle automation and SOAR?
Automated playbooks integrate across security tools to handle incident management (analyst assignment, ticket creation, status sync, team notifications), enrichment and investigation (geolocation lookup, threat intelligence correlation, user validation), and remediation actions (block IP, disable account, isolate host, trigger conditional access). Playbooks can run on-demand on entities and alerts, or trigger automatically on specific incident types. The result is faster mean time to respond and fewer manual touchpoints.
How is incident response integrated with the SOC?
The SOC and Incident Response team are integrated rather than separate services. When a Tier 2 or 3 analyst confirms a true positive that crosses the incident threshold, the same team escalates internally to the IR function for containment, forensic investigation, and recovery. This eliminates the handoff delay typical of organizations using separate SOC and IR vendors and preserves chain of custody from the first alert.
What kind of reporting does the client receive?
Weekly status reports document threat statistics, alerts triaged, incidents handled, and SLA performance. Monthly programme reports cover SOC operational metrics, detection coverage, and recommendations. High and critical incidents trigger immediate notifications with technical and operational detail. After significant incidents, a lessons-learned report documents root cause, response effectiveness, and corresponding improvements to detection rules and playbooks. Interactive dashboards are available for client analysts who want direct visibility into log data and investigations.

Engage a SOC that runs on your side.

Reach out to scope a Managed SOC engagement. Discovery calls are scheduled within two business days.

Talk to Armour Cybersecurity.

📞
Phone
1 866 803 0700
Email
info@armourcyber.io
📍
Headquarters
77 Bloor St West, Suite 600
Toronto, ON, Canada

Request a discovery call.

Tell us about your environment, existing SIEM, and detection priorities. A senior advisor will respond within two business days.