For most scaling organisations, a “proper” 24x7 Security Operations Centre (SOC) costs far more than the salary line suggests and still leaves gaps in coverage, skills and response speed. Outsourcing managed detection and response (MXDR) using Microsoft Security can deliver stronger outcomes at a predictable cost.
Before we get into the numbers: if you’re a UK scaling business trying to figure out how to run security operations properly (especially 24x7x365), you’re in the right place.
The examples here assume you run a Microsoft estate (Microsoft 365, plus Azure for many organisations) and you want a realistic view of what it takes to deliver round-the-clock detection and response, not just business-hours alert checking.
What Turns an “In-house SOC” into a Budget Trap
1. 24x7x365 coverage is a staffing maths problem, not a motivation problem
Most leaders underestimate what “always on” really means. If you always want two analysts on shift, you typically need 6-8 full-time equivalents (FTE) once you account for shift patterns, annual leave, sickness, training and resilience.
And it’s not just analysts. You will also need at least some capability for:
- SOC leadership (governance, quality assurance, incident handling)
- Detection engineering (rules, tuning, log sources, ingestion)
Indicative fully burdened cost per FTE: £70k-£110k (salary, NI, benefits, overhead).
That takes you into a very real first-year staffing bill before you have even discussed tooling, process, reporting or incident response.
“If you want 24x7 security outcomes, you need to fund a 24x7x365 operating model. Most mid-market SOC builds fail because the maths never worked in the first place.”
Dominic List, CEO & Founder, CyberOne
2. “We Already Own Microsoft” Is Not a SOC Cost Saving
A common misunderstanding: “If we have Microsoft licences, we’ve already paid for the SOC.”
Not quite. Microsoft security tools are powerful, but a SOC is an operating model: people, process, engineering, tuning, threat intelligence and response. Even in the in-house scenario, you still need:
- Microsoft Sentinel - cloud-native SIEM and SOAR (centralises logs, correlates threats, automates response)
- Microsoft Defender XDR - unified threat detection and response across endpoints, identity, email and cloud
The data shows Sentinel ingestion and retention plus Defender XDR licensing are typically baseline costs you pay with or without an outsourced SOC, so they are not the “savings” people assume.
3. Tooling, Training & Operational Overhead Add Up Fast
Even if you exclude baseline Microsoft licensing, an internal SOC commonly adds incremental annual overhead across:
- Threat intelligence feeds
- Monitoring infrastructure, ticketing and dashboards
- Training, certifications and skills development
The referenced estimate puts incremental annual SOC tooling and overhead (excluding baseline Microsoft licensing) at roughly £45k-£100k.
4. Recruitment & Retention Risk Is a Cost, Even When It Is Not on the Invoice
Shift work drives churn. Every departure creates:
- Recruitment costs
- Onboarding time
- Knowledge loss
- Coverage gaps
- Service quality drops at exactly the wrong time
This is why “we’ll start with a small SOC and scale later” often becomes “we’ve built an expensive alert mailbox”.
5. Incident Response Is Still Not Solved
Even with a small internal SOC, most mid-market teams still need external help for deep forensics and incident response. The data here references:
- DFIR engagements (digital forensics and incident response) averaging £20k-£75k per incident
- delayed detection and containment typically 7-14 days in some internal scenarios
- business interruption and associated impacts often exceeding £150k-£300k for mid-market organisations
You do not need to be alarmist about breaches to be commercial: response capability is a line item, whether you plan for it or not.
Build Your Own SOC vs. Microsoft + CyberOne
| Area | Build Your Own SOC | With Microsoft + CyberOne MXDR Premium |
| --- | --- | --- |
| 24x7 Coverage | Requires ~6-8 FTE to be resilient | Included 24x7x365 monitoring and response |
| Detection Engineering | Specialist hire needed for rules and tuning | Hyperion with 1,000+ managed rules plus ongoing tuning |
| Response Speed | Often hours to days, depending on coverage and maturity | SLA-driven response, including P1 response in minutes |
| Threat Intelligence | Often basic or inconsistent | Integrated threat intelligence and enrichment (Athena) |
| Incident Response Depth | Usually limited, external DFIR is still required | Human-led investigation and containment 24x7, backed by accredited responders |
What This Means for Your Business
This is not a “people vs tools” debate. It is an operating model choice. When you try to build a SOC in-house, you typically get one of two outcomes:
- You spend enterprise money to get enterprise outcomes
- You spend a meaningful amount and still end up with partial coverage and slow response
A managed model flips the equation:
- You keep Microsoft as the technology foundation
- You buy the operational capability as a service
- You measure success in outcomes (MTTD, containment, resilience, audit readiness), not headcount
CyberOne’s positioning is performance-led security for the mid-market, with global 24x7x365 delivery, accreditations and SLA-backed outcomes.
What it Really Costs: a 200-User Example
To run a genuine 24x7x365 in-house Security Operations Centre (SOC), the costs are not just a couple of analyst salaries. In the first year, a typical model for a 200-user organisation looks like this:
- People (6-8 full-time roles to cover shifts): ~£475k-£990k per year
- Extra tools, training and running costs (on top of your core Microsoft licences): £45k-£100k per year
- A realistic incident response budget (for one moderate incident): ~£40k
Total First-Year Cost: ~£505k-£1.02m
Now compare that with a managed model.
CyberOne MXDR Premium is typically ~£10-£12 per user per month. For 200 users, that’s roughly £24k-£29k per year, plus a one-off onboarding fee.
The point isn’t that every organisation will land on exactly the same numbers. The point is the scale of the difference. Once you aim for proper 24x7x365 cover, mid-market in-house SOC economics get expensive fast.
For a practical view of what drives MXDR pricing and how to keep spending predictable, read MXDR costs and how to control them in The MXDR Buyer’s Guide.
Why Microsoft is the Clear Foundation for Modern Security Operations
Microsoft’s advantage is integration across identity, endpoints, email, cloud and data. In practice, that means:
- one security language across the estate
- shared signals and analytics for faster detection
- automation opportunities through a unified platform
For most Microsoft-centric organisations, consolidating around Microsoft Security reduces operational complexity and makes measurement easier.
“Most organisations are already paying for a strong security foundation in Microsoft 365 and Azure. The smart move is turning that investment into measurable outcomes - joined-up signals, faster triage and consistent response, not more dashboards.”
Luke Elston, Microsoft Practice Director, CyberOne
Why CyberOne (Not just “Any SOC”)
Not all managed SOC services are the same. The difference is not the logo on the portal - it’s how well the service is running day to day.
CyberOne stands out because it combines:
- Always-on coverage with clear commitments: 24x7 global monitoring and response, backed by defined service levels (SLAs), so you know what “good” looks like and what to expect.
- Proven incident capability: alignment with NCSC and CREST standards, which matters when you need serious help during an incident, not just alert triage.
- Stronger outcomes from the Microsoft stack: CyberOne adds its own accelerators and automation, including a large managed detection ruleset (1,000+ rules referenced), so you get faster, cleaner detection without constant in-house tuning.
- Built for the mid-market: enterprise-grade security outcomes without the enterprise headcount and overhead that normally comes with running a full SOC yourself.
Objections & Responses
Even when the numbers stack up, it’s normal for leaders to pause on managed security. The questions are usually less about the technology and more about control, trust and whether a third party will really understand your environment and priorities.
Here are the most common objections we hear and the straight answers that help teams make a confident decision.
Objection 1: “We Want Control. Outsourcing Feels Risky.”
Control should mean control of outcomes. With the right operating model, you keep decision rights and visibility while delegating 24x7x365 triage and response execution.
Objection 2: “Our Environment is Unique.”
Every environment is. The question is whether you want to fund a bespoke in-house team to maintain that uniqueness, or have specialists continuously tune detections, rules and response playbooks as part of the service.
Objection 3: “We Can Recruit One or Two Analysts and Start Small.”
One or two analysts is not a 24x7 SOC. It is a business-hours capability with gaps. That is fine if you accept the risk, but it should be an explicit decision, not an accidental one.
Objection 4: “We Already Pay for Microsoft, so Why Pay Again?”
Microsoft provides the platform. You are paying for the operating capability: coverage, tuning, investigation, containment and governance. The platform does not run itself.
Objection 5: “We Are Not Big Enough for a SOC.”
That is exactly the point. Most 200-user organisations are not big enough to run a true 24x7x365 SOC economically, but they still need the outcomes.
MXDR Readiness is a Journey, Not a Yes or No
MXDR works best when it builds on a few solid foundations, but the good news is that most organisations are closer than they think. You might already have much of what’s needed through Microsoft 365 and your existing IT processes.
The key is knowing which gaps matter, which ones don’t and what to tighten up first so you get maximum value from day one. Treat readiness as a quick health check, not a hurdle - a short piece of work up front can reduce noise, speed up response and make the service far easier to run.