For most scaling organisations, a “proper” 24x7 Security Operations Centre (SOC) costs far more than the salary line suggests and still leaves gaps in coverage, skills and response speed. Outsourcing managed detection and response (MXDR) using Microsoft Security can deliver stronger outcomes at a predictable cost.
Before we get into the numbers: if you’re a UK scaling business trying to figure out how to run security operations properly (especially 24x7x365), you’re in the right place.
The examples here assume you run a Microsoft estate (Microsoft 365, plus Azure for many organisations) and you want a realistic view of what it takes to deliver round-the-clock detection and response, not just business-hours alert checking.
Most leaders underestimate what “always on” really means. If you always want two analysts on shift, you typically need 6-8 full-time equivalents (FTE) once you account for shift patterns, annual leave, sickness, training and resilience.
And it’s not just analysts. You will also need at least some capability for:
Indicative fully burdened cost per FTE: £70k-£110k (salary, NI, benefits, overhead).
That takes you into a very real first-year staffing bill before you have even discussed tooling, process, reporting or incident response.
“If you want 24x7 security outcomes, you need to fund a 24x7x365 operating model. Most mid-market SOC builds fail because the maths never worked in the first place.”
Dominic List, CEO & Founder, CyberOne
A common misunderstanding: “If we have Microsoft licences, we’ve already paid for the SOC.”
Not quite. Microsoft security tools are powerful, but a SOC is an operating model: people, process, engineering, tuning, threat intelligence and response. Even in the in-house scenario, you still need:
Microsoft Sentinel - cloud-native SIEM and SOAR (centralises logs, correlates threats, automates response)
Microsoft Defender XDR - unified threat detection and response across endpoints, identity, email and cloud
The data shows Sentinel ingestion and retention plus Defender XDR licensing are typically baseline costs you pay with or without an outsourced SOC, so they are not the “savings” people assume.
Even if you exclude baseline Microsoft licensing, an internal SOC commonly adds incremental annual overhead across:
Threat intelligence feeds
Monitoring infrastructure, ticketing and dashboards
Training, certifications and skills development
The referenced estimate puts incremental annual SOC tooling and overhead (excluding baseline Microsoft licensing) at roughly £45k-£100k.
Shift work drives churn. Every departure creates:
This is why “we’ll start with a small SOC and scale later” often becomes “we’ve built an expensive alert mailbox”.
Even with a small internal SOC, most mid-market teams still need external help for deep forensics and incident response. The data here references:
DFIR engagements (digital forensics and incident response) averaging £20k-£75k per incident
Delayed detection and containment typically 7-14 days in some internal scenarios
Business interruption and associated impacts often exceeding £150k-£300k for mid-market organisations
You do not need to be alarmist about breaches to be commercial: response capability is a line item, whether you plan for it or not.
| Area | Build Your Own SOC | With Microsoft + CyberOne MXDR Premium |
|---|---|---|
| 24x7 Coverage | Requires ~6-8 FTE to be resilient | Included 24x7x365 monitoring and response |
| Detection Engineering | Specialist hire needed for rules and tuning | Hyperion with 1,000+ managed rules plus ongoing tuning |
| Response Speed | Often hours to days, depending on coverage and maturity | SLA-driven response, including P1 response in minutes |
| Threat Intelligence | Often basic or inconsistent | Integrated threat intelligence and enrichment (Athena) |
| Incident Response Depth | Usually limited, external DFIR is still required | Human-led investigation and containment 24x7, backed by accredited responders |
This is not a “people vs tools” debate. It is an operating model choice. When you try to build a SOC in-house, you typically get one of two outcomes:
A managed model flips the equation:
CyberOne’s positioning is performance-led security for the mid-market, with global 24x7x365 delivery, accreditations and SLA-backed outcomes.
To run a genuine 24x7x365 in-house Security Operations Centre (SOC), the costs are not just a couple of analyst salaries. In the first year, a typical model for a 200-user organisation looks like this:
Total First-Year Cost: ~£505k-£1.02m
Now compare that with a managed model.
CyberOne MXDR Premium is typically ~£10-£12 per user per month. For 200 users, that’s roughly £24k-£29k per year, plus a one-off onboarding fee.
The point isn’t that every organisation will land on exactly the same numbers. The point is the scale of the difference. Once you aim for proper 24x7x365 cover, mid-market in-house SOC economics get expensive fast.
For a practical view of what drives MXDR pricing and how to keep spending predictable, read MXDR costs and how to control them in The MXDR Buyer’s Guide.
Microsoft’s advantage is integration across identity, endpoints, email, cloud and data. In practice, that means:
For most Microsoft-centric organisations, consolidating around Microsoft Security reduces operational complexity and makes measurement easier.
“Most organisations are already paying for a strong security foundation in Microsoft 365 and Azure. The smart move is turning that investment into measurable outcomes - joined-up signals, faster triage and consistent response, not more dashboards.”
Luke Elston, Microsoft Practice Director, CyberOne
Not all managed SOC services are the same. The difference is not the logo on the portal - it’s how well the service is running day to day.
CyberOne stands out because it combines:
Even when the numbers stack up, it’s normal for leaders to pause on managed security. The questions are usually less about the technology and more about control, trust and whether a third party will really understand your environment and priorities.
Here are the most common objections we hear and the straight answers that help teams make a confident decision.
Objection 1: “We Want Control. Outsourcing Feels Risky.”
Control should mean control of outcomes. With the right operating model, you keep decision rights and visibility while delegating 24x7x365 triage and response execution.
Objection 2: “Our Environment is Unique.”
Every environment is. The question is whether you want to fund a bespoke in-house team to maintain that uniqueness, or have specialists continuously tune detections, rules and response playbooks as part of the service.
Objection 3: “We Can Recruit One or Two Analysts and Start Small.”
One or two analysts is not a 24x7 SOC. It is a business-hours capability with gaps. That is fine if you accept the risk, but it should be an explicit decision, not an accidental one.
Objection 4: “We Already Pay for Microsoft, so Why Pay Again?”
Microsoft provides the platform. You are paying for the operating capability: coverage, tuning, investigation, containment and governance. The platform does not run itself.
Objection 5: “We Are Not Big Enough for a SOC.”
That is exactly the point. Most 200-user organisations are not big enough to run a true 24x7x365 SOC economically, but they still need the outcomes.
MXDR works best when it builds on a few solid foundations, and the good news is that most organisations are closer than they think. You might already have much of what’s needed through Microsoft 365 and your existing IT processes.
The key is knowing which gaps matter, which ones don’t and what to tighten up first so you get maximum value from day one. Treat readiness as a quick health check, not a hurdle - a short piece of work up front can reduce noise, speed up response and make the service far easier to run.