Why a managed SOC instead of an in-house one
Building an in-house round-the-clock SOC takes 5+ senior analysts, a SIEM, infrastructure and years of run-in: over a million euros a year, in a market where cyber talent is scarce and changes often. A managed SOC offers the same 24·7·365 coverage at a fraction of the cost, operational in weeks. The question is not 'in-house or outsourced' in the abstract: it is whether you can really guarantee quality and continuity 24·7 with your own resources.
The thesis
The choice between in-house and managed SOC is often framed as a matter of control. It is instead a matter of continuity and cost: very few companies can sustainably guarantee a quality 24·7·365 outpost with their own resources, in today’s cyber labour market.
The real cost of doing it yourself
A 24·7 SOC is not “a few tools and an analyst”. It is shifts, so 5-6 senior people; a SIEM to feed and govern; intelligence to build; and the constant risk of turnover, which leaves months of gaps. Over a million a year for coverage that, if undersized, still leaves holes precisely at night and on weekends.
What the managed option provides
24·7·365 coverage guaranteed from day one, proprietary intelligence included, response (in the MDR model), and a predictable subscription at a fraction of the in-house cost. Operational in weeks, not years. The value shows when the attack comes outside office hours, as in Operation Storming Tide.
When it really matters (and when less is enough)
An in-house SOC makes sense with large scale, a stable budget, mature talent or strict sovereignty constraints. For everyone else, the managed option or a hybrid model (in-house by day, managed 24·7) offers more coverage at less cost. Honestly: if you do not have a structured outpost today, starting in-house means paying for it dearly and late.
In-house SOC vs managed SOC
| In-house 24·7 SOC | Managed SOC (SOCaaS) | |
|---|---|---|
| Annual cost | Over EUR 1M | Subscription, ~30% of in-house cost |
| Time to start | Months/years | 2-4 weeks |
| 24·7·365 coverage | Hard (shifts, holidays, turnover) | Included and guaranteed |
| Threat intelligence | To be built | Proprietary, included |
In Operation Storming Tide the Fortgale SOC detected and contained a multi-stage intrusion outside office hours: it is the attackers' favourite moment, where 76% of attacks happen at night or on weekends. An in-house SOC that is not 24·7 is not there.
Read the analysis →Frequently asked.
Does an in-house SOC really cost that much?
A real round-the-clock outpost requires at least 5-6 analysts on shifts, plus SIEM, infrastructure, training and intelligence. Between salaries and licences it exceeds a million a year, before even considering turnover and the months of uncovered shifts when an analyst leaves.
Do I lose control by outsourcing the SOC?
No, if the model is right: transparent reporting, live dashboards, regular briefings and agreed procedures. A managed SOC is an extension of your team, not a black box. The risk decisions stay yours.
When does an in-house SOC make sense?
When you have the scale and budget to sustainably run 24·7 with senior talent, very strict sovereignty requirements, or an already mature team. For the vast majority of companies, though, the managed option offers better coverage at lower cost.
Can a hybrid model work?
Yes, and it is common: the in-house team covers office hours and governs risk, the managed SOC covers nights, weekends and holidays and brings intelligence and response. You pay for continuity where the in-house team does not reach.
From theory to a real operation.
What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Fortgale managed SOC.
Related resources: What is a SOC · What is a SIEM · What is MDR
A technical conversation, not a funnel.
Leave your details: an analyst calls you back within one business day. European SOC, same time zone, proprietary intelligence on the actors active across the EU.