What is a security operations center (SOC)? A guide for IT leaders and MSPs

According to the 2026 Kaseya State of the MSP Report, 61% of MSPs report that most or all of their clients turn to them for cybersecurity advice, making SOC capability a commercial necessity rather than a differentiator. Download the full report here.

Most organizations can’t afford to build a security operations center. The infrastructure, the tools, and especially the people (security analysts working round-the-clock shifts, with the expertise to interpret threat data and respond to active incidents) represent an investment that’s out of reach for all but the largest enterprises.

But the security monitoring capability a SOC provides isn’t out of reach. Managed SOC services, delivered by MDR providers, have made continuous security operations accessible to organizations of any size. Understanding what a SOC does and what it takes to build or access one is the starting point for making an informed decision about how to meet the security operations requirement.

Enterprise SOC Capability, Now Without Enterprise Staffing

Kaseya SIEM delivers cross-surface threat detection across 60+ data sources, automated response, and optional 24/7 managed SOC, powered by Kaseya Intelligence, built on 1B+ help desk tickets and 17M endpoints.

What Is a SOC?

A security operations center (SOC) is the centralized function responsible for monitoring, detecting, investigating, and responding to cybersecurity threats across an organization’s IT environment. The term refers both to the team (security analysts and engineers) and to the technology infrastructure they operate (SIEM, EDR, threat intelligence platforms, and response tooling).

The defining characteristic of a SOC is continuous operation: threats don’t respect business hours, and a SOC that only operates 9-to-5 leaves an unmonitored window that attackers exploit specifically because it exists. True SOC capability means 24/7/365 monitoring and response.

What a SOC Does

Continuous monitoring of security telemetry from across the environment: endpoint activity from EDR, network traffic, identity and authentication data, cloud platform logs, and application logs. The SOC aggregates this data and applies detection rules, machine learning, and analyst judgment to identify threats.

Alert triage and investigation. Modern environments generate enormous volumes of security alerts, far more than can be investigated individually. SOC analysts apply prioritization and context to determine which alerts represent genuine threats, investigating the relevant telemetry to understand the scope and nature of potential incidents.

Incident response. When a genuine threat is confirmed, the SOC coordinates the response: containing affected systems, eradicating the threat, and guiding recovery. In-house SOCs typically own the technical response directly; MDR-based SOC services typically act in partnership with the customer’s IT team.

Threat hunting. Proactive searching for indicators of compromise that didn’t generate automated alerts, looking for early-stage attack activity before it becomes an active incident.

Threat intelligence. Consuming, analyzing, and applying threat intelligence (information about current attack campaigns, actor TTPs, and indicators of compromise) to improve detection and hunting.

Security reporting. Providing regular reporting on the security posture, threat volume, detection and response metrics, and any notable incidents or trends.

SOC Team Roles and Structure

Tier 1 analysts handle the first-line review of alerts, triaging the alert queue, determining initial severity, and escalating confirmed or suspected threats. Tier 1 is the highest-volume work in the SOC.

Tier 2 analysts conduct deeper investigations of escalated alerts, determining the full scope of potential incidents, analyzing forensic data, and advising on containment and remediation.

Tier 3 analysts / threat hunters focus on proactive threat hunting, complex incident investigation, and advanced adversary analysis. This tier typically includes the most experienced staff.

SOC manager / security engineering provides operational leadership, manages detection rule development and tooling, and handles coordination with IT operations and business stakeholders.

Building and staffing this structure is the primary barrier to in-house SOC creation. Experienced security analysts are scarce and expensive. Maintaining continuous coverage requires shift staffing that multiplies the headcount requirement. A fully staffed, 24/7 in-house SOC requires investment in the multi-million-dollar range, justified for large enterprises with complex environments and dedicated security budgets, but prohibitive for most organizations.

SOC Tools and Technology

The core technology stack for a SOC includes:

SIEM (Security Information and Event Management): aggregates log and telemetry data from across the environment, applies correlation rules to identify threat patterns, and provides the investigation interface for analysts.

EDR: the primary source of endpoint telemetry and the response capability for endpoint-level threats.

SOAR (Security Orchestration, Automation and Response): automates response workflows, enabling rapid execution of containment and remediation actions without manual intervention for known threat patterns.

Threat intelligence platform: aggregates and operationalizes threat intelligence from internal and external sources, feeding detection rules and analyst investigations.

Vulnerability management: integrates vulnerability data into the SOC context so that exploit activity against known vulnerabilities is prioritized appropriately.

In-House SOC vs Co-Managed vs Fully Managed

In-house SOC gives the most control but requires the full investment in people, tools, and process. Appropriate for large enterprises with sufficient budget and a sustained commitment to maintaining the capability.

Co-managed SOC (also called co-managed SIEM) provides MDR analyst coverage as an extension of the in-house team. It is typically used by organizations that have some security staff but not enough for 24/7 coverage or specialist threat hunting. The in-house team and the managed service provider share responsibilities, with the division defined by contract.

Fully managed SOC (MDR) provides the complete SOC capability as a service. The MDR provider owns the tooling, the analyst team, and the operational processes. The customer’s IT team is the escalation partner for confirmed incidents and owns remediation execution. This is the appropriate model for organizations that don’t have in-house security operations staff.

Kaseya’s MDR service, available in Kaseya 365 Pro, provides fully managed SOC capability operated by US-based security experts 24/7. It integrates with Datto EDR and the broader Kaseya 365 platform. Request a demo here.

SOC Metrics That Matter

Mean time to detect (MTTD): how long from initial compromise to detection. Shorter is better; long dwell times allow attackers to establish persistence, escalate privileges, and access valuable data before the incident is identified.

Mean time to respond (MTTR): how long from detection to containment. Speed of containment is the primary determinant of incident scope.

False positive rate: the proportion of alerts that are not genuine threats. High false positive rates waste analyst time and contribute to alert fatigue. A well-tuned SOC should have consistently declining false positive rates as detection rules are refined.

Escalation rate: what proportion of detections require analyst escalation vs automated handling. High escalation rates may indicate tuning opportunities or a threat volume problem.

Coverage breadth: what percentage of the environment’s telemetry sources are covered by SOC monitoring. Gaps in coverage are gaps in visibility.
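To make these definitions concrete, here is an added example (not from the original post or from Kaseya) that computes each metric from a small, constructed set of alert records; the Alert fields, the sample timestamps and the source inventory are all assumptions. It returns None rather than zero when there is nothing to measure, so an empty queue is not mistaken for a perfect score.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Iterable, Optional

@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str                               # telemetry source that raised the alert
    detected_at: datetime
    true_positive: bool                       # analyst-confirmed genuine threat?
    escalated: bool                           # needed an analyst, vs handled by automation
    compromise_at: Optional[datetime] = None  # estimated initial compromise (true positives only)
    contained_at: Optional[datetime] = None   # when containment completed (true positives only)

def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600

def mttd_hours(alerts: Iterable[Alert]) -> Optional[float]:
    """Mean time to detect: compromise -> detection, over confirmed true positives."""
    spans = [_hours(a.detected_at, a.compromise_at)
             for a in alerts if a.true_positive and a.compromise_at]
    return mean(spans) if spans else None     # None = nothing to measure, not "zero dwell"

def mttr_hours(alerts: Iterable[Alert]) -> Optional[float]:
    """Mean time to respond: detection -> containment, over contained true positives."""
    spans = [_hours(a.contained_at, a.detected_at)
             for a in alerts if a.true_positive and a.contained_at]
    return mean(spans) if spans else None

def false_positive_rate(alerts: Iterable[Alert]) -> Optional[float]:
    alerts = list(alerts)
    return sum(not a.true_positive for a in alerts) / len(alerts) if alerts else None

def escalation_rate(alerts: Iterable[Alert]) -> Optional[float]:
    alerts = list(alerts)
    return sum(a.escalated for a in alerts) / len(alerts) if alerts else None

def coverage_breadth(monitored: set, inventory: set) -> float:
    """Share of the environment's telemetry sources the SOC actually ingests."""
    return len(monitored & inventory) / len(inventory)

# Constructed sample data (hypothetical, not from any real environment).
T = datetime.fromisoformat
SAMPLE_ALERTS = [
    Alert("A-1", "edr", T("2024-05-01T10:00"), True, True, T("2024-05-01T08:00"), T("2024-05-01T10:30")),
    Alert("A-2", "identity", T("2024-05-02T00:00"), True, True, T("2024-05-01T00:00"), T("2024-05-02T03:00")),
    Alert("A-3", "edr", T("2024-05-01T12:00"), False, True),     # analyst reviewed, closed as benign
    Alert("A-4", "email", T("2024-05-01T13:00"), False, False),  # auto-closed by a tuned rule
    Alert("A-5", "network", T("2024-05-01T10:00"), True, False, T("2024-05-01T09:00"), T("2024-05-01T10:15")),
]
SOURCE_INVENTORY = {"edr", "identity", "email", "network", "cloud"}
MONITORED_SOURCES = {"edr", "identity", "email", "network"}      # cloud logs not yet onboarded
```

On the sample, a single 24-hour dwell (A-2) pulls MTTD to 9.0 hours even though the other two true positives were caught within two hours, which is why the median or the distribution is usually reported alongside the mean.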

Kaseya SIEM: Enterprise SOC Capability Without Enterprise Staffing

Running a SOC in-house has historically required dedicated security engineers, expensive tooling, and round-the-clock staffing, a barrier that put SOC capability out of reach for most SMBs and mid-market organizations.

Kaseya SIEM, now generally available, changes that calculus: it delivers enterprise-grade security operations without enterprise-grade staffing or cost. It unifies telemetry across endpoint, network, cloud, identity, and email, correlating signals from more than 60 data sources to detect and respond to threats across the full attack surface. Cross-surface correlation gives IT teams the full attack picture in a single interface, automated response contains threats in minutes without bouncing alerts to a human, and 400-day log retention covers compliance out of the box. For teams who prefer not to run an in-house SOC, a 24/7 managed security operations service, accelerated by Kaseya Intelligence, delivers the coverage of a dedicated SOC without the overhead of building one. Explore Kaseya SIEM.

For MSPs, Kaseya SIEM provides a scalable way to deliver SOC-grade security operations across multiple client environments from a single platform, without the headcount that a traditional SOC model demands.

Key Takeaways

  • A SOC provides 24/7 continuous security monitoring, detection, investigation, and response, the operational security function that most organizations can’t afford to build in-house.
  • Building an in-house SOC requires significant, sustained investment in people and tooling. Co-managed and fully managed MDR alternatives deliver equivalent capability at accessible cost.
  • The key metrics (MTTD, MTTR, and false positive rate) measure the operational effectiveness of the SOC, not just its presence.
  • For MSPs, access to managed SOC capabilities (through MDR) is both an internal security asset and a differentiating service offering for clients.
