What is a Security Operations Center (SOC)?


A Security Operations Center is the team that monitors, detects, and responds to cybersecurity threats.

What a SOC Actually Does

A SOC performs four core functions: continuous monitoring of security telemetry from across the organization's environment, detection of suspicious activity through correlation of signals from multiple sources, investigation of detected activity to determine whether it represents a genuine threat, and response to confirmed threats through containment, eradication, and recovery actions. These functions operate around the clock — threats do not respect business hours, and a SOC that does not operate 24/7 has detection gaps that adversaries can exploit.

Mature SOCs also perform proactive functions beyond reactive monitoring: threat hunting that searches for adversary activity not detected by automated tools, threat intelligence consumption that informs detection priorities, detection engineering that improves the SOC's ability to identify specific threats, and continuous tuning of detection rules to reduce false positives and improve signal-to-noise ratio. These proactive capabilities distinguish operational SOCs that meaningfully reduce risk from compliance SOCs that exist primarily to satisfy regulatory requirements.

Build vs. Buy: Internal SOC vs. MSSP/MDR

Building an internal SOC requires substantial investment in personnel, tooling, and operational processes. A 24/7 SOC requires at minimum 8-12 analysts to cover all shifts with redundancy, senior threat hunters and detection engineers, a SOC manager, and the supporting tooling (SIEM, EDR, SOAR, threat intelligence, case management) that can easily exceed $1M annually in licensing alone. For most mid-market organizations, the build option is not financially viable; the buy option — engaging an MSSP or MDR provider — delivers SOC capabilities at a fraction of the cost.

Security Operations Center Metrics

Mean Time to Detect (MTTD) measures the time between an attacker gaining access and the SOC generating an alert. Mean Time to Respond (MTTR) measures the time between that alert and a containment action. Mean Time to Remediate measures the time until affected systems are fully restored. Together, these three metrics provide the most operationally meaningful picture of SOC capability.

Alert volume and false positive rate are operational health metrics. A SOC overwhelmed with alerts has an effective MTTD that is measured in days rather than minutes, because genuine alerts are buried in false positive noise. Mature SOCs track false positive rates by detection rule and systematically tune rules to maintain signal quality as the environment and threat landscape evolve.
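As an added example (not code from this article or from Cloudskope), the following Python computes the MTTD and MTTR defined above and the per-rule false positive rate from a set of alert triage records, then flags rules whose noise level warrants tuning. The alert records are constructed sample data, and the field names, rule names and tuning thresholds are assumptions made for illustration.

```python
"""SOC metrics from alert triage records.

Added example for this article, not Cloudskope's tooling. The alert
records are constructed sample data; the field names, rule names and
tuning thresholds are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional


@dataclass
class Alert:
    rule: str                   # detection rule that fired
    alert_time: datetime        # when the SOC generated the alert
    disposition: str            # "true_positive" or "false_positive" after investigation
    # Earliest attacker activity found during investigation; None for false positives.
    first_attacker_activity: Optional[datetime] = None
    contained_time: Optional[datetime] = None   # first containment action; None if not yet contained


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def detection_metrics(alerts: list[Alert]) -> dict[str, float]:
    """MTTD (attacker access -> alert) and MTTR (alert -> containment), in hours.

    Only confirmed incidents count; a false positive has no intrusion to detect.
    The median is reported next to the mean because a single slow investigation
    drags the mean far from what a typical incident looks like.
    """
    incidents = [a for a in alerts if a.disposition == "true_positive"]
    ttd = [_hours(a.first_attacker_activity, a.alert_time)
           for a in incidents if a.first_attacker_activity is not None]
    ttr = [_hours(a.alert_time, a.contained_time)
           for a in incidents if a.contained_time is not None]
    return {
        "mttd_mean_h": mean(ttd), "mttd_median_h": median(ttd),
        "mttr_mean_h": mean(ttr), "mttr_median_h": median(ttr),
    }


def false_positive_rates(alerts: list[Alert]) -> dict[str, tuple[int, float]]:
    """Per rule: (alert count, fraction of alerts closed as false positive)."""
    counts: dict[str, list[int]] = {}
    for a in alerts:
        total_fp = counts.setdefault(a.rule, [0, 0])
        total_fp[0] += 1
        if a.disposition == "false_positive":
            total_fp[1] += 1
    return {rule: (total, fp / total) for rule, (total, fp) in counts.items()}


def rules_needing_tuning(alerts, fp_threshold=0.9, min_alerts=5):
    """Rules whose FP rate exceeds the threshold on a large enough sample.

    Rules with few firings are skipped: two false positives out of two alerts
    is not evidence the rule is noisy, and tuning on that sample risks
    silencing a rule that simply has not fired on a real intrusion yet.
    """
    return sorted(rule for rule, (total, rate) in false_positive_rates(alerts).items()
                  if total >= min_alerts and rate >= fp_threshold)


def _t(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 3, day, hour, minute)


# Constructed sample triage records for one SOC over a few days (not real data).
SAMPLE_ALERTS = [
    Alert("win-psexec-lateral-movement", _t(1, 4), "true_positive", _t(1, 2), _t(1, 5)),
    Alert("win-psexec-lateral-movement", _t(4, 10), "true_positive", _t(3, 22), _t(4, 11, 30)),
    Alert("win-psexec-lateral-movement", _t(5, 9), "false_positive"),
    Alert("edr-ransomware-precursor", _t(6, 20, 15), "true_positive", _t(6, 20), _t(6, 22, 15)),
] + [
    Alert("o365-impossible-travel", _t(d, 8), "false_positive") for d in range(1, 7)
] + [
    Alert("dns-long-txt-query", _t(d, 12), "false_positive") for d in (2, 3)
]


if __name__ == "__main__":
    for name, value in detection_metrics(SAMPLE_ALERTS).items():
        print(f"{name}: {value:.2f}")
    for rule, (total, rate) in false_positive_rates(SAMPLE_ALERTS).items():
        print(f"{rule}: {total} alerts, FP rate {rate:.0%}")
    print("tune:", rules_needing_tuning(SAMPLE_ALERTS))
```

On the sample data the impossible-travel rule is the only one flagged: it fired six times with no true positive, while the DNS rule, also 100% false positive, has too few firings to judge. Reporting the median beside the mean matters in practice, since one incident with a long dwell time before detection will inflate MTTD far above what most incidents experience.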

SOC as a Service for PE Portfolio Companies

For PE-backed companies, the SOC question is almost always a build-versus-buy decision in favor of managed services. The math is straightforward: an MDR provider delivers 24/7 security operations with a team of experienced analysts for $100,000-$500,000 annually, depending on organization size and scope. Building equivalent capability internally costs $2-4 million annually. The economics favor MDR for all but the largest portfolio companies.

The critical question is not whether to use an MDR provider but which MDR provider, and whether their coverage actually addresses the threats facing the organization. MDR providers vary significantly in analyst quality, detection content depth, response capability, and scope. Validating MDR provider capability — not just reviewing their marketing materials — is the work that most organizations skip.

Real-World Example: Target 2013 — SOC That Didn't Act

The Target breach in 2013 is as much a story about SOC failure as about technical compromise. Target had deployed FireEye malware detection tooling that correctly identified the malware used in the attack and generated alerts. The alerts were reviewed by Target's security operations team in Bangalore, who escalated to the US security team. The US team did not act on the alerts. The malware continued to operate for weeks, exfiltrating 40 million payment card records. The lesson is critical: security monitoring without effective response processes produces no security outcome. The SOC's value is not in detecting threats — it is in detecting and responding to threats.

24/7 Monitoring

Around-the-clock monitoring is required for a SOC to be effective, because attackers time their most damaging actions for nights, weekends, and holidays, when they expect reduced monitoring attention. A SOC staffed only during business hours covers roughly 40 of the 168 hours in a week, under a quarter of the window a threat actor has to work in; even eight hours a day, seven days a week, is only a third.

How Cloudskope Can Help

Cloudskope's Managed Detection and Response service provides 24/7 SOC capability for mid-market organizations, operated by practitioners with backgrounds in military intelligence, law enforcement, and enterprise security engineering. Our MDR service wraps existing security tooling rather than requiring replacement, delivering immediate coverage uplift without migration disruption.