What is a Security Operations Center (SOC)?

A Security Operations Center is the team that monitors, detects, and responds to cybersecurity threats. Learn how SOCs work, what they monitor, and why most mid-market organizations use MDR instead of building internally.

The SOC Model: How Security Operations Centers Work

Tier Structure

SOCs typically operate with tiered analyst structures. Tier 1 analysts handle initial alert triage — reviewing incoming alerts, filtering false positives, and escalating genuine threats to higher tiers. Tier 2 analysts conduct deeper investigation of escalated events, performing forensic analysis and containment actions. Tier 3 analysts handle complex investigations, threat hunting, and advanced incident response. The tier structure optimizes analyst time by ensuring that routine triage consumes the most junior — and least expensive — analyst capacity while complex investigation is handled by senior analysts.

What SOCs Monitor

Mature SOCs monitor across the full technology stack: network traffic and firewall logs, endpoint detection and response alerts, identity and access management events, cloud platform logs, email security events, vulnerability scan results, and threat intelligence feeds. The SIEM platform aggregates these data sources and surfaces correlated alerts for analyst review. The quality of SIEM detection content — the rules and behavioral models that identify threats — directly determines what the SOC can detect.
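To make the correlation point concrete, here is an added example (not code from the original page or from any SIEM product) of two detection rules run over constructed identity-provider and endpoint events. The rule names, thresholds, hosts, users and IP addresses are all assumptions made up for the illustration. The same twelve events produce no alert for the normal user and two escalating alerts for the attacked account, which is exactly the "detection content determines what the SOC can detect" argument: without the cross-source rule, a lone process start on the endpoint would sit in the queue as a low-confidence event.

```python
"""SIEM-style correlation over constructed identity and endpoint events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: identity-provider (idp) login events and
# endpoint (edr) process-start events. Every value here is made up for this example.
EVENTS = [
    {"ts": "2024-03-01T02:00:01", "source": "idp", "action": "login_failed",  "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:00:30", "source": "idp", "action": "login_failed",  "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:01:05", "source": "idp", "action": "login_failed",  "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:01:40", "source": "idp", "action": "login_failed",  "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:02:15", "source": "idp", "action": "login_failed",  "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:02:50", "source": "idp", "action": "login_failed",  "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:04:10", "source": "idp", "action": "login_success", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:12:00", "source": "edr", "action": "process_start", "user": "alice", "host": "ws-alice", "process": "procdump.exe"},
    {"ts": "2024-03-01T09:00:00", "source": "idp", "action": "login_failed",  "user": "bob",   "src_ip": "198.51.100.4"},
    {"ts": "2024-03-01T09:00:20", "source": "idp", "action": "login_failed",  "user": "bob",   "src_ip": "198.51.100.4"},
    {"ts": "2024-03-01T09:01:00", "source": "idp", "action": "login_success", "user": "bob",   "src_ip": "198.51.100.4"},
    {"ts": "2024-03-01T09:05:00", "source": "edr", "action": "process_start", "user": "bob",   "host": "ws-bob", "process": "procdump.exe"},
]

# Rule parameters (hypothetical thresholds; tune them per environment).
FAIL_THRESHOLD = 5                        # failed logins from one source IP ...
FAIL_WINDOW = timedelta(minutes=10)       # ... within this window, before a success
FOLLOW_ON_WINDOW = timedelta(minutes=15)  # credential-dumping tool after a suspect login
CREDENTIAL_TOOLS = {"procdump.exe", "mimikatz.exe"}


def correlate(events):
    """Run two correlation rules over an event stream and return the alerts raised.

    Rule 1 (identity only): at least FAIL_THRESHOLD failed logins from one source IP
    within FAIL_WINDOW, followed by a successful login from that IP. Counting per IP
    rather than per user also catches a password spray across many accounts.
    Rule 2 (identity + endpoint): a credential-dumping tool started by a user whose
    login Rule 1 flagged within the last FOLLOW_ON_WINDOW. On its own a procdump.exe
    start is a low-confidence endpoint event; correlated with the suspicious login
    it is escalated to critical.
    """
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    failures_by_ip = defaultdict(list)  # src_ip -> timestamps of failed logins
    suspect_logins = {}                 # user -> time of the flagged successful login
    alerts = []

    for ev in parsed:
        if ev["source"] == "idp" and ev["action"] == "login_failed":
            failures_by_ip[ev["src_ip"]].append(ev["ts"])
        elif ev["source"] == "idp" and ev["action"] == "login_success":
            recent = [t for t in failures_by_ip[ev["src_ip"]] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "severity": "high",
                               "user": ev["user"], "src_ip": ev["src_ip"], "ts": ev["ts"],
                               "failed_attempts": len(recent)})
                suspect_logins[ev["user"]] = ev["ts"]
        elif ev["source"] == "edr" and ev["action"] == "process_start":
            flagged_at = suspect_logins.get(ev["user"])
            if (flagged_at is not None and ev["ts"] - flagged_at <= FOLLOW_ON_WINDOW
                    and ev["process"].lower() in CREDENTIAL_TOOLS):
                alerts.append({"rule": "post_login_credential_dumping", "severity": "critical",
                               "user": ev["user"], "host": ev["host"], "process": ev["process"],
                               "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["ts"].isoformat(), a["severity"].upper(), a["rule"], a["user"])
```

Bob's two typos followed by a successful login never reach the threshold, and his later procdump.exe start is not correlated with anything, so he generates no alert; the identical endpoint event for alice becomes a critical alert only because Rule 1 had already flagged her login.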

Build vs. Buy: Internal SOC vs. MSSP/MDR

Building an internal SOC requires substantial investment in personnel, tooling, and operational processes. A 24/7 SOC requires at minimum five to seven analysts per tier to maintain continuous coverage with reasonable working schedules, plus engineering staff for tooling and a management structure for the organization. For mid-market organizations, the fully loaded cost of an internal 24/7 SOC exceeds $2 million annually before tooling costs. MDR providers offer equivalent coverage at a fraction of the cost by amortizing analyst capacity across many customers.

Security Operations Center Metrics

Mean Time to Detect (MTTD) measures the time from an attacker gaining access to the SOC generating an alert. Mean Time to Respond (MTTR) measures the time from an alert to a containment action. Mean Time to Remediate measures the time until affected systems are fully restored. These three metrics provide the most operationally meaningful picture of SOC capability. Note that MTTD can only be computed after an investigation has established when initial access occurred, so it is a lagging metric; MTTR, by contrast, is measurable directly from the alert and case timestamps.

Alert volume and false positive rate are operational health metrics. A SOC overwhelmed with alerts has an effective MTTD that is measured in days rather than minutes, because genuine alerts are buried in false positive noise. Mature SOCs track false positive rates by detection rule and systematically tune rules to maintain signal quality as the environment and threat landscape evolve.
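The following is an added example (not code from the original page or from any vendor) that computes the metrics described in the two paragraphs above over a constructed one-week alert ledger: per-rule false positive rate and queue share, a tuning shortlist, and MTTD, MTTR and mean time to remediate across the true positives. Rule names, timestamps and the tuning thresholds are all made up for the illustration; because the page does not say where "time to remediate" starts, the example measures it from the alert, like MTTR, and says so in the code.

```python
"""SOC health and response metrics over a constructed alert ledger (added example)."""
from collections import Counter
from datetime import datetime, timedelta


def _tp(rule, initial_access, fired, contained, restored):
    """A true-positive record, with the times investigation established."""
    return {"rule": rule, "disposition": "true_positive", "initial_access_at": initial_access,
            "fired_at": fired, "contained_at": contained, "restored_at": restored}


def _fp(rule, fired):
    """A false-positive record: the rule fired, triage closed it as benign."""
    return {"rule": rule, "disposition": "false_positive", "fired_at": fired}


# Constructed one-week ledger; every rule name and timestamp is made up for this example.
ALERTS = [
    _tp("brute_force_then_success", "2024-03-01T01:50:00", "2024-03-01T02:05:00",
        "2024-03-01T02:35:00", "2024-03-02T02:05:00"),
    _fp("brute_force_then_success", "2024-03-02T11:20:00"),
    # Fired overnight, contained only at start of business: a coverage gap shows up in MTTR.
    _tp("rare_parent_child_process", "2024-03-03T22:00:00", "2024-03-04T00:30:00",
        "2024-03-04T08:00:00", "2024-03-05T00:30:00"),
    *[_fp("rare_parent_child_process", f"2024-03-0{d}T13:00:00") for d in (2, 4, 6)],
    # A noisy heuristic that fired every four hours all week and was never a real incident.
    *[_fp("dns_tunnel_heuristic", (datetime(2024, 3, 1) + timedelta(hours=4 * k)).isoformat())
      for k in range(40)],
]


def false_positive_rates(alerts):
    """Per rule: alert count, false-positive count, FP rate and share of the whole queue."""
    total = Counter(a["rule"] for a in alerts)
    fps = Counter(a["rule"] for a in alerts if a["disposition"] == "false_positive")
    n_all = len(alerts)
    return {r: {"alerts": total[r], "false_positives": fps[r],
                "fp_rate": fps[r] / total[r], "queue_share": total[r] / n_all}
            for r in total}


def rules_to_tune(alerts, min_alerts=10, max_fp_rate=0.9):
    """Rules that are both high-volume and almost always wrong: first candidates for tuning.

    The thresholds are hypothetical defaults, not a standard.
    """
    stats = false_positive_rates(alerts)
    return sorted(r for r, s in stats.items()
                  if s["alerts"] >= min_alerts and s["fp_rate"] >= max_fp_rate)


def time_metrics(alerts):
    """MTTD, MTTR and mean time to remediate, in minutes, over true positives only.

    MTTD: initial access (as established by investigation) -> alert fired.
    MTTR: alert fired -> containment action.
    Mean time to remediate: alert fired -> systems restored (assumption: measured from the
    alert, like MTTR, since the page does not fix a start point).
    """
    def minutes(a, start, end):
        delta = datetime.fromisoformat(a[end]) - datetime.fromisoformat(a[start])
        return delta.total_seconds() / 60

    tps = [a for a in alerts if a["disposition"] == "true_positive"]
    if not tps:
        return None
    n = len(tps)
    return {"incidents": n,
            "mttd_min": sum(minutes(a, "initial_access_at", "fired_at") for a in tps) / n,
            "mttr_min": sum(minutes(a, "fired_at", "contained_at") for a in tps) / n,
            "mean_time_to_remediate_min": sum(minutes(a, "fired_at", "restored_at") for a in tps) / n}


if __name__ == "__main__":
    for rule, s in false_positive_rates(ALERTS).items():
        print(f"{rule:28s} alerts={s['alerts']:3d} fp_rate={s['fp_rate']:.2f} "
              f"queue_share={s['queue_share']:.0%}")
    print("tune first:", rules_to_tune(ALERTS))
    print(time_metrics(ALERTS))
```

In this ledger the DNS heuristic is 40 of 46 alerts, about 87% of the queue, with no true positive behind it, which is the situation the paragraph above describes: the two genuine incidents from the other rules are waiting behind it. The overnight incident also shows why the response metrics are tracked per incident before they are averaged; one alert left until the morning turns a 30-minute containment time into a 240-minute MTTR across the week.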

SOC as a Service for PE Portfolio Companies

For PE-backed companies, the SOC question is almost always a build-versus-buy decision in favor of managed services. The math is straightforward: an MDR provider delivers 24/7 security operations with a team of experienced analysts for $100,000-$500,000 annually, depending on organization size and scope. Building equivalent capability internally costs $2-4 million annually. The economics favor MDR for all but the largest portfolio companies.

The critical question is not whether to use an MDR provider but which MDR provider, and whether their coverage actually addresses the threats facing the organization. MDR providers vary significantly in analyst quality, detection content depth, response capability, and scope. Validating MDR provider capability — not just reviewing their marketing materials — is the work that most organizations skip.

Real-World Example: Target 2013 — SOC That Didn't Act

The Target breach in 2013 is as much a story about SOC failure as about technical compromise. Target had deployed FireEye malware detection tooling that correctly identified the malware used in the attack and generated alerts. The alerts were reviewed by Target's security operations team in Bangalore, who escalated to the US security team. The US team did not act on the alerts. The malware continued to operate for weeks, exfiltrating 40 million payment card records. The lesson is critical: security monitoring without effective response processes produces no security outcome. The SOC's value is not in detecting threats — it is in detecting and responding to threats.

24/7 monitoring is required for a SOC to be effective, because attackers time their most damaging actions for nights, weekends, and holidays, when they expect reduced monitoring attention. A SOC staffed only during business hours covers about 40 of the 168 hours in a week, roughly a quarter of the window a threat actor plans around.

How Cloudskope Can Help

Cloudskope's Managed Detection and Response service provides 24/7 SOC capability for mid-market organizations, operated by practitioners with backgrounds in military intelligence, law enforcement, and enterprise security engineering. Our MDR service wraps existing security tooling rather than requiring replacement, delivering immediate coverage uplift without migration disruption.