Most organisations need 24/7 security monitoring and response capability — the regulatory expectation has settled there, the threat landscape demands it, and customers increasingly require it. Few organisations can afford to build that capability fully in-house, and few would be wise to. The security operations buying decision — in-house SOC, traditional managed security service provider (MSSP), or managed detection and response (MDR) — defines the programme for years. The three models produce different outcomes for different organisations, and the vendor pitch is rarely the right basis for the decision.
In-House SOC
An in-house SOC is the highest-control, highest-cost option. The organisation operates its own security operations function — analysts, engineers, tooling, processes. The capability sits within the organisation, the analysts know the business deeply, and response is unconstrained by vendor SLAs. The cost is substantial — 24/7 coverage requires at least 8-12 analysts plus management, plus tooling, plus the supporting infrastructure. For organisations with material security budgets and complex environments, the control is worth the cost. For smaller organisations, the per-incident cost makes the model uneconomical relative to alternatives.
Traditional MSSP
Traditional MSSPs provide outsourced security operations — alert monitoring, basic triage, ticket handoff to the customer for response. The economics work because the MSSP operates the SOC across many customers, spreading fixed costs. The model holds up for organisations that have internal capacity to handle ticket follow-through and need cost-effective monitoring. The model struggles when the customer expects response rather than just monitoring: the MSSP analyst rarely has the context to make response decisions, and the handoff to the customer adds latency that material incidents cannot afford.
Managed Detection and Response (MDR)
MDR sits between MSSP and in-house — provider-operated monitoring with active response capability. The MDR provider handles initial response (containment, threat hunting, investigation) rather than just monitoring and ticketing. The cost is higher than MSSP and lower than in-house. The capability is calibrated for organisations that need 24/7 response but cannot justify an in-house SOC, and the model has captured significant market share over the past five years for exactly that reason.
A pattern in security operations buying: the organisation chooses MSSP because it is the cheapest option, the MSSP delivers technically adequate monitoring, customer-side response capacity is insufficient to handle the ticket volume, and material incidents are missed because tickets sat unaddressed. The cost saving from MSSP is real; the cost of missed response is also real. Many of these organisations would have been better served by MDR or by a hybrid where critical environments get MDR coverage and lower-priority environments stay with MSSP.
Hybrid Models
Pure choices among the three are increasingly rare. Many organisations operate hybrid models — in-house SOC for the highest-priority environments, MDR for critical-but-not-core systems, MSSP for long-tail monitoring. The hybrid is more complex to manage but matches the cost-to-capability profile across the estate. Organisations operating hybrid models report consistently better outcomes than organisations forcing a single model across all environments, and the operational complexity is manageable with explicit ownership boundaries.
How to Decide
Map the organisation's security operations needs against capability requirements (24/7 monitoring, response capability, threat hunting, deep investigation, regulatory reporting, integration with engineering). Match capability needs to operating model — needs that exceed MSSP capability should be on MDR or in-house; needs that fit MSSP capability can stay there. Cost-model the alternatives over a realistic horizon (3-5 years); in-house economics improve at scale, while MSSP/MDR costs scale with volume. Consider exit dependency: long-term commitments to provider-specific tooling are harder to leave than independently deployed monitoring.
Practical Components of the Decision
- Defined security operations requirements with capability and SLA expectations
- Cost modelling across at least three years per option, including switching costs
- Provider capability assessment beyond marketing material — request evidence
- Reference conversations with current provider customers in similar industries
- Exit planning before signing — contractual terms, data portability, tooling independence
- Hybrid analysis — most organisations land at hybrid even when starting with a single-model preference
Why the Decision Carries for Years
Security operations buying decisions are difficult to reverse. The tooling, the contracts, the institutional knowledge of the provider, the integration with the rest of the security programme — all of these accumulate cost to change. Organisations that get the decision approximately right at the start spend years compounding the value of the choice. Organisations that get it wrong spend years working around the constraints, eventually switching at meaningful cost. Investing in the decision quality up front pays back disproportionately.