Outsourced SOC: 24/7 cover, without the 12 analysts.
An outsourced SOC, or SOC-as-a-Service, is a 24/7 security operations centre delivered by a third-party UK team. They monitor your environment, triage alerts, hunt for threats, and contain active incidents, without you needing to recruit, staff, and retain a SOC of your own. Precursor's outsourced SOC starts from £900 per month and goes live in under 10 days from signature.
A 24/7 SOC needs three shifts and 8 to 12 analysts. The honest cost is £600,000 to £1,200,000 per year, fully loaded. Outsourcing gives you the same coverage at 8 to 15 percent of that. Same analysts, same shifts, same containment, shared across clients. From £900/month, active in under 10 days.
What is an outsourced SOC?
24/7 SOC cover from a CREST-accredited UK team, without recruiting, staffing, and retaining a 12-analyst rota of your own.
An outsourced SOC, or SOC-as-a-Service, is a 24/7 security operations centre delivered by a third-party UK team. They monitor your environment, triage alerts, hunt for threats against the MITRE ATT&CK Enterprise matrix, and contain active incidents, without you needing to recruit, staff, and retain a SOC of your own.
The maths nobody puts on a website.
A 24/7 SOC needs three shifts. Each shift needs at least two analysts, plus an L2 escalation tier and an L3 lead for serious incidents. Plus holiday cover, sick cover, attrition cover, and the SOC manager who runs the whole thing.
The honest staffing maths for a UK in-house SOC is 8 to 12 analysts. The honest cost is £600,000 to £1,200,000 per year, fully loaded. Per the (ISC)² Cybersecurity Workforce Study, the UK already has a 73,000-analyst gap, which is why the in-house route compounds in difficulty year on year.
Outsourcing a SOC gives you the same coverage at 8 to 15 percent of that cost. Not because outsourced analysts are cheaper, but because you share them with other clients and you do not pay for the empty desks at 3am on a Sunday in August. NCSC's own SOC building guidance spells out the staffing rota explicitly, and it is an honest read of what an in-house build actually requires.
| What you need | In-house UK SOC | Outsourced SOC |
|---|---|---|
| 24/7 analyst coverage | 8 to 12 analysts across three shifts | Included |
| SIEM platform & tuning | £60k to £200k/year licensing plus 1 FTE engineer | Included or BYO |
| Threat intelligence feeds | £40k to £100k/year | Included |
| Annual training and CREST exams | £80k to £150k/year | Provider's responsibility |
| SOC management overhead | 1 SOC manager (£90k+) plus an L3 lead | Included |
| Time to operational | 9 to 18 months (hire, build, tune, accredit) | Under 10 days |
| Annual cost (300 endpoints, 3 cloud tenants) | £600,000 to £1,200,000 | £40,000 to £100,000 |
| Cost to scale to 1,500 endpoints | +2 to 4 analysts (£200k+) | Tiered uplift, no new hires |
The decision is rarely "should we outsource?" It is "what does our SOC look like for the budget we actually have?"
What an outsourced SOC actually covers.
The capabilities scope is the same whether you build or buy. The difference is who runs it.
When outsourced SOC engagements break down.
Outsourcing the SOC is the right answer for most UK mid-market firms. It is not the right answer for everyone, and it does not fix every problem. The five common ways an outsourced SOC engagement fails:
- 01. The provider sends alerts instead of resolving them.
  Some providers bill themselves as MDR but operate as MSSP, forwarding triaged alerts to your team and waiting. If the SLA is "alerts within 15 minutes" but no commitment on containment, you have an alert subscription, not a SOC.
- 02. The provider skips the tuning window.
  A SOC that flips straight to live monitoring on day one has not tuned anything to your environment. Generic rules produce generic alerts, which produce alert fatigue, which produces missed incidents in month four. Onboarding speed only matters if the tuning phase is genuinely part of it, not skipped to hit a faster go-live date.
- 03. The named technical lead disappears after signature.
  You meet a CREST-certified L3 in the sales meeting and a junior analyst on the first incident. Ask in writing who runs your account day one to year two.
- 04. The provider does not know your business.
  A SOC that does not understand your sector's regulatory cycle, change windows, or top-three crown-jewel systems will treat your environment as a queue of tickets.
- 05. You haven't invested in the basics.
  An outsourced SOC will detect a domain admin compromise. It will not stop it from being possible in the first place. Without identity hygiene, patching, and EDR coverage, the SOC is reading the smoke alarm in a building with no fire doors.
The right test is the third meeting. By then, a serious provider will have asked you about your top-three systems, your last three incidents, and what your auditor actually checks. If they have only talked about their platform, walk away.
What a good UK outsourced SOC looks like.
Six things to require, in writing, before signing.
UK SOC, UK analysts.
Not a UK sales office wrapping an offshore delivery floor. Ask where the L1 analysts who triage your alerts at 3am physically sit. Ask for floor photos.
CREST SOC accreditation, not just CREST membership.
CREST membership is a directory listing. CREST SOC accreditation is a third-party audit of the operations centre's processes, staff, and controls.
Named technical lead and L3 escalation contact.
First names, surnames, certifications, written into the contract. The same names twelve months later.
Containment SLAs, not alert SLAs.
A 15-minute alert SLA is meaningless. A 60-minute mean-time-to-contain on Critical incidents is a commitment.
Vendor-agnostic integration.
If the provider only supports their own EDR, you are buying lock-in, not a SOC. Bring-your-own EDR options should be standard.
Transparent pricing, written tiers.
"POA" on a website is a confidence problem. A serious provider publishes starting prices and tier structures.
How Precursor's outsourced SOC is different.
Most outsourced SOC providers are defensive-only. We test the same environments we defend. The closed loop matters more than it sounds.
Closed-loop, not just defensive
Our pen testers find what a real attacker would. Our SOC writes the detection for that exact attack path. Most providers cannot write detection rules from scratch because they have never executed the attack.
UK SOC, Newcastle floor
Our analysts are based in Newcastle and Leeds. UK employees, BPSS-cleared as standard, with no offshoring and no follow-the-sun handover. You can visit. Many clients do.
Pricing in writing, from £900/month
Three tiers, published in the proposal. Onboarding cost, monthly cost, what's included, what's not. No surprise overage charges.
Under 10 days to active
Discovery, log source connection, baseline tuning, detection rule deployment. Active monitoring from day 10 onwards. Most providers take three to six months.
Outsourced SOC pricing.
Three tiers. Real numbers. The proposal contains the same numbers, plus the line items for your specific environment.
| Tier | Essential | Standard | Enterprise |
|---|---|---|---|
| From | £900/month | Scoped to requirements | Scoped to requirements |
| 24/7 monitoring | Yes | Yes | Yes |
| Managed EDR | Single platform | Multi-platform | Multi-platform plus identity |
| Threat hunting hours | Quarterly review | Monthly hunt | Continuous, named hunter |
| Initial human investigation | Within 10 minutes | Within 10 minutes | Within 10 minutes |
| Incident response | Best-effort | Retained, named L3 | Retained, named team |
| Monthly executive readout | Email summary | 30-min board video | Onsite or video |
How outsourcing works in practice.
Four steps from contract to active monitoring. The whole thing takes under 10 days for most environments. Larger or more regulated estates may extend the tuning window before going live.
Engagement Workflow
Structured to minimise operational friction and maximise the value of the testing window.
Discovery and scope
We map your environment: log sources, EDR coverage, identity provider, cloud tenants, crown-jewel systems, regulatory cycle. We agree what gets ingested and what does not.
Connector deployment
Log forwarding from your SIEM or directly from sources. EDR agents deployed if not already in place. Initial detection rules loaded.
Baseline and tuning
We run the SOC in shadow mode. Tune rules to your environment, suppress noise, validate playbook coverage. You see the dashboard, we tune the false positives.
Active monitoring
Live triage, hunt, and respond. First monthly readout at day 30. First quarterly threat hunt review at day 90.
Related services
Adjacent capabilities in the Precursor defensive stack.
Managed Detection and Response
Endpoint and cloud workload focused. The MDR subset of a full outsourced SOC.
Managed SOC service
The full SOC capability spec, tech stack, integrations, and SOC tour.
Microsoft 365 Security Monitoring
Exchange Online, SharePoint, Teams, OneDrive monitoring as part of a managed SOC.
Bring Your Own EDR
Keep your existing EDR licence; we add the 24/7 SOC layer on top.
Talk to a SOC analyst, not a sales team.
Tell us your environment, your last incident, and your worst regulatory deadline. We will scope the right tier, in writing, within five working days. If outsourcing is not the right answer, we will say so.
Outsourced SOC: common questions.
Pricing, onboarding, accreditations, and how outsourced SOC compares to MDR and MSSP.
Precursor's outsourced SOC starts from £900 per month for the Essential tier on a single endpoint platform. Standard and Enterprise tiers are scoped to requirements based on endpoint count, log volume, and depth of threat hunting and incident response cover. Standard adds multi-platform EDR, monthly threat hunting, and a named L3 incident response lead. Enterprise adds continuous threat hunting, identity threat detection, and a named hunter. We provide fixed monthly pricing in writing after a 30-minute scoping call.
An MSSP typically forwards alerts to your team. An outsourced SOC triages, investigates, and contains threats actively, then reports what was done. The right test is the SLA: a provider that commits to mean-time-to-contain (not just mean-time-to-alert) is operating as a SOC, not an MSSP.
Effectively yes. SOC-as-a-Service (SOCaaS) is the cloud-delivered subscription model of an outsourced SOC. Outsourced SOC is the broader term and includes hybrid models where some functions are run in-house and some by the provider.
Standard onboarding takes under 10 days from contract signature to active monitoring. Days 1 to 2 are discovery and scoping. Days 3 to 5 are connector deployment. Days 6 to 9 are baseline and tuning in shadow mode. From day 10 onwards is live triage and response. Larger or more regulated environments may extend the tuning window before going live.
Yes. Vendor-agnostic outsourced SOC is the norm in the UK mid-market. Precursor manages CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Carbon Black, and Elastic Security. The bring-your-own-EDR model preserves your existing licence and adds the 24/7 monitoring layer.
No, if the provider is competent. You get a customer portal showing live ticket status, all alerts triaged, all incidents resolved, and a monthly executive readout. The risk is providers that hide their workings behind a trust-us front door. Always require dashboard access in the contract.
Critical alerts receive human analyst investigation within 10 minutes of firing. The named L3 incident response lead is paged for any Critical or High severity. You receive a phone call within the first hour for incidents that require your team's involvement, plus written incident updates as the investigation progresses. Specific containment timelines are agreed in writing during scoping based on your environment and tier.
Precursor's SOC is based in Newcastle and Leeds. Analysts are UK employees, BPSS-cleared as standard. We do not use a follow-the-sun model with offshore analysts. All data remains within UK data residency requirements.
Managed Detection and Response is endpoint and cloud workload focused, with EDR as the primary telemetry source. An outsourced SOC is broader, ingesting SIEM logs, network telemetry, identity events, and SaaS audit logs alongside endpoint. MDR is a subset of what a full SOC delivers.
CREST SOC accreditation is the UK gold standard, audited against operational, technical, and staffing controls. CHECK accreditation matters for clients with public sector requirements. ISO 27001:2022 is the minimum information security baseline. Cyber Essentials Plus shows the provider runs its own operations to the standards it sells.



