Blog WatchGuard

Modern SOCs and MDR services IV: Deployment Models

Currently, it is possible to offer managed detection and response services from a SOC that are implemented in different ways. All implementation alternatives have their advantages and disadvantages, which must be carefully evaluated before deciding to adopt one or another deployment model. The most common deployment models include:

Internal SOC

Building a dedicated in-house security operations center is recommended for mature cybersecurity enterprises. Organizations that tend to develop internal SOCs have the budget to support an investment that includes 24/7 efforts. One of the essential advantages of building an internal SOC is maximum visibility and responsiveness across the network. A dedicated internal team will have the capability to monitor the environment, endpoints, users, and applications, providing a complete picture from a threat landscape perspective.

Some disadvantages include the struggle to recruit and retain talent and high upfront investment costs. This model typically takes a considerable amount of time to build and maintain at an adequate level.


The term SOCaaS (Security Operations Center as a Service) refers to a type of managed security service that is Cloud-based, built on a multi-tenant software-as-a-service (SaaS) platform, to deliver 24/7 SOC functions.

Selecting a SOCaaS is recommended for organizations that seek assistance from an outside firm to perform highly skilled monitoring, detection, and response tasks. Some organizations may be mature from a cybersecurity perspective. However, budget constraints and limited expertise may hinder the ability to build a fully functional, internal 24/7 modern SOC. Consequently, some organizations require better expertise to quickly manage monitoring, detection, and response (MDR) efforts and delegate them to a SOCaaS.

The advantages of this model make it the quickest, simplest, most scalable, and most cost-effective model to implement.

Hybrid SOCaaS

Soc models

A hybrid model brings out the best of both worlds; in-house staff complemented by third-party experts, offering a secure approach to detection and response. Most organizations at this level are large enough to build a small team of their own. However, they cannot build a fully functional internal 24/7 modern SOC. This solution is efficient because of its quick up-and-running time. Also, there is a lower alerts and indicators backlog due to the additional analysts who work through advanced technologies and processes.

Additionally, this model offers the best learning experience thanks to the support of the partner’s skilled security operations (SecOps) team.

Finally, this model offers the best learning path for an organization and cybersecurity team, as it provides knowledge transfer from partner experts.

Consider all modern SOC deployment models’ pros and cons before making any decision 

  • In-house SOC is costly and complex. Still, margins are high, and the differentiation can make it worthwhile. 
  • SOCaaS accelerates time-to-market but commoditizes the MDR Services. You wouldn’t be able to add your touch to differentiate from the others. Be sure all agree on who owns your customer information and when, how, and who could get in contact with them.  
  • Hybrid SOCaaS allows partners to gradually mature their security operations practices while maintaining the client relationship, but some investment in people, technology, training, and operations is still needed. 

You can find all the information needed to start the process of modernizing a security operations team in the e-book Modern SOCs and MDR services: what they are and why they matter.  

If you would like to learn more about modern security operations centers, don't miss our series of articles:  

Compartilhe isso: