Building and running an in-house security operations centre (SOC) is one of the most expensive and difficult projects inside any cybersecurity programme. It needs analysts working three shifts, tools costing five or six figures per year, runbooks tuned over months, threat intelligence integration and a continuous improvement process you can't buy off the shelf. That's why, in 2026, most mid-sized companies in Spain go for SOC as a Service: contracting a specialised provider who already has all that set up and applies it to their systems.
This guide explains what a SOC as a Service actually is, the technical components it includes, the three outsourcing models that exist, the SLAs a serious provider commits to, the average market cost in Spain and the signals separating a professional SOC from a cosmetic service.
What SOC as a Service is
A SOC as a Service (also known as managed SOC, outsourced SOC or, depending on scope, MDR) is a service where a specialised provider puts at your disposal technology, processes and people dedicated to detecting, analysing and responding to security incidents continuously, normally 24x7. It isn't just monitoring: it includes alert triage, initial containment, escalation, communication with your team and iterative improvement of detections.
The question SOC as a Service answers is direct: if someone breaks in or something odd happens in my infrastructure, do we detect it in time and react before it causes damage? The in-house answer depends on having three things at once: technology that sees what's going on, people who can interpret what they see and processes that turn an alert into action.
In practice, a professional SOC as a Service includes:
- Log collection and normalisation from servers, endpoints, firewalls, identity (AD, Entra ID), applications, cloud (AWS, Azure, GCP) and network.
- Detection platform (SIEM, XDR or both) with correlation rules tuned for your environment, not generic recipes.
- L1/L2/L3 analysts who receive alerts, triage them, discard false positives and escalate real ones.
- Threat intelligence integrated with commercial and open source feeds, contextualising alerts with known TTPs from real actors.
- Response automation (SOAR) for repetitive actions: isolate a host, block an IP, disable an account, run a playbook.
- Communication procedures with your team within SLA-defined deadlines.
- Periodic reporting, executive and technical, plus post-incident reports.
- Continuous improvement of rules and detections based on what gets seen in your environment and in other environments from the same sector.
If what you're offered is "we send you SIEM alerts" without analysts to interpret them, that isn't a SOC, it's a monitoring service. The difference shows up when an alert arrives at 03:14 on a Sunday.
Technical components of a SOC
A modern SOC is built on five layers that have to work in a coordinated way. Each one serves a concrete function:
| Layer | Function | Typical technologies |
|---|---|---|
| Collection | Capture everything happening in your infrastructure | Beats, syslog, EDR agents, native cloud connectors |
| Detection | Identify suspicious patterns in what's collected | SIEM (Wazuh, Splunk, Sentinel, Elastic), XDR |
| Analysis and triage | Determine whether an alert is real and what impact it has | Analysts, threat intel, sandboxing |
| Response | Contain and mitigate before things escalate | SOAR, playbooks, EDR with automated response |
| Continuous improvement | Tune rules, eliminate noise, incorporate new threats | Threat hunting, purple team, incident retrospective |
The piece that most distinguishes a solid SOC from a mediocre one isn't the technology, it's the analysts and the runbooks. There are expensive SOCs with excellent tech that generate thousands of alerts per day and nobody looks at them seriously. And there are effective SOCs with a moderate stack that detect real threats because the analysts know the environment and the runbooks are tuned.
Each of these layers has its own technical guide on the blog: the general concept in what is a SOC, the detection layer in what is a SIEM (with Wazuh as the open source alternative), endpoint telemetry in what is EDR, proactive searching for threats in what is threat hunting and the managed response model in what is MDR.
In-house SOC vs SOC as a Service
The decision between building an in-house SOC or contracting a managed one isn't only financial. There are operational variables that weigh as much as cost:
| Factor | In-house SOC | SOC as a Service |
|---|---|---|
| Initial cost | High (licences, integration, hiring) | Low (monthly fee from day 1) |
| Recurring annual cost | €350,000 to €1,500,000 for 24x7 coverage with minimum staff | €60,000 to €400,000 depending on scope and volume |
| Time to operational | 12 to 24 months for reasonable maturity | 4 to 12 weeks of onboarding |
| 24x7 coverage | Requires at least 8 analysts on shifts | Included from day one |
| Business knowledge | Deep from the start | Grows during onboarding and improves over time |
| Threat intelligence | You have to buy feeds and hire talent | Included and shared between provider clients |
| Talent retention | Hard, SOC analysts rotate fast | It's the provider's problem |
| Scaling flexibility | Slow, requires hiring | Immediate, contract adjustment |
| Regulatory audit | All responsibility falls on you | Documented shared responsibility |
The typical tipping point in Spain: below 300 to 500 employees, an in-house SOC rarely pays off except in highly regulated sectors (financial, defence, critical infrastructure). Between 500 and 2,000 employees, the hybrid model (in-house SOC for working hours + SOC as a Service for 24x7) is common. Above 2,000, companies usually have an in-house SOC with specialised services outsourced (advanced threat intel, on-demand hunting).
If you sit in the band where the maths works, Secra's managed cybersecurity service covers the three models (fully outsourced, hybrid and co-managed) with 24x7 SOC on Secra's SIEM or the client's.
Outsourcing models: fully managed, hybrid and co-managed
Not every outsourcing arrangement is the same. There are three main models with different operational and contractual implications:
Model 1: Fully outsourced SOC
The provider operates 100% of the SOC. Your company delivers telemetry, receives escalated alerts and executes mitigation actions in your systems when instructed. The provider has its own SIEM/XDR, analysts, threat intel, SOAR and reporting. It's the simplest model to manage but requires high trust in the provider and a well-oiled communication process.
Ideal for companies that don't want (or can't afford) an in-house SOC team. Common in SMEs and mid-sized companies up to 500 employees.
Model 2: Hybrid SOC
Your company has an internal team covering working hours, and the provider covers nights, weekends and bank holidays. The SIEM is usually shared (it belongs to the provider or the client, depending on contract) and detection logic gets tuned jointly. Response runbooks are shared.
Ideal for mid-sized and large companies that want control over the critical window but don't want the operational complexity of 24x7.
Model 3: Co-managed SOC
The SIEM, tools and infrastructure belong to the client company. The provider contributes only specialised personnel (L2/L3 analysts, threat hunters) who work inside the client's tools. It lets you keep technical control and meet data sovereignty requirements, outsourcing only the talent that's hard to hire.
Ideal for large companies with an in-house SOC that need to reinforce specific areas (hunting, forensics, threat intel) without hiring.
Typical SLAs in a SOC as a Service
Service level agreements are the difference between a SOC with real commitment and a complaint mailbox. The SLAs a professional provider takes on:
| Metric | Definition | Typical range |
|---|---|---|
| MTTD (Mean Time to Detect) | Time between event happening and detection | 5 to 30 minutes for common threats |
| MTTA (Mean Time to Acknowledge) | Time between alert and analyst triage | 5 to 15 minutes for critical severity |
| MTTR (Mean Time to Respond) | Time between detection and initial containment | 15 to 60 minutes for critical severity |
| Coverage hours | SOC operating schedule | 8x5, 16x5 or 24x7 |
| False positives | Percentage of escalated alerts that turn out false | Under 20% in mature SOCs |
| Platform availability | SIEM/XDR uptime | 99.5% to 99.9% |
| Onboarding time | Until the SOC is operational on your environment | 4 to 12 weeks |
Always ask for monthly SLA compliance reporting in writing. Without measurable metrics, "we have a 24x7 SOC" doesn't mean much.
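As an added illustration (not code from the original post or from any Secra tool), the script below computes a month's MTTD, MTTA, MTTR and false-positive rate from constructed ticket records and checks them against critical-severity targets picked from the ranges in the table above. The ticket format, the sample timestamps and the exact threshold values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Targets chosen from the ranges in the table above (critical severity):
# MTTD event->detection, MTTA detection->triage, MTTR detection->containment,
# and the share of escalated alerts that turn out to be false positives.
SLA_MTTD_MIN, SLA_MTTA_MIN, SLA_MTTR_MIN, SLA_FP_PCT = 30, 15, 60, 20.0

@dataclass
class Ticket:
    tid: str
    severity: str
    event_at: str                # when the activity happened (incident timeline)
    detected_at: str             # when the SIEM/XDR raised the alert
    acked_at: str                # when an analyst began triage
    contained_at: Optional[str]  # first containment action; None if never contained
    true_positive: bool          # False = closed as a false positive

# Constructed sample tickets for one month (UTC), not real SOC data.
TICKETS = [
    Ticket("T-0001", "critical", "2026-03-01T03:14:00Z", "2026-03-01T03:20:00Z", "2026-03-01T03:27:00Z", "2026-03-01T04:05:00Z", True),
    Ticket("T-0002", "critical", "2026-03-02T11:00:00Z", "2026-03-02T11:12:00Z", "2026-03-02T11:40:00Z", "2026-03-02T13:10:00Z", True),
    Ticket("T-0003", "high", "2026-03-03T09:00:00Z", "2026-03-03T09:25:00Z", "2026-03-03T09:30:00Z", None, False),
    Ticket("T-0004", "critical", "2026-03-05T22:00:00Z", "2026-03-05T22:08:00Z", "2026-03-05T22:15:00Z", "2026-03-05T22:50:00Z", True),
    Ticket("T-0005", "medium", "2026-03-09T14:00:00Z", "2026-03-09T14:30:00Z", "2026-03-09T14:50:00Z", "2026-03-09T15:40:00Z", True),
    Ticket("T-0006", "high", "2026-03-12T17:05:00Z", "2026-03-12T17:06:00Z", "2026-03-12T17:12:00Z", None, False),
]

def minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO 8601 timestamps ('Z' means UTC)."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (parse(end) - parse(start)).total_seconds() / 60

def sla_report(tickets: list, severity: str = "critical") -> dict:
    """Monthly SLA figures plus the tickets that individually broke a target.
    MTTD averages every true positive; MTTA/MTTR only the chosen severity,
    since that is what the contractual range refers to."""
    tps = [t for t in tickets if t.true_positive]
    sev = [t for t in tps if t.severity == severity]
    fp_pct = 100.0 * sum(not t.true_positive for t in tickets) / len(tickets)
    mttd = mean(minutes_between(t.event_at, t.detected_at) for t in tps)
    mtta = mean(minutes_between(t.detected_at, t.acked_at) for t in sev)
    mttr = mean(minutes_between(t.detected_at, t.contained_at) for t in sev)
    # A monthly average inside the target can hide single tickets that blew
    # it, so list those as well; ask the provider's report to show both views.
    breached = [t.tid for t in sev
                if minutes_between(t.detected_at, t.acked_at) > SLA_MTTA_MIN
                or minutes_between(t.detected_at, t.contained_at) > SLA_MTTR_MIN]
    return {"mttd_min": round(mttd, 1), "mttd_ok": mttd <= SLA_MTTD_MIN,
            "mtta_min": round(mtta, 1), "mtta_ok": mtta <= SLA_MTTA_MIN,
            "mttr_min": round(mttr, 1), "mttr_ok": mttr <= SLA_MTTR_MIN,
            "fp_pct": round(fp_pct, 1), "fp_ok": fp_pct < SLA_FP_PCT,
            "breached_tickets": breached}
```

Running `sla_report(TICKETS)` on the sample shows the point of the per-ticket list: the average MTTA sits inside the target while T-0002 breached both MTTA and MTTR, and the MTTR average and false-positive share both miss their targets.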
Market cost in Spain 2026
The ranges seen in the Spanish market vary a lot depending on environment size (events per second, endpoints, users, cloud accounts) and the chosen model. Indicative industry-wide figures, not a Secra proposal:
| Organisation size | Model | Annual cost range |
|---|---|---|
| SME up to 100 employees | Standard SOC as a Service 24x7 | €30,000 to €80,000 |
| Mid-sized 100 to 500 employees | SOC as a Service 24x7 + threat intel | €60,000 to €180,000 |
| Mid-large 500 to 2,000 | Hybrid or fully outsourced | €150,000 to €400,000 |
| Large +2,000 employees | Co-managed or reinforced in-house SOC | €300,000 to €1,500,000 |
The cost of an in-house 24x7 SOC with the minimum viable staff in Spain (8 analysts on shifts, supervisor, SIEM engineer, platform) runs around €400,000 to €800,000 annually in operating costs alone, not counting licences or initial investment.
When outsourcing your SOC makes sense
Scenarios where SOC as a Service has clear economic and operational rationale:
- You don't have a SOC and you need one because of NIS2, DORA or ENS. Building one from scratch takes over a year, and NIS2 requires reporting significant incidents within 24 hours (early alert) and 72 hours (incident notification). Outsourcing puts you operational in weeks and covers those deadlines from day 1.
- You have a SIEM but nobody seriously looks at the alerts. Very common syndrome: expensive licence, alerts piling up, false positives unfiltered. A SOC provider clears the noise and turns the SIEM into something useful.
- Your security team is saturated with operations and never gets to improvement work. Outsourcing day-to-day operation lets your internal team focus on strategy, architecture and projects.
- You can't retain SOC analysts. SOC talent rotates a lot. If you've lost three analysts in two years, the maths changes.
- You need 24x7 coverage without hiring 8 people. Far cheaper and operationally more stable.
And two where it doesn't make sense:
- Your business demands full data sovereignty and you don't accept telemetry leaving your infrastructure. Co-managed or in-house SOC fits here.
- You operate systems so specific that no provider understands them. Some very specific industrial OT or ICS environments require an in-house team or very specialised consulting.
If your case is clearly in the first group, the next decision is choosing model and provider. At Secra's managed cybersecurity we cover the three models described above with measurable SLAs and 24x7 coverage from onboarding.
How to choose a SOC as a Service provider
Five criteria separate a professional provider from one that sells a pretty dashboard:
- SLA metrics in writing and contract. MTTD, MTTA, MTTR, false positives. If they don't commit to numbers, they don't commit to anything.
- Identifiable technical team. Analysts with documentable experience, certifications (GCIH, GCFA, GCIA, OSCP, OSDA), public LinkedIn profiles. If you can't see the team, there's no team.
- Structured onboarding with clear phases: asset inventory, source integration, rule calibration, incident drill, go-live. Not "we activate it and that's it".
- Data sovereignty and regulatory compliance. Where your logs are stored, how long they're retained, who accesses them, whether they meet ENS, ISO 27001 or whichever scheme your sector demands. Ask for the documentation.
- Realistic demo, not marketing. Ask to see the client portal with a real, sanitised case: an escalated alert, a post-incident report, a reporting dashboard. If they only show slides, there's no product.
SOC, MDR, MSSP: clarifying terms
These three concepts overlap and get used with different criteria depending on the provider. The quick distinction:
- SOC as a Service. Managed detection and response service on the client's infrastructure with SIEM/XDR, analysts and response processes. Emphasis on operating the centre.
- MDR (Managed Detection and Response). Specific focus on endpoint detection and response with EDR/XDR technology owned by the provider. Usually a SOC as a Service subset focused on advanced threats and automated response.
- MSSP (Managed Security Service Provider). Broader term that includes SOC but also firewall management, VPN, patching, antimalware, identity. It's a commercial umbrella, not a technical category.
For a Spanish organisation in 2026, SOC as a Service and MDR are the two key products. MSSP is relevant if you also want to outsource basic security operations.
Frequently asked questions
How long does a SOC as a Service take to be operational?
Between 4 and 12 weeks depending on environment size and the number of sources to integrate. A fast onboarding in an SME with cloud-native infrastructure and standard endpoints can close in a month. In a hybrid environment with legacy systems and custom applications, it stretches to 12 weeks.
Do I need to have my own SIEM before contracting?
Not necessarily. Some providers bring their own SIEM/XDR (fully managed model), and others work on the client's SIEM (co-managed). In the first model you don't need anything; in the second, you do.
Who keeps legal responsibility in case of an incident?
Ultimate responsibility for data security is always the data controller's (your company). The SOC provider has contractual responsibility defined in the SLA and contract. It's important that the contract covers scenarios of provider failure, incidents involving intent or negligence, and notification obligations.
Is it compatible with NIS2 and DORA?
Yes, and in fact it's the most common option for complying with these regulations' continuous monitoring and incident management requirements. The provider must be able to demonstrate its own regulatory compliance (ISO 27001, ENS, sector-specific certifications).
Is it better to contract SOC as a Service or MDR?
It depends on which assets are most critical. MDR focuses on endpoint detection and response with the provider's EDR/XDR technology, and is very effective against ransomware and advanced threats aimed at workstations and servers. SOC as a Service is broader: it covers endpoints, network, cloud, identity and applications in a coordinated way. For companies that only need to reinforce the endpoint with fast response, MDR works. For companies with a distributed surface (cloud, identity, custom applications), SOC as a Service is the more complete option. Many providers combine both products in the same contract.
How does it affect incident response with authorities (INCIBE-CERT, AEPD)?
The SOC provider participates in detection, containment and initial investigation. Notification to authorities remains the client's responsibility, although many providers assist in drafting the communication and provide the technical records needed. Confirm in the contract that the provider commits to collaborating in forensic response.
What about sensitive data the analysts see?
SOC analysts have access to security telemetry, not business content. In serious contracts, reinforced confidentiality is signed and, where applicable, personal data protection agreements (DPAs) with specific clauses. Providers comply with ENS or ISO 27001 on their own infrastructure.
Can I change provider without losing history?
It depends on the model. In co-managed, the data is yours and you don't migrate anything. In fully outsourced, the contract must include a clause for returning data to the client at contract end, normally in standard formats (CSV, JSON, OCSF) so it can be re-imported into another platform.
Where to start
If your company is evaluating outsourcing the SOC, the reasonable order is:
- Inventory of telemetry sources. What needs to be monitored (servers, endpoints, cloud, identity, applications, network).
- Service scope definition. Detection, response, threat hunting, forensics, regulatory reporting.
- Coverage hours. 8x5, 16x5 or 24x7 depending on business criticality.
- Outsourcing model. Fully managed, hybrid or co-managed.
- Three comparable proposals. Same scope, same SLAs, same coverage. Without matching scope there's no useful comparison.
- A 4 to 8 week pilot before signing the long contract. It lets you validate real operation, not just the commercial proposal.
At Secra we provide managed cybersecurity integrating SOC, SIEM and continuous monitoring, with use cases adapted to the company's regulatory profile (NIS2, DORA, ENS, ISO 27001). If you want to review which model fits your environment, get in touch and we'll assess before discussing a proposal.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.