How much does a SOC cost in 2026: price ranges, models and a complete buying guide

Direct answer

A SOC (Security Operations Center) in Brazil costs, on average, between R$ 180,000 and R$ 600,000 per month when built in-house — including a 24x7 team of 8 to 12 analysts, SIEM, EDR and SOAR licenses, and infrastructure. In the outsourced model (SOC as a service or MDR), subscriptions range from R$ 8,000 to R$ 120,000 monthly depending on company size, monitored assets and the level of response contracted.

In short

  • A 24x7 in-house SOC requires 8 to 12 analysts and costs between R$ 180,000 and R$ 600,000/month, adding up personnel, tools and infrastructure.
  • SOC as a service (MDR) starts at R$ 8,000/month for SMBs and can reach R$ 120,000/month for large organizations with broad scope.
  • The average cost of a single ransomware incident in Brazil exceeds R$ 3.5 million (downtime + remediation + regulatory fines), making the ROI of a SOC positive within a few weeks.
  • SIEM, EDR and SOAR account for 35 to 50% of the total cost of an in-house SOC; licenses range from R$ 15,000 to R$ 200,000/month depending on event volume (EPS) and endpoints.
  • Certifying and retaining SOC analysts is the biggest bottleneck in the in-house model: the sector's average turnover is 25% per year, driving up hidden costs.
  • The typical timeline to stand up a functional in-house SOC is 9 to 18 months; an MDR can be operational in 2 to 6 weeks.

What a SOC is and why the price varies so much

A Security Operations Center (SOC) is the structure responsible for monitoring, detecting, analyzing and responding to cyber threats in real time. It combines people (analysts in shifts), processes (playbooks and response SLAs) and technology (SIEM, EDR, SOAR, Threat Intelligence). This triad explains why there is no single price: each pillar carries a different weight depending on the model chosen.

In the in-house model, the company retains full control but bears all the fixed costs — salaries, benefits, training, licenses and infrastructure. In the outsourced model (also called MDR — Managed Detection and Response), the provider amortizes those costs across multiple clients, drastically reducing the initial investment. The choice between the two depends on maturity, sector regulation and risk appetite.

Cost of an in-house SOC: what goes into the bill

To operate 24 hours a day, 7 days a week, an in-house SOC needs at least 8 analysts (accounting for 8-hour shifts, time off and vacations). More mature organizations run with 10 to 12 professionals, including a SOC Manager and analysts at Level 1 (triage), Level 2 (investigation) and Level 3 (incident response and threat hunting). In 2026, market salaries for these roles in Brazil range from R$ 6,000 (junior L1 analyst) to R$ 25,000 monthly (senior L3 analyst / threat hunter), producing a payroll of R$ 80,000 to R$ 200,000 monthly — before employment charges, which add 70 to 80% on top of the CLT base.

Beyond the team, an in-house SOC needs tools. An enterprise SIEM (Microsoft Sentinel, Splunk, IBM QRadar) costs R$ 15,000 to R$ 120,000/month depending on the volume of logs ingested. EDR platforms (CrowdStrike, SentinelOne, Defender for Endpoint) add R$ 80 to R$ 250 per endpoint/year. SOAR solutions (Palo Alto XSOAR, Splunk SOAR) add R$ 10,000 to R$ 60,000/month. Threat Intelligence feeds (VirusTotal Enterprise, Recorded Future) cost R$ 15,000 to R$ 80,000/year. Network infrastructure, VPN, log storage and a physical NOC add another R$ 15,000 to R$ 60,000/month, depending on scale.

Threat Management · Free

Not sure where to start? Take Decripte's free assessment and find out in minutes which SOC model makes sense for the size and risk of your business.

No card, no commitment. Find out in minutes what has already leaked from your company and what your real risk is.

SOC as a service and MDR: price ranges by company size

In the outsourced model, the price is almost always a monthly subscription based on the number of monitored endpoints, events per second (EPS) and response scope. The table below summarizes the typical ranges in the Brazilian market in 2026.

| Company size | Monitored endpoints | Monthly range (MDR/SOC as a Service) | Estimated in-house SOC/month | |---|---|---|---| | SMB (up to 100 endpoints) | up to 100 | R$ 8,000 – R$ 20,000 | Economically unviable | | Mid-sized (100–500 endpoints) | 100–500 | R$ 20,000 – R$ 55,000 | R$ 200,000 – R$ 350,000 | | Large company (500–2,000 endpoints) | 500–2,000 | R$ 55,000 – R$ 120,000 | R$ 300,000 – R$ 500,000 | | Corporate / Regulated (2,000+ endpoints) | 2,000+ | R$ 100,000 – R$ 200,000+ | R$ 450,000 – R$ 800,000+ | The outsourced SOC ranges include 24x7 monitoring, alert analysis, monthly reports and, in the more complete plans, active response with endpoint isolation and incident containment. Onboarding costs (log source integration, playbook tuning) are usually charged separately, between R$ 15,000 and R$ 80,000.

It's worth noting that regulated sectors — banks (Bacen Resolution 4.893), health plan operators (ANS) and companies with large volumes of personal data (LGPD with ROPDs) — frequently require additional contractual clauses on data location, notification SLAs and compliance reports, which raises the MDR price tag by 15 to 30%.

Factors that most affect the final price

Beyond company size, five variables significantly change the budget of any SOC. First: the volume of logs and EPS (events per second). Environments with many legacy systems, OT/ICS or multiple clouds generate exponentially larger log volumes, driving up the cost of any SIEM. Second: the level of response contracted. Passive monitoring (alerts and reports) costs less than active response with a containment SLA of under 1 hour.

Third: attack surface coverage. Including OT endpoints, cloud workloads, web applications, corporate email and identity (ITDR) expands the scope — and the cost. Fourth: log retention requirements. Regulations such as LGPD, PCI-DSS and ISO 27001 require retention of 12 to 36 months; each additional terabyte of storage adds cost. Fifth: integration with existing tools. Environments with heterogeneous tooling (a mix of Microsoft, Google Workspace, external SaaS, firewalls from multiple vendors) demand more integration hours and custom connectors.

Threat Management · Free

No card, no commitment — understand your real risk before you invest.

No card, no commitment. Find out in minutes what has already leaked from your company and what your real risk is.

ROI and the cost of not having a SOC

Calculating the return on investment of a SOC starts with the numbers on the risk side. According to Brazilian market data and the Cost of a Data Breach report (IBM, 2024), the average cost of a serious security incident in Brazil exceeds R$ 3.5 million when adding operational downtime, forensic response, legal notifications, regulatory fines and reputational damage. Ransomware attacks against mid-sized companies have an average downtime cost ranging from R$ 50,000 to R$ 300,000 per day.

Two indicators are central to justifying the SOC internally: MTTD (Mean Time To Detect — the average time to detect an incident) and MTTR (Mean Time To Respond — the average time to contain it). Without a SOC, the average MTTD in Brazil exceeds 190 days; with a mature SOC, it drops to under 24 hours. Every day less of exposure directly reduces the cost of the incident. A SOC that costs R$ 40,000/month and prevents or limits a single R$ 1 million incident already pays for more than two years of operation.

Most common mistakes when hiring a SOC

The most frequent mistake is choosing the provider by lowest price without assessing the real response SLA. Contracts that promise '24x7 monitoring' but deliver only email alerts during business hours are not a SOC — they're a NOC. Require SLAs with contractual penalties for MTTD and MTTR, and verify whether the contract includes active response or only passive notification.

Other critical mistakes: not integrating all relevant log sources (leaving blind spots in the cloud, email and mobile endpoints); not defining a clear escalation process for critical incidents; hiring an MDR without running a prior assessment to understand the real attack surface; and neglecting the quarterly review of playbooks, which become obsolete on average within 6 months. In the in-house model, underestimating the cost of talent retention and the need for continuous training (certifications such as GCIA, GCIH, eCIR) is the main cause of failure.

Key terms

SOC (Security Operations Center)
The security operations center responsible for continuously monitoring, detecting, analyzing and responding to cyber threats, combining a specialized team, documented processes and integrated security tools.
MDR (Managed Detection and Response)
An outsourced SOC model in which a specialized provider offers 24x7 monitoring, threat analysis and active response as a monthly subscription service, eliminating the need to build internal infrastructure.
SIEM (Security Information and Event Management)
A platform that collects, correlates and analyzes logs and security events from multiple sources in real time, generating alerts and reports that underpin SOC operations.
MTTD / MTTR
Mean Time To Detect (the average time to detect an incident) and Mean Time To Respond (the average time to contain it). They are the main efficiency KPIs of a SOC; the lower they are, the lower the financial cost of incidents.

How to decide and hire well

  1. Step 1 — Map your attack surface: list all critical assets (endpoints, servers, cloud, OT, email), the volume of logs generated and the regulatory requirements of your sector before any conversation with a provider.
  2. Step 2 — Define the model: assess internally whether your company has the maturity, budget and talent-retention capacity for an in-house SOC or whether an MDR is a better fit — for most SMBs and mid-sized companies, the MDR offers better value.
  3. Step 3 — Set non-negotiable SLAs: require a maximum MTTD SLA (suggested: 1 hour for critical incidents) and a maximum MTTR (suggested: 4 hours for initial containment), with clear contractual penalties for non-compliance.
  4. Step 4 — Validate technical coverage: confirm the provider integrates all your log sources — not just Windows endpoints, but also cloud workloads (AWS/Azure/GCP), SaaS, firewalls and identity (Active Directory / Entra ID).
  5. Step 5 — Request a proof of concept (PoC): ask for at least 30 days of monitored PoC with real alert reports before signing a long-term contract; assess the quality of the analysis and the level of context provided.
  6. Step 6 — Evaluate the response model: understand whether the contract includes only detection and notification or also active response (endpoint isolation, credential revocation, network containment); the cost difference is significant, but so is the difference in real protection.
  7. Step 7 — Ensure continuous review: include in the contract or internal plan quarterly playbook reviews, monthly coverage reports and simulation tests (tabletop exercises or purple team) at least twice a year.

Frequently asked questions

Is it worth building an in-house SOC or hiring an outsourced service?

For most companies with fewer than 2,000 endpoints, an MDR (outsourced SOC) offers better value. Building an in-house SOC requires an initial investment of R$ 200,000 to R$ 600,000 monthly, a 9-to-18-month timeline to reach maturity, and a high risk of team turnover. An in-house SOC makes sense for large corporations with very specific regulatory requirements, ultra-sensitive data that cannot leave the environment, or that already have a high security maturity.

What is the minimum price of a SOC as a service in Brazil?

For SMBs with up to 100 endpoints and a basic scope (monitoring EDR + firewall + email), MDR services can be found from R$ 8,000 to R$ 12,000 monthly. Below that figure, be suspicious: it's probably just passive monitoring with no real response. The onboarding and initial integration cost is usually charged separately, ranging from R$ 10,000 to R$ 40,000.

How many analysts are needed for a 24x7 SOC?

To cover three 8-hour shifts, 7 days a week (including weekends and holidays), the operational minimum is 8 analysts. Factoring in absences, vacations and turnover, the ideal number is between 10 and 12 professionals for a Level 1 and 2 SOC. To include Level 3 (threat hunting and advanced response), add 2 to 4 senior specialists.

What should be in the SLA of a SOC contract?

The essential items are: a maximum MTTD per alert criticality (e.g., 15 min for critical, 1h for high, 4h for medium), a maximum MTTR for initial containment, minimum platform availability (usually 99.5% or higher), the frequency and format of reports, the escalation process for P1 incidents, log source coverage and each party's responsibilities in incident response.

Does a SOC protect against ransomware attacks?

An effective SOC significantly reduces the impact of ransomware by detecting anomalous behavior in the early phases of the attack (initial access, lateral movement, exfiltration) before the payload executes. Studies show that SOCs with an MTTD under 24 hours reduce the average cost of incidents by up to 40%. However, a SOC does not replace preventive controls such as patching, MFA and immutable backups.

Which certifications should I require from a SOC provider?

The main certifications that validate a provider's maturity are: ISO 27001 (information security management), SOC 2 Type II (externally audited security and availability controls) and, for the financial sector, compliance with BCB Resolution 4.893. Also make sure the analysts hold individual certifications such as CompTIA CySA+, GCIA (GIAC), GCIH or equivalents recognized by the market.

References

How Decripte solves this

From the free assessment to the managed service — pick the right entry point.

Not sure where to start? Take Decripte's free assessment and find out in minutes which SOC model makes sense for the size and risk of your business.

Start free with Threat Management and see what is already exposed. Move up to the managed plans when it makes sense — without building an in-house team.