In-house SOC vs SOC as a service: which is more worth it?
Direct answer
For most small and mid-sized Brazilian companies, SOC as a service (SOCaaS/MDR) is more worth it: you pay a range of R$ 8,000 to R$ 60,000 per month and get mature 24x7 coverage already in place, whereas an in-house 24x7x365 SOC requires a minimum team of 8 to 12 people and realistically costs R$ 2.5 million to R$ 6 million a year in payroll alone — not counting SIEM, EDR, tools and the 12 to 24 months of ramp-up. An in-house SOC only starts to make financial sense above around 2,000–3,000 monitored assets, with a strong regulatory requirement (such as the Central Bank's cybersecurity resolutions, updated by CMN 5.274/2025) or data so sensitive it justifies keeping the operation in house. The honest decision is not 'which is cheaper' but 'at what scale does the fixed cost of an in-house team pay off against the service — and how much risk are you willing to carry while it matures'.
In short
- ›Real 24x7x365 coverage requires at least 8 to 12 professionals — the industry rule of thumb is 4.5 to 5 full-time people to keep ONE single seat staffed all year (vacations, sick leave, time off, 3 shifts). This is the fact that breaks the math of an in-house SOC for most companies.
- ›The total cost of an in-house SOC in Brazil realistically runs between R$ 2.5M and R$ 6M/year (payroll + SIEM + EDR + threat intel + training), and it takes 12 to 24 months to mature to the point of detecting well.
- ›SOC as a service (SOCaaS/MDR) delivers mature 24x7 detection and response for a monthly range of R$ 8,000 to R$ 60,000, depending on size, number of assets and scope (detection only vs. managed response). As an anchor, MDR per endpoint runs around R$ 60 to R$ 85 per asset/month in the market.
- ›Turnover is the biggest hidden risk of an in-house SOC: SOC analysts have high churn and the knowledge leaves with the person; in the service model, continuity is the provider's contractual responsibility.
- ›MDR is not the same as SIEM or antivirus: it's human-managed detection and response over EDR/network/cloud telemetry, with analysts who actually contain the threat, not just generate an alert.
- ›There is no single honest price — it depends on assets, log retention, response scope and SLA. Be wary of anyone who nails down a fixed figure without understanding your environment.
What a SOC really is — and why 24x7 is the heart of the decision
SOC stands for Security Operations Center. In practice, it's the function (not necessarily a room) responsible for three things: continuously monitoring the company's security signals, detecting malicious activity and responding before it becomes a serious incident. Everything else — SIEM, EDR, playbooks, threat intelligence — are tools and inputs in service of those three tasks. When someone asks 'how much does a SOC cost,' the real question is 'how much does it cost to keep detection and response working every day, all the time.'
And here is the detail that defines the entire economics of the decision: threats don't keep business hours. A large share of ransomware attacks is launched in the middle of the night, on weekends and on the eve of holidays, precisely because that's when the IT team is out. Front-line data from Mandiant (the M-Trends report) shows that, in ransomware cases, the time between compromise and destructive action is short — the median dwell time in ransomware intrusions was around 6 days, and more than half of those cases were discovered in a week or less, indicating that the attacker moves fast. If your detection only works from 9 a.m. to 6 p.m. on business days, you are blind for about two-thirds of the hours in the year. That's why '24x7' is not a marketing luxury: it's the minimum requirement for the SOC to fulfill the function it exists for.
The problem is that 24x7x365 coverage is expensive to produce with your own people, and that's the root of this entire guide's comparison. A year has 8,760 hours. In Brazil, one person works around 1,760 to 1,900 productive hours per year after subtracting vacations, holidays, time off and the legal workday. The math is relentless: to keep at least one person on duty every hour of the year, with minimal shift overlap and margin for absences, you need far more people than intuition suggests. It's this calculation that separates those who can have an in-house SOC from those who should contract it as a service.
It's worth separating two concepts that are often confused. A SOC is the detection and response operation; SIEM (Security Information and Event Management) is the tool that collects and correlates logs; EDR (Endpoint Detection and Response) is the sensor and response agent on the endpoint. Buying a SIEM or an EDR is not having a SOC — it's having the instrument without the musician. Most of the expensive failures we see in the market come precisely from this: the company invests hundreds of thousands of reais in licenses and discovers, a year later, that no one was watching the alerts at 3 a.m.
The real cost of an in-house SOC in Brazil: why it needs 8 to 12 people
Let's do the headcount math honestly, because that's where almost every in-house SOC plan stumbles. To cover 24 hours a day, you need three shifts. If you want each shift to have at least two analysts on duty — and the prudent minimum is two, because one person alone cannot investigate an incident and keep monitoring at the same time, nor can they fall sick — you're already at six simultaneous seats. But a simultaneous seat is not a person: each chair must be filled 365 days a year, including the weeks when the incumbent is on vacation, on sick leave or on compensatory time off. The industry rule of thumb, cited by SOC operators such as Expel and others, is that covering a single 24x7x365 seat consumes 4.5 to 5 full-time people (and more than 4 even in the unrealistic scenario of zero vacations and zero absences). For two simultaneous seats per shift across three shifts, the tally of front-line analysts already exceeds eight, and that's before any specialized role.
Add to that what a SOC needs to be more than an alarm desk: at least one senior analyst or shift lead (Level 2/3) for deep investigations and threat hunting, a detection engineer to write and tune the SIEM rules, and a SOC coordinator or manager for processes, metrics and the relationship with the business. We arrive, realistically, at a minimum team of 8 to 12 people for an in-house 24x7 SOC that actually works. Smaller teams exist, but they operate on an on-call basis at night, which means degraded coverage precisely during the hours when attacks happen — you save on payroll and pay dearly in response time.
Now the numbers, with an important note of honesty: there is a huge difference between the low-cost 'alarm-desk SOC analyst' (whose median public salary in Brazil is around R$ 3,000 to R$ 5,000 and who delivers shallow triage) and the qualified professional you actually need to detect well. For a SOC that works, the realistic market ranges in 2026 are: a capable L1/L2 analyst costs somewhere between R$ 6,000 and R$ 12,000 monthly; a senior analyst or detection engineer, between R$ 12,000 and R$ 22,000; a SOC coordinator, from R$ 16,000 to R$ 30,000 — varying quite a bit by region, real seniority and the scarcity of the profile. On top of the gross salary come charges, benefits and provisions (13th salary, vacations, FGTS, INSS, meal voucher, health plan) that, under the CLT regime, typically add 60% to 100% over the base salary. Multiplying a team of 10 people in a realistic mix by these factors, the annual payroll of an in-house SOC easily lands between R$ 2.5 million and R$ 4.5 million a year — in people alone.
And people are only one part. On top of payroll come the tools: a SIEM platform (licensed by the volume of data ingested — the famous cost per GB/day that grows with the company), EDR for each endpoint, threat intelligence feeds, SOAR for automation, cloud log analysis tools, and the infrastructure to retain logs for as long as the LGPD and your policy require. This adds, conservatively, R$ 400,000 to R$ 1.5 million a year depending on the size of the environment. Training and certifications (without which the team becomes obsolete and demotivated) and the constant replacement due to turnover round out the bill. That's why the honest total range for a mature in-house SOC in Brazil is R$ 2.5 million to R$ 6 million a year — and it still takes 12 to 24 months to mature to the point of detecting well, because rule tuning, false-positive reduction and playbook building cannot be bought, they are built over time.
Want mature 24x7 coverage without assembling a team of 12 people? Start with Decripte's managed 24x7 SOC or talk to us about MDR — we first assess your environment and only then propose a range and scope, with no guessed numbers.
No card, no commitment. Find out in minutes what has already leaked from your company and what your real risk is.
SOC as a service (SOCaaS) and MDR: what you buy and how much it costs
SOC as a service inverts the cost logic. Instead of building and maintaining the 24x7 operation in house, you contract a provider that already has the team, the tools, the processes and — crucially — the scale. That provider operates a SOC shared among several clients, which dilutes the fixed cost of the night shift and of specialization across many companies. It's the same logic as why it makes more sense to contract an energy plan than to build your own power plant: the expensive infrastructure sits with whoever uses it at scale.
Within this umbrella there are two models worth distinguishing, because the confusion between them is the main cause of frustration in contracting. SOCaaS in the strict sense usually means 'alert monitoring and triage as a service' — the provider operates the SIEM and notifies you when something looks wrong, but the response (contain, isolate, eradicate) often stays with you. MDR (Managed Detection and Response) goes further: the provider not only detects but acts — isolates the compromised endpoint, blocks the account, contains the threat in minutes, usually with a contractual SLA. For most companies that don't have an internal arm to respond at night, MDR is what actually solves the problem, because an alert without a response in the right hands is of little use at 3 a.m.
The price ranges of the service model in Brazil, honestly, depend on three main variables: the number of monitored assets (endpoints, servers, identities, cloud accounts), the volume of logs/telemetry ingested and retained, and the depth of scope (detection only vs. managed response with containment). A useful market anchor is the price per endpoint: transparent MDR runs on the order of US$ 11 to US$ 15 per endpoint/month globally, which is roughly R$ 60 to R$ 85 per asset/month in Brazil. From there, as a reference by size: a small company (up to ~100–200 endpoints) usually finds MDR/SOCaaS in the R$ 8,000 to R$ 20,000 per month range; a mid-sized company (200 to 1,000 assets) between R$ 20,000 and R$ 45,000 monthly; and larger operations or those with heavy retention and compliance requirements, from R$ 45,000 to R$ 80,000 or more. Billing models vary between price per endpoint/asset, per data volume, or a fixed package by size — and each model has traps we detail below.
The decisive economic point is the comparison of orders of magnitude. A robust SOCaaS/MDR for a mid-sized company, at R$ 30,000/month, costs R$ 360,000 a year and delivers mature 24x7 coverage from month one. The equivalent in-house SOC would cost 7 to 15 times more and take over a year to reach the same level of detection. For the overwhelming majority of Brazilian companies below the size of a large corporation or bank, that difference is not marginal — it's the difference between having and not having real operational security. To size the risk being avoided: the IBM Cost of a Data Breach 2025 report points to an average cost of a data breach in Brazil of R$ 7.19 million, and shows that the use of threat intelligence and AI governance is among the factors that most reduce that cost — exactly the kind of capability a mature service delivers immediately. That's also why entry paths exist, such as our managed 24x7 SOC and the MDR track, designed for companies that need real coverage without assembling an entire team.
Comparison table: in-house SOC vs SOC as a service
The table below summarizes the comparison across the dimensions that really weigh in the buying decision — cost, time to operational, quality of coverage and the structural risks of each model. Use it as a starting point, but read the caveats: no row is absolute, and the goal is to show the trade-off, not to declare a universal winner. In short: the in-house SOC costs R$ 2.5M to R$ 6M/year and takes 12 to 24 months to mature; SOC as a service costs R$ 8,000 to R$ 60,000/month (R$ 96,000 to R$ 720,000/year) and goes operational in weeks, with mature 24x7 coverage on day one.
The cost axis deserves a clarification. The in-house SOC has a predominantly fixed cost (payroll you pay whether or not anything is happening), while the service has a more predictable and scalable cost (you adjust the contract as you grow). At very large scale — above around 2,000 to 3,000 assets — the fixed cost of an in-house team can dilute and become competitive; below that, the service almost always wins on cost per unit of protection. Hence the importance of the break-even point we discuss in the next section.
Note especially the 'time to maturity' and 'turnover risk' rows. They tend to be ignored in the naive comparison that only looks at the service's monthly fee vs. the salary of two analysts — and they are exactly where an under-sized in-house SOC breaks. A SOC that takes 18 months to detect well is a SOC that left you exposed for 18 months, and that carries a risk cost that doesn't appear on the HR spreadsheet. In the service model, the team's maturity and continuity are the provider's contractual problem, not yours.
No card, no commitment — understand your real risk before you invest.
No card, no commitment. Find out in minutes what has already leaked from your company and what your real risk is.
When an in-house SOC really makes sense — and when it's expensive vanity
It would be dishonest to say an in-house SOC is never worth it. It makes sense, and is sometimes the right choice, in specific situations. The first is scale: above something like 2,000 to 3,000 monitored assets, with high and growing event volume, the fixed cost of an in-house team begins to dilute and compete on equal footing with what the service would charge for that volume. Large banks, telecom carriers, big techs and public agencies with critical infrastructure generally have an in-house SOC for this reason — and even so, many operate in a hybrid model, with the service covering the night shift or peaks.
The second situation is a regulatory or data-sovereignty requirement. In the financial sector, the Central Bank imposes cybersecurity requirements through CMN Resolution 4.893/2021 (financial institutions) and BCB Resolution 85/2021 (payment institutions) — recently reinforced by CMN Resolution 5.274/2025 and BCB Resolution 538/2025, which add new technical and governance controls, with a compliance deadline of March 1, 2026. These rules do not require internalizing the SOC, but they demand governance, an incident response plan and clear accountability over the contracting of third parties, which some institutions prefer to address by keeping part of the operation in house. Importantly: the LGPD does not prohibit outsourcing the SOC. In that arrangement, the provider acts as a processor, carrying out the processing of personal data on behalf of the controller (art. 5, VII), and both are liable under the terms of the law — which makes the contract and its security and liability clauses a central part of the decision.
The third is maturity and long-term strategy: technology companies that see security as a competitive differentiator, or that want to develop internal detection engineering capability as an asset, may invest in their own SOC as part of the business thesis. In those cases, the SOC is not just a cost center, it's a strategic capability.
Outside of those situations, building an in-house SOC is usually expensive vanity — and we say this as consultants who would rather spare you the headache than sell you hardware. The failure pattern is well known: the company hires two or three analysts, buys an expensive SIEM, announces internally that 'now we have a SOC,' and six months later discovers that no one covers the night shift, that the analysts are exhausted and resigning, that the alerts have turned into noise no one investigates, and that the first serious incident happened at 2 a.m. on a Saturday with no one to respond. The money for a SOC was spent and the illusion of one was bought. If you don't have the scale, a sustainable R$ 3M+/year budget and the patience for 18 months of ramp-up, the service delivers more security for less — and that's the honest recommendation, not the comfortable one.
How to contract SOC as a service without getting it wrong: what to ask the provider
Deciding on the service model is half the journey; the other half is contracting well, because the SOCaaS/MDR market has excellent providers and also a lot of 'PowerPoint SOC' that sells alerts without response. The first question, and the most important, is about the response scope: does the contract include active containment (isolate an endpoint, block an account, kill a session) or just notification? If it's only notification, you still need an internal team to act — and the service solves less than it seems. Demand clarity on what the provider does with its own hands versus what it hands back to you.
Second, SLA with numbers, not adjectives. 'Fast response' means nothing. Ask for the average time and the contractual maximum time for detection, notification and containment, and what happens if the SLA is breached (credit, penalty, termination). Ask explicitly about the provider's real MTTD (Mean Time To Detect) and MTTR (Mean Time To Respond) — and be wary of anyone who doesn't measure or won't share those numbers. A SOC that doesn't know its own MTTD is not measuring its own effectiveness.
Third, data ownership and portability. Where are your logs stored, how long are they retained, and what happens to them if you switch providers? Log retention is a compliance requirement (LGPD and, in the financial sector, the Central Bank's resolutions) and it's also what lets you investigate an incident discovered months later. Ensure in the contract that the data is yours, that you can export it, and that retention meets your legal obligations — not the provider's lowest-cost ones.
Fourth, operational transparency and real coverage. Ask: are the analysts covering the night shift the provider's own or from an outsourced SOC in another time zone? Is there shift overlap or just on-call? How many clients does each analyst monitor simultaneously (an oversubscription ratio that, too high, turns into noise)? What telemetry comes in (EDR, network, identity, cloud, SaaS) — because an MDR that only looks at endpoints is blind to an attack that lives in the cloud or in identity. And ask for references from clients of your size and sector, plus a sample report: the quality of the incident report reveals the quality of the operation. Finally, align the billing model to your growth: per endpoint is predictable but punishes those who grow in assets; per data volume punishes those who generate a lot of logs (the cloud, for example); a fixed package is simple but may bury margin. There is no universally right model — there is the one that makes sense for your environment, which is why contracting starts with an assessment of the environment, not with a price table. If your scenario includes responding to an incident already underway, that's a separate front: see our incident response service, which acts in the crisis, distinct from the continuous monitoring of the SOC/MDR.
Key terms
- SOC (Security Operations Center)
- The security operations center; the function (not necessarily a physical room) that continuously monitors, detects malicious activity and responds to incidents. It can be in-house, as a service (SOCaaS) or hybrid.
- SOCaaS (SOC as a Service)
- SOC as a service: outsourcing the 24x7 monitoring and alert-triage operation to a provider that operates the SIEM and the team at shared scale. In the strict sense, it usually delivers detection/alerting — active response may or may not be included.
- MDR (Managed Detection and Response)
- Managed detection and response: a service in which the provider not only detects but contains the threat with its own hands (isolates the endpoint, blocks the account, kills the session), usually with a contractual SLA, over telemetry from EDR, network, identity and cloud.
- SIEM (Security Information and Event Management)
- A tool that collects, normalizes and correlates logs from multiple sources to generate alerts. It's an instrument of the SOC, not the SOC itself; usually licensed by the volume of data ingested (cost per GB/day).
- EDR (Endpoint Detection and Response)
- An agent and sensor installed on each endpoint (laptop, server) that detects malicious behavior and enables response on the device itself, such as isolating the machine from the network.
- Dwell time
- The time an attacker stays in the environment between the initial compromise and detection. According to Mandiant's M-Trends, the median in ransomware intrusions was around 6 days — a short window that makes 24x7 coverage decisive.
- MTTD / MTTR
- Mean Time To Detect and Mean Time To Respond: the average times to detect and to respond to a threat. They are the central contractual metrics for assessing and holding accountable the effectiveness of a SOC/MDR.
- FTE per seat (24x7)
- The number of full-time professionals needed to keep a single duty seat filled all year round. The industry rule is 4.5 to 5 FTEs per seat, accounting for 3 shifts, vacations, time off and sick leave.
How to decide and hire well
- Determine the real size of your environment: number of endpoints, servers, identities and cloud accounts to monitor. This is the main determinant of price, in any model.
- Calculate the honest cost of an in-house SOC: apply the 4.5-to-5-FTE-per-seat 24x7 rule, build a minimum team of 8 to 12 people, multiply by payroll with charges (60–100% over salary) and add SIEM, EDR, threat intel and log retention. Arrive at the total annual cost, not just the salary.
- Compare with the service range for your size (R$ 8,000 to R$ 60,000/month) and calculate the break-even point: below ~2,000–3,000 assets, the service almost always wins on cost and on time to being protected.
- Include the cost of risk in the calculation: 12 to 24 months of ramp-up for an in-house SOC are months of exposure; weigh that against the average cost of a breach in Brazil (R$ 7.19M, IBM 2025).
- Check the regulatory requirements of your sector before deciding: the Central Bank's resolutions (CMN 4.893/2021 and 5.274/2025, BCB 85/2021 and 538/2025) and the LGPD define obligations on governance, incident response and liability in outsourcing.
- When comparing service providers, require the response scope in writing (containment vs. alert only), an SLA with numbers (MTTD, MTTR, containment time) and a penalty for non-compliance.
- Confirm log ownership and retention, covered telemetry (EDR, network, identity, cloud) and the clients-per-analyst ratio; ask for references of your size and a sample incident report.
- Align the billing model (per endpoint, per data volume or package) to your growth vector and be wary of any fixed price given without an assessment of your environment.
Frequently asked questions
How much does a SOC as a service (SOCaaS/MDR) cost in Brazil?
There is no single figure: it depends on the number of assets, log volume and retention, and scope (detection only vs. managed response). As a market reference, small companies (up to ~100–200 endpoints) usually find MDR/SOCaaS between R$ 8,000 and R$ 20,000/month; mid-sized ones (200 to 1,000 assets) between R$ 20,000 and R$ 45,000; and larger operations or those with heavy compliance, from R$ 45,000 to R$ 80,000 or more. Per endpoint, it runs around R$ 60 to R$ 85 per asset/month. Be wary of a fixed price given without an assessment of your environment.
How much does it cost to build an in-house 24x7 SOC in Brazil?
Realistically, between R$ 2.5 million and R$ 6 million a year for a mature operation. The payroll of a minimum team of 8 to 12 people, with charges, already runs between R$ 2.5M and R$ 4.5M/year; on top come SIEM, EDR, threat intel, SOAR and log retention (R$ 400,000 to R$ 1.5M/year), plus training and replacement due to turnover. And it still takes 12 to 24 months to mature to the point of detecting well.
Why does an in-house 24x7 SOC need so many people?
Because covering 24 hours a day, 365 days a year, requires three shifts, and the industry rule is 4.5 to 5 full-time professionals to keep ONE single seat staffed all year (vacations, time off, sick leave, shift overlap). With at least two analysts per shift plus specialized roles (senior, detection engineer, coordinator), you reach the minimum of 8 to 12 people.
What is the difference between SOCaaS and MDR?
SOCaaS in the strict sense is alert monitoring and triage as a service — the provider notifies you, but the response (contain, isolate, eradicate) may stay with you. MDR goes further: the provider detects AND acts, isolating the endpoint, blocking the account and containing the threat, usually with an SLA. For those without an internal arm to respond at night, MDR is what actually solves the problem.
Is MDR the same thing as SIEM or antivirus?
No. SIEM is the tool that collects and correlates logs; antivirus/EDR is the sensor on the endpoint. MDR is the human-managed detection and response service over that telemetry — analysts who investigate and contain the threat. Buying SIEM or EDR without an operation is having the instrument without the musician: no one is watching the alerts at 3 a.m.
Does outsourcing the SOC violate the LGPD?
No. The LGPD permits outsourcing; the provider acts as a processor, carrying out the processing of personal data on behalf of the controller, and both are liable under the terms of the law. What the law requires is governance and a clear contract on security, retention and liability. In the event of an incident involving personal data, the ANPD's simple fine can reach 2% of revenue in Brazil, capped at R$ 50 million per infraction (art. 52).
When is it worth having an in-house SOC instead of contracting the service?
When there is scale (above ~2,000–3,000 monitored assets, the team's fixed cost dilutes), a regulatory or data-sovereignty requirement that demands keeping the operation in house, or a long-term strategy that treats detection engineering as an asset. Below that, the service almost always delivers more security for less, and faster.
What should I ask a SOC-as-a-service provider before signing?
Whether the scope includes active containment or only notification; an SLA with numbers (MTTD, MTTR, containment time) and a penalty for non-compliance; where your logs are stored and for how long they are retained and whether you can export them; which telemetry is covered (EDR, network, identity, cloud); how many clients each analyst monitors; and references of your size with a sample incident report.
References
- ›IBM Cost of a Data Breach 2025 — average breach cost in Brazil at R$ 7.19 million — https://brasil.newsroom.ibm.com/2025-07-30-Relatorio-da-IBM-Custo-medio-de-uma-violacao-de-dados-no-Brasil-atinge-R-7,19-milhoes
- ›Mandiant M-Trends 2025 — dwell time and detection times (Google Cloud) — https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025
- ›LGPD, Law No. 13.709/2018, art. 52 — ANPD administrative sanctions (Planalto) — https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
- ›Central Bank — CMN Resolution 5.274/2025, updating CMN Res. 4.893/2021 (deadline 03/01/2026) — https://www.normasbrasil.com.br/norma/?id=488277
- ›Expel — cost and staffing of a 24x7 SOC (the FTEs-per-seat rule) — https://expel.com/cyberspeak/cost-to-build-and-operate-a-24x7-soc/
How Decripte solves this
From the free assessment to the managed service — pick the right entry point.
Want mature 24x7 coverage without assembling a team of 12 people? Start with Decripte's managed 24x7 SOC or talk to us about MDR — we first assess your environment and only then propose a range and scope, with no guessed numbers.
Start free with Threat Management and see what is already exposed. Move up to the managed plans when it makes sense — without building an in-house team.
