Building an internal Security Operations Center versus outsourcing to a Managed Security Service Provider is one of the most consequential decisions in enterprise security. This page presents factual, industry-sourced data to help you evaluate both options.
Cost figures reference publicly available data from the U.S. Bureau of Labor Statistics (BLS), MITRE, ISC2, and published vendor price lists, with sources cited inline; figures we model ourselves are labeled as our own estimates. This is general industry analysis, not specific to any single provider.
Industry-sourced figures
Security Analyst Pay (U.S. Median)
$129,180
BLS OEWS May 2025 national median wage for Information Security Analysts (15-1212) — BLS does not track SOC analyst as a distinct title. The 90th percentile reaches $199,850 for senior roles.
Minimum Staff for 24/7
~10 Analysts
Roughly 5 FTEs per 24/7 seat, two-seat minimum on shift, before management or specialist roles. MITRE, 11 Strategies of a World-Class Cybersecurity Operations Center (2022).
First-Year SOC Build Cost
$1.5M-$4M+
Staffing, SIEM licensing, EDR/XDR, facility, training. Our own estimate for a 24/7 in-house SOC, modeled from BLS salary data for a ~10-analyst team plus published SIEM/EDR licensing costs.
Factual differences across key dimensions
| Category | In-House SOC | MSSP |
|---|---|---|
| Staffing | ~10 analysts minimum for 24/7 coverage (roughly 5 FTEs per seat, two seats on shift; MITRE, 2022), plus management. Annual cost: roughly $1.3M+ in salaries alone at the BLS May 2025 median wage of $129,180 for Information Security Analysts (BLS OEWS 15-1212). | Shared analyst pool included in service contract. No recruiting, training, or retention burden on your organization. |
| SIEM & Tooling | SIEM licensing: $50K-$500K+/year depending on data volume and vendor (Splunk, Sentinel, QRadar). Plus EDR, SOAR, threat intel feeds. | Technology stack included in monthly fee. MSSP amortizes licensing costs across multiple clients. |
| Time to Operational | Hiring, technology deployment, playbook development, and detection tuning happen sequentially — each phase takes months, and the SOC isn't reliable until all of them are done. Timelines stretch further when competing for scarce analysts. | Weeks to months. Onboarding involves integrating your environment into an existing operational platform. |
| Expertise Breadth | Limited to what your team knows. Difficult to maintain deep expertise across all threat types, platforms, and compliance frameworks. | Analysts see threats across many client environments. Cross-pollination of threat intelligence and playbooks. |
| Flexibility & Scaling | Scaling requires hiring. Downsizing means layoffs. Difficult to adjust capacity for seasonal or project-based needs. | Scale coverage up or down with contract changes. Easier to adjust during M&A, growth, or budget constraints. |
| Institutional Knowledge | Deep understanding of your specific environment, business processes, and risk tolerance. This is the primary advantage. | Relies on documentation and onboarding. Less inherent knowledge of your business context and internal politics. |
| Control & Customization | Full control over priorities, tooling choices, and incident response procedures. Can tailor everything to your needs. | Operates within predefined service levels. Customization possible but limited by shared-service model. |
| Annual Operating Cost | $1.5M-$4M+ (staffing, technology, facilities, training, turnover costs). Our own estimate, modeled from BLS salary data for a 24/7 team plus published SIEM/EDR licensing costs. | A scoped annual subscription — typically a fraction of in-house cost, because analysts, tooling, and facilities are shared across clients rather than built and staffed from scratch. Pricing depends on environment size, data volume, and service level; see our pricing page for Fortress's actual rates. |
~10 analysts minimum for 24/7 coverage (roughly 5 FTEs per seat, two seats on shift; MITRE, 2022), plus management. Annual cost: roughly $1.3M+ in salaries alone at the BLS May 2025 median wage of $129,180 for Information Security Analysts (BLS OEWS 15-1212).
Shared analyst pool included in service contract. No recruiting, training, or retention burden on your organization.
SIEM licensing: $50K-$500K+/year depending on data volume and vendor (Splunk, Sentinel, QRadar). Plus EDR, SOAR, threat intel feeds.
Technology stack included in monthly fee. MSSP amortizes licensing costs across multiple clients.
Hiring, technology deployment, playbook development, and detection tuning happen sequentially — each phase takes months, and the SOC isn't reliable until all of them are done. Timelines stretch further when competing for scarce analysts.
Weeks to months. Onboarding involves integrating your environment into an existing operational platform.
Limited to what your team knows. Difficult to maintain deep expertise across all threat types, platforms, and compliance frameworks.
Analysts see threats across many client environments. Cross-pollination of threat intelligence and playbooks.
Scaling requires hiring. Downsizing means layoffs. Difficult to adjust capacity for seasonal or project-based needs.
Scale coverage up or down with contract changes. Easier to adjust during M&A, growth, or budget constraints.
Deep understanding of your specific environment, business processes, and risk tolerance. This is the primary advantage.
Relies on documentation and onboarding. Less inherent knowledge of your business context and internal politics.
Full control over priorities, tooling choices, and incident response procedures. Can tailor everything to your needs.
Operates within predefined service levels. Customization possible but limited by shared-service model.
$1.5M-$4M+ (staffing, technology, facilities, training, turnover costs). Our own estimate, modeled from BLS salary data for a 24/7 team plus published SIEM/EDR licensing costs.
A scoped annual subscription — typically a fraction of in-house cost, because analysts, tooling, and facilities are shared across clients rather than built and staffed from scratch. Pricing depends on environment size, data volume, and service level; see our pricing page for Fortress's actual rates.
Hybrid is increasingly common. Many organizations keep a small internal security team for governance and strategy while outsourcing 24/7 monitoring to an MSSP. This provides the institutional knowledge of an in-house team with the operational coverage of a managed service.
Organizations frequently underestimate the true cost of an in-house SOC by focusing only on analyst salaries. These additional costs are documented in vendor price lists and industry research.
SOC analysts stay in role roughly 26 months on average, and a typical 12-person SOC loses about three analysts a year (Ponemon Institute, Economics of the SOC). Gallup estimates replacing an employee costs one-half to two times their annual salary in recruiting, onboarding, and lost productivity.
SANS flagship courses list at $8,780 per seat (SANS Institute, 2026 course pricing), and a GIAC certification attempt adds $999 with $499 renewals (GIAC pricing). One course plus one certification puts a single analyst near $10K per year before travel.
SIEM licensing typically scales with data ingestion volume. Every new cloud workload, SaaS integration, and endpoint adds to the ingest bill, so spend compounds as your environment grows — often faster than headcount or budget.
A Ponemon Institute survey commissioned by Exabeam found security teams spend roughly 25% of their time chasing false positives. This is a direct productivity cost.
Night and weekend shifts typically command 5-15% shift differentials on top of base pay (SHRM/Culpepper pay practices data). Burnout on off-hours shifts accelerates turnover, creating a compounding cost problem.
A dedicated SOC facility means physical security, redundant power and connectivity, display walls, and 24/7-ready workspace — capital costs an in-house program carries alone, and that an MSSP amortizes across its entire client base.
A fully operational in-house SOC typically costs $1.5 million to $4 million or more in the first year — our own estimate, modeled from U.S. Bureau of Labor Statistics salary data and published SIEM/EDR licensing costs. This includes staffing (roughly 10 analysts for true 24/7 coverage at around the $129,180 BLS median wage for Information Security Analysts each, May 2025), SIEM licensing ($50,000-$500,000+ annually depending on data volume), EDR/XDR tooling, threat intelligence feeds, and facility costs. Ongoing annual costs remain substantial after year one: staffing alone for a 24/7 team of 10 or more typically exceeds $1 million per year before SIEM licensing, tooling renewals, and training.
To maintain true 24/7/365 coverage, each around-the-clock seat requires roughly five full-time analysts (4.8 FTEs) once shifts, weekends, vacation, and sick leave are accounted for, and MITRE's 11 Strategies of a World-Class Cybersecurity Operations Center (2022) recommends keeping a minimum of two analysts on shift at all times — putting the floor at roughly 10 analysts. Add a SOC manager, threat intelligence, and incident response leads, and a functional 24/7 SOC team typically requires 12 or more people.
An in-house SOC generally makes more sense when an organization has highly specialized security requirements (defense, intelligence, critical infrastructure), regulatory mandates requiring internal security operations, a security budget that can sustainably absorb the full multi-million-dollar annual cost of 24/7 operations, the ability to attract and retain talent, and a need for deep institutional knowledge. Large enterprises whose alert volume keeps a dedicated 24/7 team fully utilized are the most common candidates.
Yes, and this is increasingly common. Many organizations maintain a small internal security team for governance and strategy while outsourcing 24/7 monitoring and alert triage to an MSSP. This hybrid model reduces the staffing burden of round-the-clock coverage while keeping institutional knowledge and security strategy in-house.
We offer a complimentary infrastructure risk assessment that helps you understand your current security posture and what level of coverage your environment requires — whether that means an MSSP, an in-house team, or a hybrid approach.