HOW-TO GUIDE | SECURITY OPERATIONS
Active Threat | 12 min read

How to Build a Security Operations Center: A Practitioner's Guide

$2.86M: average annual cost to staff and operate an in-house 24/7 SOC (SANS 2025)
64% of SOCs report chronic understaffing as their top operational challenge
44% of security alerts go uninvestigated due to analyst capacity constraints
18 months: average time to reach operational maturity for a newly built SOC

Most organizations that build a SOC underestimate what it takes to operate one. A room with screens, a SIEM license, and three analysts is not a SOC — it is the infrastructure for a SOC that will take 12 to 18 months to reach the detection coverage and operational maturity needed to justify its cost.

The most important decision in SOC development is not which SIEM to buy. It is whether to build, buy, or augment — and at what scale. This guide covers the organizational and technical decisions that determine whether a SOC investment produces security outcomes versus expensive alert triage infrastructure.


Build vs Buy vs Augment: The Decision Framework

Organizations under approximately 1,000 employees with limited security budgets should not build a 24/7 in-house SOC. The economics do not work: keeping even one analyst on duty across three shifts, seven days a week, is 21 shifts a week, or 4.2 analysts at five shifts each before vacation, sick leave, and turnover, so a minimum of five to six analysts; the fully loaded annual cost of that team exceeds $1.5 million before tooling, infrastructure, or management overhead. A Managed Detection and Response (MDR) service provides 24/7 analyst coverage, mature detection content, and tooling at $200,000 to $600,000 annually: better economics, faster time to coverage, and access to analyst expertise that takes years to develop internally.

Organizations with 1,000 to 5,000 employees and meaningful security budgets should consider a hybrid model: internal detection engineers and Tier 2/3 analysts who own the detection program, supplemented by an MDR provider for 24/7 Tier 1 alert triage and after-hours coverage. This model keeps detection strategy and critical incident response in-house while solving the staffing and coverage challenges that make pure in-house 24/7 SOCs difficult to operate.

Organizations with 5,000 or more employees, significant compliance obligations, or classified environments typically require a full in-house SOC. The scale justifies the investment, the compliance requirements may restrict what can be outsourced, and the internal threat surface is complex enough that deep institutional knowledge matters.

MDR providers to evaluate for the outsourced or hybrid model: CrowdStrike Falcon Complete, SentinelOne Vigilance, Palo Alto Networks Unit 42 MDR, Arctic Wolf, and Huntress. Evaluate them on analyst response SLA (time from alert to analyst action), detection coverage across MITRE ATT&CK, escalation procedures (which containment actions the provider may take in your environment, and with whose approval), and contractual data handling terms (where your telemetry is stored, who can access it, and for how long it is retained).

SOC Staffing Model and Analyst Tiers

A functional SOC uses a tiered analyst model that routes work by complexity rather than treating every analyst as interchangeable.

Tier 1 analysts handle alert triage: reviewing incoming alerts, making true/false positive determinations against documented playbooks, and escalating confirmed incidents. Tier 1 is high-volume, lower-complexity work. The skill requirement is proficiency with the SIEM and EDR console, knowledge of the alert types they are triaging, and the judgment to recognize when an alert requires escalation. Tier 1 analysts typically have one to three years of security experience.

Tier 2 analysts handle incident response and investigation: investigating escalated alerts, performing deeper log analysis, coordinating containment actions, and producing incident documentation. Tier 2 requires deeper technical skills: log analysis, attacker TTP knowledge, and familiarity with forensic techniques. Tier 2 analysts typically have three to five years of experience.

Tier 3 analysts and detection engineers handle threat hunting, detection development, and complex incident response. This is the most senior function: building new detection rules, running ATT&CK-aligned hunts, reverse engineering malware, and handling the most complex incidents that Tier 2 escalates. These roles require five or more years of experience and specific technical depth.

A 24/7 SOC requires shift coverage. A common staffing model for in-house 24/7 operations: three shift teams of two to three Tier 1 analysts, a day-shift team of Tier 2 analysts with on-call rotation for after-hours escalations, and one to three Tier 3 analysts and detection engineers who work standard business hours. Total headcount for a minimally staffed 24/7 SOC: 10 to 15 analysts. Under-staffing Tier 1 creates an alert backlog; under-staffing Tier 3 means the detection content that Tier 1 uses becomes stale.

Technology Stack: The Four Required Layers

A SOC technology stack has four layers, each required for full operational capability. The most common failure mode is investing heavily in one layer (typically EDR) while underinvesting in another (typically SOAR), creating operational inefficiencies that limit detection throughput.

Layer 1 — Telemetry collection: EDR for endpoint telemetry, network detection (NDR or NSM) for network traffic analysis, identity provider logs, and cloud infrastructure logs (CloudTrail, Azure Monitor). The breadth and quality of telemetry determines the ceiling on what detections are possible.

Layer 2 — Detection and analytics: SIEM or data lake for correlation and rule-based detection, UEBA for behavioral analytics, and threat intelligence platform integration for IOC enrichment. The SIEM is the SOC's primary detection surface — detection engineering investment directly determines how many real threats surface as actionable alerts versus how much noise analysts process.

Layer 3 — Case management and workflow: ticketing system integration (ServiceNow, Jira, or a dedicated security case management tool) and documented playbooks for each alert type. Without structured case management, SOC work is invisible to leadership and impossible to measure.

Layer 4 — Orchestration and automation: SOAR platform for automating repetitive Tier 1 actions (IP enrichment, user lookup, asset context enrichment, automatic ticket creation) and automated response for high-confidence detections (account lock on credential stuffing detection, host isolation on confirmed ransomware behavior). SOAR investment pays back in Tier 1 analyst capacity — each automated triage action is analyst time returned to higher-value work.
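The Layer 4 decision logic, as an added example that is not code from the article or from any SOAR product: an alert is enriched with asset and identity context, then routed to automatic containment, Tier 2 approval, or Tier 1 triage. The asset inventory, user directory, rule names, confidence thresholds, and the five-action circuit breaker are all constructed assumptions; `isolate_host` and `lock_account` stand in for whatever the EDR and identity provider APIs actually expose.

```python
"""Hypothetical SOAR decision step (added example, not from the article).
Enriches an alert with asset/identity context and decides whether a
high-confidence detection is contained automatically or needs a human."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed asset inventory and identity directory (hypothetical data).
ASSETS = {
    "ws-042": {"tier": "workstation", "critical": False},
    "dc-01": {"tier": "domain_controller", "critical": True},
    "srv-db1": {"tier": "server", "critical": True},
}
USERS = {
    "jdoe": {"privileged": False, "service_account": False},
    "svc-backup": {"privileged": True, "service_account": True},
}

# Rules trusted for automatic response, with the minimum detection
# confidence (0..1) the alert must carry before the action fires.
AUTO_RESPONSE = {
    "ransomware_behavior": ("isolate_host", 0.90),
    "credential_stuffing": ("lock_account", 0.80),
}


@dataclass
class Alert:
    rule: str
    confidence: float
    host: Optional[str] = None
    user: Optional[str] = None


@dataclass
class Orchestrator:
    # Circuit breaker: a runaway rule must not isolate the whole fleet.
    max_auto_actions: int = 5
    actions_taken: list = field(default_factory=list)

    def enrich(self, alert):
        """Asset context enrichment and user lookup (the Tier 1 steps the
        article lists as automatable). Missing entries stay None."""
        return {"asset": ASSETS.get(alert.host), "identity": USERS.get(alert.user)}

    def decide(self, alert):
        ctx = self.enrich(alert)
        decision = {"alert": alert, "context": ctx}
        plan = AUTO_RESPONSE.get(alert.rule)
        if plan is None or alert.confidence < plan[1]:
            # Not a high-confidence detection: enrich and hand to Tier 1.
            decision.update(queue="tier1_triage", action=None, executed=False)
            return decision
        action = plan[0]
        # An unknown target cannot be contained safely: nobody knows what breaks.
        target_missing = (action == "isolate_host" and ctx["asset"] is None) or (
            action == "lock_account" and ctx["identity"] is None)
        # Domain controllers, critical servers, privileged and service accounts
        # get a human approval gate even when the detection is confident.
        blast_radius = bool((ctx["asset"] or {}).get("critical")) or bool(
            (ctx["identity"] or {}).get("privileged"))
        if target_missing or blast_radius:
            decision.update(queue="tier2_approval", action=action, executed=False)
            return decision
        if len(self.actions_taken) >= self.max_auto_actions:
            decision.update(queue="tier2_approval", action=action, executed=False,
                            reason="circuit_breaker")
            return decision
        # Here a real playbook would call the EDR / IdP API; we record it.
        self.actions_taken.append((action, alert.host or alert.user))
        decision.update(queue="auto_contained", action=action, executed=True)
        return decision


if __name__ == "__main__":
    orch = Orchestrator()
    for a in (Alert("ransomware_behavior", 0.95, host="ws-042"),
              Alert("ransomware_behavior", 0.95, host="dc-01"),
              Alert("credential_stuffing", 0.85, user="svc-backup")):
        d = orch.decide(a)
        print(a.rule, "->", d["queue"], d["action"])
```

The two guardrails are the part worth copying: automatic containment is gated on knowing the target and on its blast radius, and a counter stops a misfiring rule from isolating more than a handful of hosts before a person looks at it.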

Detection Coverage Priorities for a New SOC

A new SOC should resist the temptation to build detections for everything immediately. Detection coverage that is too broad produces false positives that overwhelm Tier 1 capacity and train analysts to distrust alerts — the opposite of what a SOC is designed to do.

Start with a short list, twenty or so detections, that covers the highest-risk attack patterns for your environment. For most enterprise environments that list includes: impossible travel authentication (two logins by the same account from locations farther apart than the elapsed time allows), off-hours admin account use, new local administrator account creation, PowerShell launched with an encoded command, child processes spawned by Microsoft Office applications (the execution stage of a T1566 phishing chain), LSASS memory access by processes other than the expected system components (credential dumping), lateral movement via PsExec or WMI from an unusual source, DNS requests to domains registered within the past 30 days with high-entropy names (DGA command and control), large outbound data transfers during off-hours, and ransomware behavioral patterns (mass file modification, renaming, or deletion).
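Three of the starter detections above, run over constructed log events, as an added example that is not code from the article: impossible travel over authentication records, Office applications spawning scripting children, and encoded PowerShell (with the payload decoded so the analyst sees it in the alert). All hosts, users, coordinates, timestamps, and command lines are made up, and the 900 km/h travel threshold and the parent/child process lists are assumptions a real environment would tune.

```python
"""Added example (not from the article): three starter detections over
constructed events. Every record below is fabricated for illustration."""
import base64
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed authentication events: (timestamp, user, latitude, longitude)
AUTH_EVENTS = [
    ("2025-03-04T08:02:11Z", "jdoe", 40.71, -74.01),     # New York
    ("2025-03-04T08:41:30Z", "jdoe", 51.51, -0.13),      # London, 39 minutes later
    ("2025-03-04T09:15:00Z", "asmith", 37.77, -122.42),  # San Francisco
    ("2025-03-04T16:20:00Z", "asmith", 34.05, -118.24),  # Los Angeles, 7 hours later
]

# Constructed process-creation events: (host, parent image, image, command line)
PROC_EVENTS = [
    ("ws-042", "WINWORD.EXE", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("ws-042", "explorer.exe", "powershell.exe", "powershell.exe -File backup.ps1"),
    ("srv-db1", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("ws-017", "EXCEL.EXE", "cmd.exe", "cmd.exe /c whoami"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_kmh=900.0):
    """Consecutive logins by one user that imply a speed above max_kmh
    (about airliner speed). Elapsed time is floored at one second so two
    logins with the same timestamp do not divide by zero."""
    by_user = defaultdict(list)
    for ts, user, lat, lon in events:
        by_user[user].append((_ts(ts), lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = max((t2 - t1).total_seconds(), 1.0) / 3600.0
            speed = km / hours
            if speed > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "distance_km": round(km), "speed_kmh": round(speed)})
    return alerts


def detect_office_spawn(events):
    """Office application spawning a scripting or living-off-the-land child."""
    return [{"rule": "office_child_process", "host": host, "parent": parent,
             "child": image, "cmdline": cmdline}
            for host, parent, image, cmdline in events
            if parent.lower() in OFFICE_PARENTS and image.lower() in SUSPICIOUS_CHILDREN]


def detect_encoded_powershell(events):
    """PowerShell started with an encoded command. The argument is base64 of
    UTF-16LE text, so it is decoded that way and attached to the alert."""
    alerts = []
    for host, _parent, image, cmdline in events:
        m = ENCODED_FLAG.search(cmdline)
        if image.lower() == "powershell.exe" and m:
            try:
                decoded = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
            except ValueError:
                decoded = "<not valid base64>"
            alerts.append({"rule": "encoded_powershell", "host": host,
                           "decoded": decoded, "cmdline": cmdline})
    return alerts


def run_all():
    return (detect_impossible_travel(AUTH_EVENTS)
            + detect_office_spawn(PROC_EVENTS)
            + detect_encoded_powershell(PROC_EVENTS))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Each function returns structured alerts rather than printing, which is what a playbook needs: the impossible-travel alert carries the computed speed, and the encoded-PowerShell alert carries the decoded payload, so Tier 1 can make the true/false positive call from the alert itself.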

Document a playbook for each detection before enabling it. A detection without a playbook forces Tier 1 analysts to make investigation decisions without guidance, producing inconsistent response quality. The playbook defines: what the detection means, what Tier 1 should check to determine true/false positive, what the escalation criteria are, and what containment actions Tier 1 is authorized to take without escalation.

Measure false positive rates per detection from day one. Once a rule has produced enough alerts to judge it (a handful is not a sample), any detection with a false positive rate above 20% should be tuned or disabled: it is consuming analyst time without producing security value. Detection quality is more important than detection quantity.


The bottom line

A SOC is an operational capability, not an infrastructure deployment. The organizations that build effective SOCs invest as much in staffing model design, detection content quality, playbook development, and analyst development as they do in tooling. A Tier 3 detection engineer who writes twenty high-quality detection rules with documented playbooks produces more security value than a SIEM license that comes pre-loaded with five hundred noisy rules that no analyst trusts.

Frequently asked questions

What is the difference between a SOC and an MDR service?

A SOC (Security Operations Center) is an internal team with dedicated analysts monitoring an organization's environment. An MDR (Managed Detection and Response) service is an outsourced provider that delivers SOC-like capabilities — 24/7 monitoring, threat detection, and response — as a service, typically providing their own tooling and analyst team. MDR services provide faster time to coverage and lower operational overhead than building an internal SOC, but offer less customization and institutional environment knowledge than an in-house team.

How many analysts does a 24/7 SOC require?

Two analysts on every eight-hour shift, seven days a week, is 42 analyst-shifts per week; at five shifts per analyst that is 8.4 Tier 1 analysts for shift coverage alone, and accounting for vacation, sick leave, and turnover pushes it to nine or ten. (The six analysts often quoted cover two per shift only on weekdays.) Add two to four Tier 2 analysts for day-shift investigation coverage with on-call availability, and one to two Tier 3 analysts and detection engineers for detection development and complex incidents. Total minimum viable 24/7 SOC: twelve to fifteen analysts. Organizations that budget for fewer than ten analysts for 24/7 operations will be chronically understaffed within the first year.

What SIEM is best for a new SOC?

The SIEM decision should follow the existing environment rather than lead it. Organizations heavily invested in Microsoft (Entra ID, M365, Azure infrastructure) get the most native integration value from Microsoft Sentinel. Organizations with heterogeneous environments and mature detection engineering teams get the most flexibility from Splunk Enterprise Security or Elastic SIEM. Organizations that want the fastest time to detection value with the least detection engineering investment should evaluate cloud-native XDR platforms (CrowdStrike Falcon, SentinelOne Singularity) that bundle log management, EDR, and vendor-maintained detection content as an integrated stack.

What metrics should a new SOC track?

For the first year, prioritize: mean time to detect (MTTD) by incident type, mean time to respond (MTTR) from alert generation to containment, Tier 1 alert false positive rate per detection rule, detection coverage percentage against your priority ATT&CK techniques, and analyst capacity utilization (percentage of shift time spent on investigation vs administrative tasks). These five metrics give you the signals needed to prioritize SOC improvement efforts during the build-out phase. Alert volume is a useful operational metric but should never be the primary KPI — high alert volume with high false positive rates is a program failure, not a success metric.
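The per-rule false positive gate from the detection section and three of the five first-year metrics above, computed from a constructed case-management export, as an added example that is not code from the article: false positive rate per rule with the 20% tune-or-disable verdict, MTTD (triggering event to alert) and MTTR (alert to containment), both per rule, over true positives. The cases, the export's field layout, and the minimum sample size of five alerts before a rule is judged are assumptions.

```python
"""Added example (not from the article): first-year SOC metrics from a
constructed case export. Every case below is fabricated; the field layout
(rule, event time, alert time, containment time, disposition) is an
assumption about what a ticketing system would export."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

MIN_SAMPLE = 5        # assumed: do not judge a rule on a handful of alerts
FP_THRESHOLD = 0.20   # the article's gate: above this, tune or disable

# Constructed cases: (alert_id, rule, event_time, detected_at, contained_at, disposition)
CASES = [
    ("A-001", "impossible_travel", "2025-03-04T08:41:30Z", "2025-03-04T08:43:00Z", None, "false_positive"),
    ("A-002", "impossible_travel", "2025-03-04T09:10:00Z", "2025-03-04T09:12:00Z", "2025-03-04T09:50:00Z", "true_positive"),
    ("A-003", "impossible_travel", "2025-03-04T10:00:00Z", "2025-03-04T10:01:00Z", None, "false_positive"),
    ("A-004", "impossible_travel", "2025-03-04T10:30:00Z", "2025-03-04T10:31:00Z", None, "false_positive"),
    ("A-005", "impossible_travel", "2025-03-04T11:00:00Z", "2025-03-04T11:03:00Z", "2025-03-04T11:55:00Z", "true_positive"),
    ("A-006", "impossible_travel", "2025-03-04T12:00:00Z", "2025-03-04T12:01:00Z", None, "false_positive"),
    ("B-001", "office_spawn", "2025-03-05T08:00:00Z", "2025-03-05T08:01:00Z", "2025-03-05T08:21:00Z", "true_positive"),
    ("B-002", "office_spawn", "2025-03-05T09:00:00Z", "2025-03-05T09:01:00Z", "2025-03-05T09:31:00Z", "true_positive"),
    ("B-003", "office_spawn", "2025-03-05T10:00:00Z", "2025-03-05T10:01:00Z", "2025-03-05T10:41:00Z", "true_positive"),
    ("B-004", "office_spawn", "2025-03-05T11:00:00Z", "2025-03-05T11:01:00Z", "2025-03-05T11:51:00Z", "true_positive"),
    ("B-005", "office_spawn", "2025-03-05T12:00:00Z", "2025-03-05T12:01:00Z", "2025-03-05T13:01:00Z", "true_positive"),
    ("C-001", "encoded_powershell", "2025-03-06T08:00:00Z", "2025-03-06T08:05:00Z", "2025-03-06T08:15:00Z", "true_positive"),
    ("C-002", "encoded_powershell", "2025-03-06T09:00:00Z", "2025-03-06T09:05:00Z", None, "false_positive"),
    ("C-003", "encoded_powershell", "2025-03-06T10:00:00Z", "2025-03-06T10:05:00Z", "2025-03-06T10:25:00Z", "true_positive"),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _minutes(start, end):
    return (_ts(end) - _ts(start)).total_seconds() / 60.0


def compute_metrics(cases):
    """Per rule: alert count, FP rate with verdict, MTTD and MTTR in minutes.
    MTTD and MTTR are computed over true positives only; a false positive has
    no real event to detect and nothing to contain."""
    per_rule = defaultdict(lambda: {"alerts": 0, "fps": 0, "mttd": [], "mttr": []})
    for _id, rule, event_time, detected_at, contained_at, disposition in cases:
        m = per_rule[rule]
        m["alerts"] += 1
        if disposition == "false_positive":
            m["fps"] += 1
            continue
        if disposition != "true_positive":
            raise ValueError(f"unknown disposition {disposition!r} on {_id}")
        m["mttd"].append(_minutes(event_time, detected_at))
        if contained_at:
            m["mttr"].append(_minutes(detected_at, contained_at))
    report = {}
    for rule, m in per_rule.items():
        fp_rate = m["fps"] / m["alerts"]
        if m["alerts"] < MIN_SAMPLE:
            verdict = "insufficient_sample"
        elif fp_rate > FP_THRESHOLD:
            verdict = "tune_or_disable"
        else:
            verdict = "keep"
        report[rule] = {
            "alerts": m["alerts"],
            "fp_rate": round(fp_rate, 3),
            "verdict": verdict,
            "mttd_minutes": round(mean(m["mttd"]), 1) if m["mttd"] else None,
            "mttr_minutes": round(mean(m["mttr"]), 1) if m["mttr"] else None,
        }
    return report


if __name__ == "__main__":
    for rule, stats in compute_metrics(CASES).items():
        print(rule, stats)
```

On this constructed data the impossible-travel rule fails the gate (four of six alerts were false positives, the usual VPN egress problem) while the Office child-process rule keeps a clean record, and the encoded PowerShell rule is not judged yet because three alerts say nothing reliable about its false positive rate.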

Sources & references

  1. SANS SOC Survey 2025
  2. Gartner Market Guide for SOC as a Service
  3. MITRE 11 Strategies of a World-Class Cybersecurity Operations Center


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
