
MSSP vs MDR vs In-House SOC: How to Choose the Right Model

Sources: Gartner Market Guide for Managed Detection and Response Services 2025; SANS 2025 Security Operations Survey; ESG Research: The State of Managed Security Services 2025; Forrester Wave: Managed Detection and Response Services Q1 2025

Key figures:

  • $1.2M: average fully loaded annual cost to build and staff an in-house SOC with 24/7 coverage (3-5 analysts, tooling, management)
  • 42%: share of organizations using MSSPs that report they cannot verify what their provider actually does with alerts
  • 15 min: median mean time to respond (MTTR) for top-tier MDR providers vs. 4+ hours for most in-house SOCs without automation
  • 3.5x: more security events processed per analyst at MDR providers vs. in-house SOCs due to shared platform efficiency

The security operations model you choose determines your detection coverage, response speed, and threat hunting capability more than almost any other security investment. MSSP, MDR, and in-house SOC are not interchangeable options along a cost curve — they are fundamentally different operating models with different capability profiles, different cost structures, and different risk trade-offs. The right choice depends on your threat model, compliance requirements, internal team maturity, and whether you can tolerate the trade-offs inherent in each model. This guide defines what each model actually delivers and provides a decision framework grounded in operational reality rather than vendor positioning.

Defining the Models Precisely

The terms MSSP and MDR are used loosely, often interchangeably by vendors trying to claim both markets. Here are precise definitions:

MSSP (Managed Security Service Provider): An MSSP manages security tools and generates alerts on your behalf. The classic MSSP model: they operate your SIEM, monitor alerts, and send you tickets when something looks concerning. The investigation and response are your responsibility. MSSPs typically use shared analyst pools and rule-based alert triage. Detection fidelity is often lower because analysts are processing high volumes with limited contextual knowledge of each customer's environment. The MSSP model historically grew out of network monitoring and device management (firewall management, log collection).

MDR (Managed Detection and Response): MDR providers own detection and response. They deploy their own EDR/XDR technology stack on your endpoints, ingest your logs into their threat detection platform, and provide analysts who investigate alerts to a verdict — not just forward tickets. Most MDR providers have defined response authority: they can isolate a compromised endpoint or block a domain with your pre-authorization, without waiting for your approval on each action. MDR emerged from the recognition that alert forwarding without investigation was not solving the security problem.

In-House SOC: Your own team, your own tools, 24/7 monitoring. Maximum control over detection logic, response procedures, and institutional knowledge accumulation. Highest cost. Requires continuous hiring, training, and tool maintenance. The only model where you own the complete investigation context.

The blurry middle: Many organizations run hybrid models: an in-house team that handles business hours with MDR providing after-hours coverage; an MDR overlay on an in-house SIEM; or an MSSP providing device management while in-house analysts handle detection. The hybrid model is increasingly common and often the best practical answer.

Capability Matrix: What Each Model Actually Delivers

Capability                          | MSSP                             | MDR                           | In-House SOC
------------------------------------|----------------------------------|-------------------------------|-----------------------------
24/7 monitoring                     | Yes                              | Yes                           | Depends on staffing
Alert triage                        | Ticket generation                | Full investigation to verdict | Full investigation
Threat hunting                      | Rarely                           | Yes (at premium tiers)        | Yes (if staff have capacity)
Active response (isolate, block)    | No                               | Yes (with pre-auth)           | Yes
Custom detection rules              | Limited                          | Limited                       | Full control
Institutional environment knowledge | Low (shared pool)                | Medium                        | High
Compliance reporting                | Yes                              | Yes                           | Yes
Tool stack flexibility              | Medium (may require their stack) | Low (requires their EDR)      | Full
Incident response retainer          | Rarely included                  | Often included                | In-house or retainer
Mean time to respond                | Hours to days                    | Minutes to hours              | Hours (varies)

The critical distinction on alert triage: An MSSP that sends you 200 tickets per week is not reducing your analyst workload — it is offloading the alert noise with minimal added value. The question is not whether alerts are being monitored; it is whether someone competent is investigating them to a verdict. Most MSSP contracts explicitly define their role as alerting, not investigation. MDR contracts define their role as investigation to verdict and response.


Total Cost of Ownership: Building vs. Buying

In-house SOC cost components:

  • Analyst salaries: A SOC analyst in the US earns $70K-$110K fully loaded. Senior analysts and SOC managers: $110K-$180K. 24/7 coverage with appropriate overlap requires 5-7 FTEs minimum.
  • SIEM/SOAR platform: $150K-$500K/year at mid-market scale depending on log volume and platform choice
  • EDR platform: $15-$40 per endpoint per year across thousands of endpoints
  • Threat intelligence feeds: $50K-$200K/year for commercial feeds
  • Training and certifications: $15K-$30K per analyst per year to maintain skill currency
  • Management overhead: SOC manager, program management, tool administration

Realistic in-house 24/7 SOC total: $1M-$2M/year for an organization with 500-2000 employees, not including IR retainer or tooling capital expenditure.

MDR cost ranges:

  • Entry-level MDR (SMB, coverage of 100-500 endpoints): $50K-$150K/year
  • Mid-market MDR (500-2000 endpoints, full IR retainer): $150K-$400K/year
  • Enterprise MDR with threat hunting: $400K-$800K/year

MSSP cost ranges:

  • Device management and log monitoring: $50K-$200K/year depending on scope
  • Often less expensive than MDR but provides proportionally less value

The build vs. buy decision point: For organizations below 2000 employees, the economics of a 24/7 in-house SOC rarely pencil out compared with MDR. The staffing cost alone exceeds MDR pricing, before accounting for tool costs or the challenge of retaining experienced analysts in a competitive market. Above 2000-5000 employees with significant compliance requirements, dedicated threat intelligence requirements, or industry-specific detection needs, in-house begins to be justifiable.

Response Authority: Alert, Contain, Remediate

The single most important question to ask any provider: what can you do without calling us first?

MSSP response authority: Typically none. They send you an alert. You decide what to do. This is appropriate if you have internal analysts who will act quickly — but it means the time-to-response clock does not start until your team picks up the ticket.

MDR response authority: Most MDR providers offer tiered response playbooks with pre-authorization:

  • Tier 1 (automatic): Block known-malicious domains/IPs at DNS or firewall level, update EDR block list for confirmed malware hashes
  • Tier 2 (with standing pre-authorization): Isolate a compromised endpoint from the network, disable a compromised user account in the identity provider, terminate a malicious process
  • Tier 3 (requires your approval per incident): Broader containment actions, firewall rule changes, credential resets for privileged accounts

Define response playbooks with pre-authorization during onboarding — MDR providers that cannot provide clear documentation of what they will do autonomously vs. what requires your approval are not operationally mature.

The isolation tradeoff: Endpoint isolation (cutting a system off from the network) is the highest-value automated response action — it contains ransomware spread and lateral movement immediately. However, it can also disrupt legitimate business processes if triggered incorrectly. Evaluate MDR providers' false positive rates on isolation actions, not just their MTTR claims.

Vendor Landscape by Category

MDR providers — established:

Arctic Wolf: Strong mid-market presence, concierge security delivery model where a named team learns your environment. Security Operations Warranty (financial guarantee) on covered incidents is a differentiator. Best for: mid-market organizations that want relationship-based delivery.

Expel: Transparent operations — customers can see exactly what analysts did and why in a near-real-time SOC dashboard. Strong engineering culture, good API access for integration with in-house tools. Best for: technically sophisticated buyers who want visibility into provider operations.

Red Canary: Originated from EDR-based detection. Strong CrowdStrike and SentinelOne integration. High-confidence alert-to-threat confirmation ratio — they only alert on confirmed threats, not suspicious activity. Best for: organizations prioritizing alert fidelity over volume.

Huntress: Specifically designed for SMB and the MSP channel. Strong ransomware and persistent foothold detection. More accessible pricing. Best for: SMBs or MSPs serving SMBs.

Criticalstart: Zero Trust Analytics Platform with bidirectional alert transparency. Best for: organizations with compliance reporting requirements (SOC 2, HIPAA) who need detailed audit trails.

MSSP providers — established:

Secureworks: One of the largest MSSPs with a significant MDR transition underway (Taegis platform). Long-standing enterprise relationships. Best for: enterprise organizations with long-term MSSP relationships looking to modernize.

Trustwave: Strong PCI-DSS compliance heritage. SpiderLabs threat intelligence integrated into managed services. Best for: retail and financial services with compliance-centric security programs.

AT&T Cybersecurity (LevelBlue): Large scale, strong log management, good for organizations with MSSP requirements driven by compliance rather than threat response.


Decision Framework by Organization Profile

Profile A: Startup or early-stage company (under 200 employees, seed to Series B)
  Recommendation: MDR at SMB tier (Huntress, Arctic Wolf SMB, or similar)
  Rationale: No budget or headcount for in-house SOC. Compliance requirements (SOC 2, ISO 27001) require demonstrable monitoring capability. MDR provides 24/7 coverage at a cost accessible to growth-stage companies ($30K-$80K/year). Focus MDR selection on endpoint coverage and identity threat detection.

Profile B: Mid-market company (200-2000 employees, post-IPO or regulated industry)
  Recommendation: MDR with IR retainer, hybrid with in-house security engineering
  Rationale: Budget exists for MDR at full scale. Compliance requirements (HIPAA, PCI, SOC 2 Type II) require demonstrable detection and response capability. An in-house security engineer builds detection content and manages the MDR relationship while the MDR provides 24/7 analyst coverage. Cost: $150K-$400K/year for MDR plus 1-2 FTEs in-house.

Profile C: Large enterprise (2000+ employees, complex multi-cloud, high regulatory requirements)
  Recommendation: In-house SOC for core detection + MDR overlay for 24/7 coverage and threat hunting
  Rationale: Enough log volume and environmental complexity that in-house detection engineering pays off. MDR overlay provides after-hours coverage and access to threat hunting expertise without building a full 24/7 staff. Compliance reporting and audit requirements benefit from in-house control over the detection process.

Profile D: Organization with specific compliance requirements (FedRAMP, CMMC, ITAR)
  Recommendation: In-house SOC with cleared personnel, or specialized MDR with federal compliance capabilities
  Rationale: FedRAMP and CMMC requirements for data handling, personnel clearances, and documentation may not be satisfiable by commercial MDR providers. MSSP/MDR options with FedRAMP-authorized platforms exist but are fewer and more expensive.

Profile E: Organization that has experienced a significant breach
  Recommendation: MDR with full IR retainer + short-term in-house SOC build
  Rationale: Post-breach, the board and insurance require demonstrable improvement in detection capability. MDR provides immediate 24/7 coverage while the organization builds internal capability. Many organizations that start with MDR post-breach maintain it as a permanent overlay.

Contract and SLA Considerations

SLAs that actually matter:

  • Mean time to detect (MTTD): Time from attacker activity to detection. Ask for their median, not their best case.
  • Mean time to respond (MTTR): Time from detection to first containment action. Get the definition of 'respond' in writing — does it mean notifying you or actually taking action?
  • Mean time to escalate: For events requiring your approval, how quickly do they escalate? Escalations during business hours only or 24/7?
  • False positive rate: What percentage of escalated incidents turn out to be benign? High false positive rates erode trust and cause alert fatigue.
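Added example (not from the guide or any provider): a Python script over constructed incident records that computes the four SLA metrics above under both readings of "respond" (notification vs. first containment action), plus the monthly counts the FAQ recommends requiring. The 15-minute escalation limit and the events-processed figure are assumed contract values.

```python
"""SLA metrics for an MSSP/MDR contract, computed over constructed records.
Shows why the written definition of 'respond' matters: MTTR measured to
notification and MTTR measured to first containment action differ, and
incidents the provider never contained must be counted, not hidden."""
from datetime import datetime, timedelta
from statistics import mean, median


def _t(minute):
    """Minutes after a constructed reference time (keeps the rows short)."""
    return datetime(2025, 3, 1, 2, 0) + timedelta(minutes=minute)


# Constructed escalated-incident records, not real provider data.
# activity = first attacker action, detected = provider alert fired,
# notified = customer told, contained = first containment action
# (None when the provider only notified), verdict from the investigation.
INCIDENTS = [
    {"id": "INC-1", "activity": _t(0),   "detected": _t(12),  "notified": _t(20),  "contained": _t(25),  "verdict": "malicious", "severity": "critical"},
    {"id": "INC-2", "activity": _t(100), "detected": _t(118), "notified": _t(130), "contained": None,    "verdict": "benign",    "severity": "high"},
    {"id": "INC-3", "activity": _t(200), "detected": _t(205), "notified": _t(240), "contained": _t(245), "verdict": "malicious", "severity": "high"},
    {"id": "INC-4", "activity": _t(300), "detected": _t(330), "notified": _t(335), "contained": None,    "verdict": "benign",    "severity": "medium"},
    {"id": "INC-5", "activity": _t(400), "detected": _t(403), "notified": _t(409), "contained": _t(412), "verdict": "malicious", "severity": "critical"},
    {"id": "INC-6", "activity": _t(500), "detected": _t(590), "notified": _t(720), "contained": _t(730), "verdict": "malicious", "severity": "low"},
]


def _minutes(start, end):
    return (end - start).total_seconds() / 60


def mttd(incidents):
    """Time from attacker activity to detection; report median, not best case."""
    vals = [_minutes(i["activity"], i["detected"]) for i in incidents]
    return {"mean": mean(vals), "median": median(vals)}


def mttr(incidents, respond_means="containment"):
    """Detection-to-response under either contract definition of 'respond'.
    Incidents with no containment action are excluded from the containment
    figure and reported separately as no_action."""
    key = "contained" if respond_means == "containment" else "notified"
    done = [i for i in incidents if i[key] is not None]
    vals = [_minutes(i["detected"], i[key]) for i in done]
    return {"definition": respond_means, "mean": mean(vals),
            "median": median(vals), "no_action": len(incidents) - len(done)}


def false_positive_rate(incidents):
    """Share of escalated incidents the investigation closed as benign."""
    return sum(i["verdict"] == "benign" for i in incidents) / len(incidents)


def escalation_sla_breaches(incidents, limit_minutes):
    """High/critical incidents whose detection-to-notification time exceeded
    the escalation limit (limit_minutes is an assumed contract value)."""
    return [i["id"] for i in incidents
            if i["severity"] in ("high", "critical")
            and _minutes(i["detected"], i["notified"]) > limit_minutes]


def monthly_report(incidents, events_processed):
    """The monthly counts to require; events_processed is a constructed figure."""
    return {"events_processed": events_processed,
            "alerts_investigated": len(incidents),
            "incidents_confirmed": sum(i["verdict"] == "malicious" for i in incidents),
            "response_actions": sum(i["contained"] is not None for i in incidents)}


if __name__ == "__main__":
    print("MTTD:", mttd(INCIDENTS))
    print("MTTR (to notification):", mttr(INCIDENTS, "notification"))
    print("MTTR (to containment):", mttr(INCIDENTS, "containment"))
    print("False positive rate:", false_positive_rate(INCIDENTS))
    print("Escalation SLA breaches (15 min):", escalation_sla_breaches(INCIDENTS, 15))
    print("Monthly report:", monthly_report(INCIDENTS, events_processed=48210))
```

On the constructed data the median MTTR is 10 minutes if "respond" means notification but 26.5 minutes if it means containment, with two escalations never acted on at all; that gap is what the written definition decides.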

Questions to ask MDR vendors:

  1. What is your technology stack and do I have to use it? (Most MDR providers require their own EDR)
  2. What response actions can you take without my approval and what requires pre-authorization?
  3. How do I verify what your analysts actually did on any given investigation?
  4. What happens to my data when the contract ends?
  5. Is the IR retainer truly pre-paid hours or is it a credit toward your rates?
  6. What are the notification SLAs for confirmed incidents at different severity levels?
  7. How does your pricing change as my endpoint count grows?

Contract red flags:

  • No performance SLAs in the contract (only aspirational language in marketing materials)
  • Vague definition of 'incident' that allows the provider to exclude significant events from SLA calculations
  • Auto-renewal clauses with penalty for early exit
  • Data portability restrictions that make switching providers painful
  • IR retainer hours that expire unused and cannot roll over

The bottom line

The MSSP vs MDR vs in-house choice comes down to one question: do you want someone to tell you about threats or someone to stop them? Traditional MSSPs tell you. MDR stops them, with pre-authorized response playbooks. In-house gives you maximum control at maximum cost. For most organizations under 2000 employees, MDR is the economically sound choice: it provides 24/7 coverage, investigation to verdict, and active response authority at a fraction of the cost of a fully staffed in-house SOC. Evaluate MDR providers on response authority clarity, false positive rates, and operational transparency — not on their marketing claims about dwell time reduction.

Frequently asked questions

What is the difference between an MSSP and an MDR provider?

An MSSP monitors your environment and generates alerts — they tell you something might be wrong and send you a ticket. Investigation and response are your responsibility. An MDR provider investigates alerts to a verdict and responds: they tell you something is confirmed malicious and they have already isolated the affected endpoint. The key difference is investigation depth and response authority. MDR providers deploy their own technology stack and employ threat analysts who work each alert; MSSPs typically use shared analyst pools with rule-based triage at higher volumes.

How much does MDR cost compared to building an in-house SOC?

MDR ranges from $50K-$150K/year for SMBs to $400K-$800K/year for enterprise-scale deployments with threat hunting. An in-house 24/7 SOC with 5-7 analysts, SIEM, EDR, and threat intelligence costs $1M-$2M/year at mid-market scale. The economics favor MDR for most organizations under 2000 employees. Above 2000-5000 employees with complex detection requirements, in-house engineering becomes justifiable — often paired with MDR for 24/7 coverage rather than fully replacing it.

Can I use MDR if I already have a SIEM?

Yes, with caveats. Most MDR providers require deploying their own EDR technology, which they use as their primary telemetry source. Some will ingest your existing SIEM data as a supplementary source; others ignore it entirely. A few providers are designed to work alongside your existing SIEM rather than replace it. If you have invested significantly in a SIEM and detection content, prioritize MDR providers who can ingest your SIEM alerts and integrate with your existing tooling rather than requiring a full technology stack replacement.

What SOC metrics should I hold an MSSP or MDR provider to?

Require contractual SLAs on: mean time to detect (MTTD) with a defined measurement methodology, mean time to respond (MTTR) with a precise definition of 'respond', false positive rate on escalated incidents, and escalation SLA for confirmed high/critical severity events (should be minutes, not hours). Also require monthly reporting on: total events processed, alerts investigated, incidents confirmed, response actions taken, and coverage gaps identified. Providers that refuse contractual performance SLAs are signaling they cannot consistently meet them.

When does it make sense to build in-house instead of outsourcing?

Build in-house when: your threat model requires deep institutional environment knowledge that a shared-pool provider cannot accumulate; you have compliance requirements (FedRAMP, CMMC) that mandate cleared personnel or specific data handling; your log volume and complexity justify dedicated detection engineering; or your industry has sector-specific threat intelligence that external providers do not have. Most organizations that build in-house still use MDR or MSSP as an overlay for after-hours coverage and specialized threat hunting capacity.

What questions should I ask MDR vendors during evaluation?

Ask: (1) What EDR do you require and do I have to replace my current endpoint security? (2) What response actions can your analysts take without my approval? (3) How do I see exactly what your analysts did on a specific investigation? (4) What is your actual false positive rate on escalated incidents? (5) What happens to my data and detection content when I off-board? (6) Is the IR retainer pre-paid hours or a credit against your hourly rates, and do unused hours roll over? (7) How do your analysts access my environment and how is that access controlled and audited?



Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
