You have a firewall. You have endpoint protection. Maybe someone set up a SIEM two years ago and nobody has touched it since. Sound familiar?
At some point, every growing business in Belgium and Europe hits the same wall. The tools are there. Nobody is watching them. And when something goes wrong, the response is a scramble.
So you start looking at options. Build a SOC internally? Outsource to an MDR provider? Both promise to fix the problem. They get there very differently, and the cost gap is enormous.
What a SOC actually requires
A Security Operations Center is a team that monitors your environment for threats and responds when it finds something. Running one around the clock means three full shifts, weekend coverage, shift managers, and backup analysts for sick leave and holidays. In practice, you need twelve to thirteen people to keep a SOC operational 24/7/365. You need a SIEM, EDR tooling, threat intelligence feeds, playbooks, and someone keeping all of it tuned.
In Belgium, where cybersecurity talent is scarce and everyone is hiring from the same pool, a team that size costs €800,000 to €1,500,000 a year in salaries. Add SIEM licensing, EDR, training, and infrastructure and you are looking at €1.2 million to €2 million all in.
That is a lot of money for a capability that takes six to twelve months to stand up, assuming you can actually hire the people.
What MDR is (and is not)
MDR is outsourced security operations with teeth. The difference from an old-school MSSP is the “response” part. An MSSP watches your alerts and calls you when something looks wrong. An MDR provider watches your alerts, investigates, and when something is confirmed malicious, they contain it. Endpoint isolation, blocking connections, preserving evidence, guiding remediation. They handle it.
A solid MDR engagement covers 24/7 monitoring by actual analysts, SIEM management, detection deployment and tuning, threat intelligence, regular threat hunting, and incident response. MDR is not limited to endpoints either. If you already have network detection and response (NDR), cloud security tooling, or identity monitoring in place, an MDR provider can deploy on top of what you already have. You get a security operations team built around your existing infrastructure, without the hiring nightmare.
The real comparison

Cost. An internal SOC runs €1.2 million to €2 million per year when you account for twelve to thirteen staff, tooling, and infrastructure. MDR ranges from roughly €5,000 to €30,000 per month depending on scope and the number of endpoints. For most mid-sized businesses, MDR is a fraction of the in-house cost.
Speed. Building a SOC takes six to twelve months. MDR onboarding is significantly faster, though the exact timeline depends on the product stack and how many telemetry layers you want baselined; it typically takes six to ten weeks. At TSO, onboarding covers sensor deployment, log ingestion, environment baselining, and detection tuning before we turn on full monitoring.
Expertise. Your internal SOC is capped at whoever you can hire. Alert fatigue is a real problem: analysts seeing thousands of events a day burn out or start filtering too aggressively. An MDR provider sees patterns across dozens of client environments, across industries. Their detection logic improves with every engagement because their reputation depends on catching what automated tools miss.
Telemetry coverage

Modern attacks do not stay on one endpoint. You need visibility into:
- Endpoints: process execution, file changes, registry modifications, network connections (collected by EDR agents)
- Network: NetFlow, DNS queries, proxy logs, IDS alerts. This is where you spot lateral movement and command-and-control traffic.
- Identity: Active Directory, Entra ID, SSO logs. Credential abuse, impossible travel, privilege escalation.
- Cloud: Microsoft 365, Google Workspace, AWS CloudTrail, Azure Activity Log.
- Email: phishing attempts, business email compromise, suspicious attachments.
Correlating across all of these is what separates detection that works from detection that generates tickets. An MDR provider handles the integration. Building that coverage internally is a serious project.
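The cross-source correlation described above, as an added example that is not part of the original post and not TSO's pipeline. Three constructed feeds stand in for identity (SSO sign-ins), endpoint (EDR process events) and network (DNS queries). Each detector on its own is a ticket generator; the correlator only raises an alert when signals from at least two sources land on the same host inside a short window. Every user name, hostname, domain, timestamp and the baseline domain list is constructed for the example.

```python
"""Cross-source correlation over constructed telemetry (added example, not TSO code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2025, 3, 3, 8, 0)  # constructed base timestamp

# --- constructed sample telemetry (all values invented for this example) -----
# identity: (timestamp, user, sign-in source country, host the session was granted to)
SIGNINS = [
    (T0,                          "a.peeters", "BE", "WS-0412"),
    (T0 + timedelta(minutes=20),  "a.peeters", "US", "WS-0412"),  # other continent, 20 min later
    (T0 + timedelta(minutes=5),   "j.claes",   "BE", "WS-0077"),
    (T0 + timedelta(hours=3),     "j.claes",   "NL", "WS-0077"),  # 3 h apart: plausible travel/VPN
]
# endpoint: (timestamp, host, user, parent process, child process)
PROCESSES = [
    (T0 + timedelta(minutes=26),          "WS-0412", "a.peeters", "WINWORD.EXE",  "powershell.exe"),
    (T0 + timedelta(minutes=30),          "WS-0077", "j.claes",   "explorer.exe", "chrome.exe"),
    (T0 + timedelta(hours=3, minutes=10), "WS-0077", "j.claes",   "explorer.exe", "powershell.exe"),
]
# network: (timestamp, host, queried domain)
DNS = [
    (T0 + timedelta(minutes=27), "WS-0412", "cdn-update-7f3a.example"),  # never seen in baseline
    (T0 + timedelta(minutes=31), "WS-0077", "login.microsoftonline.com"),
]
# domains observed during the (constructed) baselining period
BASELINE_DOMAINS = {"login.microsoftonline.com", "update.example.com"}

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass
class Signal:
    source: str          # "identity" | "endpoint" | "network"
    ts: datetime
    user: Optional[str]  # DNS logs carry no user, so this may be None
    host: Optional[str]
    detail: str


def identity_signals(signins, window=timedelta(hours=1)):
    """Impossible travel: the same user signs in from two countries within `window`."""
    by_user = defaultdict(list)
    for ts, user, country, host in signins:
        by_user[user].append((ts, country, host))
    out = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, _), (t2, c2, h2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= window:
                out.append(Signal("identity", t2, user, h2, f"impossible travel {c1}->{c2} in {t2 - t1}"))
    return out


def endpoint_signals(processes):
    """An Office application spawning a scripting host."""
    return [Signal("endpoint", ts, user, host, f"{parent} -> {child}")
            for ts, host, user, parent, child in processes
            if parent.upper() in OFFICE_APPS and child.lower() in SCRIPT_HOSTS]


def network_signals(dns, baseline):
    """A DNS query for a domain that never appeared during baselining."""
    return [Signal("network", ts, None, host, f"new domain {domain}")
            for ts, host, domain in dns if domain not in baseline]


def correlate(signals, window=timedelta(minutes=15), min_sources=2):
    """Cluster signals per host inside `window`; alert only when distinct sources agree."""
    by_host = defaultdict(list)
    for s in signals:
        by_host[s.host].append(s)
    alerts = []
    for host, sigs in by_host.items():
        sigs.sort(key=lambda s: s.ts)
        for i, anchor in enumerate(sigs):
            cluster = [s for s in sigs[i:] if s.ts - anchor.ts <= window]
            sources = {s.source for s in cluster}
            if len(sources) >= min_sources:
                user = next((s.user for s in cluster if s.user), None)
                alerts.append({"host": host, "user": user, "sources": sorted(sources),
                               "evidence": [s.detail for s in cluster]})
                break  # one alert per host per window
    return alerts


def run():
    """Run all three detectors over the constructed feeds and correlate the result."""
    signals = (identity_signals(SIGNINS) + endpoint_signals(PROCESSES)
               + network_signals(DNS, BASELINE_DOMAINS))
    return correlate(signals)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run alone, the network detector produces a single "new domain" hit that `correlate` discards because only one source saw it; once the impossible-travel sign-in and the Office-to-PowerShell chain on the same host fall inside the same fifteen-minute window, the three signals become one alert carrying all of the evidence. The window, the source threshold and the baseline list are exactly the knobs an onboarding baselining phase tunes per environment.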
Scaling. An internal SOC scales by hiring. MDR scales by configuration. New office, new cloud tenant, new log source: operational change versus recruiting decision.
When an in-house SOC does make sense
Not everyone should outsource. A few situations where building your own SOC is reasonable:
- Your regulator requires internal security operations (some sectors, some jurisdictions)
- Your tech stack is so specialized that only your own people understand it well enough to monitor
- You are large enough to fund it, staff it, and offer career paths that retain people
- You already have a mature security team and want to bring monitoring closer to operations
For the rest, and that is the majority of mid-sized businesses, the math points to MDR or a hybrid model.
The hybrid option: co-managed SOC
It is not strictly a choice between building everything yourself or handing it all to an external provider. There is a middle ground that works well for organisations with some internal security capability but not enough to run 24/7 operations alone.
In a co-managed or hybrid SOC model, your internal team keeps strategic control: they own detection rules, handle Tier 3 investigations, and make remediation decisions. The external MDR provider handles the around-the-clock monitoring, Tier 1 and Tier 2 triage, log management, and threat hunting. Both sides work from the same tooling and share visibility into the same alerts and investigations.
This model makes sense when you already have a small security team that knows your environment well but cannot realistically cover nights, weekends, and holidays. It also works when your organisation has regulatory or operational reasons to keep incident response decisions internal while still needing external detection capability.
At TSO, co-managed engagements follow the same onboarding and telemetry coverage as our fully managed MDR service. The difference is in how we split responsibilities with your team. We adapt to your operating model rather than forcing a one-size-fits-all approach.
NIS2 and DORA: why compliance is pushing businesses toward SOC and MDR
Two EU regulations are making security operations a legal requirement for a growing number of organisations, not just a best practice.
NIS2 (Network and Information Security Directive 2) applies to essential and important entities across sectors including energy, healthcare, transport, digital infrastructure, and public administration. It requires continuous security monitoring, risk management, and incident reporting within 24 hours of detection. If your organisation falls under NIS2 scope, you need the detection and response capability to spot incidents fast enough to meet that reporting window. A SOC or MDR service is the most practical way to achieve that.
DORA (Digital Operational Resilience Act) targets financial entities and their ICT service providers. It has been fully in force since January 2025 and requires operational resilience testing, ICT risk management, and incident reporting. In Belgium specifically, financial sector entities fall under DORA rather than the national NIS2 law, with oversight from the National Bank of Belgium.
Both frameworks demand capabilities that map directly to what a SOC or MDR provider delivers: 24/7 threat detection, structured incident response, evidence preservation for regulatory reporting, and documented security processes. Trying to satisfy NIS2 or DORA requirements without dedicated security operations is a compliance gap waiting to become a finding.
For organisations subject to both frameworks, or unsure which applies, a well-structured MDR engagement covers the operational security requirements of both NIS2 and DORA while leaving your team free to focus on the governance and reporting side.
What to look for in an MDR provider
Ask these questions when you are evaluating options:
Do they actually respond, or just detect? Some providers call themselves MDR and then escalate everything to your team. That is an MSSP in a nicer wrapper. The “R” is what you are paying for.
Can they explain how they hunt? If a provider cannot walk you through their detection engineering process or tell you what frameworks they use, they are probably running default vendor rules and hoping for the best.
What do they monitor, and can they work with what you already have? Endpoint only is not enough. You want correlation across endpoints, network, identity, cloud, and email. A good MDR provider should also be able to layer onto your existing tooling. If you already run NDR or have cloud security in place, they should integrate with it rather than ripping it out.
Do they understand your industry? Threats relevant to a Belgian logistics company look different from threats hitting a Dutch financial institution. Generic threat intelligence is barely better than none.
How does onboarding work? The first month should be about learning your environment and tuning detection to reduce noise. If they start sending you every raw alert on day one, that is a bad sign.
How TSO does MDR
We built our MDR service on the same offensive expertise behind our penetration testing and red team work. The people defending your environment know how attackers actually operate because they do the same thing for a living on the offensive side.
What that looks like in practice:
We run 24/7 monitoring with human analysts, not a ticketing queue. We deploy EDR across your infrastructure and tune the detection logic to your specific environment because generic rules generate noise, not actionable alerts. We manage your SIEM: log aggregation, correlation rules, ongoing optimization. We run monthly threat hunts based on MITRE ATT&CK techniques and intelligence relevant to your sector. When we find something real, we respond. Containment, investigation, evidence preservation, and remediation guidance are all part of the engagement, not a separate line item. And we run quarterly reviews to make sure the program is evolving with your business.
Onboarding typically runs six to ten weeks depending on the number of telemetry layers and the complexity of your environment: sensor deployment, log source integration, baselining, and detection tuning. After that, full monitoring kicks in.
We cover endpoint, network, identity, cloud, and email telemetry. Everything flows into a single detection pipeline where correlation happens across sources.
Common questions
What is the best SOC service for a mid-sized business?
For most mid-sized businesses, outsourced MDR delivers better outcomes than an internal SOC at a lower price point. The talent shortage in Belgium and Europe makes 24/7 SOC staffing impractical unless you have a very large budget.
What is the best MDR service?
It depends on your needs, but here is what matters: human analysts working 24/7, actual response capability (not just alerting), telemetry across endpoints, network, identity, and cloud, regular threat hunting, and transparent reporting. At TSO we cover all of this, with the added angle that our analysts do offensive security work too, which makes them better at spotting attacker behavior.
Should I build a SOC or outsource?
Unless you can commit upwards of €1.5 million per year and realistically hire and retain twelve or more security professionals across shifts, outsourcing is the practical choice.
MDR vs MSSP: what is the difference?
An MSSP monitors and escalates. An MDR provider monitors, investigates, and responds. When an MDR provider confirms a threat, they contain it. An MSSP sends you a ticket.
What telemetry does MDR cover?
Endpoint (via EDR), network (NetFlow, DNS, proxy logs), identity (Active Directory, Entra ID, SSO), cloud (M365, AWS, Azure), and email. Correlating across all of those sources is what makes detection work.
How long does onboarding take?
Typically six to ten weeks at TSO, depending on how many telemetry layers need baselining and the complexity of your environment. The process covers sensor deployment, log integration, environment baselining, and detection tuning. Then full 24/7 monitoring starts.
What is a co-managed or hybrid SOC?
A co-managed SOC splits responsibilities between your internal team and an external MDR provider. Your team keeps strategic control, detection rule ownership, and Tier 3 investigations. The provider handles 24/7 monitoring, Tier 1 and 2 triage, and threat hunting. It is a good fit for organisations that have some security staff but cannot cover around-the-clock operations alone.
Does MDR help with NIS2 or DORA compliance?
Yes. Both NIS2 and DORA require continuous security monitoring, incident detection, and structured incident reporting. NIS2 mandates a 24-hour initial notification window after detecting a significant incident. DORA requires operational resilience testing and ICT risk management for financial entities. An MDR service provides the 24/7 detection, incident response, and evidence preservation needed to meet these requirements. It does not replace your governance and reporting obligations, but it covers the operational security side.
Does MDR replace my IT team?
No. MDR handles threat detection and response. Your IT team still runs your infrastructure and supports your users. MDR adds specialized security operations on top.
What certifications should an MDR provider’s team have?
On the offensive side, look for OSCP, OSCE, CRTO, and CRTL. These certifications mean the team understands how attackers operate, which directly improves detection quality.
On the defensive side, SANS GIAC certifications are the industry standard for SOC and blue team work. The ones that matter most for MDR operations:
- GCIH (GIAC Certified Incident Handler) — hands-on investigation and containment using attacker techniques and IR frameworks. The core cert for anyone doing SOC triage and incident response.
- GCIA (GIAC Certified Intrusion Analyst) — network traffic analysis, IDS configuration and monitoring, protocol forensics. Critical for analysts working with network telemetry.
- GCFA (GIAC Certified Forensic Analyst) — advanced digital forensics, memory forensics, threat hunting, and APT investigation. For the deeper investigations when a breach is confirmed.
- GMON (GIAC Continuous Monitoring) — building, tuning, and operating detection across SIEM, endpoint, and network. Essentially the “defensible architecture” certification.
Outside SANS, the Blue Team Level certifications from Security Blue Team are worth looking for:
- BTL1 (Blue Team Level 1) — practical defensive cert covering phishing analysis, threat intelligence, SIEM investigation, digital forensics, and incident response. The exam is a 24-hour hands-on incident simulation, not multiple choice.
- BTL2 (Blue Team Level 2) — advanced defensive skills in vulnerability management, malware analysis, adversary emulation, and threat hunting. The exam requires a 72-hour practical assessment with a written report.
A provider whose analysts hold a mix of offensive and defensive certifications is better positioned to catch real threats. Attack experience tells you what to look for. Defensive training tells you how to find it at scale.
Where to go from here
Ask yourself three questions. Do we have 24/7 monitoring right now? Could we detect an attacker moving laterally through our network? Do we have a plan for containing an active breach?
If you answered no to any of those, you have a gap. MDR is the fastest way to close it for most organisations.
Get in touch with Tailored Security Operations at info@tailoredsecops.eu or call +32 487 73 83 07 and we will walk through what coverage looks like for your environment.