Cost Analysis for building a SOC in 2025 in the UK (Small, Mid-sized, Enterprise)
Building and operating a 24×7 Security Operations Centre (SOC) in-house is resource-intensive. It requires substantial technology investments, a team of skilled personnel, rigorous compliance measures, and ongoing infrastructure/operational support. Below is a detailed breakdown of expected costs in the UK for small, mid-sized, and enterprise businesses, including GBP and EUR estimates, with insights on optimising spending.
Technology Costs (SIEM, EDR/XDR, SOAR, Hosting, Integrations)
A SOC’s technology stack typically includes a SIEM for log management and correlation, endpoint detection/response (EDR) or extended detection/response (XDR) agents, SOAR for automation, cloud hosting or on-prem servers, and various integrations (firewalls, cloud services, etc.). Costs can vary widely depending on whether you use open-source solutions or commercial platforms:
- Open-Source Stack (e.g. Wazuh) – Wazuh offers a unified open-source SIEM/XDR platform with no licensing fees. This makes it attractive for cost-conscious organisations, but in-house hosting and support still incur costs. You’ll need to provision servers (on-premise or cloud VMs) to run Wazuh and its Elastic stack (for log storage/search). For a small setup, this might mean a single cloud VM and storage (perhaps £5k–£15k (~€6k–€18k) per year in cloud costs). Larger deployments require multiple servers or cloud instances, with costs scaling into the tens of thousands of pounds. Although the software is free, implementation and maintenance demand IT effort or paid support. (Enterprise support for Wazuh is optional; otherwise, rely on community support.) The upside is that there is no vendor lock-in and there is flexibility to integrate various data sources without per-byte fees.
- Microsoft Stack (Azure Sentinel & Defender) – Microsoft’s ecosystem primarily provides cloud-native SIEM and XDR capabilities on a pay-as-you-go model. Azure Sentinel (Microsoft Sentinel) is a cloud SIEM charged by data ingestion volume. Pricing starts around $2–5 per GB of logs ingested. In practice, annual Sentinel costs range from tens of thousands (for small businesses) up to millions (for large enterprises), depending on how much log data you send and retain. For example, a company ingesting ~1000 GB/day of logs could spend well over $1M/year on Sentinel, whereas a small business with modest log volume might spend £20k–£50k (~€23k–€58k) per year. Microsoft Defender for Endpoint (EDR) is licensed per endpoint: around £4–£5 per device per month (≈£50–£60/year) for the full P2 version. This is often included in Microsoft 365 E5 licenses, which can be a cost-saver if the business already uses E5. A small company with 100 endpoints might pay ~£5k/year for Defender, while an enterprise with 5,000 endpoints would budget ~£250k/year just for endpoint protection. The Microsoft stack benefits from native integration (Azure AD and Office 365 logs are ingested free into Sentinel), but data overage and long retention (beyond 90 days) incur extra fees.
- Commercial SIEM/EDR Solutions – Many mid-to-large SOCs use commercial tools like Splunk, QRadar, CrowdStrike, or Palo Alto Cortex XDR. These tend to be premium-priced:
- SIEM Licensing: Traditional SIEMs often charge by daily ingest volume. For instance, Splunk pricing starts around $1,800 per year per 1 GB/day of data ingested. If you ingest 10 GB/day, you’re looking at ~$18k/yr; at 100 GB/day, costs escalate toward ~$180k+, often with tiered discounts. One estimate found that a 500 GB/day Splunk deployment could cost $400k–$800k annually. Similarly, an enterprise SIEM deployment can exceed £15 million a year for a large organisation, and even a more modest 100–1000 seat SIEM can run over £10k per month in operating costs. These figures underscore how quickly costs grow with data volume.
- Endpoint Security: Leading EDR/XDR platforms like CrowdStrike Falcon or Palo Alto Cortex XDR charge per endpoint/year. CrowdStrike, for example, starts around $60 per endpoint annually for small businesses (and about $100 for enterprises) – roughly £50–£80 in UK terms per device/year. Thus, 200 endpoints might be ~£10k–£16k/year. These solutions often boast advanced threat detection, but their licensing can significantly add to SOC budgets.
- SOAR and Integrations: Automation platforms (Splunk Phantom, Palo Alto XSOAR, etc.) may be bundled with SIEM or sold separately. Costs vary: some charge by number of playbooks or events per minute. A mid-market SOAR might cost £20k–£50k (~€23k–€58k) annually, though some vendors include basic automation in the SIEM price. Open-source alternatives (Shuffle, StackStorm, etc.) can reduce licensing costs but require engineering effort to implement. Don’t forget integration efforts: connecting cloud logs, threat intelligence feeds, and on-prem systems might require professional services or internal developer time. This one-time integration/setup cost for a new SOC could be several thousand pounds (or more if the environment is complex).
- Cloud Hosting vs On-Prem Hardware: Wherever your tools run, there’s a cost. Cloud infrastructure is OPEX: e.g. an Azure VM for a SIEM collector or Wazuh server might be £100–£300/month each, plus storage costs for logs (Azure Log Analytics or S3 storage, etc.). A 1000-person company might ingest ~155 GB of logs daily and spend about £10k/month on cloud processing/storage for that data. Smaller firms with 10–20 GB/day could see cloud costs around £1k–£2k/month for log storage and analysis. Conversely, on-premises hardware is a CAPEX cost: a decent logging server cluster and storage could easily be £50k+ upfront for a mid-size environment, plus power/cooling and refresh every few years. Many SMEs avoid that capital expense by leveraging cloud-hosted SIEM/SOAR solutions. Network costs (bandwidth for log shipping) are usually minor unless you move substantial data volumes or need dedicated links.
Cost-Saving Tech Strategies
Small businesses often lean toward open-source or lower-cost cloud services to avoid hefty licenses. For instance, using Wazuh (free) with cloud storage capped for critical logs can slash SIEM licensing expenses. Also, carefully tuning which logs you collect is crucial – not every log source is equally valuable. Reducing log volume (e.g. filtering noisy events) directly cuts SIEM costs. Commitment-tier pricing (in Azure Sentinel or Splunk volume licenses) can lower per-GB rates if your volume is predictable. Finally, leveraging existing platforms – e.g. if you already have Microsoft 365 E5, use the included Defender XDR – can avoid paying twice for similar capabilities.
Staffing Costs (Analysts, Responders, Hunters, OffSec, Management)
People are often the most significant SOC expense. A proper 24×7×365 operation requires multiple shifts of analysts and additional specialists for depth. Below are typical UK salary ranges (per year) for key SOC roles, with GBP and EUR (approx.):
- Level 1–2 SOC Analysts: These frontline defenders monitor alerts and handle routine incidents. In the UK, junior analysts (Tier 1) earn around £25k–£35k (€29k–€41k) at entry level, while more experienced Tier 2 analysts earn about £30k–£50k. The average SOC analyst base pay is reported to be around £33k–£47k, depending on the source. In practice, many SOC analysts fall roughly in the £30k–£45k (~€35k–€52k) range. Small businesses might hire relatively junior analysts in the £25k–£30k bracket to save costs, whereas enterprise SOCs often have senior analysts (Tier 3) making £60k–£80k (€70k–€94k) for their expertise.
- Incident Responders (CSIRT members): These specialists investigate and contain serious incidents. In the UK, an Incident Response Analyst or Responder typically earns around £45k–£60k (~€53k–€70k) for mid-level experience. Median salaries hover at £50k. Senior incident responders or IR team leads can reach £65k–£80k (€76k–€94k) in larger organisations, especially in London. Smaller companies might not have a dedicated full-time responder; often, a senior analyst doubles in that role.
- Threat Hunters: Proactively hunting threats requires seasoned analysts with expertise in threat intel and anomaly detection. Threat hunter roles in the UK average about £45k–£70k (~€53k–€82k), depending on experience. Some senior threat hunters (or “Threat Intelligence Analysts”) command salaries in the £70k+ range if they bring highly specialised skills (malware analysis, etc.). Many mid-sized firms might incorporate hunting duties into senior analyst roles rather than separate positions to save costs.
- Offensive Security Specialists (Penetration Testers/Red Team): Internal “red team” staff who simulate attacks or test defences usually earn £40k–£65k (€47k–€76k) mid-career, with senior ethical hackers reaching £80k–£90k (€94k–€105k) at the high end. Junior pentesters can start around £25k–£30k (~€29k–€35k). Small businesses typically do not employ a full-time offensive specialist due to cost – they might contract external pen-testers periodically instead. However, enterprises often maintain an in-house red team (2–5 people) to continuously probe their defences.
- SOC Management: Oversight roles include SOC Manager, Security Operations Lead, or even a Cybersecurity Director over the SOC. A dedicated SOC Manager in the UK commands roughly £60k–£100k (~€70k–€117k) annually, with some variation by region and company size. (Recruiting firm data shows SOC Manager salaries are commonly in the £80k–£100k range for London and large enterprises.) Above that, a Head of Security Operations or Director might earn £120k+ in large corporates. In a small business, a separate SOC Manager may not exist – often, the IT Manager or CISO doubles as SOC lead. In a mid-sized firm, you might have a SOC Team Lead or Manager around £60k–£80k. Enterprises will have one or more managers (e.g. shift leads under a head of SOC).
24×7 Coverage Staffing: To genuinely staff 24/7/365, you need enough analysts to cover night shifts and weekends and allow for time off. The mathematical minimum is five analysts for one person per shift across 24/7 (4.2 to cover shifts, rounded up, plus allowance for holidays/illness). In reality, most operations use a rotation of 6–8 analysts to reduce burnout. This means even a “small” 24/7 SOC cannot be run by just one or two people – you must budget for multiple salaries. For example, if each analyst is ~£40k, five cost ~£200k. Indeed, one estimate pegs a minimal 24/7 in-house team at around £300,000 per year in salary costs for a small business (covering ~5 analysts of mixed experience).
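As an added example that is not part of the original article, the following Python model works through the 24×7 staffing arithmetic above and generalises it to any number of seats per shift, a configurable working week, and a leave/sickness allowance. The holiday, bank holiday and sick-day figures are assumed illustrations, not numbers from the article.

```python
"""Added example: 24x7 SOC shift-coverage and salary model (not from the original article).

A seat that must be staffed around the clock needs 24 * 7 = 168 staffed hours per week.
Dividing by a 40-hour working week gives 4.2 FTE; covering holidays and sickness pushes
the rounded figure to 5, which is the 'five analysts minimum' the article cites.
"""
import math
from typing import Optional

HOURS_PER_WEEK_247 = 24 * 7  # 168 hours each seat must be staffed per week


def raw_fte(seats: int, hours_per_fte: float = 40.0) -> float:
    """FTE needed to fill `seats` around the clock, ignoring leave and sickness."""
    return seats * HOURS_PER_WEEK_247 / hours_per_fte


def leave_fraction(holiday_days: int = 25, bank_holidays: int = 8, sick_days: int = 5,
                   working_days: int = 260) -> float:
    """Share of the working year an analyst is unavailable.

    The default allowances are assumed, UK-style values used for illustration only.
    """
    return (holiday_days + bank_holidays + sick_days) / working_days


def required_fte(seats: int, hours_per_fte: float = 40.0,
                 unavailable: Optional[float] = None) -> float:
    """FTE needed once unavailable time is covered by the remaining rota members."""
    if unavailable is None:
        unavailable = leave_fraction()
    return raw_fte(seats, hours_per_fte) / (1.0 - unavailable)


def headcount(seats: int, **kwargs) -> int:
    """Round up: you cannot employ a fraction of an analyst."""
    return math.ceil(required_fte(seats, **kwargs))


def annual_staff_cost(seats: int, salary_gbp: float, on_cost: float = 0.0, **kwargs) -> float:
    """Annual salary bill for the rota.

    `on_cost` is the fraction added for employer contributions (NI, pension, etc.);
    it defaults to 0 so the base case matches the article's '5 x GBP 40k = GBP 200k'.
    """
    return headcount(seats, **kwargs) * salary_gbp * (1.0 + on_cost)


if __name__ == "__main__":
    for seats in (1, 2):
        print(f"{seats} seat(s) per shift: raw {raw_fte(seats):.1f} FTE, "
              f"{required_fte(seats):.2f} FTE with leave allowance, hire {headcount(seats)}")
    print(f"1 seat at GBP 40k per analyst: GBP {annual_staff_cost(1, 40_000):,.0f}/year")
```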
Staffing by Business Size
- Small Business SOC: likely 2–5 people total. E.g. 2–3 junior analysts covering business hours, with on-call arrangements after hours (or outsourcing overnight monitoring). They might share incident response duties. A small company’s SOC staff budget might be £150k–£300k (~€175k–€350k) annually. If 24/7 is required, expect at least the high end of that range (multiple shifts).
- Mid-Sized SOC: perhaps 5–15 people. For instance, eight analysts (2 per shift for 24/7), 1–2 senior incident responders, one threat hunter, and one manager. This could sum to ~10 FTEs. Using mid-range salaries (analysts ~£40k, seniors ~£60k, manager £80k), staffing cost would be on the order of £500k–£800k (~€585k–€940k) per year.
- Enterprise SOC: often 20+ team members. A full roster might include 12–15 analysts across three shifts, a dedicated incident response team (3–5 people), 2–3 threat hunters, a couple of threat intel analysts, a 2–5 person red team, and management (SOC manager plus senior security leadership). This could be ~20–30+ people. If we average ~£65k per person (mix of mid-level and senior roles), that’s ~£1.3M for 20 people, and it could easily reach £2M+ (~€2.3M+) annually with a larger headcount. In practice, large financial institutions spend millions on SOC staff. (Note: Many UK enterprises struggling to hire may augment with contractors or managed services for 24/7 coverage.)
Training & Turnover
Salary isn’t the only cost; training is essential to keeping skills current – budget several thousand pounds per analyst annually for training, certifications, and conferences. Also, consider the retention challenge – SOC work can be high-stress (alert fatigue, night shifts). Replacing an experienced analyst has recruitment costs and ramp-up time. These soft costs mean investing in your team (career progression, avoiding burnout) can save money long-term.
Compliance Considerations (ISO 27001, GDPR, DORA)
Adhering to security and data protection compliance frameworks is critical to SOC operations, especially in the UK and EU regulatory environment. Compliance efforts come with their costs for certification, audits, and governance:
- ISO/IEC 27001 (Information Security Management) – Achieving ISO 27001 certification for your SOC (or overall IT) is a common goal to demonstrate security maturity. Certification involves:
- Developing an Information Security Management System (policies, procedures, risk assessments) – often done with the help of a consultant or significant internal effort.
- Initial certification audit by an accredited body and annual surveillance audits to maintain certification.
Cost: For small to medium-sized companies, an ISO 27001 certification audit can cost up to £25,000 (one-time for the audit process). This is just the audit; additionally, consultants may charge £400–£1,000 per day to help prepare for certification, which could total another £5k–£15k for a small firm, depending on the scope. A typical UK small business might spend £8k–£15k to get certified. Larger organisations (multiple sites, complex scope) face higher audit fees – £50,000+ is not uncommon for a big enterprise’s ISO 27001 audit. On top of that, maintaining certification has ongoing costs: surveillance audits (usually smaller annual audits) and time spent updating documentation. You might budget £5k–£10k per year for ISO maintenance in an SME (including internal compliance officer time) and more like £20k+ annually in a large enterprise (with dedicated compliance staff). Despite the cost, ISO 27001 compliance can streamline security processes and is often required to do business with specific clients, so many view it as a necessary investment.
- GDPR (General Data Protection Regulation) – While not a security standard per se, GDPR imposes strict requirements on protecting personal data. A SOC must incorporate GDPR considerations (e.g. processes for breach notification within 72 hours, data handling procedures for logs containing personal data, etc.). Costs for GDPR compliance are often rolled into overall security/privacy budgets. For a small business, this might involve legal consultations, policy updates, and perhaps appointing a part-time Data Protection Officer (or at least training an existing employee for that role). Many businesses spent tens of thousands in initial compliance efforts when GDPR took effect. Ongoing costs include data protection training for staff, privacy impact assessments, and possibly privacy management software. Large enterprises globally report spending over $1 million annually on maintaining GDPR compliance. One study found that GDPR compliance costs typically ranged from $1.7 million (£1.3M) per year for SMEs to $70 million (£54M) for large enterprises. A mid-sized UK business likely won’t hit those extremes. Still, it could reasonably allocate £50k–£200k+ per year for a privacy programme (including at least one full-time compliance/privacy officer, tools for managing data subject requests, periodic audits, etc.). The cost of non-compliance is also high – fines can be up to 4% of global turnover or €20 million (whichever is higher), so investing in GDPR measures is a prudent cost-avoidance strategy. Actionable insight: for smaller companies, leveraging free guidance (e.g. ICO templates) and perhaps sharing a Data Protection Officer resource across companies can control costs, whereas enterprises often integrate GDPR compliance into their broader governance, risk and compliance (GRC) framework for efficiency.
- DORA (Digital Operational Resilience Act) – DORA is an EU regulation (effective Jan 2025) focusing on cybersecurity and operational resilience for financial sector organisations and their critical ICT service providers. UK-based businesses that operate in EU financial markets or serve EU financial institutions will fall under DORA. Compliance entails robust incident reporting, risk management, testing (like threat-led penetration tests), and ensuring third-party providers (like cloud/SaaS used in the SOC) also meet resilience standards. Cost impact: DORA compliance is expected to be significant for those in its scope. Recent research found ~47% of UK and EU financial organisations have spent over €1 million to meet DORA requirements. Much of this cost is in strengthening systems, conducting gap assessments, and increasing staff for compliance oversight. A bank or large fintech might need to hire additional risk and compliance roles for DORA and engage auditors or firms to run operational resilience testing – easily hundreds of thousands per year in new expenditure. Smaller financial firms will have lower absolute costs but still need to allocate a budget for policy updates, external audit/certification of their resilience, and possibly upgrades to technology to log and report incidents as DORA mandates. If your business is not in the financial sector, DORA may not apply directly. Still, its principles (improving cyber resilience) are good practice and may become more common in industry regulations. Be sure to factor in any sector-specific compliance too: e.g. PCI-DSS for payment data (if applicable) or the NIS2 directive if you operate critical infrastructure – each carries its own cost for audits, tools, and processes.
In summary, compliance costs for a SOC include one-time setup costs (gap analyses, initial certifications) and ongoing costs (audits, staff time, and toolsets for compliance). For a small business, you might spend on the order of £5k–£20k (~€6k–€23k) in a year on various compliance activities (perhaps an ISO 27001 audit and some GDPR consultancy). A mid-sized company could see £20k–£50k (~€23k–€58k) yearly in compliance overhead (multiple audits, a compliance officer’s salary fraction, training, etc.). Enterprises often have whole compliance departments – easily six- to seven-figure annual budgets ensuring continuous adherence to ISO, GDPR, DORA and more. While these costs don’t directly improve security operations, they are crucial for avoiding legal penalties and building customer trust.
Infrastructure and Operational Costs (Facilities, Utilities, Training, Maintenance)
Beyond tools and people, running a SOC has practical operational expenses:
- Physical Space: If you maintain a dedicated SOC room or office, consider rent and facilities costs. A small company may not need a separate space – analysts could sit with IT or work remotely – incurring minimal additional cost. However, a mid-sized company or enterprise often provisions a secure SOC facility (an access-controlled room with monitors covering security dashboards 24/7). The cost of office space in the UK varies by location; in London, a desk can cost several hundred pounds a month. A compact SOC room for a 5-person team might be 300 sq. ft. At £50–£70 per sq ft/year (estimates), that’s ~£15k–£21k yearly in rent. Add furniture and large display screens for monitoring (one-time setup, perhaps £5k–£10k). For an enterprise SOC with 24/7 staff on-site, you might also invest in ergonomic seating (for long shifts) and maybe soundproofing or backup power (UPS/generator) for that room. Physical security (badge readers, CCTV) may also be needed to meet compliance, adding a few thousand. Cost-saving tip: Some companies opt for a “virtual SOC” with analysts working remotely or on-call, saving on dedicated office space. This shifts cost toward secure remote access and collaboration tools, which is relatively minor compared to renting space.
- Utilities and Equipment: Running a SOC 24/7 means PCs, monitors, and lights are on around the clock. Power consumption for a handful of workstations and screens is not massive (perhaps a few hundred watts each). The annual electricity cost for 5 PCs and monitors might be a few hundred pounds. More significant is if you host servers on-site for your SIEM – powering and cooling a server rack can be a few thousand pounds per year. If the SOC relies on cloud services, utilities are mostly just the office electronics. Internet connectivity should be robust (maybe a redundant connection for reliability). Many enterprises will allocate a portion of their IT networking cost to the SOC to ensure it stays online. For estimation, small and mid-sized orgs might count utilities as £1k–£5k (~€1.2k–€5.8k) in the SOC budget (often rolled into general overhead). Enterprises with larger data centres or a 24/7 building presence could attribute £10k+ in power/HVAC to the SOC and its equipment.
- IT Infrastructure Maintenance: Beyond initial tech purchase, budget for ongoing maintenance and subscriptions:
- Software Maintenance: Annual support renewals for commercial software (~15–20% of license cost typically) – e.g. if you spent £200k on a SIEM license, maintenance might be £40k/year (often includes updates and vendor support). Open-source tools avoid license fees, but you might purchase support contracts or managed services (e.g. an ELK support subscription or a managed rules feed) for reliability.
- Hardware Refresh: Servers, storage, and networking gear supporting the SOC (if on-prem) need replacement every 3–5 years. Amortise this cost into an annual figure. For example, £60k of hardware with a 4-year lifespan is £15k/year depreciation. Similarly, if analysts have specialised high-performance machines, those might be refreshed every 3 years (a £1.5k laptop amortises to £500/year each).
- Routine Ops: This includes keeping SIEM indexes healthy (archiving old logs to cheaper storage), applying patches and updates to SOC tools, and general admin tasks. Often, this is covered by the SOC engineering staff (or DevOps/IT), but if not, you might contract for managed services. For instance, a managed Elastic Stack support could be £10k–£20k/year if using Wazuh/ELK stack via a third party.
Small businesses might spend only a few thousand per year on maintenance (essentially cloud subscriptions and some outsourced IT support). Mid-sized firms should expect perhaps £20k–£50k (~€23k–€58k) in various maintenance contracts or equipment depreciation. Large enterprises can see £100k+ annually in maintenance and infrastructure upkeep, especially if running significant on-prem infrastructure for the SOC.
- Training & Certification: SOC staff need continuous training for skills development and compliance requirements (e.g., ISO 27001 mandates competence, GDPR requires awareness training). Industry certifications (CISSP, GIAC, etc.) and technical courses are pricey: a single SANS training course can cost ~£5k. Allocate a training budget per employee (perhaps £2k–£5k each per year for mid-sized and large organisations). Small businesses with tighter budgets may rely on cheaper training options (online platforms, vendor-free resources) – maybe £500–£1k per person per year. Still, neglecting training can lead to skill gaps. As threats evolve, this is a necessary operational cost. For compliance, such as DORA (financial sector), specific operational resilience training might also be needed.
- Incidental and Overhead: Don’t forget things like on-call pay (if you have an on-call rotation for off-hours, you might pay a stipend to analysts for carrying the pager), overtime or shift differentials (24/7 staffing might warrant a higher pay rate for night shifts), and employee wellness (to mitigate burnout from 24/7 work, some companies provide extra PTO or counselling – indirectly a cost). Also factor in the cost of incident response drills (time spent by staff in simulations) and external services like subscriptions to threat intelligence feeds or the UK’s CiSP network – some of which may have fees.
In summary, infrastructure/operational costs for a SOC can range from relatively minor for a small business (maybe £10k–£20k a year all-in for extra office, equipment, and training) to very significant in large enterprises (easily £200k+ when you include facility, hardware, support contracts, and training programs). One analysis noted that when building an in-house SOC, you must budget not just for tools and salaries but also the office space to house the team – which can push the price tag towards $3 million per year for a full-featured in-house SOC when all these factors add up. This emphasises how a “fully loaded” SOC is expensive and why many SMBs look to outsource some of these costs.
Cost Comparison Across Business Sizes
Bringing together the above elements, here is a structured comparison of expected SOC costs for a small, mid-sized, and enterprise-sized business. All figures are rough estimates assuming a 24×7 in-house SOC operation in the UK.
Small Business SOC (~50–100 employees)
- Technology: Open-source or low-cost tools are preferred to minimise spending. For example, Wazuh can be used for SIEM/XDR (free) on a cloud VM, plus maybe a basic EDR for endpoints. Estimated tech costs ~£20k–£50k (≈€23k–€58k) per year. This includes cloud hosting for logs, one or two security tool subscriptions if needed (e.g. endpoint AV/EDR), and incidentals. Choosing open-source saves licensing fees but still costs hosting and admin effort.
- Staffing: Minimal staff – perhaps 2–5 people covering the SOC functions. If aiming for true 24/7 coverage, at least five analysts are needed, which likely puts you at the higher end of the range. Salary cost roughly £200k–£300k (≈€234k–€350k) annually. In reality, many small firms won’t hire five full-timers just for SOC due to budget – instead, they might have one or two dedicated security analysts (£40k–£50k each) and augment with an on-call rota or an external MSSP for off-hours. If fully outsourcing 24/7 monitoring, note that entry-level managed SOC services can start around £15k/year for basic coverage, a fraction of the in-house cost (though with potentially limited scope).
- Compliance: Likely pursuing ISO 27001 certification to build customer trust and GDPR compliance if handling personal data. Budget perhaps ~£10k (≈€12k) in the first year (for an ISO audit and prep) and a few thousand annually after. GDPR compliance might be handled by existing staff at a minimal extra cost (perhaps with some legal consultation). Assume £5k–£15k total (~€6k–€18k) for compliance-related expenses in a year, including any small audits or policy tools.
- Infrastructure/Ops: Small businesses often leverage existing office space and IT infrastructure. You might not need a dedicated SOC room – a couple of desks in the IT area suffice (negligible extra rent). Equipment costs might include an additional monitor for each analyst and a large screen for a central alert dashboard (£2k total). The training budget might be modest (e.g. £1k–£2k per person). All in, operational overhead could be £5k–£15k (~€6k–€18k) per year for a small in-house SOC (mostly training, minor cloud fees, and device upkeep). If the team is remote, investment in secure laptops and home office stipends might replace office costs.
Total Estimated Annual Cost (Small Biz): Approximately £250k–£400k (≈€293k–€468k) per year for a 24×7 capable in-house SOC. The lower end assumes a lean team (or partly outsourced) with open-source tools; the upper end assumes hiring ~5 staff and more robust tooling. For many small organisations, this cost is prohibitive, which is why alternatives like SOC-as-a-service are attractive. Outsourcing can deliver 24/7 monitoring at a far lower price point (tens of thousands per year), albeit with trade-offs in control and customisation.
Cost-Saving Tips for Small SOCs: Use open-source tech, outsource what you can (even if just after-hours monitoring), and focus on monitoring the most critical systems to keep log volumes (and costs) manageable.
Mid-Sized Business SOC (~250–1000 employees)
- Technology: Likely a mix of open-source and commercial solutions. A mid-sized company has more logs and devices to manage, so it might use a cloud SIEM like Azure Sentinel or a mid-tier SIEM appliance with a manageable ingest volume. Tech spending might include SIEM subscription fees, endpoint security for a few hundred endpoints, and perhaps a threat intel feed or SOAR tool. Estimated £100k–£200k (≈€117k–€234k) per year in technology costs. For instance, ingesting 50 GB/day into Azure Sentinel could run around £5k/month (£60k/year), EDR for 500 endpoints at ~£50 each is £25k, and additional tools (SOAR, cloud security monitoring, etc.) could add tens of thousands. With smart choices (e.g. using Microsoft E5 security features already licensed or limiting log retention to 90 days to avoid extra fees), a mid-sized firm can stay toward the lower end. It could hit the higher end or beyond if it opts for a pricier SIEM like Splunk with high volumes.
- Staffing: A moderate team with some specialisation. Perhaps 5–10 analysts plus 1–3 senior/principal security staff. For 24/7, you might run two people per shift on weekdays and one per shift on nights/weekends, for example. Assume eight analysts (a mix of juniors at £35k and seniors at ~£50k, averaging ~£40k), plus one incident responder (£55k) and one SOC manager (~£80k). That totals around 8 × £40k + £55k + £80k = £455k. Adding benefits and training, it rounds to £500k–£600k. If the company is closer to the 1000-employee size, it might have an even larger team (10–15 people), pushing staffing costs to £700k+. So, a typical mid-sized SOC staffing cost range is £500k–£800k (≈€585k–€940k). To optimise, some mid-sized organisations use a follow-the-sun model (handing off monitoring to teams in other timezones within their company, if global) or outsource Level-1 monitoring to an MSSP, retaining a smaller in-house incident team. This hybrid approach can reduce the needed headcount.
- Compliance: By this size, ISO 27001 certification is usually in place or pursued, and rigorous GDPR processes are established. Also, additional frameworks (DORA, PCI, etc.) come into play if operating in finance or other regulated sectors. A mid-sized business could spend ~£20k/year on external audits and certifications (covering ISO audits, perhaps SOC 2 reports if they do those, etc.). They might have a dedicated compliance or security governance role on the payroll (say £50k) that partly counts toward the SOC’s cost. GDPR compliance might involve a part-time DPO or legal counsel retainer. All combined, £50k+ (≈€58k) annually is a reasonable ballpark for compliance overhead at this scale (not counting any fines or breach costs, of course). If DORA applies (for a mid-sized fintech, for example), compliance costs could spike for that specific requirement (one-off spending on upgrades plus ongoing testing/audit fees).
- Infrastructure/Ops: A mid-sized SOC might establish a small Security Operations room in the office for a handful of people per shift. Suppose they allocate an enclosed space for six workstations – the cost might be folded into the office lease, but let’s estimate £10k–£20k (≈€12k–€23k) yearly value for that space and utilities. Add maybe £10k for initial setup (workstations, large wall display, etc.) amortised over a few years. Cloud infrastructure and support contracts: perhaps ~£20k/year (if using some managed services or support for SIEM). Training budget: 10 staff at £3k each = £30k. Summing up, operational and infrastructure costs might be around £40k–£70k (≈€47k–€82k) per year for a mid-sized SOC. This covers the office needs, training, and upkeep of systems. Notably, if they self-host a lot of logging infrastructure, that figure could rise (due to hardware maintenance). Conversely, heavy use of cloud SOC platforms shifts cost into the “technology” category rather than infra.
Total Estimated Annual Cost (Mid-Sized): On the order of £700k–£1.0M (≈€820k–€1.17M) per year. This assumes a reasonably well-equipped SOC with 10 staff and a mix of tools. It could be lower (£500k–£600k) if the company limits scope or outsources parts, or higher (>£1M) if the environment is very complex (lots of logs, higher salaries in London, etc.). It is a significant investment, but mid-sized organisations face serious cyber threats and often decide that an in-house SOC is worth the cost compared to the potential impact of incidents.
Potential Savings for Mid-Sized SOCs: To control costs, mid-sized firms often use a co-managed SOC model, keeping a lean internal team and using an external provider for 24/7 monitoring or surge support. This can reduce the required headcount (and thus salary expense) while still providing around-the-clock eyes on glass. Optimising log ingestion (filtering out redundant data) and choosing multi-function platforms (e.g. a single licence that covers SIEM + SOAR) can prevent budget creep due to tool sprawl.
Enterprise SOC (1000+ employees, large-scale operations)
- Technology: Enterprises tend to invest in best-of-breed tools for comprehensive coverage, and the scale of data and systems is much larger. Expect a high-capacity SIEM (Splunk, IBM QRadar, or a large Azure Sentinel deployment) plus dedicated platforms for endpoint, network detection (NDR), cloud security, threat intel, case management, etc. For example, an enterprise might ingest hundreds of GB of logs daily. At ~155 GB/day, Azure Sentinel was estimated to be around £10k/month; many large enterprises go far beyond that volume. It’s not unusual for a big company to spend £500k–£1M+ annually on SIEM/SOC software and cloud costs. Add to that enterprise EDR licensing for tens of thousands of endpoints (10,000 endpoints * ~£50 each = £500k) and other tools (a SOAR platform license, maybe £100k; threat intel subscription, say £30k; brand monitoring, etc.). It’s easy to see technology expenses reaching £1M–£2M (≈€1.17M–€2.34M) per year for a large, fully equipped SOC. It’s even higher in some cases – enterprise SIEM deployments can exceed eight figures (£10M+) yearly for the largest, most data-intensive firms. The key drivers are data volume, user count, and the number of separate security solutions. Enterprises often negotiate agreements with vendors to bundle costs, but tech is a significant line item.
- Staffing: A large enterprise SOC features multiple teams and tiers. Having 20–50+ full-time staff dedicated to security operations and incident response across various roles would not be unusual. As an illustrative breakdown: 15–20 analysts (spread over three shifts, covering Tier 1/Tier 2 monitoring), 5–10 senior analysts/incident responders (Tier 3 and specialised responders for malware, forensics, etc.), 3–5 threat hunters, 3–5 in a threat intel cell, 3–5 red team members, and management (one or two SOC managers and perhaps a senior director over Cyber Defense). Let’s say 30 people averaging ~£60k = £1.8M, and another 5 very senior people averaging £90k = £450k, totalling ~£2.25M in salaries. Add benefits and training, and you’re looking at £2.5M–£3M (≈€2.9M–€3.5M) in annual personnel cost. This aligns with analyses that a competent 24×7 SOC will cost at least “a few million dollars” at the low end for a big organisation. The numbers can go higher for a global enterprise SOC if teams are distributed globally or if there are separate SOC units for regions/business units. However, many enterprises also distribute SOC functions: for example, Level-1 monitoring might be done by an offshore team or in a lower-cost centre, with higher-tier work in the UK. Such strategies can optimise cost while maintaining quality. Still, the skills shortage in cyber means top talent comes at a premium for enterprises, and retention is critical to avoid constantly retraining new hires.
- Compliance: Large businesses, especially in regulated industries, have significant compliance expenses. They will maintain ISO 27001 (and likely other certifications like ISO 22301 for business continuity, etc.), undergo regular audits (internal and external), and have dedicated compliance teams. GDPR compliance at this scale might involve a whole data privacy department – recall that surveys found big firms spending up to $70M (~£54M) for GDPR (though that likely includes infrastructure costs to meet data requirements). For the SOC specifically, compliance might include yearly certification reviews, continual policy management, and possibly external assessors for frameworks like SOC 2, NIST, or DORA regulation audits. It’s not unreasonable for an enterprise to spend £0.5M–£1M+ on security compliance and governance annually when you factor in personnel and audit fees. For example, DORA (if applicable) might require running advanced scenario tests – contracting a “red team simulation” across the enterprise could cost six figures alone. While these costs don’t all fall directly under the SOC budget, they are related overheads that enable the SOC to function within legal requirements.
- Infrastructure/Ops: Enterprises often build a dedicated Security Operations Centre facility, sometimes more than one. Think of a war-room-style setup with giant screens that map global threats, etc. The fit-out costs for such a facility (secure access, large displays, workstations, conferencing systems) can be substantial, though it is a one-time or infrequent expense. Running that facility 24/7 incurs ongoing costs: physical security guards or monitoring, utilities for a space that never sleeps, and equipment refreshes (those video walls have lifespans). As an annual estimate, the facility might easily consume £100k+ in rent/utilities if it is a sizeable space in a city. Add maybe £50k/year for equipment depreciation/maintenance (replacing hardware, batteries for UPS, etc.). Training is a sizeable line item: at this scale, you might spend £100k–£200k per year on training and certifications for the team (ensuring all analysts stay current, paying for advanced courses for senior staff, etc.). Additionally, enterprises often subscribe to multiple threat intelligence feeds and services (£20k–£100k yearly for premium intel or law enforcement liaison services). Another operational cost can be cyber insurance: while not part of SOC operations per se, a robust SOC might reduce premiums. Large firms paying high premiums (millions) for cyber insurance should consider how improving SOC capability might save money there, albeit indirectly.
Total Estimated Annual Cost (Enterprise): Several million pounds per year. A mid-level enterprise might spend £2M–£5M (≈€2.34M–€5.85M) annually on its SOC when all factors are included. Extremely large enterprises or those aiming for “state-of-the-art” capabilities can spend well beyond this – as one report put it, an advanced SOC’s cost is unlimited at the high end if you keep scaling tools and staff. For most, however, the budget is finite and needs justification. It often helps to compare this cost to the potential impact of major incidents (a single large breach can cost tens of millions in damages, fines, and reputation). Enterprises also achieve economies of scale: e.g., the cost per endpoint or log volume can be lower with volume discounts, and internal compliance processes can simultaneously cover multiple regulations.
Cost Optimisation for Enterprises: Large organisations can seek efficiency by consolidating tools (eliminating redundant software that performs similar functions), using automation (SOAR runbooks) to reduce manual work, and possibly integrating the SOC with IT operations to share resources for monitoring and incident management. Another strategy is building tiered locations, e.g. a primary SOC in the UK and a secondary in a lower-cost location for overnight shifts or less critical monitoring. This can stretch the budget further. Also, continuously measuring the SOC’s value with metrics such as mean time to detect/respond and incidents handled helps ensure the sizeable investment delivers risk reduction commensurate with its cost.
Currency Conversion (GBP & EUR)
All figures above have been given in Great British Pounds (GBP) with approximate Euro (EUR) equivalents. We used a conversion of around £1 = €1.17–1.18 (as of early 2025) for estimation. For example, £100k is about €117k. The exact exchange rate will vary (recent rates have hovered in the €1.18 per £1 range), so Euro figures are provided for reference. Businesses operating in the Eurozone should budget in EUR. They may need to account for currency fluctuations if their costs (like a UK-based MSSP service or UK salaries) are in GBP.
Actionable Insights & Summary: Establishing a 24/7 SOC in the UK is a significant undertaking. Small businesses must carefully weigh in-house costs against outsourcing: an in-house SOC, even at ~£300k/year, may be hard to justify for a company with only a few hundred employees, whereas a managed SOC service could offer an economical alternative. Mid-sized companies can achieve a balance by leveraging cloud services and possibly co-sourcing the SOC, keeping costs around the high hundreds of thousands annually for a robust security posture. Enterprises dealing with advanced threats and strict compliance will invest millions to run a full-scale SOC, but they should still strive for efficiency and cost control (integrating automation, careful log management to avoid “over-collecting” data, and scaling staff wisely). No matter the size, cost-saving strategies include: utilising open-source technologies where feasible (to cut licence fees), leveraging existing IT investments (e.g. the Microsoft security suite if already paying for it), optimising the scope of monitoring (focusing on high-risk assets to reduce noise), and maintaining compliance proactively to avoid expensive remediation or fines later.
By analysing each cost category – technology, people, compliance, and operations – businesses can create a realistic budget for an SOC and identify where to invest versus where to save. The result is a tailored 24×7 SOC model that fits the organisation’s size and risk profile, delivering security value within financial constraints.
Get a custom quote for your SOC needs now.