MDRCost.com - SOC pricing intel

Comparison / 2026

MDR vs building a SOC: full cost comparison

Three options compared with real numbers: outsource via MDR, hire SOC-as-a-Service, or build in-house. Salary data, year-one infrastructure costs, breakeven analysis, and a decision framework that respects what each option actually delivers.

Three options

What each option means

Option A

MDR

Outsource detection, triage, and response to a vendor with their own SOC. Pay per endpoint. Vendor owns staffing.

Option B

SOC-as-a-Service

Outsource SIEM operations and alert monitoring. You retain more tooling decisions and incident response responsibility than MDR.

Option C

In-house SOC

Build it yourself. Hire analysts, buy tooling, build runbooks. Largest capability and largest cost.

Cost build

What each option actually costs at 500 endpoints

| Cost element | MDR | SOC-as-a-Service | In-house SOC |
|---|---|---|---|
| Year-1 setup | $5K-25K | $50K-150K | $1M-2M |
| Staffing / yr | $140K (1 oversight FTE) | $280K (2 internal FTE) | $700K-900K |
| Tooling / yr | Included | $60K-180K | $200K-400K |
| Service / yr | $90K-300K | $60K-600K | N/A |
| Year-1 total | $235K-465K | $450K-1.21M | $1.9M-3.3M |
| Year 2+ total | $230K-440K | $400K-1.06M | $900K-1.3M |

In-house deep dive

What it really takes to build a SOC from scratch

The biggest underestimate first-time SOC builders make is the year-one infrastructure investment. This spend isn't optional, and if you skip it now you will still have to make it later.

  • SIEM platform. Splunk Enterprise, Microsoft Sentinel, Elastic, or LogScale. License costs scale with daily ingest volume. Plan $200K-$500K initial setup at 500 endpoints, $300K-$1M at 5,000.
  • SOAR / case management. XSOAR, Tines, Splunk Phantom. Adds $50K-$150K/yr.
  • Network telemetry capture. Network taps, Zeek deployment, NetFlow collection. $100K-$300K initial.
  • Threat intelligence feeds. Recorded Future, Mandiant, CrowdStrike Intel. $50K-$200K/yr.
  • Secure facility. Physical SOC space with restricted access, separate network, secure storage for evidence. $200K-$1M depending on whether you build new or retrofit.
  • Hiring premium. Senior security analysts command $30K-$60K above market base in 2026. Recruitment fees of 20-25% of first-year salary are standard.
  • Training and certification. SANS courses, GIAC certifications, conference attendance. Budget $10K-$20K per analyst per year.

Breakeven analysis

At what scale does in-house win

The crossover point depends on three variables: endpoint count, regulatory load, and how much custom detection you genuinely need.

100-1,000 endpoints

MDR wins decisively

Per-endpoint MDR economics dominate. In-house overhead can't be amortised.

1,000-5,000 endpoints

MDR usually wins

In-house feasible but rarely cheaper. Hybrid model worth considering.

5,000-10,000+ endpoints

Decision flips

In-house economics start to compete. Often hybrid with MDR for cloud or after-hours.

Hybrid model

In-house team plus MDR overlay

For organisations that want named internal accountability but can't justify full 24/7 staffing, the hybrid model is increasingly common.

Typical structure:

  • 2-3 internal analysts covering business hours (8am-6pm in primary timezone)
  • MDR provider covering nights, weekends, and holidays
  • Clear handoff protocol at shift boundaries
  • Joint case management between internal team and provider

Cost lands at $400K-$700K per year for 500-1,500 endpoints, which is more than full MDR but cheaper than full in-house. The benefit is internal analysts who know your environment intimately, with MDR-grade coverage outside business hours.

When hybrid is the right answer

Regulated organisations that need internal SOC presence for audit and compliance reasons but can't economically staff 24/7. Mid-market organisations growing into the 1,000-5,000 endpoint band. Companies with custom internal applications that benefit from analysts who know them deeply.

Decision framework

How to choose

Choose MDR when

  • Endpoint count under 5,000
  • You need 24/7 coverage you can't staff
  • Cyber insurance requires managed monitoring
  • Time to value matters (12-18 months to mature in-house SOC)
  • Your custom detection needs are limited

Choose in-house SOC when

  • Endpoint count above 10,000
  • Regulated industry with sovereignty mandate
  • Government, defence, or critical infrastructure
  • Custom proprietary applications need dedicated detection
  • You have leadership commitment to a multi-year SOC programme

FAQ

MDR vs SOC questions

Is MDR cheaper than building an in-house SOC?

For organisations under 5,000 endpoints, almost always yes. MDR for 500 endpoints typically lands at $90K-$300K per year. An in-house SOC requires year-one investment of $1.8M-$3.3M and ongoing run rate of $800K-$1.3M per year. Above 5,000 endpoints the calculation gets closer; above 10,000 it can flip.

How many people do you need for a 24/7 SOC?

Minimum 5-6 analysts plus a SOC manager. The maths: 24 hours of cover means three shifts per day. Each shift needs at least one analyst. Add holiday cover, illness, and skill mix between tier-1 triage and tier-2 incident response, and you arrive at 5-6 as the minimum credible team size.

What does SOC-as-a-Service cost?

Typically $5,000 to $50,000 per month depending on scope. SOC-as-a-Service is closer to outsourcing your SIEM operations than buying MDR. The provider runs your SIEM, monitors alerts, and provides analyst coverage but you usually retain more responsibility for tooling decisions and incident response than in MDR.

When does an in-house SOC make financial sense?

Above roughly 5,000-10,000 endpoints, in regulated industries with strict data sovereignty requirements, in government and defence contexts, and when you need detection rules tuned to highly custom proprietary applications that no MDR provider would invest in supporting. Below that, MDR economics dominate.

Can I run a hybrid model: in-house team plus MDR for after-hours?

Yes, and many organisations do. The pattern is in-house analysts during business hours plus MDR for nights and weekends. Cost is typically $300K-$500K for the smaller in-house team plus $80K-$200K for the MDR overlay, totalling $380K-$700K per year. This is more expensive than full MDR but cheaper than full in-house and gives you the relationship benefit of named internal analysts.

Disclaimer

MDRCost.com is an independent pricing guide. We are not affiliated with any MDR vendor. Pricing data is compiled from public sources, partner channels, Vendr transaction data, and verified buyer reports. Always request a direct quote for your environment.