SOC Cost Breakdown: The Real Math Behind Build vs Buy in 2026

Maya Rotenberg
June 2, 2026

A minimum viable 24/7 in-house SOC costs roughly $1.5 million to $2.86 million annually once you account for fully loaded staffing, tooling, and overhead. For many mid-market organizations, buying coverage through MDR starts from a lower cost base than building a fully staffed internal operation.

You've been asked to present a budget justification for 24/7 security operations coverage. The CFO wants a number. The board wants assurance. And you're staring at a spreadsheet trying to figure out whether it's cheaper to hire 11 people and buy a SIEM or sign an MDR contract. The math should be simple. It never is.

The build vs. buy question in security operations has always been framed as a binary, but the actual cost structures have shifted enough over the past two years that most "TCO calculators" circulating in vendor content are either outdated or calibrated to favor one side. The numbers below draw from BLS wage data, public pricing pages, workforce research, and practitioner data.

TL;DR:

  • For most mid-market organizations, a minimum viable 24/7 in-house SOC consumes the majority of total security budget before any other function gets funded.
  • Buying coverage through MDR can represent a fraction of the staffing cost alone for an equivalent internal operation, but at the expense of what? Many organizations operate security functions without maintaining a fully staffed 24/7 SOC. The question is not whether a formal SOC exists, but whether the organization can sustain the investigation and response capacity its environment requires.
  • The buy side is evolving faster than the build side. AI-native MDR operates on a different labor model, escalation path, and pricing structure than legacy MDR, and buyers should evaluate the two separately.

The Real Staffing Math: What 24/7 Coverage Actually Costs

True 24/7 coverage is expensive because the staffing geometry is unforgiving. Three eight-hour shifts across 365 days, accounting for PTO, sick leave, and holidays, require roughly four to five FTEs per seat. If you want at least two people per shift for escalation redundancy, you need eight to ten FTEs at the operations layer alone. Add a detection engineer or two, a security engineer for tool administration, and a SOC manager, and you're at nine to 14 FTEs for a functioning operation.

The May 2024 salary data from BLS employer surveys puts the median annual wage for information security analysts at $124,910. But base salary is not what you pay. The December 2025 BLS compensation report shows wages represent 70.1% of total compensation, with benefits accounting for 29.9%. That yields a multiplier of 1.43x on base salary to get fully loaded cost. For teams in higher-cost metros like New York, DC, or Boston, expect the multiplier to push closer to 1.45x.

Fully Loaded Cost by Team Composition

Using the 1.43x multiplier against market salary midpoints for each role, a mid-range 11-person SOC lands here:

| Role | FTEs | Base Salary (Midpoint) | Fully Loaded @ 1.43x | Subtotal |
|---|---|---|---|---|
| Security operations Tier 1 | 5 | $65,000 | $92,950 | $464,750 |
| Security operations Tier 2 | 2 | $90,000 | $128,700 | $257,400 |
| Tier 3 / Detection Engineer | 2 | $130,000 | $185,900 | $371,800 |
| Security Engineer | 1 | $127,730 | $182,654 | $182,654 |
| SOC Manager | 1 | $150,000 | $214,500 | $214,500 |
| Total | 11 | | | ~$1,491,104 |

Scaling that model up and down by seniority mix shows how wide the range gets:

| Scenario | FTEs | Fully Loaded Annual Cost |
|---|---|---|
| Minimum viable (junior-heavy) | 8 | $915,000 to $1,030,000 |
| Mid-range tiered team | 11 | ~$1,491,000 |
| Full-capability (senior-heavy) | 14 | $2,074,000 to $2,288,000 |

And these numbers only cover personnel. Once you add tooling, overhead, and the hidden costs covered below, the real planning range pushes to $1.5 million to $2.86 million.

The Technology Stack: Your Second Largest Line Item

Staffing is the biggest cost, but budget models tend to undercount the technology stack.

Microsoft Sentinel publishes transparent per-GB pricing that varies by region, with commitment tiers starting at 100 GB/day that Microsoft says can save up to 52% over pay-as-you-go. At 100 GB/day on a commitment tier, expect $108,000 to $127,600 annually depending on region. At higher daily ingest volumes, annual SIEM cost climbs fast.

On the endpoint side, per-endpoint and per-user licensing can add another meaningful recurring cost layer, especially when coverage extends across endpoint, cloud, and identity. A mature SOC budget also includes SOAR, threat intelligence, vulnerability management, and NDR.

Total Technology Cost by Organization Size

Combining SIEM, endpoint, and adjacent tooling into annual estimates by headcount:

| Organization Size | Technology Stack Annual Cost |
|---|---|
| 500 to 1,000 employees (Microsoft path) | $128,000 to $341,000 |
| 1,000 to 2,500 employees (intermediate) | $677,000 to $1,373,000 |
| 2,500 to 5,000 employees (mature, Splunk path) | $1,597,000 to $4,112,000 |

In-house SOC models that look manageable in a salary spreadsheet often break once real tooling is layered in.

The Hidden Costs That Break Budget Models

You can predict the line items above. The costs below show up after you've committed.

1. Turnover and the Two-Year Retention Cliff

A recent workforce study found 75% of security professionals likely to stay 12 months but only 66% likely to stay 24 months. That nine-point drop is a material retention cliff. For a ten-person SOC, plan on replacing three to four team members within every 24-month window.

Filling a SOC vacancy takes an average of seven months. Every unfilled month is a coverage gap or overtime burden on the remaining team.

2. Burnout as a Cost Driver

SOC teams burn out at high rates, and alert overload compounds staffing and retention problems. One practitioner survey reported 63% experiencing burnout, while separate industry research found nearly two-thirds of cybersecurity professionals say job stress is growing.

3. The Skills Shortage Premium

The 2025 breach cost report found that organizations with severe security staffing shortages experienced breach costs $1.57 million higher on average than those with low-level or no security staffing issues; the same report put the global average breach cost at $4.44 million. For boards evaluating security investment, the gap between staffed and understaffed breach costs is the clearest financial proxy for hiring risk.

What the Buy Side Actually Costs

MDR pricing is opaque, and the category now spans operating models with different cost structures. Legacy MDR is built around analyst-centric investigations, where scaling typically requires adding more people. AI-native MDR changes the role of human expertise. Instead of spending their time reviewing alerts and running investigations, experienced security experts build and maintain the infrastructure that enables agentic execution at scale. That includes developing context repositories, integrating new data sources, tuning detections, improving security posture, and continuously expanding the system's understanding of the environment.

As a result, investigations can scale through agentic execution rather than analyst throughput. More broadly, the market is moving toward managed agentic security services, where MDR becomes one component of a wider operating model for security operations.

MDR Pricing by Tier

Published pricing is rare, but the market clusters around three tiers based on service depth:

| Tier | Per Endpoint/Month | Typical Inclusions |
|---|---|---|
| Entry MDR | $8 to $25 | 24/7 monitoring, alert triage, basic containment |
| Standard MDR | $15 to $35 | Active containment, forensics, remediation guidance |
| Premium MDR | $50 to $100+ | Dedicated expertise, custom engineering, advisory |
| AI-native MDR | Not per endpoint | Building an AI infrastructure, custom integrations and detections, active containment, advisory |

One procurement filter worth applying early: services that provide only alerting without provider-led investigation or response authority do not qualify as full MDR offerings. Bottom-tier offerings at the low end of the market often fail this test.

Annual Cost by Organization Size

Translating per-endpoint pricing into annual spend depends on environment scope and provider tier:

| Environment | Annual MDR Cost | Source |
|---|---|---|
| Smaller endpoint-only deployments | Varies widely by scope and provider | Market pricing varies |
| Endpoint + cloud + identity deployments | Typically higher than endpoint-only pricing | Scope driven |
| 10,000 endpoints | $400,000 to $1,000,000+ | Market range |

MDR also requires internal oversight, and some teams weigh the tradeoff between external coverage and internal context. But the cost gap is wide enough at mid-market scale that the oversight investment rarely closes it.

The Side-by-Side: Build vs. Buy for a 1,000-Employee Organization

This is the comparison most buyers need. Building buys direct ownership of the operating model. Buying transfers investigation and response execution to a provider with a different staffing model, technology stack, and operational structure.

| Cost Component | Build (In-House) | Buy (MDR) |
|---|---|---|
| Staffing (fully loaded) | $1,333,000 to $2,552,000 | Included |
| Technology stack | $200,000 to $600,000 | Typically bundled |
| Training and certifications | $50,000 to $150,000 | Vendor-managed |
| Recruiting (initial + attrition) | $180,000 to $300,000 initial | N/A |
| Time to operational coverage | Months | Weeks, sometimes sooner |
| Annual total | $1,500,000 to $2,860,000 | Often lower than a comparable in-house build in mid-market environments |

These numbers alone make the financial case look obvious, but they're incomplete. The in-house model gives you full control over detection logic, response authority, tool selection, and institutional knowledge. The MDR model provides continuous investigation and response capability without the hiring burden, though the quality of that capability varies significantly by provider and operating model. AI-native MDR goes further: it provides the expertise to build an AI infrastructure that supports the whole team, plus access to high-quality security experts who can support your in-house team.

How AI Is Changing the Math

AI is restructuring the economics of managed services faster than it's reducing the cost of in-house operations.

The important shift is operational. In legacy MDR, more alerts usually means more human review, more queueing, and more escalation pressure on both provider and customer teams. In AI-native MDR, the provider can restructure the labor model by automating more triage and investigation work while keeping experienced practitioners focused on low-confidence decisions, incident response, and customer-specific context.

That distinction matters because providers can amortize AI investment across many customers, while in-house teams must purchase, configure, maintain, and tune these tools on their own, often without the engineering depth to extract full value. The broader market is also moving toward providers bundling security operations capabilities into managed services rather than selling them as standalone tooling line items. Buyers are comparing not just MDR contracts, but wider managed operating models that change how security work gets staffed and delivered.

Decision Criteria for Build vs. Buy

The cost data above frames the financial tradeoff. The decision itself depends on five organizational factors that determine whether building or buying makes more sense for your specific environment.

1. If your annual revenue is around the point where total security budget would be constrained, build becomes hard to justify

At the IANS Research benchmark of approximately 1.1% of revenue for total security budget, a $150 million revenue organization has a $1.65 million security budget. An in-house SOC at $1.5 million minimum would consume over 90% of that budget before any investment in other security functions.

2. If you cannot staff and retain eight or more security operations FTEs, outsource the coverage layer

True 24/7 coverage requires a staffing floor that many organizations do not sustain in practice. Operating below that floor means you're running shifts with single coverage, accepting gaps, or burning out the team you have. MDR addresses this structural constraint.

3. If your environment is majority cloud with significant identity and SaaS exposure, evaluate whether your MDR vendor can support your environment

Coverage depth varies by provider. Endpoint-only service economics can look attractive until the uncovered work lands back on your internal team. Cloud investigations require pulling endpoint, cloud, identity, SaaS, and business data and correlating it to discover the bigger picture.

4. If you have a mature in-house team doing meaningful detection engineering, keep that capability and outsource investigation and response

If your team spends most of its time on investigations instead of detection engineering and architecture, consider an AI SOC tool or a more limited MDR service. That keeps your mature in-house team investing its time in proactive work rather than chasing alerts day in and day out.

5. If you're evaluating MDR, demand transparent investigation methodology and contractual response authority

A provider that offers monitoring and alerting without containment authority may leave your team holding the operational burden it was supposed to absorb.

Three questions cut through most MDR evaluation noise:

  1. Alert fatigue: Does the provider reduce your team's workload or multiply it?
  2. Black box vs. glass box: Can you see how decisions are made?
  3. Coverage gaps: Does the service cover your actual environment, including cloud, identity, SaaS, and endpoints?

Those questions matter more than a pricing sheet because they tell you whether you're buying operational relief or a different place for alerts to queue up.

The Real Cost Question Behind Build vs. Buy

For most mid-market organizations, the build-vs-buy decision hinges on whether an internal SOC is financially and operationally sustainable. Once you price continuous coverage honestly, buying is often the more realistic path. Building starts to make more sense only when scale, maturity, and internal talent depth justify the added complexity.

In practice, that means many buyers are no longer choosing between in-house SOC and a single static MDR category. They are comparing legacy MDR, AI-native MDR, and managed operating models that change how providers staff and deliver security work. The cost comparison still anchors the decision, but the operating model behind the price tag determines whether you get actual coverage or a different flavor of the same problem.

Frequently Asked Questions About SOC Build vs. Buy

What Is the Break-Even Point Where In-House SOC Becomes Cheaper Than MDR?

For pure cost comparison at mid-market scale (1,000 to 5,000 employees), in-house often does not break even when you include fully loaded compensation, technology, turnover costs, and training. The calculation shifts at very large scale (10,000+ employees) where MDR costs approach $1 million annually and the per-FTE cost amortizes across a larger operation. Even then, the advantage depends on hiring and retaining the team against a tight labor market.

Should I Factor In Breach Cost Savings When Building the MDR Business Case?

The 2025 IBM breach report found that AI-driven faster containment was the primary driver of the first global cost decline in five years, while organizations with insufficiently staffed security teams continued to pay a measurable premium. Frame these as risk reduction rather than guaranteed savings: the question is whether your organization's probability-weighted exposure justifies the investment.

How Long Does It Take to Stand Up a Fully Operational In-House SOC?

Plan for six to 18 months from budget approval to operational coverage. The seven-month average fill time for a single SOC vacancy means hiring alone can consume most of that window, and you need eight to 14 hires. MDR providers typically deploy faster, which is why organizations needing immediate 24/7 coverage often start with MDR while building internal capability in parallel.

How Should I Evaluate MDR Vendors Beyond Price?

Price matters, but it should not be the only filter. You also need to evaluate response authority, investigation transparency, coverage across endpoint, cloud, identity, and SaaS, onboarding speed, and how much context the provider can incorporate into its investigations. A lower-cost service that only forwards alerts can be more expensive operationally than a higher-cost provider that absorbs investigation and response work. Legacy MDR and AI-native MDR also require separate evaluation criteria, since different labor models, transparency, and context depth mean a price comparison alone will hide the real tradeoff.

What Is the Practical Takeaway From All This Math?

The numbers point in one direction for most mid-market teams: building a 24/7 SOC costs more than the budget can absorb once you account for staffing, tooling, turnover, and time to operational readiness. Buying coverage gets you to 24/7 faster and at lower total cost, though you trade control for provider dependency. The decision comes down to whether your organization has the scale, talent depth, and budget headroom to sustain an internal operation, or whether those resources deliver more value elsewhere.
