Explainer · 6 min · For Owners

The short version

A Security Operations Center (SOC) is the team — humans plus tooling — that monitors security signals from your endpoints, identity, network, and applications around the clock, triages them, and takes response action when something real is happening. It's the human layer that turns "the EDR sent an alert at 2 AM" into "the endpoint is isolated, the client has been called, the incident is contained."

Tools without a SOC produce alerts. Alerts without a SOC produce inbox fatigue. A SOC with tools produces decisions.

What a SOC actually does

  1. Monitors — collects signals from EDR, identity (Microsoft Entra), email security, network firewalls, DNS filtering, cloud apps. Modern SOCs use a SIEM (security information and event management platform) to correlate across sources.
  2. Triages — for each alert: is this a real threat, a benign anomaly, or a misconfiguration? The triage decision is the SOC's primary product.
  3. Responds — for real threats: isolate the endpoint, kill the process, disable the compromised account, block the network connection. Many actions are automated; the humans confirm and add context.
  4. Notifies — the client gets a call within minutes for real incidents, with a written incident summary by the next business hour.
  5. Tunes — the SOC suppresses false positives over time (the law firm's late-night PowerShell from one specific user shouldn't be a 2 AM page every night), so signal quality improves.
  6. Hunts — periodically pulls threads on the data even when no alert fired, looking for patterns that automated detection missed.
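To make the monitor, triage, respond and tune steps concrete, here is an added example (not Micro-IT's code or any vendor's): a toy triage loop in Python that runs over a handful of constructed alerts. It applies a suppression rule of the kind described in step 5 (the one user whose late-night PowerShell is known and reviewed), correlates an identity sign-in alert with a mailbox inbox-rule alert for the same user the way a SIEM would, and turns the result into a verdict plus the response actions from step 3. All alert fields, user names, host names, severity thresholds and the 30-minute correlation window are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Alert:
    """One normalised security signal as a SIEM would store it (constructed schema)."""
    source: str        # which layer raised it: "edr", "entra", "email"
    kind: str          # detection name from that tool
    user: str
    host: str
    severity: int      # 1 (low) .. 4 (critical)
    fired_at: datetime


@dataclass
class Decision:
    """The SOC's triage product: a verdict and the actions it authorises."""
    verdict: str                      # "suppressed", "escalate", "analyst_review"
    actions: list = field(default_factory=list)
    reason: str = ""


# Step 5 (tune): suppression rules the SOC adds over time. Every field
# except "reason" must match the alert exactly, so the rule is narrow:
# this user, on this host, for this detection only (values constructed).
SUPPRESSIONS = [
    {"source": "edr", "kind": "suspicious_powershell", "user": "jdoe",
     "host": "LAW-WS-07",
     "reason": "known document-assembly script, reviewed by analyst (constructed)"},
]

# Correlation window: alerts for the same user this close together are
# treated as one story rather than separate events (assumed value).
CORRELATION_WINDOW = timedelta(minutes=30)


def is_suppressed(alert: Alert):
    """Return the suppression reason if a tuning rule covers this alert, else None."""
    for rule in SUPPRESSIONS:
        if all(getattr(alert, k) == v for k, v in rule.items() if k != "reason"):
            return rule["reason"]
    return None


def correlate(alert: Alert, recent: list) -> list:
    """Other alerts for the same user inside the correlation window."""
    return [r for r in recent
            if r is not alert and r.user == alert.user
            and abs(r.fired_at - alert.fired_at) <= CORRELATION_WINDOW]


def triage(alert: Alert, recent: list) -> Decision:
    """Step 2 (triage): suppress, escalate with actions, or hand to an analyst."""
    reason = is_suppressed(alert)
    if reason:
        return Decision("suppressed", reason=reason)

    related = correlate(alert, recent)
    cluster = related + [alert]
    sources = {a.source for a in cluster}

    # Identity alert plus inbox-rule creation for the same user is the
    # compromised-mailbox pattern: outranks either signal on its own.
    if "entra" in sources and any(a.kind == "inbox_rule_created" for a in cluster):
        return Decision("escalate",
                        actions=["disable_account", "revoke_sessions", "call_client"],
                        reason="risky sign-in correlated with inbox-rule creation")

    # Step 3 (respond): high-severity endpoint detections get contained first.
    if alert.severity >= 3:
        return Decision("escalate",
                        actions=["isolate_host", "call_client"],
                        reason="high-severity EDR detection")

    return Decision("analyst_review",
                    reason="single low-severity signal, no corroboration yet")


def run_queue(alerts: list) -> list:
    """Triage every alert against the rest of the queue; returns (alert, decision) pairs."""
    return [(a, triage(a, alerts)) for a in alerts]


# Constructed sample queue: a Sunday evening as described in the article.
T0 = datetime(2024, 1, 14, 23, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("edr", "suspicious_powershell", "jdoe", "LAW-WS-07", 2, T0 - timedelta(hours=1)),
    Alert("entra", "risky_signin", "asmith", "-", 2, T0),
    Alert("email", "inbox_rule_created", "asmith", "-", 1, T0 + timedelta(minutes=12)),
    Alert("edr", "ransomware_staging", "bwong", "LAW-WS-03", 4, T0 + timedelta(minutes=40)),
    Alert("edr", "suspicious_powershell", "cchen", "LAW-WS-11", 2, T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    for alert, decision in run_queue(SAMPLE_ALERTS):
        print(f"{alert.fired_at:%H:%M} {alert.source:6} {alert.kind:22} {alert.user:7} "
              f"-> {decision.verdict:15} {decision.actions} ({decision.reason})")
```

Two design points worth noticing. The suppression rule is deliberately narrow (user, host and detection all have to match), which is what keeps tuning from quietly blinding the SOC to the same behaviour from a different account. And the low-severity, uncorroborated PowerShell alert is not auto-closed as benign; it goes to an analyst, because the triage verdict, not the tool's severity, is the SOC's product.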

Why EDR without a SOC isn't enough

EDR is excellent at detection. It is not, by itself, a decision-maker. A typical EDR deployment on a 25-person business generates dozens of alerts per week. Some are real. Most aren't. None of them are useful if they go to an email distribution list that nobody reads at 10 PM.

A phishing-compromised mailbox generates a Microsoft Entra sign-in alert at 11 PM on a Sunday. With a SOC, that alert is acknowledged within 5 minutes, the account is locked within 15, and the client gets a call within 30 — before the attacker has time to set up forwarding rules and start phishing the accounts-payable (AP) staff. Without a SOC, the alert sits until Monday morning.

The three SOC models

In-house SOC

You hire SOC analysts as full-time employees. Realistic for enterprises with hundreds of endpoints; impractical for a small business. A 24/7 SOC needs at minimum three analysts in rotation, fully loaded at $80,000–$150,000 each, plus tooling. That is a six-figure annual cost at minimum.

Managed SOC (MDR)

You contract with a managed detection and response provider that operates the SOC on your behalf. The MDR provider has the tooling, the analysts, and the playbooks. Their cost is amortized across all their clients, which makes it affordable for a small business. This is the common model and the right answer for most small businesses.

SOC-as-part-of-MSP

Your MSP either operates an in-house SOC for clients or partners with an MDR provider, and the SOC service is bundled into the managed-IT plan. The integration with the rest of IT is tighter (the SOC and help desk are on the same ticketing system), and the per-device pricing tends to be cleaner. This is the Micro-IT model.

What to look for in a managed SOC

  1. 24/7/365 coverage, not "business hours plus on-call."
  2. Defined SLAs — alert acknowledgement, triage, response, all in minutes. Written.
  3. Documented response runbook — isolate the endpoint, kill the process, notify the client. What's automated, what requires authorization.
  4. Direct client communication — you talk to a human, not a ticket portal, when something's burning.
  5. Forensic retention — enough log data to reconstruct an incident weeks later when the insurance adjuster asks.
  6. Threat-hunting — proactive searches through the data for patterns automated detection missed, not only reactive alert handling.
  7. Integration with the rest of the security stack — identity, email, network, not just endpoint.

What it costs

Standalone managed SOC services for a small business typically run $10–$30 per endpoint per month, depending on the tool stack and the scope of coverage (endpoint-only, or full security telemetry including identity, email, and network).

Most modern managed-IT plans bundle the SOC into the per-device endpoint price. At Micro-IT, the 24/7 SOC is included in Managed Endpoint ($79/device/month) at no separate charge, covering EDR alert monitoring, identity-event monitoring, and the response runbook.

Reference point: an in-house SOC analyst costs $80,000–$150,000 per year per person, and 24/7 coverage needs at least three; the math doesn't work for a small business.

How a Micro-IT plan covers SOC

Every Managed Endpoint device is monitored by a 24/7 SOC with a documented response runbook — isolate the endpoint inside 90 seconds of detection, call the client within 15 minutes, restore from clean backups if needed. Identity events (Microsoft Entra sign-ins) are fed into the same SOC queue. The full eleven-vendor, seven-layer stack is on the security page.

Frequently asked questions

What is a SOC?
A Security Operations Center (SOC) is the team — humans plus tooling — that monitors security alerts from endpoints, networks, identity systems, and applications around the clock, triages them, and takes response action on the ones that matter. It's the human layer that turns EDR alerts into decisions.

Does my small business actually need a SOC?
If you have EDR deployed, you effectively already need one — somebody has to triage the alerts. The choice for a small business is between an in-house SOC (impractical), no SOC (alerts no one reads), or a managed SOC (the common answer, usually included in modern managed-IT plans).

What's the difference between a SOC and an IT help desk?
The help desk handles user-facing tickets — password resets, printer issues, application support. The SOC handles security signals — EDR alerts, suspicious sign-ins, network anomalies, unusual file behavior. They're often staffed by the same MSP but with different roles, different escalation paths, and different SLAs (SOC SLAs are measured in minutes; help-desk SLAs in business hours).

How fast does a SOC respond to an alert?
Modern managed SOCs target alert acknowledgement within 5 minutes, initial triage within 15, and response action (isolate the endpoint, kill the process, notify the client) within 30. For an active ransomware-staging alert, those windows compress further — a competent SOC isolates the endpoint inside 90 seconds of detection.

How much does a managed SOC cost a small business?
Standalone managed SOC services for a small business typically run $10–$30 per endpoint per month, depending on the tool stack and coverage. Most modern managed-IT plans bundle the SOC into the per-device endpoint price — at Micro-IT, the 24/7 SOC is included in Managed Endpoint at no separate charge. Hiring an in-house SOC analyst costs $80,000–$150,000 per year for one person, and you need at least three for 24/7 coverage.