A UK-headquartered insurer recently asked our team to review two competing proposals: a £1.8M three-year build for an in-house security operations centre, and a £720k MSSP contract with 24/7 monitoring. The CISO had three weeks to recommend a path to the board. By the end of week one, neither proposal survived contact with the actual requirements.

This is the SOC build vs buy decision most UK security leaders face — usually under pressure from the audit committee, an FCA supervisory letter, or a cyber insurance renewal demanding evidence of round-the-clock detection. The wrong choice locks an organisation into the wrong cost base for three to five years, and worse, into a detection capability that misses the threats it was bought to catch.

The marketing from MSSPs and SIEM vendors makes this look like a binary choice. It isn't. The real question is which functions belong in-house, which belong with a managed detection and response provider, and where the seams between them will break under incident pressure. Below are the seven factors our consultants weigh on every SOC engagement, drawn from production builds and post-incident reviews where the model failed.

1. Threat Profile and Detection Engineering Ownership

The first question is not cost. It's whether the threats facing the business are generic or specific. A retail group facing credential stuffing, card-not-present fraud, and bot traffic has a threat profile that most MSSPs handle competently with standard playbooks. A wealth manager facing targeted business email compromise, supply chain compromise via portfolio software vendors, and insider risk has a profile that generic MSSP detection content will miss almost entirely.

Detection engineering is where build vs buy gets decided. If the organisation needs custom detections tied to its own applications, custom data sources, or unusual cloud architectures, an MSSP working from a shared content library will produce noise and miss the real signal. Our team has reviewed MSSP detections for clients where fewer than a dozen rules were tuned to the customer's actual environment — the rest were generic Sigma rules firing on Windows event IDs that hadn't been relevant to the client's stack in years.

If you buy, demand to see the detection content library, ask how custom rules are written and tuned, and find out who owns the intellectual property when the contract ends. If detections walk out the door with the provider, you have a lock-in problem dressed as a service.

2. Regulatory and Contractual Logging Requirements

UK CISOs operating in regulated sectors need to map logging requirements before signing anything. The FCA's operational resilience rules under PS21/3 (which took full effect in March 2025) require firms to evidence detection and response capability for important business services. The NIS Regulations 2018 impose incident reporting duties on operators of essential services and relevant digital service providers, with the forthcoming Cyber Security and Resilience Bill (announced in the King's Speech July 2024, currently in Parliament) set to expand scope. For firms with EU customers or operations, NIS2 and DORA add further obligations — qualify these by jurisdiction, not blanket assumption.

Each of these regimes implies log retention, evidence preservation, and reportable timelines. An MSSP contract that ships logs to a multi-tenant platform in an undisclosed region creates UK GDPR transfer questions, evidence chain-of-custody questions, and forensic readiness questions. Build the data residency and retention requirements into the RFP before the commercial conversation, not after.

3. Time-to-Detect and Time-to-Respond SLAs (and What They Actually Mean)

Most MSSP SLAs measure time-to-acknowledge, not time-to-contain. A 15-minute acknowledgement SLA means an analyst will open the ticket within 15 minutes. It does not mean the threat is contained, the affected endpoint is isolated, or the credential is revoked. For ransomware, the gap between detection and containment is where the damage happens.

Ask for tier-2 and tier-3 response times, not just tier-1 acknowledgement. Ask what containment actions the MSSP can take autonomously — isolating an endpoint via EDR, disabling an Entra ID account, blocking an IP at the firewall — and which require customer approval. Then ask what happens at 2am on a bank holiday when the named approver is unreachable. The answer reveals whether you've bought monitoring or response.

4. True Cost of an In-House Build

The headline number for a SOC build is usually wrong. A 24/7 operation needs a minimum of six analysts to cover shifts with leave and sickness, plus a SOC manager, a detection engineer, and incident response capacity. At UK market rates for cleared, experienced staff, the people cost alone runs well into seven figures annually before tooling.

Then there's the SIEM. Licensing for Microsoft Sentinel, Splunk, or Google SecOps scales with ingest volume, and ingest volume always grows faster than forecast. EDR, SOAR, threat intelligence feeds, case management, and the data lake to retain logs cheaply for forensics add further line items. Our consultants have seen tooling budgets double in year two when the original architect underestimated cloud telemetry volumes.

Recruitment and retention is the silent killer. UK SOC analyst attrition is high, and the cost of training a tier-1 to tier-2 capability — only to lose them to a vendor or competitor — turns the staffing model into a leaky bucket. A hybrid model, where in-house staff handle context-rich tier-3 work and an MSSP or MDR provider covers tier-1 triage, often produces better economics and better detection outcomes than a pure build.

5. Cloud and SaaS Coverage Gaps

Most MSSPs grew up monitoring on-premise networks. Their coverage of cloud control planes, SaaS audit logs, identity provider telemetry, and Kubernetes runtime activity ranges from competent to non-existent. Before signing, audit the provider's actual detection coverage for AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs, Microsoft 365 Unified Audit Log, Okta, GitHub, and your critical SaaS estate.

Ask for example detections in each. If the answer is vague, the coverage is vague. This is precisely the gap our CloudAuditX platform was built to surface — giving security leaders a continuous view of cloud configuration and audit evidence independent of whoever is running the SOC.
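One concrete way to run the coverage check described here, and the "fewer than a dozen tuned rules" problem from factor 1, is to compare the provider's content library against the telemetry your estate actually forwards. The script below is an added example, not Pyralink's or any MSSP's code; the rule list and log-source inventory are constructed samples in a Sigma-style `logsource` shape, and the `custom` flag is an assumed field marking rules tuned for this customer.

```python
"""Audit an MSSP detection library against the log sources an organisation actually ships.

Each rule carries a Sigma-style 'logsource' (product + service/category) and an
assumed 'custom' flag meaning it was tuned for this customer, not shared content.
"""

# Constructed sample: telemetry the organisation really forwards, as (product, service).
ORG_LOG_SOURCES = {
    ("aws", "cloudtrail"), ("azure", "activitylogs"), ("m365", "audit"),
    ("okta", "okta"), ("github", "audit"), ("windows", "security"),
}

# Constructed sample: the shape of a content-library hand-over from a provider.
MSSP_RULES = [
    {"id": "r1", "title": "Root login without MFA", "custom": True,
     "logsource": {"product": "aws", "service": "cloudtrail"}},
    {"id": "r2", "title": "CloudTrail logging stopped", "custom": False,
     "logsource": {"product": "aws", "service": "cloudtrail"}},
    {"id": "r3", "title": "NSG rule opened to internet", "custom": False,
     "logsource": {"product": "azure", "service": "activitylogs"}},
    {"id": "r4", "title": "New local admin added", "custom": False,
     "logsource": {"product": "windows", "service": "security"}},
    {"id": "r5", "title": "Suspicious Sysmon process create", "custom": False,
     "logsource": {"product": "windows", "service": "sysmon"}},  # estate ships no Sysmon
    {"id": "r6", "title": "Suspicious auditd execve", "custom": False,
     "logsource": {"product": "linux", "service": "auditd"}},    # no Linux auditd either
    {"id": "r7", "title": "Okta MFA fatigue pattern", "custom": False,
     "logsource": {"product": "okta", "service": "okta"}},
]


def rule_source(rule):
    """Normalise a Sigma-style logsource to a (product, service-or-category) pair."""
    ls = rule.get("logsource", {})
    return (ls.get("product", "").lower(),
            (ls.get("service") or ls.get("category") or "").lower())


def audit_coverage(rules, sources):
    """Report rules that can fire here, rules that never can, and sources with no content."""
    per_source = {s: 0 for s in sources}
    applicable, orphaned = [], []
    for r in rules:
        src = rule_source(r)
        if src in per_source:
            per_source[src] += 1
            applicable.append(r["id"])
        else:
            orphaned.append(r["id"])  # no matching telemetry: this rule can never fire
    uncovered = sorted(s for s, n in per_source.items() if n == 0)
    tuned = sum(1 for r in rules if r.get("custom") and rule_source(r) in per_source)
    return {"applicable": applicable, "orphaned": orphaned,
            "uncovered_sources": uncovered, "custom_tuned": tuned, "per_source": per_source}
```

Run against a real hand-over, the two numbers to put in the RFP scorecard are the share of rules that can fire on your telemetry at all and how many of those were tuned for you; the `uncovered_sources` list is the direct answer to "show me example detections for each of our cloud and SaaS sources".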

6. Integration with Incident Response and Legal

The SOC is not the incident response function. When a confirmed breach happens, the SOC hands off to IR, legal, communications, and the executive team. If your MSSP runs the SOC but your IR retainer is with a different firm, the handoff is where evidence gets lost, timelines slip past the ICO's 72-hour notification window under UK GDPR Article 33, and regulatory exposure grows.

Document the runbook before the contract is signed. Who declares an incident? Who notifies the DPO? Who briefs the executive committee? Who preserves forensic images? Who talks to the ICO? If the MSSP's answer is "we'll escalate to your team," that's a handoff, and handoffs need rehearsal. Tabletop the runbook quarterly. A fractional vCISO engagement is often the cleanest way to own this orchestration without hiring a full-time head of security operations.

7. Exit Strategy and Data Portability

The last factor is the one nobody negotiates: how do you leave? MSSP contracts that don't specify data export formats, detection rule portability, historical log access post-termination, and transition support clauses create exit costs that dwarf the original contract value. Negotiate exit terms at signing. Insist on log export in open formats, documented detection logic, and a minimum 90-day transition window with active support.

A Pragmatic Decision Framework

For most UK mid-market organisations between 200 and 2,000 staff, a pure build is overkill and a pure buy leaves critical gaps. The model that works is hybrid: outsource 24/7 tier-1 monitoring to a focused MDR provider with strong cloud and identity coverage, retain detection engineering and tier-3 response in-house or with a specialist consultancy, and own the SIEM data so you can change provider without losing history.

Smaller organisations — under 200 staff — should buy MDR outright and invest the saved budget in identity hardening, EDR coverage, and a credible incident response retainer. Larger regulated firms with bespoke threat models should build the engineering function and buy the eyes-on-glass capacity. The hybrid economics almost always beat the extremes.

How Pyralink Helps

Our team has run SOC RFPs, negotiated MSSP contracts, and led post-incident reviews where the model failed. We help UK security leaders build the requirements specification, score vendor proposals against threat-specific criteria, and design the in-house and outsourced split that fits the organisation's risk, regulatory posture, and budget. Where ISO 27001 certification is in scope, we align the SOC design to Annex A controls so the audit evidence flows naturally from operations.

For continuous cloud audit evidence independent of your SOC provider, CloudAuditX gives you a control-plane view across AWS, Azure, and GCP. For deeper context on SOC operating models and detection engineering, browse our insights. Pyralink Innovation Ltd is led by Michael Adedeji (CISM, CISA, CC, MSc Data Science) and carries £5M professional indemnity insurance.
