Building an In-House SOC

Building a Security Operations Center requires investment in people, processes, and technology. Here is a realistic cost breakdown across staffing tiers, tooling, and the build-out timeline.

SOC Staffing Tiers and Costs

Tier 1 - Alert Triage Analyst

$75,000 - $95,000

Monitors alerts, performs initial triage, escalates confirmed incidents. Entry level to 2 years' experience.

8x5: 1-2 FTE | 24x7: 4-6 FTE

Tier 2 - Incident Responder

$95,000 - $130,000

Investigates escalated incidents, performs containment, coordinates remediation. 3-6 years' experience.

8x5: 1 FTE | 24x7: 2-3 FTE

Tier 3 - Senior Analyst / Threat Hunter

$130,000 - $160,000

Proactive threat hunting, advanced forensics, intelligence production. 6+ years' experience.

8x5: 1 FTE | 24x7: 1-2 FTE

SOC Manager

$140,000 - $180,000

Team leadership, metrics, vendor relationships, program development. Management experience required.

8x5: 1 FTE | 24x7: 1 FTE
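The 8x5 and 24x7 headcounts above follow from shift arithmetic: one chair staffed around the clock is 168 seat-hours a week, and an analyst on a 40-hour contract who is actually on shift about 85% of the time (after leave, sick days and training) covers only 34 of them, so a single 24x7 seat needs five people. The script below is an added worked example, not material from the original page. The 85% availability figure and the 1.3 fully-loaded cost multiplier are assumptions; the salary ranges are the ones quoted above, and tier-2/3 headcounts are taken as fixed on-call positions rather than shift-covered chairs.

```python
"""SOC staffing model: shift coverage factor and fully-loaded annual cost.

Added example. Assumed planning figures (not from the page): 40-hour FTE week,
85% analyst availability, 1.3x loaded-cost multiplier on base salary.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

FTE_HOURS_PER_WEEK = 40

# Annual base salary ranges (USD) as quoted in the staffing tiers above.
SALARY = {
    "tier1": (75_000, 95_000),
    "tier2": (95_000, 130_000),
    "tier3": (130_000, 160_000),
    "manager": (140_000, 180_000),
}


def fte_per_seat(coverage_hours_per_week: float, availability: float = 0.85) -> float:
    """FTE required to keep one chair continuously staffed.

    availability = fraction of contracted hours an analyst is actually on shift
    once PTO, sick leave and training are removed (0.85 is an assumption).
    """
    if not 0 < availability <= 1:
        raise ValueError("availability must be in (0, 1]")
    return coverage_hours_per_week / (FTE_HOURS_PER_WEEK * availability)


def headcount_for_seats(seats: int, coverage_hours_per_week: float,
                        availability: float = 0.85) -> int:
    """Whole-person headcount for `seats` concurrent chairs.

    Always round up: a fractional analyst cannot cover the remainder of a shift.
    """
    return math.ceil(seats * fte_per_seat(coverage_hours_per_week, availability))


@dataclass(frozen=True)
class Plan:
    coverage_hours_per_week: float
    tier1_seats: int  # chairs filled by shift rotation (triage)
    tier2: int        # fixed headcount, on-call escalation (not shift-modelled)
    tier3: int        # fixed headcount, hunting/forensics
    manager: int = 1

    def headcount(self, availability: float = 0.85) -> dict[str, int]:
        return {
            "tier1": headcount_for_seats(self.tier1_seats,
                                         self.coverage_hours_per_week,
                                         availability),
            "tier2": self.tier2,
            "tier3": self.tier3,
            "manager": self.manager,
        }


def annual_staff_cost(plan: Plan, loaded_factor: float = 1.3,
                      availability: float = 0.85) -> tuple[int, int]:
    """(low, high) fully-loaded annual staffing cost in USD.

    loaded_factor covers benefits, payroll tax and equipment on top of base
    salary; 1.3 is an assumed planning multiplier, not a figure from the page.
    """
    low = high = 0
    for role, n in plan.headcount(availability).items():
        lo, hi = SALARY[role]
        low += n * lo
        high += n * hi
    return round(low * loaded_factor), round(high * loaded_factor)


if __name__ == "__main__":
    business_hours = Plan(coverage_hours_per_week=8 * 5, tier1_seats=1, tier2=1, tier3=1)
    around_the_clock = Plan(coverage_hours_per_week=24 * 7, tier1_seats=1, tier2=2, tier3=1)
    for label, plan in (("8x5", business_hours), ("24x7", around_the_clock)):
        print(f"{label}: headcount={plan.headcount()} cost={annual_staff_cost(plan)}")
```

Vary `availability` to see how sensitive the model is: at 70% availability a single 24x7 chair already needs six people, which is the upper end of the tier-1 range quoted above. Adding a second concurrent tier-1 chair doubles the shift headcount, not the on-call tiers.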

SOC Tooling Stack

  • SIEM (e.g. Sentinel, Splunk): $80,000 - $500,000+/year
  • SOAR Platform: $50,000 - $200,000/year
  • EDR / XDR: $20 - $50/endpoint/year
  • Vulnerability Management: $15,000 - $100,000/year
  • Threat Intelligence Feeds (optional): $10,000 - $80,000/year
  • Network Detection and Response (NDR) (optional): $50,000 - $200,000/year
  • Case Management / Ticketing: $5,000 - $30,000/year
  • Deception / Honeypots (optional): $20,000 - $80,000/year

Tools not marked optional make up the minimum viable SOC; the optional tools are recommended for intermediate and advanced maturity programs. Note that SIEM licensing is usually priced on ingest volume (GB/day), so the log-source expansion planned in later phases raises that line item, and EDR/XDR scales with endpoint count rather than with the SOC itself.

SOC Build Timeline and Cost Phases

Phase 1: Foundation (Months 1-3)

$200,000 - $500,000
  • Define SOC scope, coverage hours, and escalation paths
  • Hire SOC Manager and 2-3 seed analysts
  • Deploy core tooling: SIEM, EDR, ticketing
  • Establish baseline monitoring use cases (top 20-30 alerts)
  • Integrate critical log sources (directory services, firewall, endpoint)
Phase 2: Operationalization (Months 4-9)

$300,000 - $700,000
  • Tune alert rules to reduce the false positive rate below 20%
  • Build playbooks for the top 10 incident types
  • Expand log source coverage to 80% of the environment
  • Deploy SOAR for tier-1 automation
  • Complete training and certification for the analyst team
Phase 3: Maturity (Months 10-18)

$400,000 - $900,000/year ongoing
  • Launch a proactive threat hunting program
  • Integrate commercial threat intelligence
  • Develop custom detections for organization-specific risks
  • Establish metrics and a reporting cadence
  • Put an IR retainer in place for major incidents

Facility and Overhead Costs

Most modern SOCs run without a dedicated physical space: analysts work remotely and reach the tooling over a VPN with MFA enforced. Organizations that do require a physical SOC facility should budget additionally:

  • Dedicated workspace: $3,000 - $8,000 per analyst workstation (monitors, secure desk, encrypted laptop)
  • Video wall / incident display: $15,000 - $80,000 one-time
  • Physical security controls for the SOC space: $20,000 - $100,000
  • Secure communications (encrypted voice, video): $5,000 - $20,000/year