Updated April 2026

MDR vs Building a SOC 2026 - Full Cost Comparison and Decision Guide

The build-vs-buy decision for security operations is one of the most consequential choices a CISO or IT director makes. Building an in-house security operations centre (SOC) gives you complete control over detection and response but requires enormous upfront and ongoing investment. MDR provides equivalent 24/7 monitoring and response capability at a fraction of the cost. This guide provides the real numbers CFOs and CISOs need for a defensible business case, including salary data, infrastructure costs, and breakeven analysis.

MDRCost.com is an independent pricing guide. We are not affiliated with any MDR vendor. Pricing data is compiled from public sources, partner channels, and verified buyer reports.

Three Options Compared: MDR vs SOC-as-a-Service vs In-House SOC

Factor | MDR | SOC-as-a-Service | In-House SOC
Annual Cost (500 endpoints) | $90K-300K | $60K-600K | $800K-1.3M
Year 1 Setup | Minimal | Moderate | $1M-2M infrastructure
Time to Operational | 1-4 weeks | 2-8 weeks | 6-12 months
Staffing Required | None | 1-2 internal contacts | 5-6 analysts + manager
Technology | Vendor-provided | Your tools + their monitoring | You buy and maintain
Customisation | Limited to vendor capabilities | Moderate | Full control
Coverage Hours | 24/7/365 | 24/7/365 | 24/7 if fully staffed
Best For | Under 2,000 endpoints | Existing tool investments | 5,000+ endpoints, regulated

In-House SOC Cost Breakdown

Building a SOC from scratch is a multi-million dollar undertaking in year one. The costs break down into three categories: staffing (the largest ongoing expense), infrastructure (the largest upfront expense), and ongoing operations. These numbers represent a mid-market SOC capable of 24/7 monitoring for 500-2,000 endpoints in a North American or Western European labour market.

Staffing ($600K-$900K/year)

SOC Manager | $120K-150K
Senior Analyst x2 | $200K-260K
Junior Analyst x3-4 | $240K-400K
Benefits (25-30%) | $140K-240K

Minimum 5-6 analysts for 24/7 coverage accounting for shifts, PTO, and turnover. Cybersecurity analyst turnover averages 25-30% annually.

Infrastructure ($1M-$2M Year 1)

SIEM platform | $100K-500K
SOAR platform | $50K-200K
Threat intel feeds | $30K-100K
Network monitoring | $50K-150K
Secure facility/NOC | $200K-500K

One-time setup costs. Ongoing licence renewals add $200K-400K/year.

Ongoing ($200K-$400K/year)

Tool licences/renewals | $100K-250K
Training/certifications | $30K-60K
Recruiting (turnover) | $30K-50K
Threat intel updates | $30K-80K

Annual recurring costs beyond salaries. Total year 2+ cost: $800K-1.3M/year.

Breakeven Analysis: When In-House SOC Wins

MDR pricing is per-endpoint, while in-house SOC costs are relatively fixed regardless of endpoint count (the same 5-6 analysts can monitor 500 or 5,000 endpoints). This means MDR wins at smaller scale but in-house SOC becomes competitive at larger scale. The typical breakeven point is around 5,000 endpoints. Below that threshold, MDR is almost always more cost-effective. Above it, the per-endpoint cost of in-house staff drops below MDR pricing for many vendors. However, this analysis ignores the opportunity cost of management attention and the risk of analyst turnover disrupting coverage.

Endpoints | MDR (Mid-Range) | In-House SOC | Winner
500 | $90K-180K/yr | $800K-1M/yr | MDR by $620K-820K
1,000 | $120K-240K/yr | $800K-1M/yr | MDR by $560K-880K
2,500 | $225K-450K/yr | $850K-1.1M/yr | MDR by $400K-875K
5,000 | $360K-600K/yr | $900K-1.2M/yr | MDR by $300K-840K
10,000 | $600K-1M/yr | $950K-1.3M/yr | Close - evaluate case by case

The Hybrid Model: In-House Team + MDR

Many organisations find the optimal solution is neither pure MDR nor a full in-house SOC, but a hybrid model. Maintain a small in-house security team (2-3 analysts) for business-hours monitoring, strategic security projects, and internal stakeholder communication. Use MDR for after-hours, weekend, and holiday coverage. This approach reduces staffing from 5-6 analysts to 2-3 (saving $200,000-300,000 per year in salaries) while maintaining 24/7 monitoring through the MDR provider. The in-house team handles day-to-day security operations and acts as the escalation point for the MDR provider during business hours, while the MDR team provides continuous coverage during the 128 hours per week that your in-house team is not working.

MDR vs In-House SOC FAQ

How much does it cost to build an in-house SOC?

Building a 24/7 in-house security operations centre costs $1.8-3.3 million in the first year and $800,000-1.3 million per year ongoing. The largest cost is staffing - you need a minimum of 5-6 security analysts plus a SOC manager for round-the-clock coverage, costing $600,000-900,000 in salaries alone. Initial infrastructure investment including SIEM, SOAR, network monitoring tools, and a secure facility runs $1-2 million. Ongoing costs include training, tool licences, threat intelligence feeds, and staff retention.

Is MDR cheaper than building a SOC?

For most organisations, yes. MDR costs $90,000-300,000 per year for 500 endpoints compared to $800,000 or more per year for an in-house SOC. MDR is cheaper below approximately 5,000 endpoints. Above that threshold, the per-endpoint cost of in-house analysts begins to match MDR pricing because analyst capacity scales more efficiently at large scale. For organisations with fewer than 2,000 endpoints, MDR is almost always the more cost-effective option.

What is the difference between MDR and SOC-as-a-Service?

MDR typically includes both the security technology (EDR agent, detection rules) and the managed monitoring service. SOC-as-a-Service is usually a pure monitoring service that monitors your existing tools without providing its own technology stack. MDR is more turnkey - you get a complete security monitoring solution. SOC-as-a-Service offers more flexibility in tool selection but requires you to maintain your own security infrastructure. Pricing for SOC-as-a-Service ranges from $5,000 to $50,000 per month depending on scope.

When does an in-house SOC make more sense than MDR?

An in-house SOC becomes cost-effective at roughly 5,000 or more endpoints, in regulated industries requiring cleared personnel (government, defence), when you need custom detection rules for proprietary systems, or when your organisation has unique compliance requirements that standard MDR cannot satisfy. Large enterprises often justify in-house SOCs not purely on cost but on control - the ability to customise detection, integrate with internal processes, and retain institutional security knowledge.

Can I use a hybrid model with both in-house staff and MDR?

Yes, hybrid models are increasingly common. The most popular approach is maintaining a small in-house security team for business-hours monitoring and strategic projects while using MDR for after-hours, weekend, and holiday coverage. This reduces staffing from 5-6 analysts for 24/7 coverage to 2-3 for business hours only, saving $200,000-300,000 per year in salaries while still maintaining 24/7 monitoring through the MDR provider. Expel MDR is particularly well-suited for hybrid models since it works with your existing tools.