Independent cost reference. Not affiliated with any security vendor or MSSP.

24/7 SOC Cost in 2026: Why Round-the-Clock Coverage Costs 5x

The single most important number in SOC economics is 4.87. Eight thousand seven hundred sixty hours of coverage divided by 1,800 productive hours per FTE forces five analysts per chair, which is why 24/7 SOC capacity costs five to six times what a single business-hours analyst does.

Per-Chair Cost: $580K - $760K (single 24/7 tier-1 seat)
FTE Multiplier: 5 - 6x (per 24/7 coverage seat)
24/7 MSSP: $100K - $400K (per year, full outsourced coverage)

The 8,760 / 1,800 math

A year contains 8,760 hours. A SOC seat that needs continuous coverage must have a human in it for all of them. One full-time employee in the US delivers roughly 1,800 productive hours per year after subtracting 10 to 15 holidays, 15 to 20 vacation days, 5 to 10 sick days, and 5 to 10 training days. The exact number varies by country and employer: 1,800 is a US-private-sector midpoint; UK and EU figures are closer to 1,650 because of higher statutory vacation entitlement. 8,760 divided by 1,800 equals 4.87, which rounds up to five FTEs per single 24/7 chair. A SOC that wants resilience (the ability to absorb one resignation or extended leave without a coverage gap) plans six FTEs per chair.

This math compounds for every position the SOC wants on duty around the clock. A single tier-1 analyst on shift needs five FTEs; two analysts on shift need ten; a dedicated tier-2 investigator on shift adds another five. A minimum viable 24/7 SOC with one tier-1 and one tier-2 on shift at all times needs ten FTEs of analysts plus the daytime-only positions (manager, detection engineer, threat hunter). That is the entire reason 24/7 SOCs cost what they do: it is not the tooling, it is the labour.

The math is invariant to automation. SOAR, AI-assisted triage, and noise reduction tools change what each FTE can accomplish per hour, but they do not change the number of hours in a year or the number of productive hours per FTE. Automation lets a 5-FTE chair handle 3x the alert volume, but the chair still needs five humans because the constraint is calendar-time presence, not throughput. This is why headline claims that AI will "replace the SOC analyst" are not yet visible in the staffing data: AI is reducing toil per alert, not eliminating the requirement for analyst-hours of coverage.

Per-position cost build

Position | Base salary | Loaded (per FTE) | 5 FTEs (1 seat) | 6 FTEs (resilient seat)
Tier 1 analyst | $80K - $100K | $105K - $135K | $525K - $675K | $630K - $810K
Tier 1 with night differential | $95K - $115K | $120K - $155K | $600K - $775K | $720K - $930K
Tier 2 investigator | $110K - $145K | $145K - $195K | $725K - $975K | $870K - $1,170K
Tier 3 / IR (always-on retainer) | $140K - $185K | $185K - $250K | $925K - $1,250K | $1,110K - $1,500K

Most enterprise 24/7 SOCs run two tier-1 chairs (to handle parallel alerts and provide peer-review on shift), one tier-2 chair, and tier-3 on call from home with an on-call premium rather than always physically present. That configuration costs roughly $1.85M to $2.5M per year for the round-the-clock chair staffing alone, plus business-hours-only positions (manager, engineering, threat hunter) at another $700K to $1.2M. Total in-house staffing for a mature 24/7 SOC therefore runs $2.5M to $3.7M, which matches the staffing-share component (60% to 70%) of the headline $3M to $5M enterprise SOC budgets observed in the field.

24/7 outsourcing as an alternative

For organisations below the 5,000-employee crossover, paying an MSSP for 24/7 coverage is significantly cheaper than building it in-house. Arctic Wolf, Critical Start, Expel, ReliaQuest, and a dozen comparable vendors offer 24/7 SOC-as-a-Service at $100K to $400K per year for the small-to-mid-market segment. That contract delivers coverage that would cost between $700K and $1.5M to provide with an in-house team of five to ten people; the difference comes from amortising the MSSP analyst pool across multiple customers.

The trade-off is environment knowledge. An MSSP analyst handles dozens of customers and cannot know any one as well as an internal team would. The MSSPs that compete on quality (Expel, Critical Start, ReliaQuest) invest heavily in onboarding and named-analyst models to compensate; the MSSPs that compete on price (Trustwave's lower tiers, Secureworks at the entry level) accept the environment-knowledge gap and operate on standardised playbooks. The customer's choice depends on whether response quality matters more than cost predictability.

The hybrid pattern (internal team for business hours, MSSP for after hours) often delivers the best blend for mid-market organisations. The internal team carries the environment knowledge and handles the high-severity escalations; the MSSP handles after-hours triage with playbooks the internal team has authored. Total cost lands at 40% to 60% of full in-house and the response quality lands closer to in-house than pure MSSP. See the hybrid SOC architecture page for the operational model.

Does the organisation actually need 24/7?

The honest answer is that not every organisation does, but the threat data argues strongly in favour of it for any organisation with material data assets or revenue dependence on systems. Sophos's 2024 State of Ransomware report shows 60% of confirmed ransomware incidents began outside normal business hours, with attackers explicitly preferring weekends and US public holidays. Mandiant's M-Trends 2024 reports the mean attacker dwell time is now 10 days globally and 13 days in North America. Detecting an attack at 3am Saturday rather than 9am Monday saves 54 hours of dwell, and dwell time is the single largest determinant of breach cost (IBM Cost of a Data Breach 2024 shows breaches contained under 200 days cost $1.4M less than those over 200 days).

The organisations that can legitimately skip 24/7 are those where (a) the attack surface is limited to business-hours systems (e.g. retail stores that close at night, B2B services that batch overnight), (b) the data sensitivity is genuinely low (no PII, PHI, payment data, or regulated information), and (c) cyber insurance does not require it. For everyone else, the question is not whether to do 24/7 but how (in-house, MSSP, hybrid). See the 8x5 SOC cost page for organisations where business-hours-only is a defensible choice.

Automation impact on 24/7 cost

The dominant cost-reduction lever in 2025-2026 is not headcount reduction; it is per-FTE throughput improvement. A tier-1 analyst in 2020 handled roughly 20 to 40 alerts per shift after triage. A tier-1 analyst in 2026 with SOAR enrichment, AI-assisted triage (Microsoft Security Copilot, Google SecOps Gemini, CrowdStrike Charlotte), and a maturity-driven low false-positive rate handles 80 to 200 alerts per shift. That 3-5x throughput improvement does not reduce the FTE count for the chair, but it does mean that a single chair can cover a larger organisation, deferring the need for a second 24/7 chair from roughly 1,000-employee scale to roughly 3,000-employee scale.

The cost of this automation is non-trivial: SOAR platforms run $50K to $250K per year, AI triage assistants add $30 to $80 per analyst per month, and detection engineering effort to build and maintain the automation typically takes 0.5 to 1 dedicated FTE. Net impact is positive at organisations with high alert volume (above 100 alerts per day) and break-even-to-negative at organisations with lower volume. Smaller organisations should not invest heavily in SOAR until alert volume justifies it.

Frequently Asked Questions

Why does 24/7 SOC coverage need 5 to 6 FTEs per seat?
One FTE delivers around 1,800 productive hours per year after holidays, vacation, training, and sick leave. Round-the-clock coverage needs 8,760 hours. 8,760 divided by 1,800 equals 4.87, rounded up to five FTEs for a single seat with no resilience, six for a seat that survives one resignation. This math is invariant: it applies to a tier-1 analyst, a tier-2 investigator, and any other 24/7 position.

What is the total cost of a single 24/7 tier-1 position?
A tier-1 analyst at $90K base plus 28% benefits is $115K fully loaded. Five analysts at this level is $575K; six is $690K. Most enterprises plan five with the sixth slot filled by a senior analyst at higher rate, landing the seat at roughly $580K to $760K per year. That is for one chair providing 24/7 alert triage, without the manager, the tier-2, or the tier-3.

Can automation reduce the FTE multiplier?
Not the headcount math, but the per-analyst alert throughput. SOAR automation, AI-assisted triage, and case management tools reduce per-alert handling time by 30% to 60%, which lets the same five-FTE chair handle a larger alert volume. A 24/7 chair still needs five FTEs because human availability over time is the constraint, not alerts per hour.

When does shift differential apply, and how much?
Most US enterprises pay a 10% to 20% shift differential for night work (typically defined as 10pm to 6am or similar) and a 5% to 10% premium for weekends. A tier-1 night-shift analyst at $90K base plus 15% differential is $103K base, $132K fully loaded. The differential typically adds 8% to 12% to total 24/7 staffing cost versus a model where night shift is paid the same as day shift.

Is 24/7 outsourcing cheaper than 24/7 in-house?
Below 5,000 employees, yes. A 24/7 MSSP for a 1,000-employee company costs $150K to $400K per year versus $1.5M to $2.5M for in-house 24/7. The crossover where in-house starts winning per-employee is around 5,000 employees, where the fixed staffing cost amortises across enough users to compete with linear-scaling MSSP fees.

Do we need 24/7 if attacks happen at all hours?
The data is unambiguous. Approximately 60% of ransomware incidents in 2023-2024 began outside normal business hours, with attackers deliberately choosing weekends and holidays. The mean dwell time from initial access to deployment is 7 days; the mean dwell time once detected to containment is 24 hours. Detecting the attack at 3am Saturday versus 9am Monday saves 54 hours of dwell.

Updated May 2026. Cost figures sourced from BLS OEWS 15-1212, SANS 2024 SOC Survey, Sophos State of Ransomware 2024, Mandiant M-Trends 2024, and IBM Cost of a Data Breach 2024.

Updated 2026-05-11