How we source SOC cost figures
Three-stream triangulation: government statistical sources (BLS Occupational Employment and Wage Statistics), independent industry surveys (Ponemon Institute SOC Performance Report, IBM Cost of a Data Breach Report, SANS Cyber Security Survey), and vendor public pricing pages cross-checked against published contract benchmarks. Every band on this site traces back to one of these three streams or a named cross-reference.
Prices verified: May 2026
Primary sources
BLS Occupational Employment and Wage Statistics (OEWS), occupation 15-1212 Information Security Analysts
The US Bureau of Labor Statistics OEWS program publishes annual median, 25th-percentile, 75th-percentile, and 90th-percentile wage data for Information Security Analysts (SOC code 15-1212), the occupation that covers SOC analyst, security engineer, and incident response analyst roles. This is the authoritative anchor for our salary bands. Glassdoor and Levels.fyi crowdsourced data is used as a cross-check, not as a primary source.
Source: bls.gov / oes / current / oes151212.htm
Ponemon Institute SOC Performance Report (annual)
Ponemon Institute survey of SOC operators and CISOs covering total annual SOC cost, headcount, MTTD and MTTC benchmarks, alert volume, and false-positive rate. This dataset drives the headline figure that 65-70 percent of total SOC cost is staffing. We cite the multi-year average rather than a single annual snapshot because the absolute figures drift year over year while the ratios remain stable.
Source: ponemon.org publication series
IBM Cost of a Data Breach Report (annual)
IBM Security and Ponemon Institute joint report. Source of the headline $4.45M average data breach cost figure used in the SOC ROI analysis on /soc-roi, plus the MTTD and MTTC time-to-detect / time-to-contain medians that drive the breach-cost-vs-SOC-cost math. Most recent edition cited; figures roll forward when the annual edition publishes.
Source: ibm.com / reports / data-breach
Gartner Magic Quadrant references (SIEM, SOAR, MDR)
Gartner Magic Quadrant reports for SIEM, SOAR, MDR, and Endpoint Protection Platforms identify the named-vendor leaders that anchor our /siem-cost, /mdr-pricing, and SOC tools coverage. We use the Magic Quadrant only to establish which vendors qualify as leaders or visionaries worth covering; vendor-specific pricing comes from each vendor's own public pricing page or published contract value benchmarks, never from Gartner's reports.
Source: gartner.com / Magic Quadrant series
NIST Cybersecurity Framework 2.0
NIST CSF 2.0 (released February 2024) is the framework that drives the SOC maturity model on /maturity. The five functions (Identify, Protect, Detect, Respond, Recover) plus the new Govern function map to SOC capability levels and inform the maturity-vs-cost relationship cited across the site. NIST publications are public-domain US Government works.
Source: nist.gov / cyberframework
SANS Cyber Security Survey (annual SOC survey)
SANS Institute's annual SOC Survey covers practitioner-reported SOC structure, tool adoption (SIEM, SOAR, EDR, threat intel), staffing pain points, and budget allocation. Used as a practitioner cross-check on the Ponemon vendor / executive-survey figures. Where SANS and Ponemon disagree on a figure (typically tool adoption rates), we cite the wider band that includes both.
Source: sans.org / white-papers / soc-survey
Vendor public pricing pages
Public pricing tier descriptions and listing-price ranges for Splunk (Cloud and Enterprise), Microsoft Sentinel (Azure consumption pricing), IBM QRadar (EPS-based), Elastic Security (Elastic Cloud Enterprise tiers), Sumo Logic, Datadog Cloud SIEM, Rapid7 InsightIDR, and CrowdStrike Falcon LogScale. Where a vendor does not publish a tier price, the band reflects publicly-disclosed contract values from G2 / TrustRadius and customer write-ups in the security-engineering community.
Source: vendor public pricing pages plus G2 / TrustRadius
In scope
- Total annual SOC operating expense across in-house, MSSP, MDR, SOCaaS, and hybrid models
- Per-tier SOC analyst salary bands (Tier 1, Tier 2, Tier 3, SOC manager) referencing BLS OEWS 15-1212
- 24/7 coverage staffing math (FTE-per-shift-position arithmetic)
- SIEM platform pricing tier bands across Splunk, Microsoft Sentinel, IBM QRadar, Elastic Security, Sumo Logic, Datadog Cloud SIEM, Rapid7 InsightIDR
- MSSP, MDR, and SOC-as-a-Service tier bands by organization size and coverage scope
- Hybrid SOC cost crossover math by employee count
- MSSP contract evaluation framework (SLA, scope, data handling, incident response, reporting, commercial terms)
- SOC ROI framing (breach cost vs SOC cost, MTTD / MTTC impact)
Out of scope
- Enterprise-negotiated MSSP, MDR, or SIEM pricing (subject to NDA, varies by sales motion)
- Sales-led custom SIEM or SOAR pricing (Splunk Enterprise custom quote, IBM QRadar enterprise contracts)
- Region-specific regulatory surcharges (GDPR data-residency premium, US public sector FedRAMP overhead)
- Compliance-driven SOC scope adders (FedRAMP High, IL5, CMMC Level 3) which require specialised vendor or in-house build out beyond a standard 24/7 SOC
- Cyber insurance premium offsets that depend on individual insurer underwriting
- Specific per-MSSP or per-MDR contract quotes (negotiated per engagement and not publishable)
Calculation framework
Staffing cost as 65-70 percent of in-house SOC TCO
Per the Ponemon SOC Performance Report multi-year average, staffing accounts for 65-70 percent of total in-house SOC operating expense. Our staffing figure uses BLS OEWS occupation 15-1212 wage data: Tier 1 SOC analyst $75K-$95K, Tier 2 $95K-$130K, Tier 3 $130K-$160K, SOC manager $140K-$180K base salary. Base salaries are then loaded with 28 percent for employer payroll taxes, benefits, training, and equipment. The loaded multiplier (1.28x) is the BLS-published average for the Information sector employer cost ratio.
24/7 coverage math: 5-6 FTEs per shift position
One FTE provides ~1,800 productive hours per year (52 weeks at 40 hours minus 12 days PTO minus 10 sick days minus 12 days training minus 12 federal holidays). 24/7 coverage requires 8,760 hours per year. 8,760 / 1,800 = 4.87, rounded up to 5 FTEs per shift position. Most SOCs add a 6th FTE for resilience against vacancies and surge capacity. This is why a single 24/7 Tier 1 analyst position costs $480K-$730K loaded, not the $75K-$95K base salary number.
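The staffing-cost and 24/7-coverage arithmetic above, as an added example (not this site's own calculator code): it combines the salary bands, the 1.28x loading and the FTE-per-position ceiling, then backs out the total cost implied by the 65-70 percent staffing share. Function and constant names are hypothetical; the figures are the ones quoted on this page, and the SOC manager band is left out on the assumption that it is not a shift seat.

```python
import math

# All figures below are the ones quoted on this page; names are illustrative.
HOURS_PER_YEAR = 8_760            # hours of 24/7 coverage per seat
PRODUCTIVE_HOURS = 1_800          # page's approximate productive hours per FTE
LOADED_MULTIPLIER = 1.28          # base salary -> loaded cost
STAFFING_SHARE = (0.65, 0.70)     # staffing as a share of in-house SOC cost
SALARY_BANDS = {                  # base salary (low, high) in USD
    "Tier 1": (75_000, 95_000),
    "Tier 2": (95_000, 130_000),
    "Tier 3": (130_000, 160_000),
}

def ftes_per_position(productive_hours=PRODUCTIVE_HOURS):
    """Minimum whole FTEs needed to keep one seat staffed around the clock."""
    if productive_hours <= 0:
        raise ValueError("productive_hours must be positive")
    return math.ceil(HOURS_PER_YEAR / productive_hours)

def loaded_position_cost(tier, productive_hours=PRODUCTIVE_HOURS, resilience_ftes=1):
    """(low, high) loaded annual cost of one 24/7 seat.

    Low: minimum FTE count at the bottom of the salary band.
    High: minimum plus the resilience FTE(s) at the top of the band.
    """
    low_salary, high_salary = SALARY_BANDS[tier]
    n = ftes_per_position(productive_hours)
    low = n * low_salary * LOADED_MULTIPLIER
    high = (n + resilience_ftes) * high_salary * LOADED_MULTIPLIER
    return round(low), round(high)

def implied_total_cost(staffing_cost):
    """(low, high) total SOC cost implied by the 65-70 percent staffing share."""
    low_share, high_share = STAFFING_SHARE
    return round(staffing_cost / high_share), round(staffing_cost / low_share)

if __name__ == "__main__":
    for tier in SALARY_BANDS:
        low, high = loaded_position_cost(tier)
        print(f"{tier}: ${low:,} - ${high:,} per 24/7 seat")
    print("Total cost implied by $480,000 staffing:", implied_total_cost(480_000))
```

Because the FTE count is a ceiling, the result is sensitive to the productive-hours input: any value below 1,752 hours per FTE pushes the minimum from 5 to 6 FTEs per seat.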
MSSP per-device, per-user, flat-rate, and outcome-based pricing models
MSSP pricing buckets reflect industry-survey distributions: ~45 percent per-device ($10-$60/device/month), ~30 percent per-user ($50-$350/user/month), ~20 percent flat-rate tiers ($2K-$100K+/month), ~5 percent outcome-based. Specific per-MSSP pricing is not cited; bands triangulate from public quote-page disclosures, RFP responses shared in the CISO community, and customer write-ups on G2 / TrustRadius. Named MSSPs (eSentire, Arctic Wolf, Huntress, UnderDefense, Critical Start, Lumifi, Expel, BlueVoyant) appear in coverage discussion without per-firm pricing attached.
SIEM cost math by ingestion volume
SIEM platforms price on data ingestion volume (GB/day or events-per-second). Tier bands: Splunk $150+/GB/day ingestion-based or workload-based Splunk Cloud pricing; Microsoft Sentinel $5.22/GB consumption (Azure list price, M365 logs free); IBM QRadar EPS-based starting around $10K/year; Elastic Security open-source base with Elastic Cloud commercial tiers ($95+/month start). A mid-size organization ingesting 100GB/day typically lands at $150K-$400K annually for SIEM licensing alone, ahead of FTE time to operate. SIEM represents 20-30 percent of total SOC cost per Ponemon.
MDR and SOC-as-a-Service tier pricing
MDR pricing typically falls in the $50K-$200K/year band for mid-market organizations, scaling with endpoint count and coverage hours. SOC-as-a-Service (SOCaaS) tiers run $12K-$120K/year covering monitoring-only at the low end and full 24/7 detection-and-response at the high end. Named MDR providers (CrowdStrike Falcon Complete, SentinelOne Vigilance, Sophos MDR, eSentire MDR, Arctic Wolf MDR, Huntress MDR, Rapid7 Managed Detection and Response, Critical Start MDR) appear in coverage with tier-band pricing only, never per-provider quotes.
Hybrid SOC cost crossover math
The crossover point where in-house SOC becomes cost-competitive with MSSP is typically 2,000-5,000 employees, driven by fixed-cost spreading across more endpoints and users. Below 500 employees, MSSP is almost always cheaper per protected entity. The 500-5,000 employee band is where hybrid models (internal Tier 2-3 plus MSSP Tier 1 / 24/7 coverage, or MSSP overflow on top of in-house core) typically deliver 30-60 percent savings versus full in-house. Our hybrid bands on /hybrid use a per-employee TCO model that triangulates across the Ponemon dataset, AICPA SOC peer-review fee schedules, and named-MSSP public contract benchmarks.
Refresh cadence
Cost bands and vendor pricing references are re-verified against public sources in the first business week of each month. The verification date is held in one constant (LAST_VERIFIED_DATE) that footer text, schema dateModified, and visible "Updated" headings all read from. Cosmetic date refreshes without an underlying source check are structurally impossible because all three derive from one source.
Out-of-cycle refresh triggers:
- BLS OEWS annual release (typically March / April each year, occupation 15-1212 figures roll forward)
- Ponemon SOC Performance Report new edition
- IBM Cost of a Data Breach Report new edition (typically July each year)
- Named vendor public price change (Splunk, Microsoft Sentinel, IBM QRadar, Elastic, Sumo Logic, Datadog, Rapid7)
- NIST CSF revision (major release, last was CSF 2.0 in February 2024)
- Major MSSP / MDR acquisition or platform change affecting per-entity tier pricing
Limitations
Calculator outputs are estimates. Production MSSP, MDR, or SIEM quotes depend on enterprise agreements, regional surcharges, reserved-capacity commitments, and compliance scope adders not modelled here. The 24/7 staffing math assumes a US-located SOC on a single shift schedule; follow-the-sun and offshore-supplemented models change the FTE-per-position arithmetic.
Vendor pricing pages drift between verification cycles. Where a vendor lists a tier price one month and removes it the next (a common Splunk pattern around contract renewal windows), we keep the most recent verified figure on file and note the date. Splunk Workload Pricing, Microsoft Sentinel commitment-tier discounts, and IBM QRadar Cloud Pak for Security bundling all create individual-customer pricing that deviates from list.
Salary bands reflect US-national figures. Region-specific cost-of-living adjustments (San Francisco Bay Area +30 to +40 percent, NYC metro +20 to +30 percent, Austin / Atlanta / Denver +0 to +10 percent) are not modelled on the headline bands. Use the BLS OEWS state-level data for region-adjusted figures.
Corrections process
Spotted a stale band, a vendor pricing change we have not caught yet, or a calculation framework assumption that does not match your own SOC operating data? Email [email protected] with the page URL, the figure, and the source you would like cited. Substantive corrections are typically actioned within five business days. We log every correction request and update the LAST_VERIFIED_DATE constant when a substantive figure changes.