Independent cost reference. Not affiliated with any security vendor or MSSP.

SOC Cost for a 100-Employee Company in 2026

The honest answer for a 100-person company is not a number; it is a decision. Skip the in-house SOC build, pick an MDR or SOC-as-a-Service contract, and the realistic annual spend is $30,000 to $120,000.

Realistic Range

$30K - $120K

per year, fully outsourced

Per Employee

$300 - $1,200

per employee per year

In-House Math

Do Not

$1M+ for 24/7, infeasible at 100 staff

Why in-house does not work at 100 employees

The single most important fact about SOC economics is that round-the-clock coverage requires roughly five full-time analysts per chair. One full-time employee delivers about 1,800 productive hours per year after holidays, vacation, training, and sick leave. A 24/7 SOC needs 8,760 hours of coverage. The arithmetic forces 8,760 divided by 1,800, which equals 4.87, rounded up to five FTEs for a single seat with no resilience and six for a seat that survives one resignation. A minimum viable 24/7 in-house SOC therefore needs five to six tier-1 analysts, two tier-2 analysts, one tier-3 incident responder, and one SOC manager. That is nine people on the low end.

A 100-employee company typically has an entire IT department of five to ten people, including the help desk, infrastructure, and the person who manages laptops. Hiring nine more people for security operations alone is not a budget decision; it is an organisational redesign. Even if leadership agreed to the headcount, the recruiting market for tier-1 analysts in 2026 has roughly six months of search time per hire, and turnover in the role runs 20% to 30% annually per the SANS 2024 SOC Survey. The 100-person company that tries to build an in-house SOC will, in practice, end up with two analysts working business hours, no real 24/7 coverage, and the original problem unsolved.

The right answer is to skip the in-house build entirely and procure managed services. For a 100-employee company, that means MDR (Managed Detection and Response), SOC-as-a-Service, or a small-business-tier MSSP. The realistic budget for any of those three options sits in the $30,000 to $120,000 per year range, an order of magnitude below what an in-house attempt would cost without ever delivering the 24/7 coverage the in-house team was supposed to provide.

What the $30K to $120K actually buys

At the $30K to $50K floor, the contract typically buys EDR-only monitoring for around 100 endpoints, 24/7 alert triage by a vendor SOC, and basic incident response for confirmed threats. Examples include Huntress at roughly $4 to $7 per endpoint per month for the core managed EDR product, which lands a 100-endpoint company at $4,800 to $8,400 per year for endpoint coverage alone, with identity or Microsoft 365 modules bringing the total toward the $30K floor. Blackpoint Cyber, Defendify, and Cynet operate in similar bands.

At the $50K to $80K midpoint, the contract buys broader log-source coverage (endpoint plus identity plus cloud plus firewall), a named senior engineer or concierge contact, quarterly tuning sessions, and a retainer for incident response hours. Arctic Wolf operates predominantly in this band for SMBs and quotes per-employee rather than per-endpoint, with public ranges from $295 to $545 per employee per year depending on tier. A 100-employee company at the lower tier lands at $29,500, and the higher tier at $54,500, with services like compliance reporting and quarterly business reviews bumping the total toward $80K.

At the $80K to $120K ceiling, the customer is buying named-analyst SOC-as-a-Service with full SIEM integration, custom detection rule development, incident response retainer hours, threat hunting, and compliance evidence packaging for SOC 2 or HIPAA. Providers like eSentire, ReliaQuest, and Critical Start sit in this band for small organisations with complex requirements. The premium pays for vendor depth of engineering and the ability to handle a real incident without scrambling for outside counsel.

The hidden line items

The MSSP or MDR subscription is the visible cost, but a 100-employee company should plan for several additional line items that the vendor proposal will not include. The first is an endpoint detection and response tool licence, which the MSSP usually consumes on the customer's behalf but bills the customer for. CrowdStrike Falcon Insight at list runs around $60 per endpoint per year for the standard tier, so 100 endpoints lands at $6,000 per year. SentinelOne, Microsoft Defender for Endpoint Plan 2, and Sophos Intercept X sit in the $40 to $80 per endpoint per year band. The MSSP that includes the EDR licence in its per-employee fee is usually subsidising it from the per-employee margin, and the customer should still read the contract to confirm what licence transfers if the relationship ends.

The second hidden line is identity threat detection. Most modern attacks against SMBs start with phishing or credential theft. A 100-employee company on Microsoft 365 should expect to add Defender for Identity or Defender for Cloud Apps at $5 to $12 per user per month, which adds $6,000 to $14,400 per year on top of the SOC contract. The MSSP will require this telemetry to do its job, but the licence is rarely included.

The third hidden line is incident response surge cost. Every MDR contract includes a baseline number of IR hours, typically 40 to 80 per year, and the customer pays $250 to $500 per hour for additional time during an active incident. A serious incident easily consumes 200 to 400 IR hours; once the included hours are used up, that is roughly $30,000 to $180,000 in surge spend that is not in the original annual budget. The right move is to attach a separate incident response retainer to a different firm (Mandiant, Unit 42, Kroll), priced at $25,000 to $75,000 per year, which guarantees a response team is available without paying surge rates.

Cost layered with cyber insurance

Cyber insurance for a 100-employee company in 2026 typically runs $5,000 to $25,000 per year for $1M to $5M of coverage, depending on industry. The interesting dynamic since 2023 is that carriers (Beazley, Coalition, At-Bay, Travelers) now require evidence of EDR and 24/7 monitoring before binding the policy, and they offer materially lower premiums for customers who can show an MDR contract. A 30% premium reduction on a $15,000 policy is $4,500 per year, which by itself does not pay for the MDR, but stacks alongside ransomware coverage that would otherwise be excluded entirely.

The total security spend calculation for a 100-employee company should therefore include MDR plus EDR plus identity plus IR retainer plus cyber insurance. Using the figures above, that stack adds up to roughly $70,000 to $240,000 per year. That is the honest number, not the $30,000 headline that appears on the MSSP marketing page. A founder or CISO who budgets only the MSSP fee will be surprised by the EDR licence, the identity licence, the IR surge bill, and the insurance premium.
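The staffing arithmetic in the in-house section and the layered total above are easier to sanity-check as a small model than as prose, so here is one as an added example (it is not code from the original page or from any vendor named on it). It encodes the page's own figures: 8,760 coverage hours, 1,800 productive hours per FTE, the tier-1/tier-2/tier-3/manager mix, and the per-endpoint and per-user list prices. The $170,000 loaded cost per analyst is an assumption borrowed from the solo-engineer example later on the page, and the endpoint count is a separate input because a 100-employee company usually has more endpoints than employees once servers and VMs are counted.

```python
"""Annual security-operations budget model for a ~100-employee company.

Added worked example, not code from the original page. It turns the page's
two calculations (24/7 staffing arithmetic and the layered outsourced total)
into functions so the inputs can be varied. Dollar figures are the page's
illustrative list prices; the $170,000 loaded cost per analyst is an
assumption taken from the page's solo-engineer example.
"""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365          # 8,760 hours a 24/7 chair must be covered
PRODUCTIVE_HOURS_PER_FTE = 1_800   # after leave, training and sick time


def ftes_per_seat(coverage_hours: int = HOURS_PER_YEAR,
                  productive_hours: int = PRODUCTIVE_HOURS_PER_FTE,
                  spares: int = 0) -> int:
    """Whole FTEs needed to keep one chair filled, plus spares for attrition."""
    return math.ceil(coverage_hours / productive_hours) + spares


def in_house_headcount(tier1_seats: int = 1, spares: int = 0,
                       tier2: int = 2, tier3: int = 1, managers: int = 1) -> int:
    """Minimum viable 24/7 SOC: a tier-1 rotation plus the fixed senior roles."""
    return ftes_per_seat(spares=spares) * tier1_seats + tier2 + tier3 + managers


def in_house_annual_cost(headcount: int, loaded_cost_per_fte: float = 170_000) -> float:
    """Salary-only floor; SIEM licence, tooling and recruiting come on top."""
    return headcount * loaded_cost_per_fte


def ir_surge_cost(incident_hours: int, included_hours: int, hourly_rate: float) -> float:
    """Only hours beyond the contract's included IR hours bill at surge rates."""
    return max(0, incident_hours - included_hours) * hourly_rate


@dataclass
class OutsourcedQuote:
    mdr_annual: float               # the visible MDR / SOC-as-a-Service fee
    endpoints: int                  # often exceeds headcount: servers, VMs, kiosks
    edr_per_endpoint_year: float
    users: int
    identity_per_user_month: float
    ir_retainer_annual: float
    insurance_premium_annual: float
    edr_bundled_in_mdr: bool = False  # some MSSPs fold the EDR licence into the fee


def annual_security_spend(q: OutsourcedQuote) -> dict:
    """Layered total: MDR + EDR + identity + IR retainer + cyber insurance."""
    items = {
        "mdr": q.mdr_annual,
        "edr": 0 if q.edr_bundled_in_mdr else q.edr_per_endpoint_year * q.endpoints,
        "identity": q.identity_per_user_month * q.users * 12,
        "ir_retainer": q.ir_retainer_annual,
        "insurance": q.insurance_premium_annual,
    }
    items["total"] = sum(items.values())
    items["per_user"] = items["total"] / q.users
    return items


if __name__ == "__main__":
    print("FTEs per 24/7 seat:", ftes_per_seat(), "or", ftes_per_seat(spares=1), "with one spare")
    print("In-house headcount:", in_house_headcount(), "to", in_house_headcount(spares=1))
    print("In-house salary floor: $", in_house_annual_cost(in_house_headcount()))
    low = OutsourcedQuote(30_000, 100, 60, 100, 5, 25_000, 5_000)
    high = OutsourcedQuote(120_000, 130, 60, 100, 12, 75_000, 25_000)  # 130 endpoints: servers counted
    for label, quote in (("low", low), ("high", high)):
        print(label, annual_security_spend(quote))
    print("Surge IR bill, 300h incident, 40h included, $400/h: $", ir_surge_cost(300, 40, 400))
```

The point of parameterising the endpoint count and the bundled-EDR flag is that these are exactly the two places where a vendor proposal and the customer's real bill diverge; run the model with the vendor's asset count and then with your own inventory and compare.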

SOC 2, HIPAA, and PCI floor adjustments

A 100-employee company pursuing SOC 2 Type II should add roughly $10,000 to $30,000 to the security operations budget for continuous control monitoring tooling (Vanta, Drata, Secureframe) and evidence collection automation. The SOC 2 control set requires log review, vulnerability scanning, and incident response capability, all of which the MDR contract already satisfies, but the auditor will want machine-readable evidence rather than the MSSP's PDF summary. For deeper compliance budgeting see the SOC 2 audit cost reference.

HIPAA covered entities and business associates have similar log-review and monitoring requirements under the Security Rule. A 100-employee healthcare-adjacent company should plan for $50,000 to $100,000 in security operations spend, with the higher floor reflecting the Security Rule's six-year documentation retention requirement, which most organisations and their auditors extend to audit logs. PCI DSS 4.0 Requirement 10 specifies daily log review and 12 months of audit log retention with the most recent three months immediately available for analysis, which most MSSPs price into an SMB tier without surcharge but which is a contract clause worth confirming.

Common mistakes at this scale

The most expensive mistake a 100-employee company can make is hiring a single internal security engineer with a six-figure salary and expecting that person to be a SOC. A solo engineer at $130,000 base plus benefits costs $170,000 fully loaded, more than a comprehensive MDR contract, and provides eight hours of coverage per day with no resilience. When that engineer takes a vacation, attends a conference, or leaves the company, the security function evaporates. The right model at this scale is one in-house security generalist (often the IT director with a security hat) plus an MDR contract for the 24/7 detection function.

The second common mistake is buying SIEM as a standalone product without a SOC contract attached. A $40,000 per year SIEM licence with nobody to read the alerts is a compliance theatre exercise. If the company already owns Splunk, Sentinel, or Elastic, the right move is to pay an MSSP $30,000 to $60,000 to operate it rather than hiring an analyst to half-operate it. The MSSP that operates a customer-owned SIEM (co-managed SIEM) is usually 20% to 40% cheaper than an MSSP that requires the customer to use the MSSP's own platform.

The third mistake is letting the MSSP also be the incident response firm. When the MSSP that did the monitoring is also the firm investigating why the monitoring missed the breach, the incentives are misaligned and the IR report tends to be defensive. A separate IR retainer with a firm that is genuinely independent (Mandiant, Unit 42, CrowdStrike Services, Stroz Friedberg) costs an extra $25,000 to $75,000 per year and is the single best money a 100-employee company can spend on security.

Recommended vendor shortlist for 100-employee companies

For pure cost-conscious SMBs (under $50K budget): Huntress for managed EDR plus Microsoft 365 monitoring, paired with a cyber insurance policy in the $5,000 to $25,000 premium range quoted above. Total spend lands at roughly $35,000 to $65,000 per year including insurance.

For compliance-driven SaaS startups (SOC 2 pursuit, $60K to $90K budget): Arctic Wolf or Blackpoint Cyber for 24/7 SOC, plus Vanta or Drata for SOC 2 evidence collection, plus CrowdStrike Falcon Pro for endpoints. Total spend lands at $60,000 to $110,000 per year.

For healthcare-adjacent or financial-services-adjacent companies (regulator scrutiny, $80K to $150K budget): eSentire or Critical Start for named-analyst SOC, plus CrowdStrike Falcon Insight Enterprise, plus a $25,000 IR retainer with Mandiant or Unit 42. Total spend lands at $100,000 to $180,000 per year.

Frequently Asked Questions

Does a 100-employee company need a SOC?
Most 100-employee companies need security monitoring and incident response, but they should not build an internal SOC. The minimum viable in-house 24/7 SOC needs nine to ten people, which exceeds the entire IT department of a typical 100-person company. The right answer is a managed offering: MDR, MSSP, or SOC-as-a-Service.
What does an MSSP cost for a 100-employee company?
List pricing from Arctic Wolf, Huntress, Blackpoint, and similar SMB-focused providers lands in the $30,000 to $120,000 per year range for a 100-person company. The variables are number of endpoints, log sources, and whether the contract includes incident response retainer hours.
What about cyber insurance for a 100-employee company?
Cyber insurance carriers increasingly require evidence of MDR or 24/7 monitoring before binding coverage. An MDR contract does not pay for itself through the premium alone: a 30% reduction on a $15,000 policy is $4,500 per year. What it does unlock is ransomware coverage that carriers would otherwise exclude or refuse to bind. The right comparison is total security spend (monitoring plus insurance), not monitoring alone.
Is SOC-as-a-Service different from MSSP?
Yes. SOC-as-a-Service is typically a turnkey product with fixed tiers, predictable pricing, and no need for the customer to own a SIEM. MSSP usually expects the customer to own the SIEM and infrastructure. For a 100-employee company, SOC-as-a-Service is almost always the lighter operational lift.
Can a 100-employee company self-host EDR and call that a SOC?
EDR alone is not a SOC. EDR detects on the endpoint, but a SOC investigates, responds, and reports. A 100-employee company deploying CrowdStrike or SentinelOne without a managed response capability has bought a tool, not a security operation. Pair the EDR with MDR for the response capability.
What does compliance change about this budget?
SOC 2 Type II adds continuous monitoring requirements that push the floor up by $10K-$30K because the customer needs evidence collection automation. HIPAA and PCI DSS add similar floors. For a 100-employee SaaS startup pursuing SOC 2, plan for $60K-$120K total security operations cost in year one.

Updated 2026-05-11. Cost figures sourced from BLS Occupational Employment and Wage Statistics, Ponemon Institute SOC Performance Report 2024, IBM Cost of a Data Breach Report 2024, SANS 2024 SOC Survey, and vendor-published pricing pages.