Cybersecurity Glossary

What is SOC (Security Operations Center)?

A Security Operations Center (SOC) is the team — internal or outsourced — responsible for monitoring, detecting, investigating, and responding to cybersecurity threats around the clock. A mature SOC combines people, process, and technology to produce real-time defensive coverage.

How It Works

How SOC works

Three-step view of how it operates in practice.

1. Collect

Logs, alerts, and telemetry flow in from endpoints, email, identity, network, and cloud.

2. Triage & investigate

Analysts filter noise, investigate the alerts that remain, and confirm which are true threats and which are false positives.

3. Respond & improve

Confirmed threats are contained and evidence is preserved; lessons from each incident are fed back into detection rules and response playbooks.

SOC Variants

SOC staffing models

A clear breakdown of the common variants.

Model

In-house SOC

Your own team and your own tools. Keeping a single analyst seat staffed 24/7 takes at least five to six analysts (168 hours a week, plus leave and training), more for redundancy, plus a manager and engineers to maintain the tooling. Highest cost, highest control.

Hybrid SOC

An internal team covers business hours and owns escalations and remediation; an outsourced provider covers nights, weekends, and first-line triage. Cheaper than full in-house coverage while keeping knowledge of the environment inside the company. Works only if hand-offs between the two teams are documented.

SOC as a Service (SOCaaS)

A fully outsourced, subscription SOC: the provider ingests your logs and telemetry into its own platform, monitors around the clock, and escalates confirmed incidents to your IT team to act on. Fast to stand up, but your coverage is only as good as the telemetry the provider actually ingests and the escalation times in its contract.

MDR + analyst

A Managed Detection and Response provider runs detection and containment, usually built around an EDR/XDR platform, and is authorized to take actions such as isolating a host or disabling an account. A dedicated internal analyst or IT owner is the escalation point and owns remediation, so response does not stall waiting for someone to read the provider's ticket.

Why It Matters

Why SOC matters for SMBs


207 days
mean time to identify a breach, with a further 70 days to contain it (IBM Cost of a Data Breach, 2022 edition; the 2024 edition reports 194 and 64 days). The report does not split organizations by whether they run a SOC; it attributes the largest reductions to security automation and tested incident response plans, which are exactly what a functioning SOC provides.
Source: IBM Cost of a Data Breach, 2022 and 2024
Pitfalls

Common SOC mistakes

  • Tools without people: SIEM, EDR, and XDR without analysts reviewing the alerts are expensive shelfware. The people layer matters most.
  • No runbooks: without documented, tested playbooks for the common incident types (phishing, compromised account, malware on an endpoint, ransomware), response quality depends on whoever happens to be on shift, and containment steps get missed or delayed.
  • Alert fatigue: untuned SOCs drown in false positives. Rule tuning is a continuous activity, not a one-time setup.
  • No metrics: without mean time to detect, mean time to respond, and alert-to-incident conversion rates, you cannot tell whether the SOC is improving.
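The three-step loop above (collect, triage, respond and improve) and the metrics named under "No metrics" in one runnable form. This is an added example written for this page, not LogicalNet's tooling or any vendor's product: a toy detection rule for bursts of failed logons over constructed Windows-style sign-in events, a triage step that applies a tuning allowlist (the feedback from step 3 into step 2), a containment plan for confirmed incidents, and MTTD, MTTR and alert-to-incident conversion computed from the timestamps. Event IDs 4625 and 4624 are the real Windows logon-failure and logon-success IDs; the hosts, users, IP addresses, thresholds and the 25-minute containment time are constructed for the demo.

```python
"""Added example: a minimal SOC pipeline (collect -> detect -> triage -> respond -> measure).
All event data and timings below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# --- 1. Collect: constructed sign-in telemetry, normalised the way a SIEM presents it.
# 4625 = failed logon, 4624 = successful logon (Windows Security log event IDs).
EVENTS = [
    # Internal vulnerability scanner (constructed): noisy failed logons, benign.
    *[{"t": ts(f"2025-03-01T02:0{i}:00"), "id": 4625, "user": "svc-backup",
       "src": "10.0.0.50", "host": "FS01"} for i in range(6)],
    # Attacker (constructed): seven failures then a success against 'jdoe' from outside.
    *[{"t": ts(f"2025-03-01T09:1{i}:00"), "id": 4625, "user": "jdoe",
       "src": "203.0.113.7", "host": "VPN01"} for i in range(7)],
    {"t": ts("2025-03-01T09:18:00"), "id": 4624, "user": "jdoe",
     "src": "203.0.113.7", "host": "VPN01"},
    # A user mistyping a password twice: below threshold, must not alert.
    {"t": ts("2025-03-01T10:00:00"), "id": 4625, "user": "asmith", "src": "10.0.1.23", "host": "WS042"},
    {"t": ts("2025-03-01T10:00:30"), "id": 4625, "user": "asmith", "src": "10.0.1.23", "host": "WS042"},
    {"t": ts("2025-03-01T10:01:00"), "id": 4624, "user": "asmith", "src": "10.0.1.23", "host": "WS042"},
]

FAIL_THRESHOLD = 5            # constructed tuning values
WINDOW = timedelta(minutes=10)
KNOWN_SCANNERS = {"10.0.0.50"}  # allowlist learned from earlier false positives (step 3 -> step 2)


def detect(events):
    """Rule: >= FAIL_THRESHOLD failed logons from one source IP inside WINDOW.
    Severity is 'high' if a successful logon for the same user follows from that
    IP within the window (likely credential compromise), otherwise 'medium'."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            burst = fails[i:i + FAIL_THRESHOLD]
            if burst[-1]["t"] - burst[0]["t"] > WINDOW:
                continue
            success = next((e for e in evs if e["id"] == 4624 and e["user"] == burst[0]["user"]
                            and burst[-1]["t"] <= e["t"] <= burst[0]["t"] + WINDOW), None)
            alerts.append({
                "src": src, "user": burst[0]["user"], "host": burst[0]["host"],
                "first_seen": burst[0]["t"],
                "alert_time": success["t"] if success else burst[-1]["t"],
                "severity": "high" if success else "medium",
                "evidence": burst + ([success] if success else []),
            })
            break  # one alert per source per burst, so the rule does not spam
    return alerts


def triage(alerts):
    """Step 2: suppress known-benign sources (unless the rule saw a success), escalate the rest."""
    incidents, false_positives = [], []
    for a in alerts:
        if a["src"] in KNOWN_SCANNERS and a["severity"] != "high":
            false_positives.append(a)
        else:
            incidents.append(a)
    return incidents, false_positives


def respond(incident, contained_at):
    """Step 3: containment plan and evidence preservation for a confirmed incident.
    `contained_at` is when the analyst finished the actions (constructed in run_pipeline)."""
    actions = [f"isolate host {incident['host']}",
               f"disable account {incident['user']}",
               f"block source {incident['src']} at the perimeter",
               f"preserve {len(incident['evidence'])} events as evidence"]
    return {**incident, "actions": actions, "contained_at": contained_at}


def metrics(alerts, incidents, handled):
    """MTTD = first attacker activity -> alert; MTTR = alert -> containment;
    conversion = confirmed incidents / alerts raised (low values mean tuning work)."""
    if not handled:
        return {"alerts": len(alerts), "incidents": 0, "conversion": 0.0,
                "mttd_minutes": 0.0, "mttr_minutes": 0.0}
    mttd = sum((h["alert_time"] - h["first_seen"]).total_seconds() for h in handled) / len(handled)
    mttr = sum((h["contained_at"] - h["alert_time"]).total_seconds() for h in handled) / len(handled)
    return {"alerts": len(alerts), "incidents": len(incidents),
            "conversion": len(incidents) / len(alerts) if alerts else 0.0,
            "mttd_minutes": mttd / 60, "mttr_minutes": mttr / 60}


def run_pipeline(events=EVENTS):
    alerts = detect(events)
    incidents, fps = triage(alerts)
    # Constructed analyst action time: 25 minutes from alert to containment.
    handled = [respond(inc, inc["alert_time"] + timedelta(minutes=25)) for inc in incidents]
    return alerts, incidents, fps, handled, metrics(alerts, incidents, handled)


if __name__ == "__main__":
    alerts, incidents, fps, handled, m = run_pipeline()
    for h in handled:
        print(h["severity"], h["user"], h["src"], h["actions"])
    print(m)
```

With the constructed data the rule raises two alerts, the scanner's is suppressed by the allowlist and the attacker's becomes a high-severity incident, giving a 50% conversion rate, an 8-minute MTTD and a 25-minute MTTR. Remove the allowlist entry and the conversion rate collapses, which is how "no tuning" shows up in the metrics before anyone notices the fatigue.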
Common Questions

SOC frequently asked questions

Does every business need a SOC?
Every business needs the SOC function: monitoring, detection, and response. Most SMBs do not build an internal SOC; they outsource it to MDR or SOCaaS providers.

What is the difference between a SOC and a NOC?
The NOC (Network Operations Center) focuses on IT infrastructure availability and performance. The SOC focuses on security. Some providers combine both, but the skill sets are different.

How much does a SOC cost?
An in-house 24/7 SOC runs $1M+ annually once staffing and tooling are counted. Outsourced SOC/MDR for an SMB typically ranges from $5 to $15 per endpoint per month, depending on what telemetry is covered and whether the provider takes containment actions.

What does the SOC do when it finds an incident?
It triages the alert, investigates the full scope, contains affected systems (isolates the device, disables the account), collects evidence, coordinates with the IT team for remediation, and produces a post-incident report.

Need 24/7 monitoring without building a team?

Talk to a LogicalNet engineer. We will review your current monitoring coverage, recommend the SOC model that fits your team, and help you put it in place without disrupting the business.

No commitment · Local engineers · Response within 1 business day