MSSP vs in-house SOC: the build-versus-buy decision
In short
Build an in-house SOC or buy managed security? This guide compares real costs, the 24/7 staffing math, time to value, and when each model makes sense.
Every organisation running a serious security programme eventually faces the same question: do you build the capability internally, or do you buy it from a provider? For security operations in particular, the decision is harder than it looks on a spreadsheet, because the real costs on the build side are frequently underestimated and the real risks on the buy side are rarely explained clearly. This page tries to lay out both sides honestly.
What running a SOC actually requires
Before comparing options, it helps to understand what a Security Operations Center actually needs to function. The job is continuous threat monitoring and response, which means the requirement is not just tooling or technology. It is people, covering every hour of every day.
The 24/7 staffing calculation
A single analyst seat covered around the clock requires roughly 4.5 to 5 full-time staff. That figure accounts for three shifts per day, weekends, public holidays, annual leave, sick leave, and training time. A minimally viable multi-role SOC (tier-1 triage, tier-2 investigation, a shift lead, and a SIEM engineer) needs 8 to 12 people before the programme can operate reliably.
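As an added illustration (not code from the original page), the per-seat figure comes from dividing the 8,760 hours in a year by the hours one analyst actually spends on shift; the leave profile below is a constructed assumption, and `soc_headcount` extends the same arithmetic to a small multi-role roster:

```python
"""Staffing model for round-the-clock SOC coverage (constructed example)."""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # a seat staffed continuously must cover 8,760 hours


@dataclass(frozen=True)
class LeaveProfile:
    """Non-productive days per analyst per year. The defaults are assumptions."""
    annual_leave_days: int = 12
    public_holiday_days: int = 12
    sick_days: int = 5
    training_days: int = 5
    contracted_hours_per_week: float = 40.0


def productive_hours_per_fte(profile: LeaveProfile) -> float:
    """Hours one analyst is actually available on shift in a year."""
    contracted = profile.contracted_hours_per_week * 52
    hours_per_day = profile.contracted_hours_per_week / 5
    absent_days = (profile.annual_leave_days + profile.public_holiday_days
                   + profile.sick_days + profile.training_days)
    return contracted - absent_days * hours_per_day


def fte_per_24x7_seat(profile: LeaveProfile) -> float:
    """Analysts needed so one seat is never empty across three shifts a day."""
    return HOURS_PER_YEAR / productive_hours_per_fte(profile)


def soc_headcount(profile: LeaveProfile, seats_24x7: int, business_hours_roles: int) -> int:
    """Roster size: round-the-clock seats scaled by the FTE factor, plus day roles.

    Rounded up, because a fraction of an analyst cannot be hired.
    """
    return math.ceil(seats_24x7 * fte_per_24x7_seat(profile) + business_hours_roles)


if __name__ == "__main__":
    base = LeaveProfile()
    print(f"productive hours per FTE: {productive_hours_per_fte(base):.0f}")
    print(f"FTE per 24/7 seat: {fte_per_24x7_seat(base):.2f}")
    # Assumed roster: tier-1 and tier-2 seats staffed 24/7, shift lead and
    # SIEM engineer on business hours with on-call.
    print(f"headcount: {soc_headcount(base, seats_24x7=2, business_hours_roles=2)}")
```

With the assumed profile one seat costs about 4.8 FTE and the four-role roster lands at 12, the top of the page's 8-to-12 range; a more generous leave profile pushes the per-seat factor above 5.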
The 18-to-24-month build timeline
A functional SOC requires analysts across all three shifts, a calibrated SIEM, and runbooks built from real incident experience. Recruiting and onboarding the team, deploying and tuning the tooling, and building detection quality through actual incidents typically takes 18 to 24 months before the programme is genuinely operational.
Attrition as a structural risk
SOC work is high-pressure and repetitive at the triage level. Tines surveyed 468 SOC analysts in 2022 and found 71% reported experiencing burnout on the job. When key analysts leave, institutional knowledge about your environment goes with them, and the next hire starts from scratch on detection tuning.
The cost structure, compared
The two models have very different cost shapes, and that matters for how you plan.
An in-house SOC carries high fixed costs that you pay regardless of threat volume. Personnel is the largest line item: salaries, benefits, recruitment fees, and ongoing training for a team of 8 to 12 analysts. SIEM licensing adds another variable cost that scales with log volume and events per second. Tooling, threat intelligence feeds, and infrastructure add further fixed overhead. The upside is maximum control over the programme. The downside is that those costs are present from day one, before the programme has detected its first real threat.
A managed SOC converts most of those costs into a subscription that scales with your environment size. You trade some degree of customisation for speed to value and a predictable monthly cost. The onboarding period, typically two to four weeks, is a fraction of the 18-to-24-month in-house build.
There is no universal answer to which costs less. At very large scale with a mature team already in place, the economics of in-house can improve. For most Indonesian organisations not already running a substantial security programme, a managed service is materially cheaper to get to equivalent coverage.
Side-by-side comparison
| | In-house SOC | Managed SOC / MSSP |
|---|---|---|
| Cost model | High fixed costs from day one: 8–12 analyst salaries, SIEM licensing, tooling, training | Subscription based on environment size; onboarding cost, then predictable monthly fee |
| Time to value | 18 to 24 months to a fully operational programme | 2 to 4 weeks to live 24/7 monitoring |
| Staffing burden | Recruiting, managing, and retaining a specialist team entirely on you | Provider carries the staffing burden; you manage the relationship |
| 24/7 coverage | Requires 4.5–5 FTE per covered seat; difficult to maintain across holidays and leave | Always-on by design; coverage is the provider's contractual obligation |
| SIEM and tooling | You license, deploy, tune, and maintain the SIEM and detection stack | Provider operates the stack; costs are absorbed into the service |
| Regulatory fit (OJK, UU PDP) | Requires building local expertise in-house; generic team may not know OJK frameworks | Provider with Indonesia expertise applies OJK, POJK 11, and UU PDP playbooks directly |
| Key-person risk | High: when senior analysts leave, detection quality drops until replacements are trained | Lower: provider team depth means individual departures do not disrupt your coverage |
| Customisation depth | Full control over detection logic, runbooks, and escalation paths | Customisation within the provider's framework; varies by provider |
The threat volume that makes coverage non-optional
BSSN's 2024 Cybersecurity Landscape recorded 330,527,636 traffic anomalies across Indonesian networks during the year. That is approximately 900,000 potential incidents detected per day. The organisations exposed to that volume are not choosing between being targeted and not being targeted. They are choosing between having monitored coverage and not having it.
IBM's Cost of a Data Breach 2024 report found that the global average breach lifecycle was 258 days. That is the window between an attacker gaining access and an organisation fully containing the incident. A SOC that monitors continuously compresses that window. A security programme that relies on periodic scans or after-the-fact discovery does not.
330M+: traffic anomalies detected in Indonesian networks in 2024 (BSSN Lanskap Keamanan Siber Indonesia 2024)
258 days: average data breach lifecycle globally in 2024 (IBM Cost of a Data Breach 2024)
71%: SOC analysts reporting burnout in a 2022 survey of 468 analysts (Tines, Voice of the SOC Analyst)
When in-house genuinely makes sense
Building an in-house SOC is not always the wrong answer. There are situations where it is the right one.
You already have a mature security team of 15 or more people and the SOC is expanding an existing programme, not starting from zero → In-house SOC
Classified, state-sensitive, or otherwise restricted data means you cannot route telemetry outside the organisation's infrastructure, by policy or regulation → In-house SOC
You have the scale (hundreds or thousands of monitored endpoints) to spread the fixed cost of a large analyst team over a large enough base to make the per-endpoint economics work → In-house SOC
You are a growing company that has not yet built a dedicated security team, and you need 24/7 coverage now rather than in 18 to 24 months → Managed SOC / MSSP
You run a regulated environment under OJK, POJK 11, or PBI requirements and need demonstrated continuous monitoring without the cost of hiring a full specialist team → Managed SOC / MSSP
Key-person risk is a board-level concern and your security programme cannot afford detection quality degradation when analysts turn over → Managed SOC / MSSP
Where a managed SOC fits
For organisations that have worked through the comparison and decided to buy rather than build, the next question is what "managed SOC" actually means in practice. The label covers a wide range of services, and the differences matter.
A monitoring-only service gives you alerts. A true managed SOC also gives you a team that investigates those alerts and acts to contain threats on your behalf. That distinction, alert-only versus detection and response together, is the thing worth verifying in any proposal. The comparison between those two models is covered in more detail in our MDR vs MSSP guide.
For organisations evaluating whether to use their cloud provider's bundled security offering or an independent MSSP, there is a structural conflict of interest worth reading about in independent MSSP vs cloud-bundled security.
Our SOC-as-a-Service runs detection and response from our Jakarta Security Operations Center: analysts monitoring your environment every hour, with runbooks aligned to OJK, UU PDP, and BSSN requirements, and reporting in both Bahasa Indonesia and English. When something is detected, we act. We do not just send you an alert.
Reviewed by Mohit Bhansali, Head of Technology
Frequently asked questions
Covering one analyst seat around the clock, every day of the year, requires roughly 4.5 to 5 full-time staff once you account for three shifts, weekends, public holidays, annual leave, sick leave, and training time. A minimally viable SOC with multiple roles (tier-1 triage, tier-2 investigation, a shift lead, and a SIEM engineer) needs somewhere between 8 and 12 people before it can operate reliably.