EXPEL BLOG

Why building a 24×7 SOC is getting harder (and what actually works instead)


· 7 MIN READ · SCOUT SCHOLES · DEC 29, 2025 · TAGS: Guidance

TL;DR

  • Recruiting is not the only challenge: scammers are now targeting job hunters, and structural barriers shrink the talent pool before you post a single opening
  • If you don’t quantify your SOC needs (for tooling and headcount), you put your team at constant risk of burnout
  • Our free SOC Metrics & Efficiency KPIs Dashboard Tool can help you understand (and calculate) your org’s specific requirements


Here’s what we keep hearing from security leaders: “We need to build a proper SOC.” Then we walk through the actual numbers—staffing, salaries, alert volumes, turnover—and watch the business case fall apart in real time.

The economics of running a 24×7 security operations center (SOC) have shifted dramatically over the past few years. Not because security got more important (though it did), but because the foundational assumptions about talent availability, operational costs, and sustainable workloads no longer match reality.

This isn’t theoretical. Across hundreds of customer environments, we see security teams stretched beyond sustainable limits, talented analysts burning out within months, and critical threats slipping through because even well-funded SOCs can’t keep pace with alert volumes. The question isn’t whether you need strong security operations—you absolutely do. The question is whether the traditional build-it-yourself approach still makes sense.

Let’s look at what’s actually happening.


The talent pool is smaller than you think

Everyone knows cybersecurity has a staffing problem. What’s less obvious is how structural barriers limit the available workforce before you even start recruiting.

Women represent only 22% of cybersecurity professionals globally—worse than tech overall, where 27% of roles go to women. This isn’t just a diversity concern; it’s a capacity crisis. When you eliminate half the potential workforce through structural barriers, everyone competes for the same limited talent pool.

The pipeline problems start early. Boys consistently show higher confidence in tech skills (88% vs. 83% for girls), greater interest in cybersecurity careers (68% vs. 50%), and stronger sense of belonging (83% vs. 77%). More concerning: 33% of girls perceive cybersecurity as “too technical” compared to 22% of boys (insert internal existential screaming here). These misconceptions and limited exposure create knowledge gaps that persist throughout careers, artificially constraining the workforce for years.

In practice, this looks like: posting SOC analyst positions and getting three qualified applicants. Maybe. If you’re lucky. And two of them are evaluating three other offers simultaneously. And that’s after you find them in the pile of 1,000+ resumes submitted per listing. 


When job hunting becomes a security risk

Here’s a twist we didn’t expect: sophisticated hiring scams are now targeting security professionals specifically (as if job hunting needs to be any scarier right now). According to recent survey data of 1,254 U.S. job seekers, six in ten encountered fake postings in 2025, with one in four falling for hiring scams.

DNSFilter identified 8,724 malicious domains containing “jobs” over six months, with 88% being newly registered or newly observed. Attackers are getting sophisticated—using excessive hyphens, urgent language, and unusual TLDs to lure victims.

The downstream effects matter for SOC staffing: 56% of job seekers report being less trusting of opportunities, 52% experience greater stress in job searches, and 38% say scams have slowed their progress. This means longer recruitment cycles, more extensive vetting requirements, and candidates who hesitate to engage with legitimate opportunities—all adding time and cost to hiring processes that were already difficult (and that’s being optimistic).


The math doesn’t math

Let’s talk actual numbers. Entry-level security analysts now command around $98,333 annually. For true 24×7 coverage, you need a minimum of eight to twelve analysts. That’s roughly $1 million in base salaries before benefits, management overhead, specialized senior roles, and recruiting costs.

For a mid-sized organization (around 5,000 employees), costs scale based on SOC maturity:

  • Basic SOC: $1.5-2 million annually
  • Intermediate SOC: $2.5-3.5 million
  • Advanced SOC: $4-6 million
  • Fully mature SOC with automation and analytics: $7-10 million+

These figures don’t account for turnover costs. When turnover exceeds 20% annually—increasingly common in overwhelmed SOCs—you lose institutional knowledge about detection rules, false positive patterns, and response procedures. Knowledge that takes months for new analysts to rebuild while they’re also trying to handle incoming alerts.

Technology costs compound the problem. A basic SOC might spend $200,000-300,000 annually on tools. An advanced SOC with SIEM, EDR, network forensics, SOAR platforms, and threat intelligence feeds? Easily $800,000-1.2 million per year in licensing and maintenance alone.

Then add implementation: $100,000-200,000 for basic SOC setup, $400,000-600,000 for advanced SOCs with custom integrations. These are one-time costs that don’t include ongoing tuning, optimization, and tool updates required to maintain effectiveness.


Alert fatigue isn’t a metaphor—it’s an operational crisis

Even perfectly staffed SOCs face a brutal operational reality: overwhelming alert volumes that make effective security impossible.

In mid-sized organizations, you’re looking at 1,000-5,000 raw alerts daily from security tools. Mature operations filter this down to 50-200 alerts requiring human review, with only 5-20 representing actual incidents needing response. When SOCs fail to achieve this filtering, analysts drown in noise.

A single analyst can handle 20-30 quality alerts per shift if investigating thoroughly. When they’re triaging 100+ alerts per shift, they’re not doing proper investigations—they’re clicking through screens to clear queues. Which means they’re missing threats.

The primary cause: misconfigured security tools. Out-of-the-box detection rules rarely work well without customization. They’re designed to be overly sensitive to avoid missing threats, which generates massive false positives. Without proper tuning for your specific environment, security tools flag normal business activities as suspicious, burying analysts in irrelevant alerts.

We see this pattern repeatedly: organizations invest heavily in security tools, deploy with default settings, then wonder why analysts are overwhelmed and threats slip through. The tools aren’t broken—they’re just not tuned for how your business actually operates.


The burnout cycle that breaks SOCs

Without enough analysts to handle alert volumes, teams start taking shortcuts—spending less time investigating each alert, missing important context, eventually becoming desensitized to warnings.

Analysts facing impossible volumes and constant pressure burn out quickly. They experience stress, job dissatisfaction, and eventually leave for less overwhelming positions. The cybersecurity industry already suffers from severe talent shortages; alert fatigue and burnout make retention even harder. And add in scams on top of that? It’s a good old-fashioned dumpster fire. 

When experienced analysts leave, you lose institutional knowledge about what alerts matter in your environment, which systems generate false positives, and how to efficiently investigate different threat types. New analysts take months to develop this expertise, during which alert handling becomes even less efficient.

Here’s a critical metric: if your Analyst Gross Utilization Rate consistently hovers above 70%, that’s a data-backed warning sign that your team lacks capacity to manage threats sustainably. Organizations pushing analysts to 80% or 90% utilization aren’t achieving efficiency—they’re setting up teams for failure.


Warning signs your SOC is down bad 

Watch for these indicators that operations have become unsustainable:

  • Mean time to respond exceeding four hours on critical incidents
  • More than 25% of alerts going uninvestigated due to backlog
  • False positive rates exceeding 90%
  • Analyst turnover above 20% annually
  • Regular coverage gaps during nights and weekends
  • No capacity for proactive threat hunting
  • Consistently late compliance reporting
  • Mounting backlogs of unresolved incidents
  • Analysts working regular overtime
  • Security incidents discovered by external parties rather than your SOC (yikes, double yikes if that third party happens to be your customer) 

If you’re experiencing three or more of these, your security operations need an intervention.

The most dangerous consequence: threats go undetected. When teams are drowning in alerts, sophisticated attacks requiring careful investigation and analysis simply aren’t caught until it’s too late. Operational metrics become security gaps that attackers exploit.


What actually works: Data-driven staffing

Before making any decisions, quantify actual needs. Here’s the framework:

  1. Calculate average handling time for security alerts from initial triage to final resolution
  2. Estimate total alert volume based on historical trends and projected growth
  3. Apply utilization targets (aim for 70% to prevent burnout)
  4. Determine required headcount (with math) 

Example: 500 alerts weekly with 45-minute average handling time equals 375 analyst hours needed. At 70% target utilization, that’s 536 total analyst hours required, which translates to 13-14 analysts for sustainable operations.
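Here is the staffing arithmetic from the framework above, together with the quantitative thresholds from the earlier warning-signs list, as an added Python example (not Expel’s calculator or code from the post). It assumes, as the post does not say, that one analyst contributes 40 hours per week, which is what turns 536 hours into 13-14 analysts; the function names and the threshold dictionary are my own.

```python
import math

# Assumption (not stated in the post): one analyst supplies 40 working hours per week.
HOURS_PER_ANALYST_WEEK = 40


def analyst_hours_needed(alerts_per_week, avg_handling_minutes):
    """Raw analyst hours per week: alert volume times average handling time."""
    return alerts_per_week * avg_handling_minutes / 60


def hours_at_utilization(raw_hours, target_utilization=0.70):
    """Scale raw hours so analysts run at the target utilization instead of 100%."""
    if not 0 < target_utilization <= 1:
        raise ValueError("target_utilization must be in (0, 1]")
    return raw_hours / target_utilization


def headcount_range(alerts_per_week, avg_handling_minutes,
                    target_utilization=0.70, hours_per_analyst=HOURS_PER_ANALYST_WEEK):
    """Return (floor, ceil) analysts required; (13, 14) for the post's 500-alert example."""
    total_hours = hours_at_utilization(
        analyst_hours_needed(alerts_per_week, avg_handling_minutes), target_utilization)
    fte = total_hours / hours_per_analyst
    return math.floor(fte), math.ceil(fte)


# Thresholds taken from the post's warning-signs list; rates are fractions (0.90 == 90%).
WARNING_THRESHOLDS = {
    "mttr_critical_hours": (4, "mean time to respond above four hours on critical incidents"),
    "uninvestigated_rate": (0.25, "more than 25% of alerts uninvestigated due to backlog"),
    "false_positive_rate": (0.90, "false positive rate above 90%"),
    "turnover_rate": (0.20, "analyst turnover above 20% annually"),
    "utilization_rate": (0.70, "analyst gross utilization consistently above 70%"),
}


def warning_signs(metrics):
    """Return the labels of every warning sign whose threshold the metrics exceed."""
    return [label for key, (limit, label) in WARNING_THRESHOLDS.items()
            if key in metrics and metrics[key] > limit]


def needs_intervention(metrics):
    """The post's rule of thumb: three or more warning signs means the SOC needs an intervention."""
    return len(warning_signs(metrics)) >= 3
```

Feed `warning_signs` a dictionary of your own measured values (hours for MTTR, fractions for the rates); keys you omit are simply not evaluated.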

This data-driven approach builds compelling business cases. Rather than making ad hoc requests, you present clear, data-supported cases for required SOC resources articulating business risk, operational efficiency, and tangible needs.


Alternative approaches that address core problems

Given these challenges, many organizations are reconsidering build-versus-buy decisions. Managed detection and response (MDR) providers address several pain points simultaneously:

  • Eliminate recruitment challenges: No need to hire, train, or retain specialized analysts
  • Immediate 24×7 coverage: Operations start immediately without months-long hiring cycles
  • Mature tooling and automation: Leverage tools and detection logic refined across hundreds of environments
  • Flexible scaling: Adjust coverage and capabilities without long-term hiring commitments

MDR providers achieve dramatically better signal-to-noise ratios through automation refined across hundreds of customer environments. We’ve learned which alerts truly matter and which can be safely automated away—institutional knowledge that takes years to develop internally.

Hybrid models offer another path: maintain internal security expertise for strategic initiatives, threat intelligence, and security architecture while outsourcing tier-one triage, after-hours coverage, and alert management. This addresses staffing constraints while preserving internal capability.


Calculate your actual requirements

Before making build-versus-buy decisions, understand your actual costs and requirements. The operational realities of modern SOC management demand data-driven planning rather than aspirational staffing models.

We’ve developed a free (really) SOC Metrics & Efficiency KPIs Dashboard Tool that enables security leaders to calculate true staffing requirements based on alert volume, handling times, and target utilization rates. This self-service tool provides the quantitative foundation for building business cases and making strategic decisions about security operations.

Download the free SOC cost calculator to understand your organization’s specific requirements and explore whether building, buying, or augmenting your SOC makes most sense.


What this means for your security operations

The challenges facing organizations attempting to build in-house SOCs have intensified. Talent shortages, escalating costs, operational pressures, and retention challenges create barriers that make traditional approaches increasingly difficult for many organizations.

The path forward requires honest assessment of costs, capabilities, and constraints. For some organizations, building comprehensive in-house SOCs remains the right choice despite challenges. For others, MDR partnerships, hybrid models, or augmentation strategies offer more sustainable paths to effective security operations.

What’s clear: old approaches no longer suffice. And at this point, even somewhat recent approaches might not either. Security leaders must make data-driven decisions based on realistic understanding of costs, staffing requirements, and operational realities. Your organization’s security depends not on aspirational plans, but on sustainable operations that can actually deliver effective protection day after day, year after year.

Start by calculating your true requirements, understanding your constraints, and exploring the full range of options available. Your analysts, your budget, and your organization’s security posture will benefit from the clarity that data-driven planning provides.