nexalign

Decision guide · Security operations and Managed Detection & Response

SOC vs MDR: build vs buy under NIS2 and DORA

Choosing between an in-house SOC, Managed Detection & Response (MDR) or a hybrid model is one of the most expensive and longest-lasting security decisions. In-house teams cost 1.5-3 M EUR per year for 24/7 coverage; MDR contracts start at 150-400 k EUR. The decision depends on expected scale, compliance duties, regulated escalation paths and talent availability, not just price.

TL;DR

Building a SOC pays off from around 5000 endpoints and a mature detection-engineering culture. Below that, MDR or hybrid is almost always more economical.

Who owns this decision

The CISO owns the decision. The CIO, COO and CFO sit in the steering group. In regulated sectors, add the CRO and Internal Audit.

Key criteria to weight

  • 24/7/365 coverage

    NIS2 Art. 21 and DORA Art. 17 require continuous detection, not business-hours only.

  • MTTD and MTTR with SLA

    Measurement is mandatory. Without an SLA there is no contractual lever during an incident.

  • EU hosting of log data

    With an MDR vendor in a third country, the outflow of log data can itself become a compliance breach.

  • Threat hunting vs alerting

    Pure alert triage delivers limited value. Proactive hunting is what differentiates the top vendors.

  • Integration with existing EDR and SIEM

    Avoid duplicate tooling. Consolidating the stack is a cost lever.

  • Escalation and communication path

    In an incident the MDR vendor must escalate quickly and in a contractually binding way, not just open tickets.

Step-by-step decision flow

  1. Threat model and detection use cases

     Which attack cases must be detected? Map them to MITRE ATT&CK.

  2. Build-vs-buy calculation

     5-year TCO for in-house SOC vs MDR: staff, tooling, hosting, compliance, skill risk.

  3. Vendor longlist

     Global: SentinelOne Vigilance, CrowdStrike Falcon Complete, Microsoft Defender Experts, Sophos MDR, Arctic Wolf. DACH: G DATA, indevis, r-tec, secunet.

  4. Shortlist + PoC

     Three vendors, 60-day trial with real use cases. An escalation test (incident simulation) is mandatory.

  5. Memo and contract

     Decision memo plus the mandatory clauses under DORA Art. 30 (for financial entities): audit rights, sub-outsourcing, exit strategy.

Compliance note

NIS2 Art. 21 (b) requires incident handling. DORA Art. 17-23 requires a defined incident process with classification and reporting. DORA Art. 28-30 applies to MDR as an ICT third party: eligibility assessment, mandatory clauses, exit strategy, concentration risk.

Common pitfalls

  • MDR is bought without defining detection use cases. The output remains generic.
  • Log hosting in a third country is overlooked. Schrems II and sector compliance risk.
  • Escalation SLA missing. The vendor escalates by email, and the CISO finds out too late.
  • Exit strategy never tested. On vendor change, logs and detections cannot be migrated.

FAQ

When does an in-house SOC pay off?

Empirically from around 5000 managed endpoints, or where regulation obliges you to control the detection content yourself. Below that, MDR or hybrid is almost always more economical.

What is the difference between MDR and MSSP?

An MSSP manages security tools; MDR focuses on detection and response with its own analysts, its own threat intelligence and proactive hunting. MDR is outcome-oriented and more expensive.

How is MDR evaluated under DORA?

MDR is an ICT third party. Where it supports critical or important functions, the extended Art. 30 clauses apply: full audit rights, control over sub-outsourcing, and a tested exit strategy.