How to give your SOC a business model

SOCs are not a traditional 'operations' cost center; they're a service. However, most organizations have designed the SOC as a cost center, which means we've organized it like a cost center instead of a value-add service. SOCs are a service; we've just done a terrible job of communicating their value. Traditional SOCs provide some of the following services to both internal and external organizations:

  • Incident Response, Coordination and Monitoring

  • Intelligence Gathering

  • Threat Hunting

  • Risk Assessment

  • Threat Mitigation

  • Cyber Security Training and Awareness

  • Tool Development

More concisely:


Traditional business development has always lumped these 'services' into the 'cost of doing business' category. Why is this a big deal? Have you ever had to make the business case to expand these services? How hard was it to describe their value? Whether you're membership driven or commercially driven, each of these features has downstream value. Learning how to articulate and design around that is something only a few very successful (commercial) organizations have solved.

Value for Value

The example I like to use goes back to the early days of CIF, ~2010. A REN-ISAC member gave a talk about the value that real-time threat intelligence feeds (DNS specifically) had in their [incident response] business operations. They stated that, because of their access to threat intel, they were able to free up ~5 FTEs for other tasks. They were able to use the threat intel to block threats [at the domain level], which meant they had fewer compromised hosts on the network. Fewer compromises mean less time spent cleaning those up and more time spent on advanced risks.

We techno folks might have suggested "you get access to thousands of highly confident malicious domains in any kind of format you want!". What they suggested was: "this service saves us $500,000 a year so we can invest in other areas". What was the value? We'll do some of the general threat hunting for you, and help you mitigate threats. This will free up your FTEs to hunt for more advanced threats we haven't observed yet. A 'malicious domains' feed doesn't tell me anything; "we'll augment the intel gathering and mitigation for you" does.

Let's assume the average cost of an FTE at the time was $100,000. For 5 full-time employees, that's a cost savings of roughly $500,000. Their membership to access that data was maybe $1,000 / year at the time? Value propositions like this are almost a no-brainer in those terms, yet as security engineers we don't describe our service in those terms. We use phrases like "real-time threat data" or "thousands of indicators per day!" or "access to tons of malware, spam and bad guy stuff!".

Why do I pay for GitHub? It saves me an FTE to manage and host my source code repos. Why AWS? It saves me 3-5 FTEs in terms of racking, provisioning and configuring servers. Why NoAgenda? So I don't have to filter through the news to figure out what's important or who's lying to me this week. Why TastyTrade? So I don't have to filter through all the garbage on the Internet to understand how to manage my own finances.

Marketing is a four-letter word

The trick here is aligning your services with the value they provide and figuring out your customers' willingness to pay for them. This isn't anything new, but many of us have designed our operations centers around the wrong business model. It's one thing to start fresh: you just listen to the market and charge accordingly. Re-orienting around a new business model is a bit of a different animal, especially if you're already taking money from your customers.

Either way, you have to have some things in place: the first is billing and the second is marketing. Changing both the billing and the value proposition with your customer base will take time, trial and error, and agile adjustment. It will mean adjusting for mistakes quickly and communicating (and re-communicating) the value of your services over longer periods of time. Your customers already have an expectation in mind, and you'll have to re-market to them as to why the new "SOC as a Service" is better, and adjust as you both learn the new model.

You have to make them want it, just like any other sexy new shiny thing. I WANT to pay GitHub, I WANT to pay AWS; they make my life easier. Some of it is marketing, some of it is time, and a lot of it is in the way they bill for the service. Click. Click. Done. If I can wrap it up with PayPal or Apple Pay, even better. If you're not organizing your services around these principles, someone else will, and they will adapt, market and take your customers away from you.

Price Discovery

Some of these billing expectations will help drive your decisions around services and prices as well. It might be easy for some groups to spend up to $999 on a single credit card purchase, but if you break the $1,000 limit, it requires a bit of paperwork. If the end goal is to bring them into your ecosystem with as little friction as possible (again, so they can understand more of your value add), then your services might need to reflect those different levels.

Want access to basic threat intelligence? We'll charge you $100 a year: no sales calls, no upsells, just a credit card. Want access to paid professionals to help you get it into your Suricata instance? $999 a year. Want access to our technical deep dives and risk assessments based on the global landscape? $20,000 / year (eg: Gartner style). Want us to monitor the Internet for your domain or ipv4|6 space for compromised hosts and alert you once a day? $100/mo. In real time, with someone on the other end willing to work through the intel with you? $200/mo.

I don't have access to AWS personnel (outside of the forums) unless I pay them $100 / month, but I do get to use all their cool technology for pennies an hour. You don't have to delineate this down to the "hourly rate", but you do have to delineate your services somewhere if you want to articulate their value. You're trying to communicate why they should hire you rather than do it themselves. Why? Well, for starters, we assume they aren't interested in that task and YOU LOVE THAT STUFF. So the value is already there; you're just doing price discovery and helping them make the decision NOT to do something themselves.

Service Economics

We have to start thinking of SOCs as services, ESPECIALLY if they are internal to the business. It fundamentally changes the way a SOC is allocated resources and therefore how it scales. It is no longer a cost sink in the traditional sense, with its endless cycle of "struggling for resources". The value per service is clearly articulated (through great marketing). Customers are able to help guide the SOC as to which services are important (eg: what they're willing to pay for, and how much) and where they're likely to pay for things in the future. This helps CLEARLY articulate to the SOC which priorities are important.

Generalized budgets (or general yearly fees) create a grey area for operators, which makes it harder to listen to what their customers are telling them. This leads to the louder customers taking the SOC in directions that the broader customer base may not be willing to pay for, or may not feel are important. This structure also doesn't penalize outlier customers who may cost more to serve than they're paying (eg: they over-utilize the service), which can be just as much of a drain on SOC resources.

It probably takes 3-5 FTEs to perform incident response and monitoring for a medium-sized organization. Add another 2-3 for threat hunting capabilities, 1-2 to develop a threat intelligence and mitigation strategy, 1-2 to perform risk assessments and probably 2-3 for cyber security training and awareness. If you don't use AWS, maybe 3-5 for devops. This doesn't take into account software, licensing fees and other overhead.

Even if you use the lower end of these numbers, you're looking at a minimum of ~12 FTEs. Let's suggest the average cost of these FTEs is $85,000; that's over $1,000,000 a year. With 12 FTEs comes a manager or two, hardware, training, travel, etc. Your numbers are likely more in the $1.5 million range. We're a $1.5m cost sink with no business model to help define how, when and where to prototype new services.

Treating a SOC more like a business, through value communication and service-defined pricing structures, goes a long way toward enhancing the signal-to-noise ratio. The faster you can define, prototype, charge for and adapt a new service, the faster you can figure out your customers' willingness to pay. The faster you figure that out, the faster you can decide where to invest more resources, and the value proposition is already done for you. They either clicked your PayPal button, or they didn't.

The trick is starting out with a $10 PayPal button and seeing if your value statements line up accordingly.
