Managed SOC SOP
Standard Operating Procedure for 24/7 Security Operations Center services
Service Pillar: Operate
Service Category: Managed Security
Engagement Type: Ongoing Monthly Retainer
Related Pricing: See Pricing & Positioning
Service Overview
Purpose
Provide continuous 24/7 security monitoring, threat detection, incident response, and security event management through SBK's managed Security Operations Center (SOC), delivering enterprise-grade security visibility and response capabilities to organizations without dedicated security teams.
Target Personas
| Persona | Primary Pain Point | Value Case |
| --- | --- | --- |
| Solo IT Director | Cannot monitor 24/7, no security expertise | Expert security coverage without hiring |
| CFO/Controller | Security investment justification | Predictable security costs, risk reduction |
| Healthcare Admin | HIPAA monitoring requirements | Compliance-ready security monitoring |
Business Justification
Pricing Reference
| Tier | Scope | Monthly Investment | Per-Endpoint Option |
| --- | --- | --- | --- |
| Essential | <100 endpoints, 8x5 monitoring | $3,500-$4,500/month | $35-$45/endpoint |
| Standard | 100-500 endpoints, 24/7 monitoring | $5,000-$7,500/month | $30-$40/endpoint |
| Enterprise | 500+ endpoints, 24/7 + dedicated analyst | $7,500-$15,000/month | $25-$35/endpoint |
[BENCHMARK] Industry Pricing:
- Managed SIEM services range $2,000-$7,500/month for SMBs (Arctic Wolf)
- MDR services typically range $30-$50/endpoint/month (Forrester MDR Wave 2024)
See Pricing & Positioning for complete pricing structure.
Pre-Engagement
Onboarding Checklist
Technical Requirements
| Component | Requirement | Notes |
| --- | --- | --- |
| Log Sources | Firewall, endpoint, cloud, applications | Minimum viable coverage |
| Network Access | VPN or secure tunnel to SIEM | Encrypted transmission |
| Agent Deployment | Endpoint collection agents | Client deployment required |
| Integration | Ticketing system integration | ServiceNow, Jira, etc. |
| Bandwidth | Log volume assessment | Impacts pricing tier |
Onboarding Timeline
| Phase | Duration | Activities |
| --- | --- | --- |
| Discovery | Week 1 | Environment assessment, scope finalization |
| Deployment | Weeks 2-3 | Agent installation, log source integration |
| Tuning | Weeks 3-4 | Alert tuning, baseline establishment |
| Go-Live | Week 5 | Full monitoring activation |
Service Delivery Framework
SOC Operating Model
┌─────────────────────────────────────────────────────────────────┐
│ SOC SERVICE DELIVERY                                            │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│ TIER 1: MONITORING & TRIAGE                                     │
│ ├── 24/7 SIEM monitoring                                        │
│ ├── Alert triage and categorization                             │
│ ├── False positive filtering                                    │
│ └── Initial incident assessment                                 │
│                                                                 │
│ TIER 2: INVESTIGATION & RESPONSE                                │
│ ├── Deep-dive threat analysis                                   │
│ ├── Correlation across data sources                             │
│ ├── Containment recommendations                                 │
│ └── Remediation guidance                                        │
│                                                                 │
│ TIER 3: THREAT HUNTING & INTELLIGENCE                           │
│ ├── Proactive threat hunting                                    │
│ ├── Threat intelligence integration                             │
│ ├── Detection rule development                                  │
│ └── Attack surface monitoring                                   │
│                                                                 │
│ CONTINUOUS IMPROVEMENT                                          │
│ ├── Monthly tuning and optimization                             │
│ ├── Quarterly detection reviews                                 │
│ ├── Annual threat model updates                                 │
│ └── Technology recommendations                                  │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
Detection Categories
| Category | Examples | Response SLA |
| --- | --- | --- |
| Critical | Active ransomware, data exfiltration in progress | <15 minutes |
| High | Malware execution, compromised credentials | <1 hour |
| Medium | Suspicious behavior, policy violations | <4 hours |
| Low | Compliance events, informational alerts | <24 hours |
Alert Response Workflow
┌─────────────┐
│    ALERT    │
│  GENERATED  │
└──────┬──────┘
       ↓
┌─────────────┐
│   TRIAGE    │ → False Positive → Tune Detection
│  (Tier 1)   │
└──────┬──────┘
       ↓ True Positive
┌─────────────┐
│ INVESTIGATE │ → Additional Context Needed
│  (Tier 2)   │
└──────┬──────┘
       ↓ Confirmed Threat
┌─────────────┐
│   NOTIFY    │ → Client Escalation
│   CLIENT    │
└──────┬──────┘
       ↓
┌─────────────┐
│   CONTAIN   │ → Immediate Containment Actions
│   THREAT    │
└──────┬──────┘
       ↓
┌─────────────┐
│  REMEDIATE  │ → Remediation Guidance
│  & RECOVER  │
└──────┬──────┘
       ↓
┌─────────────┐
│    POST-    │ → Lessons Learned
│  INCIDENT   │
└─────────────┘
Monitoring Capabilities
Core SIEM Functions
| Function | Description | Coverage |
| --- | --- | --- |
| Log Collection | Centralized log aggregation from all sources | Firewall, endpoint, cloud, apps |
| Correlation | Cross-source event correlation | Attack chain detection |
| Threat Intel | Real-time threat intelligence integration | IOC matching, TTP detection |
| Behavioral Analysis | User and entity behavior analytics (UEBA) | Anomaly detection |
| Compliance Monitoring | Regulatory control monitoring | HIPAA, SOC 2, PCI, etc. |
Detection Coverage
| Attack Type | Detection Method | Typical Coverage |
| --- | --- | --- |
| Malware | EDR alerts, behavioral analysis | 95%+ known, 80%+ unknown |
| Ransomware | File behavior, encryption detection | 90%+ |
| Phishing | Email gateway, user behavior | 85%+ |
| Credential Abuse | Authentication anomalies, impossible travel | 90%+ |
| Insider Threat | UEBA, data exfiltration detection | 75%+ |
| Cloud Compromise | Cloud API monitoring, access anomalies | 85%+ |
Log Sources Integrated
| Source Type | Examples | Priority |
| --- | --- | --- |
| Network | Firewall, IDS/IPS, proxy, DNS | Critical |
| Endpoint | EDR, antivirus, host logs | Critical |
| Cloud | AWS CloudTrail, Azure Activity, GCP Logs | High |
| Identity | Active Directory, Azure AD, Okta | Critical |
| Application | Web apps, databases, custom apps | Medium |
| Email | M365 Defender, Proofpoint, Mimecast | High |
SLA Commitments
Response Time SLAs
| Severity | Initial Response | Client Notification | Update Frequency |
| --- | --- | --- | --- |
| Critical | <15 minutes | <30 minutes | Every 30 minutes |
| High | <1 hour | <2 hours | Every 2 hours |
| Medium | <4 hours | <8 hours | Daily |
| Low | <24 hours | <48 hours | Weekly |
Availability SLAs
| Service Component | Target Uptime | Measurement |
| --- | --- | --- |
| SOC Monitoring | 99.9% | Monthly |
| SIEM Platform | 99.5% | Monthly |
| Alert Delivery | 99.9% | Monthly |
| Reporting Portal | 99.0% | Monthly |

| Metric | Target | Measurement |
| --- | --- | --- |
| Mean Time to Detect (MTTD) | <15 minutes | Monthly average |
| Mean Time to Respond (MTTR) | <1 hour | Monthly average |
| False Positive Rate | <5% | Monthly review |
| Alert-to-Ticket Ratio | <20:1 | After tuning |
| Detection Rule Accuracy | >95% | Quarterly review |
Deliverables
Real-Time Deliverables
| Deliverable | Frequency | Audience |
| --- | --- | --- |
| Security Dashboard | Real-time | IT team |
| Critical Alerts | Immediate | Escalation contacts |
| Incident Tickets | As they occur | IT team |
Periodic Reports
| Report | Frequency | Content |
| --- | --- | --- |
| Weekly Summary | Weekly | Alert statistics, trends, notable events |
| Monthly Executive Report | Monthly | Threat landscape, metrics, recommendations |
| Quarterly Business Review | Quarterly | Strategic review, roadmap, optimization |
| Compliance Report | Monthly | Regulatory monitoring status |
| Annual Threat Assessment | Annually | Year-in-review, emerging threats |
Report Structure
Monthly Executive Report:
1. Executive Summary
2. Threat Landscape Overview
3. Detection Metrics
- Total alerts processed
- True vs. false positive breakdown
- Severity distribution
- Response time performance
4. Notable Security Events
5. Remediation Status
6. Recommendations
7. Next Month Focus Areas
Quality Assurance
Continuous Improvement Program
| Activity | Frequency | Purpose |
| --- | --- | --- |
| Detection Tuning | Ongoing | Reduce false positives |
| Rule Review | Monthly | Optimize detection coverage |
| Threat Intel Update | Daily | Current threat awareness |
| Playbook Updates | Quarterly | Response effectiveness |
| Coverage Assessment | Quarterly | Gap identification |
Internal Quality Checks
Service Quality Standards
| Standard | Requirement |
| --- | --- |
| Analyst Certification | GCIA, GCIH, CEH, or equivalent |
| Playbook Coverage | 80%+ of common scenarios |
| Documentation | Complete investigation notes |
| Communication | Non-technical explanations for executives |
Escalation Procedures
Escalation Matrix
| Condition | Escalation Level | Action |
| --- | --- | --- |
| Critical threat detected | Primary contact | Immediate phone call |
| No response in 30 min | Secondary contact | Phone + email |
| Active breach | Executive sponsor | Emergency conference |
| Compliance violation | Compliance officer | Formal notification |
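As an added example (not part of this SOP), the Response Time SLA table, the performance metrics table and the 30-minute secondary-contact rule from the Escalation Matrix above, applied in Python to a constructed alert ledger. The MTTD/MTTR clock definitions (alert minus event, acknowledgement minus alert) and the one-ticket-per-true-positive assumption are mine, not the SOP's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional

# Response Time SLA table from this SOP: severity -> (initial response, client notification).
SLA = {"Critical": (timedelta(minutes=15), timedelta(minutes=30)), "High": (timedelta(hours=1), timedelta(hours=2)),
       "Medium": (timedelta(hours=4), timedelta(hours=8)), "Low": (timedelta(hours=24), timedelta(hours=48))}

@dataclass
class Alert:
    alert_id: str
    severity: str
    event_time: datetime                        # timestamp of the underlying log event
    alert_time: datetime                        # SIEM raised the alert
    ack_time: datetime                          # Tier 1 initial response (triage started)
    true_positive: bool                         # true positives open an incident ticket (assumed 1:1)
    notify_time: Optional[datetime] = None      # client notified (true positives only)
    client_ack_time: Optional[datetime] = None  # client acknowledged the notification

def sla_breaches(a: Alert) -> List[str]:
    """SLA clauses this alert breached. Assumed clocks: response = ack - alert, notification = notify - alert."""
    response_limit, notify_limit = SLA[a.severity]
    breaches = []
    if a.ack_time - a.alert_time > response_limit:
        breaches.append("response")
    if a.true_positive and (a.notify_time is None or a.notify_time - a.alert_time > notify_limit):
        breaches.append("notification")
    return breaches

def escalations_due(alerts: List[Alert], now: datetime) -> List[str]:
    """Escalation matrix: notified alerts with no client response in 30 min go to the secondary contact."""
    return [a.alert_id for a in alerts
            if a.notify_time and not a.client_ack_time and now - a.notify_time > timedelta(minutes=30)]

def monthly_metrics(alerts: List[Alert]) -> dict:
    """Performance Metrics table over one month's ledger. Assumed: MTTD = alert - event, MTTR = ack - alert."""
    minutes = lambda td: td.total_seconds() / 60
    critical = [a for a in alerts if a.severity == "Critical"]
    return {"mttd_min": mean(minutes(a.alert_time - a.event_time) for a in alerts),
            "mttr_min": mean(minutes(a.ack_time - a.alert_time) for a in alerts),
            "false_positive_rate": sum(not a.true_positive for a in alerts) / len(alerts),
            "alert_to_ticket": len(alerts) / max(sum(a.true_positive for a in alerts), 1),
            "critical_sla_adherence": sum(not sla_breaches(a) for a in critical) / max(len(critical), 1)}

T0, NOW = datetime(2026, 2, 3, 9, 0), datetime(2026, 2, 3, 10, 30)
m = lambda n: T0 + timedelta(minutes=n)  # constructed sample ledger below, not real client data
LEDGER = [Alert("A1", "Critical", T0, m(5), m(12), True, notify_time=m(25), client_ack_time=m(40)),
          Alert("A2", "Critical", T0, m(10), m(35), True, notify_time=m(50)),  # late on both clocks, client silent
          Alert("A3", "High", T0, m(3), m(20), False), Alert("A4", "Low", T0, m(2), m(120), False)]  # false positives
```

On the sample ledger A2 breaches both the 15-minute response and the 30-minute notification clocks and, with no client acknowledgement 40 minutes after notification, is the one alert due for secondary-contact escalation.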
After-Hours Protocol
| Time | Coverage | Response |
| --- | --- | --- |
| Business Hours | Full SOC team | Standard SLAs |
| After Hours (Essential) | On-call analyst | Critical/High only |
| After Hours (Standard+) | 24/7 SOC team | All severity levels |
Integration with Other Services
Internal SBK Services
External Integrations
| Integration | Examples |
| --- | --- |
| Ticketing Systems | ServiceNow, Jira, ConnectWise |
| Communication | Slack, Teams, PagerDuty |
| Identity Providers | Active Directory, Okta, Azure AD |
| Cloud Platforms | AWS, Azure, GCP native logging |
Evidence Base
Why This Approach Works
| Principle | Evidence | Source |
| --- | --- | --- |
| 24/7 monitoring critical | Breaches detected 58% faster | IBM 2024 |
| Outsourced SOC cost-effective | 60-80% cost reduction vs. internal | Gartner SOC TCO Analysis |
| SIEM essential for visibility | 90% of breaches have log evidence | Verizon DBIR 2024 |
| Tiered response improves efficiency | 3x faster critical response | SANS SOC Survey |
SBK Success Metrics
| Metric | Target | Measurement |
| --- | --- | --- |
| Client retention rate | 95%+ | Annual |
| Critical alert SLA adherence | 99%+ | Monthly |
| False positive rate reduction | 50%+ after 90 days | Quarterly |
| Client satisfaction | 4.5+/5.0 | Quarterly survey |
References
Last Updated: February 2026
Version: 1.0