Managed security and SOC, built to the 24-hour clock.

The squeeze is measurable. The median time for an intruder to move from a first foothold into the rest of the network, the breakout time, has fallen to around 29 minutes, and AI-enabled attackers increased their operations by nearly 90% year on year. Detection that runs only in office hours, or a response that waits for an analyst to arrive in the morning, loses the race before it starts. The clock that matters most is the attacker's, and it now runs in minutes.

The regulator's clock runs alongside it. NIS2 expects an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72, and a final report within a month; DORA imposes its own incident reporting on financial entities; and the NIS2 Implementing Regulation published in late 2024 spells out concrete monitoring, detection, testing and documentation duties that land on managed security providers directly. A SOC that detects late does more than let an attacker run longer: it starts the legal clock against you from behind.

The cheapest security service on paper is often the most expensive in practice, because the contract price hides the staff it still demands. A managed SIEM at around eight thousand a month that needs two of your own analysts to investigate its alerts costs far more, all in, than a detection-and-response service at twelve thousand that does the investigating for you. The honest comparison is total cost of operation, the fee plus the internal hours, rather than the line on the quote.

The models differ mainly in how much work stays with you. Managed SIEM hands you the tooling and the triage; managed detection and response adds the people who investigate and act; a full outsourced operations centre runs the lot. Security-services spending is growing faster than any other part of the market in 2026 precisely because organisations have concluded they cannot staff this internally at the speed the threat now demands. We scope the model to the team you have rather than the one a brochure assumes.

A SOC that ships your logs to a US-owned platform quietly reintroduces the jurisdiction problem you were trying to solve. We run detection on Wazuh inside the EU, so your security telemetry stays in-region. Detection runs continuously and automated; response follows documented runbooks, with response tiers scoped to your risk profile rather than sold as a fixed package. The monitoring sits on the same foundation as our observability work.

<!-- 6 failed SSH logins in 120s from one source → contain -->
<group name="local,syslog,sshd,">
  <rule id="100200" level="10" frequency="6" timeframe="120">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSH brute force from same source</description>
    <mitre><id>T1110</id></mitre>
  </rule>
</group>

<!-- ossec.conf: drop the source at the edge for 600s -->
<active-response>
  <command>firewall-drop</command>
  <rules_id>100200</rules_id>
  <timeout>600</timeout>
</active-response>

A hidden cost of an outsourced operations centre is lock-in. When the provider owns the detection logic, the correlation rules and the tuning, leaving them means starting over: organisations have lost months of custom rules, threat integrations and business-context tuning overnight when switching vendor. The intelligence built up about your own environment ends up trapped inside someone else's platform.

We build detection in open formats, SIGMA rules and Wazuh configuration, versioned and owned by you, so the work done to understand your environment stays yours. If you ever move on, the detection logic goes with you rather than evaporating, and while we run it you can see and audit what is watching you rather than trusting a sealed box. It is the same instinct that runs through the rest of what we do: the operator runs it, but the asset belongs to you.

The clearest case is an organisation in NIS2 or DORA scope without a round-the-clock security operation of its own, which most below enterprise scale cannot staff: continuous monitoring needs a rota of analysts that few mid-sized teams can justify or recruit into a market short millions of people. Close behind are companies whose insurers or customers now require evidence of continuous monitoring and incident response before they will sign or renew.

What they share is an attack surface that has outgrown office-hours, best-effort security, and a regulatory or commercial reason that protection now has to be demonstrable rather than assumed. A business still relying on a firewall and hope, or on an IT generalist watching security among ten other duties, is the typical fit. Where an organisation genuinely has the scale to run its own mature SOC, we will say so, and co-management is often a better answer than duplicating what it already has.

A SIEM out of the box catches the obvious and buries you in the rest. The work that makes detection useful is engineering: writing and tuning the rules to your environment, mapping coverage against a framework like MITRE ATT&CK so the gaps are known rather than assumed, and cutting the false positives that cause the fatigue described above. A tool watched without that work is a source of noise; a tool with it is a source of signal.

We treat detection as an ongoing discipline rather than a one-time setup. Coverage is mapped to the techniques an attacker would use against a business like yours, rules are tuned as the environment and the threats change, and threat hunting looks for the activity no rule yet catches. Because the rules are written in open formats and owned by you, the coverage is auditable rather than a vendor's secret, and it improves rather than ossifying after the install. The difference shows up as a higher proportion of real threats caught and a lower proportion of analyst time wasted on noise.

The market is full of services that sound alike and deliver very differently, so a few questions separate them. Ask for the provider's own detection and response times from its client base rather than industry averages, and be wary of any that cannot share them. Ask which compliance frameworks the reporting genuinely supports, NIS2, DORA, SOC 2, ISO 27001, since a generic security report will not satisfy a specific regulatory obligation. Ask whether the service augments your existing tooling or demands a full replacement, and what the coverage gap looks like during the transition.

Then ask the awkward ones. Who owns the detection rules if you leave? Is response limited to alerting you, or does it include active containment? Where is the telemetry stored, and under whose jurisdiction? A provider confident in its answers gives them plainly; one that deflects is telling you something. We would rather you ask all of this upfront and choose on the answers than discover the gaps during an incident, which is why we put our own answers in writing: EU-resident telemetry, detection rules owned by you, and active response scoped in the engagement rather than left vague.

Raw threat feeds are easy to buy and hard to use; a list of malicious addresses with no bearing on your environment adds noise rather than protection. Intelligence earns its place when it is filtered to what matters for a business like yours: the techniques active against your sector, the vulnerabilities being exploited in the wild right now, the indicators tied to threats you are plausibly exposed to rather than every threat in existence.

We fold that context into the detection rather than bolt it on as a separate dashboard, so a rule carries the knowledge of what is currently being used against organisations like yours, and the prioritisation reflects real-world activity instead of a generic severity score. The point of intelligence is to spend attention where the threat is live, and that works only when it is married to detection that can act on it rather than left as a feed someone is supposed to read and rarely does.

Zero Trust is sold as a product often enough that it is worth saying plainly: it is a design principle, not a thing you purchase and switch on. The principle is to stop treating the network perimeter as a trust boundary — to verify every request as though it came from an open network, grant the least privilege that the task needs, and assume a breach has already happened rather than that the inside is safe. In 2026 it is shifting from a recommended posture to an expectation written into the security requirements of some regulated sectors, which means it increasingly has to be demonstrable rather than aspirational.

Because it is an architecture, a managed SOC does not sell you Zero Trust so much as operationalise it. Identity becomes the centre of gravity, so the detection watches for identity-based attack — credential abuse, anomalous access, privilege escalation — as closely as it watches the network, and the segmentation that limits how far an intruder can move is monitored rather than assumed. The same logic runs through our compliance and sovereignty work, where verifying access and minimising trust is also how data stays under control. Zero Trust, done honestly, is the set of habits the rest of the security operation already practises, made explicit and provable rather than a dashboard with the name printed on it.