SOC-as-a-Service Pricing: What Drives the Cost (and How to Scope It)

The Five Variables That Drive SOC-as-a-Service Cost

1. Environment Size and Log Volume

The most direct cost driver in any SOC-as-a-Service engagement is the volume of data the SIEM must ingest and the analyst team must monitor. Environment size is typically measured in endpoints (servers, workstations, mobile devices under management), log sources (network devices, cloud services, identity systems, applications), and daily log volume (gigabytes per day ingested into the SIEM).
Log volume is not the same as endpoint count. An organization with 200 endpoints and a complex Microsoft 365 environment, multiple cloud workloads, and an Active Directory of moderate size can generate significantly more log data than an organization with 400 endpoints operating a simpler network architecture. SIEM platforms are typically licensed or priced on log ingestion volume, and that licensing cost flows through to the SOC engagement. Understanding your current log volume — even approximately — is useful before entering a pricing conversation.
In the broader market, SOC-as-a-Service pricing is often anchored per endpoint, per user, or per gigabyte of log data ingested per day. Industry surveys and analyst coverage generally place mid-market SOC-as-a-Service programs in a range from a few dollars per endpoint per month for basic monitoring-and-alert tiers up to significantly higher per-endpoint figures for full MDR with active response, threat hunting, and compliance documentation included. The range is wide precisely because the included scope varies widely. Always confirm what is included before comparing per-endpoint numbers across providers.

2. Compliance Framework Scope

Compliance obligations add cost to a SOC-as-a-Service program in two ways: they expand the log sources that must be monitored, and they require additional documentation work to produce audit-ready evidence.
HIPAA, for example, requires monitoring of all systems that access, store, or transmit electronic protected health information (ePHI). For a healthcare organization, this means the SIEM scope typically includes EHR access logs, clinical workstations, medical device network segments, and any cloud application that touches patient data. That is a broader log source footprint than an equivalent-size non-healthcare organization. CMMC 2.0 adds similar scope requirements around Controlled Unclassified Information (CUI) access monitoring. PCI-DSS Requirement 10 specifies log retention periods and review cadences that must be documented and demonstrated.
The compliance documentation layer — generating the evidence packages that satisfy audit, examination, and assessment requirements — is real operational work. Organizations operating under multiple frameworks simultaneously (a defense contractor that is also processing credit cards, for example) should expect that compliance scope to be reflected in the program cost. The value of that documentation work is that it eliminates the manual evidence-gathering effort your team would otherwise perform before every audit.

3. Detection and Response Tier

Not every SOC-as-a-Service program includes the same level of response capability. Programs vary significantly along this axis, and the difference has material implications for your organization’s risk posture and your team’s operational burden.
At the monitoring end of the spectrum, a provider delivers alerts to your team and your team investigates and responds. This is closer to a traditional managed security services model and typically carries lower program cost. At the full MDR end, the provider investigates confirmed threats and executes active response — host isolation, credential invalidation, blocking rule deployment — without requiring your team to act first. The time between detection and containment is a primary determinant of breach impact, and that gap is much smaller under an active response model. The additional cost of the active response tier is routinely justified by the reduction in breach cost potential it represents.
SENTRY operates at the active response end of this spectrum. Armorstack is a Managed Intelligence Provider, not a monitoring-and-alert service. The response capability is not an optional add-on; it is the program model. For organizations evaluating providers at different points on this spectrum, see MDR vs. MSSP: What the Difference Means for Your Risk Posture.

4. Threat Hunting Frequency and Depth

Proactive threat hunting — hypothesis-driven analyst campaigns designed to find adversaries who have not triggered automated detection rules — is among the highest-value and highest-cost components of a mature SOC program. It requires senior analyst time, threat intelligence synthesis, and environment-specific knowledge that takes time to develop.
Programs that include threat hunting on a monthly cadence with documented hypothesis libraries cost more than programs that deliver monitoring only. For regulated industries facing sophisticated threat actors — healthcare systems targeted by ransomware groups, defense contractors targeted by nation-state APT groups — threat hunting is not optional. Reactive detection finds threats that trigger rules. Proactive threat hunting finds the threats that have established persistence and are moving laterally without triggering rules yet. The dwell time reduction from proactive hunting is among the most impactful risk reduction measures available at the program level.

5. OT/IT Convergence and Specialized Environments

Manufacturing, energy, and healthcare organizations frequently operate environments that include operational technology (OT) or industrial control systems (ICS) alongside traditional IT infrastructure. Monitoring these environments requires SIEM integrations, detection logic, and analyst expertise that differ meaningfully from standard IT monitoring. Providers who have built OT/ICS monitoring capability include that work in their program cost; providers who have not may undercount it in the initial proposal and struggle to deliver it operationally.
Similarly, organizations with complex multi-cloud architectures, hybrid identity environments, or non-standard applications may require additional SIEM engineering work during the onboarding phase. That engineering work is typically reflected in the initial program cost rather than billed as professional services after engagement start.

How to Get an Accurate Number

The most useful thing you can bring to an initial pricing conversation with any SOC-as-a-Service provider is a documented answer to the following questions. Providers who ask these questions before quoting are providers building accurate proposals. Providers who quote without asking them are building estimates that will change.

• How many endpoints are in scope? (Servers, workstations, cloud instances, mobile devices under management)
• What is your approximate daily log volume? (Even an order-of-magnitude estimate — tens of GB/day, hundreds of GB/day — is useful)
• What log sources are in scope? (On-premises network infrastructure, Microsoft 365, AWS/Azure, Active Directory, OT/SCADA, point-of-sale, EHR)
• What compliance frameworks govern your organization? (HIPAA, PCI-DSS, CMMC, GLBA, SOC 2, NIST CSF, state-specific regulations)
• What level of incident response do you need? (Alert-and-notify vs. investigate-and-respond vs. full active containment)
• Do you have existing security tooling in place? (Current SIEM, EDR/XDR platform, identity monitoring, existing vendor contracts that need to integrate or be replaced)
• What does your existing security team look like? (Internal analysts who will work alongside the SOC, or no dedicated internal security staff)

Armorstack’s scoped assessment process produces a program proposal built on the answers to these questions — not on a generic endpoint count. The 90-Day Proof is an alternative starting point: deploy the full program, generate real outcomes, and use those outcomes to build the business case for the ongoing engagement. Learn about the 90-Day Proof. For how MDR pricing compares across different provider models, see MDR Pricing: How Managed Detection and Response Is Priced.