You run a 30-person company. You have a firewall, antivirus on every laptop, and maybe Microsoft 365 with MFA switched on. Then a vendor tells you that none of that matters without a "SOC," and that a SOC costs more than your entire IT budget. Is that true, or is it a scare tactic?
Here is the honest answer: you almost certainly need SOC capability. You almost certainly do not need to build a SOC. Those are two very different things, and confusing them is how small businesses end up either overspending or doing nothing at all.
What a SOC actually is
A Security Operations Center is not a product. It's a function — people, process, and tooling working together to do three things, around the clock:
- Monitor — watch what's happening across your laptops, servers, email, and cloud accounts.
- Detect — separate the one event that matters (a stolen password being used at 3 a.m.) from the thousands of harmless ones.
- Respond — act on the real threat fast: isolate the machine, kill the session, contain the damage before it spreads.
The hard part isn't buying tools. It's the "around the clock" and the "separate the one that matters." Attackers don't keep office hours, and a tool that fires an alert nobody reads at 2 a.m. on a Sunday has done nothing for you.
Does a 30-person company really get attacked?
Yes — and the data is blunt about it. According to Verizon's 2025 Data Breach Investigations Report, ransomware (or extortion malware) was present in 88% of breaches at small and mid-sized businesses, versus just 39% at large organizations. Smaller companies are not flying under the radar. They're the preferred target, precisely because they tend to have weaker monitoring and slower response.
The same report found the median ransom payment dropped to $115,000 — and that figure is just the ransom. It doesn't count downtime, lost customers, legal costs, or the week your team spends rebuilding instead of selling. For most 30-person businesses, a single serious incident is an existential event, not a line item.
The question isn't whether a small business is a target. It's how quickly you'd notice, and whether anyone is watching when you're asleep.
The three ways to get SOC coverage
1. Build your own (the expensive one)
A real 24/7 SOC is brutal math. There are 168 hours in a week and a person works about 40 of them, so keeping a single seat staffed at all times — accounting for shifts, holidays, sick days, and turnover — takes roughly 8 to 12 analysts, not one. Add a manager and an engineer to tune the tooling, and analyst salaries running $80,000–$120,000 each, and you're looking at $1 million to $4 million per year all-in for staff, tools, and threat-intelligence feeds. It also takes 6–18 months to reach the point where the team is actually catching things.
For a company of 30 people, this is a non-starter. It's not a budget problem; it's the wrong tool for the size.
2. One "security person" (the dangerous middle)
Many SMBs hire a single IT or security generalist and call it covered. That person is genuinely valuable — but they sleep, take holidays, and can't watch your environment at 3 a.m. on a Saturday, which is exactly when intrusions tend to play out. One person is a great asset and a terrible 24/7 SOC. The risk is the false sense of security.
3. Outsource it (SOC-as-a-Service / MDR)
This is where most small businesses land, and for good reason. A managed SOC — often sold as Managed Detection and Response (MDR) or SOC-as-a-Service — gives you a mature team, the tooling, and 24/7 eyes for a predictable monthly fee instead of a seven-figure build.
Pricing is usually per device or per asset, in the range of $8–$20 per asset per month. For a typical SMB that works out to anywhere from around $120,000 down to a small fraction of that, depending on size and scope. Crucially, it's live in days, not the year-plus an internal build takes. You're renting the part that's expensive to own: the people and the always-on coverage.
This is the model IronCastle is built on. We run the monitoring, detection, and response so a 30-person company gets enterprise-grade SOC coverage without hiring a 12-person team. You can see what's actually watched on our coverage page, and what it costs on our pricing page.
So — do you need one?
Use this quick test. You likely need real SOC coverage if any of these are true:
- You hold customer data, payment details, or anything regulated.
- Downtime of a few days would seriously hurt the business.
- You're in a supply chain — your clients ask about your security, or contracts require it.
- You have cloud email and accounts (Microsoft 365, Google Workspace) that an attacker could take over.
If two or more apply — and for almost every business, they do — the question isn't "do I need a SOC," it's "how do I get the capability without building one."
What to do this week
- Map your real risk. List the data and systems that would hurt most if they went down or got stolen. That's what any SOC should be protecting first.
- Check your coverage gaps. Ask one honest question: if something malicious happened on a Saturday night, who would see it, and how fast? If the answer is "nobody until Monday," that's your gap.
- Don't confuse antivirus with detection. Endpoint antivirus stops known malware. It does not watch logins, cloud accounts, or an attacker using stolen-but-valid credentials.
- Price the outsourced option. Get a per-device quote from an MDR or managed SOC provider and compare it against the cost of one bad incident — not against "doing nothing," which has its own price.
- Insist on response, not just alerts. A service that only emails you alerts has handed the hard part back to you. Make sure someone is contracted to act.
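The "who would see it, and how fast?" question from the checklist can be answered with data you already have. The Python below is an added example, not part of the original article: it splits alerts into office-hours and off-hours by when they fired and reports how long each group waited for a human. The alert records, the field layout, and the 09:00–17:00 Monday-to-Friday staffing window are all constructed assumptions; substitute an export from your own alerting tool.

```python
from datetime import datetime
from statistics import median

# Constructed sample export: (alert id, fired, first human acknowledgement).
# Local office time; 2025-03-08 is a Saturday. None = nobody ever looked.
ALERTS = [
    ("A1", "2025-03-05 10:15", "2025-03-05 10:40"),  # Wednesday, office hours
    ("A2", "2025-03-06 23:30", "2025-03-07 08:05"),  # Thursday night
    ("A3", "2025-03-08 02:10", "2025-03-10 09:20"),  # Saturday -> seen Monday
    ("A4", "2025-03-09 14:00", None),                # Sunday, never acknowledged
    ("A5", "2025-03-10 11:00", "2025-03-10 11:12"),  # Monday, office hours
]
FMT = "%Y-%m-%d %H:%M"
OFFICE_START, OFFICE_END = 9, 17  # assumed staffed hours, Monday to Friday

def in_office_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and OFFICE_START <= ts.hour < OFFICE_END

def coverage_gap(alerts, now):
    """Group alerts by when they fired and report acknowledgement latency.
    An unacknowledged alert is counted as still waiting at `now`."""
    buckets = {"office": [], "off_hours": []}
    unseen = []
    for alert_id, fired_s, acked_s in alerts:
        fired = datetime.strptime(fired_s, FMT)
        acked = datetime.strptime(acked_s, FMT) if acked_s else None
        if acked is None:
            unseen.append(alert_id)
        key = "office" if in_office_hours(fired) else "off_hours"
        buckets[key].append((acked or now) - fired)
    report = {"never_acknowledged": unseen}
    for key, lat in buckets.items():
        report[key] = {"count": len(lat),
                       "median": median(lat) if lat else None,
                       "worst": max(lat) if lat else None}
    return report

if __name__ == "__main__":
    for k, v in coverage_gap(ALERTS, datetime(2025, 3, 10, 17, 0)).items():
        print(k, v)
```

A large difference between the two groups, or any entry under `never_acknowledged`, is the "nobody until Monday" gap expressed in hours.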
A 30-person company doesn't need to build a SOC. It needs the outcome a SOC delivers — someone watching, and someone responding, every hour of every day. Buy the outcome, skip the seven-figure build.