
Five Days: From Order to 24/7 Monitoring — How the Deployment Actually Works

The five-day deployment claim is the one that gets the most sceptical responses when we talk to people who've been through traditional SOC onboarding. They've sat through six-week scoping engagements. They've waited three months for their first detection rules. They've handed over network diagrams and been told the build process would take another four weeks. Five days sounds implausible.

It's not implausible. It's the result of a specific architectural decision we described in an earlier post in this series: all the complexity of deployment is handled before the box leaves our hands. By the time it reaches the client, there's almost nothing left to configure.

Here's exactly what happens on each of the five days.

Day 1: Scoping Call

The scoping call is a 30-minute conversation between the client, a member of the sales team, and the analyst who will be assigned to the deployment. It covers seven things:

This call is the only technical intake the client needs to complete. There's no questionnaire to fill in, no network diagram to produce (we'll draw one during onboarding), and no agent to install before the call. The call itself is the intake.

Days 1–2: Appliance Build

The scoping call feeds directly into the appliance build. Our engineering team has the information they need from the call to pre-configure the sensor: network interface assignment, detection rule selection, DLP policy configuration, DecoyPulse sensor positioning, and SOC365 tenant provisioning.

For virtual appliances, the build completes within hours and the download link is provided before the end of Day 2. For physical appliances, the unit ships same-day or next-day depending on when the scoping call completes. UK mainland next-day delivery means most clients receive the physical appliance on Day 2 or Day 3.

The named analyst uses Days 1–2 to review what they learned from the scoping call, begin drafting the custom detection rules specific to the client's environment, and establish the initial escalation documentation that the wider analyst team will use for overnight coverage.

Day 3: Appliance Arrives

Physical appliance clients: the box arrives. Everything needed is in it — the appliance itself, a rack kit if appropriate, rubber feet for desktop deployment, two Ethernet cables, and a single laminated card with five steps and a phone number.

The five steps are: connect power, connect the LAN cable to your switch, connect the WAN cable to your router, wait for the green LED, call the number on this card. That's it. No configuration. No login credentials to set. No drivers to install. The appliance knows what it's supposed to do the moment it connects to the network.

Virtual appliance clients receive their download link on Day 2. Deployment into the hypervisor typically takes 20–30 minutes, at which point the same verification process applies.

Day 4: Go Live

The client calls the number on the card. We verify the connection from our end — confirm that the appliance is transmitting telemetry, that the SOC365 tenant is receiving it correctly, and that the network interfaces are seeing the expected traffic. We run a validation scan to confirm coverage of the assets identified in the scoping call.

The named analyst introduces themselves — some clients have already spoken to them during the scoping call; others haven't. The analyst confirms the escalation preferences, asks any questions that have arisen during the build process, and confirms that the client knows how to reach the SOC if they need to.

The whole process takes less than an hour. At the end of it, 24/7 monitoring is live.

Day 5: Tuned and Watching

The final day of the initial deployment period is tuning day. The analyst reviews the first 24 hours of telemetry, identifies any false positive patterns that need suppression, validates that the DecoyPulse sensors are correctly positioned and not generating alerts from legitimate traffic, and configures the Confidence Score dashboard to reflect the client's environment.

By end of Day 5, the client has a fully operational Security Operations Centre — not in a provisional state pending further configuration, not with temporary rules that will be replaced later, but fully tuned and watching. The named analyst sends a short written summary confirming that the environment is live and detailing anything notable from the first 24 hours.

The Concierge Option

For clients who want on-site support during deployment, we offer the Concierge Service: a Cyber Defence engineer who visits the premises for two to three days, handles the physical deployment, assists with agent installation on endpoints, conducts a network topology review, and provides a verbal briefing on the environment to the named analyst before departing. Concierge is an optional add-on, priced per engagement based on location and network complexity.

The standard remote deployment is right for most clients. Concierge is right for clients who have complex or segmented networks, who want to be walked through what the SOC is seeing from the outset, or who simply prefer having a person on-site during the go-live process.

Next week: what we've learned. The final post in this development series covers the lessons from building SOC in a Box — what we got right, what we got wrong, and where the product is going next.
