
The Idea: What If We Could Put a SOC in a Box?

Most product ideas start with a gap in the market. This one started with a pattern we kept seeing in incident response callouts — and a growing conviction that we were repeatedly cleaning up messes that should never have happened.

The scenario was almost always the same. A small organisation. A breach that had been running for days or weeks before detection. No monitoring in place. And an MD or practice manager staring at a screen, asking us what they should have done differently.

The answer was always the same too: you should have had a SOC. But that answer felt hollow when the follow-up question was invariably "how much does that cost?"

The Cost Architecture Problem

Traditional managed SOC services are expensive primarily because of their cost architecture, not because of what they do. The detection engine, the threat intelligence feeds, the analyst team — none of that inherently requires a six-figure contract. The cost comes from everything wrapped around it.

Dedicated infrastructure. Bespoke integration work for each client. Custom log ingestion pipelines. Months of tuning before monitoring goes live. Account management layers. The overhead of treating each client as a unique engineering project.

We already had something the traditional MSSP doesn't: our own SOC platform. SOC365 — built and operated in-house — was already running for enterprise clients. The detection rules, the threat intelligence integration, the analyst workflows, the EmilyAI triage layer: all of it existed and was already proven in production.

The question was whether we could deploy a sensor — a compact, pre-configured appliance — that would sit on a client's premises, collect the right telemetry, and feed it to SOC365 without any of the bespoke integration overhead that makes traditional SOC deployments so expensive.

The Insight: Move the Sensor, Not the Platform

This is the architectural insight that made everything else possible. In a traditional SOC deployment, the client's data travels to the SOC's infrastructure — or the SOC deploys agents and sensors into the client environment, requiring significant engineering time at each site.

We inverted this. Instead of bringing the client's environment to the platform, we built a self-contained sensor that could be pre-configured in our workshop and shipped to the client. Plug it in, point it at the network, and it connects back to SOC365. No on-site engineering. No bespoke integration. No months of setup.

The sensor handles network traffic analysis, endpoint telemetry aggregation, log collection, and deception sensor deployment — all in a single hardened appliance. SOC365 does the rest.

What We Refused to Compromise On

Early in the design process, we made a list of things that were non-negotiable. Things that, if we compromised on them, would mean we were building exactly the kind of product we were criticising.

The Name

We spent longer than we expected on the name. "Managed detection and response" was accurate but invisible — every MSSP uses the same language. We wanted something that communicated the product's core proposition immediately: you order it, it arrives, and it is what it says it is.

SOC in a Box does that. It's slightly irreverent. It implies a challenge to the idea that a SOC has to be a vast, expensive operation. And it's memorable in a way that three-letter acronyms rarely are. The first time we said it aloud in a client meeting, they laughed — and then asked how to order one. That seemed like a good sign.

Next week, we'll get into the hardware: what goes inside the box, why we made the decisions we did, and why we offer both a physical appliance and a virtual one.

Update: From Idea to Platform

This post was originally published in August 2025 as the first entry in our development diary series. What follows is a summary of everything that has been built since — the full journey from concept to a live, shipping product serving clients across the UK.

The Hardware

The physical appliance became a hardened, fanless x86 unit — rack-mountable in a standard 1U bay or deployable as a desktop unit next to a switch. Six internal Ethernet interfaces plus two external give it the flexibility to handle segmented networks across VLANs without additional hardware. All telemetry is stored locally for up to 31 days with AES-256 encryption, and all data in transit uses TLS 1.3 with certificate pinning. The virtual appliance ships as an OVA/VMDK image supporting VMware, Hyper-V, Proxmox, and KVM — available for download within one hour of the scoping call.

SOC365 Detection Engine

The detection engine integration delivered exactly what we set out to build. SOC in a Box clients receive the same SOC365 correlation engine — the same SIGMA-based detection rules, updated by the same threat research team — that serves enterprise clients. No rule subsets. No simplified version. The sensor processes network data locally before transmission, keeping cloud egress to a minimum and working reliably over standard business broadband. Microsoft 365 and Azure audit logs are ingested directly via the Management Activity API.

EmilyAI Triage

EmilyAI — our AI triage layer — has been running in production for eight years. It pre-processes every alert before it reaches an analyst: contextual enrichment from threat intelligence and CVE data, behavioural baseline comparison, duplicate suppression, and composite priority scoring. The practical result is a significant reduction in false positive escalation — analysts spend their time on genuine threats, not noise. EmilyAI begins learning each client's environment from the first telemetry and reaches full calibration within 30 days.

DecoyPulse Deception Technology

DecoyPulse deploys network decoys (virtual hosts appearing as servers, printers, and workstations), credential decoys (inactive accounts with convincing names), and file decoys (attractively named files like "HR_Salary_2025.xlsx") across every client environment. The false positive rate is effectively zero: if something interacts with a decoy, it's doing something it shouldn't be doing. DecoyPulse events bypass the standard triage queue and escalate directly to the analyst's priority queue. All decoys are pre-configured during the appliance build to match the client's network topology and sector.
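The two sections above describe a triage pipeline (enrichment, baseline comparison, duplicate suppression, composite scoring) and a deception layer whose events skip that pipeline entirely. The following is an added illustration of that routing logic, written for this page; it is not EmilyAI or DecoyPulse code. The decoy inventory, the alert fields, the 10-minute duplicate window, the 50/25/25 score weighting and the 60-point escalation threshold are all constructed assumptions.

```python
"""Added illustration: alerts that touch a decoy go straight to the analyst's
priority queue; everything else is de-duplicated and priority-scored.
Constructed sample data; not the product's own code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed decoy inventory (assumed format): hosts, accounts and files that
# no legitimate user or process has any reason to touch.
DECOY_HOSTS = {"10.0.5.250", "10.0.5.251"}
DECOY_ACCOUNTS = {"svc_backup_admin"}
DECOY_FILES = {"HR_Salary_2025.xlsx"}


@dataclass
class Alert:
    ts: datetime
    rule: str                   # detection rule that fired
    src: str                    # source host or user
    dst: str                    # target host, account or file
    severity: int               # 1 (low) .. 5 (critical), set by the rule
    intel_hit: bool = False     # source matched a threat-intel indicator
    baseline_dev: float = 0.0   # 0.0 = normal for this client, 1.0 = never seen


@dataclass
class TriageResult:
    priority_queue: list = field(default_factory=list)  # (alert, score, reason)
    standard_queue: list = field(default_factory=list)
    suppressed: int = 0


def is_decoy_interaction(a: Alert) -> bool:
    """Any contact with a decoy is suspicious by construction."""
    return a.dst in DECOY_HOSTS or a.dst in DECOY_ACCOUNTS or a.dst in DECOY_FILES


def composite_score(a: Alert) -> float:
    """Assumed weighting: rule severity 50, threat-intel match 25, baseline deviation 25."""
    return round(a.severity / 5 * 50 + (25 if a.intel_hit else 0) + a.baseline_dev * 25, 1)


def triage(alerts, dedup_window=timedelta(minutes=10), escalate_at=60.0) -> TriageResult:
    result = TriageResult()
    last_seen = {}  # (rule, src, dst) -> timestamp of the last alert we kept
    for a in sorted(alerts, key=lambda x: x.ts):
        if is_decoy_interaction(a):
            # Decoy touch: no scoring, no suppression, straight to the analyst.
            result.priority_queue.append((a, 100.0, "decoy interaction"))
            continue
        key = (a.rule, a.src, a.dst)
        prev = last_seen.get(key)
        if prev is not None and a.ts - prev < dedup_window:
            result.suppressed += 1          # same rule/src/dst inside the window
            continue
        last_seen[key] = a.ts
        score = composite_score(a)
        queue = result.priority_queue if score >= escalate_at else result.standard_queue
        queue.append((a, score, "scored"))
    return result


# Constructed sample alerts from one workstation over half an hour.
T0 = datetime(2025, 8, 1, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0, "failed_logon_burst", "10.0.1.20", "fileserver01", 2),
    Alert(T0 + timedelta(minutes=1), "failed_logon_burst", "10.0.1.20", "fileserver01", 2),
    Alert(T0 + timedelta(minutes=2), "smb_file_read", "10.0.1.20", "HR_Salary_2025.xlsx", 1),
    Alert(T0 + timedelta(minutes=3), "outbound_beacon", "10.0.1.20", "203.0.113.5", 4,
          intel_hit=True, baseline_dev=0.8),
    Alert(T0 + timedelta(minutes=30), "failed_logon_burst", "10.0.1.20", "fileserver01", 2),
]


def run_sample() -> TriageResult:
    return triage(SAMPLE_ALERTS)


if __name__ == "__main__":
    r = run_sample()
    for a, score, reason in r.priority_queue:
        print(f"PRIORITY {score:5.1f} {reason:18} {a.rule} {a.src} -> {a.dst}")
    for a, score, reason in r.standard_queue:
        print(f"standard {score:5.1f} {reason:18} {a.rule} {a.src} -> {a.dst}")
    print(f"suppressed duplicates: {r.suppressed}")
```

On the sample, the second logon burst is suppressed as a duplicate, the decoy file read and the intel-matched beacon land in the priority queue, and the two remaining logon bursts (one outside the window) stay in the standard queue. The design point is that the decoy check runs before scoring, so a low-severity rule firing on a decoy can never be drowned out by its own score.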

Named Analyst Model

Every SOC in a Box client is assigned a named CREST-certified analyst who learns their environment. Not a ticket queue, not a shared inbox — a person. The named analyst writes custom detection rules, establishes the behavioural baseline, handles escalations directly via phone or email, authors monthly board-ready reports, and continuously tunes the environment. Client feedback consistently identifies the named analyst as the most valued aspect of the service.

Confidence Score

The Confidence Score gives boards and decision-makers a single percentage metric representing security posture at any moment. It's calculated from sensor health, coverage completeness, detection rule currency, open incident status, and baseline stability — and it's always accompanied by a plain-English explanation of what's driving the number. One client used it to negotiate a reduction in their cyber liability insurance premium. The monthly board-ready report, authored by the named analyst, includes a compliance evidence pack structured for ISO 27001 auditors, FCA supervisors, and NHS Digital assessors.
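As an added illustration of the kind of composite metric described above, here is a posture score built from the five inputs the page names, with the plain-English driver list derived from where the points were lost. This is example code written for this page, not the product's formula: the weights, the explanation wording and the sample readings are constructed assumptions.

```python
"""Added illustration of a composite posture score with driver attribution.
Weights, wording and readings are constructed; not the product's real formula."""

# Assumed weights per component (sum to 1.0). Each reading is 0.0 (worst) .. 1.0 (best).
WEIGHTS = {
    "sensor_health": 0.25,
    "coverage_completeness": 0.25,
    "detection_rule_currency": 0.15,
    "open_incident_status": 0.20,
    "baseline_stability": 0.15,
}

# Assumed plain-English phrasing for each component when it is costing points.
EXPLANATIONS = {
    "sensor_health": "one or more sensor interfaces are degraded or offline",
    "coverage_completeness": "some in-scope assets are not yet reporting telemetry",
    "detection_rule_currency": "the detection rule set is behind the latest release",
    "open_incident_status": "incidents are open and awaiting closure",
    "baseline_stability": "the behavioural baseline is still settling",
}


def confidence_score(readings: dict) -> tuple[int, list[str]]:
    """Return (percentage, driver lines). Drivers are ordered by points lost,
    largest first, and omit anything costing less than one point."""
    missing = set(WEIGHTS) - set(readings)
    if missing:
        raise ValueError(f"missing readings: {sorted(missing)}")
    total = 0.0
    lost = {}
    for name, weight in WEIGHTS.items():
        value = readings[name]
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} out of range: {value}")
        total += weight * value
        lost[name] = weight * (1.0 - value) * 100  # points this component cost
    score = round(total * 100)
    drivers = [
        f"{EXPLANATIONS[name]} (-{lost[name]:.0f} points)"
        for name in sorted(lost, key=lost.get, reverse=True)
        if lost[name] >= 1.0
    ]
    return score, drivers


# Constructed readings for a client a few weeks after go-live.
SAMPLE_READINGS = {
    "sensor_health": 1.0,
    "coverage_completeness": 0.8,
    "detection_rule_currency": 1.0,
    "open_incident_status": 0.6,
    "baseline_stability": 0.8,
}


if __name__ == "__main__":
    score, drivers = confidence_score(SAMPLE_READINGS)
    print(f"Confidence Score: {score}%")
    for line in drivers:
        print(f"  - {line}")
```

Validating every reading before summing matters more than it looks: a missing or out-of-range input silently treated as zero would drag the percentage down and put a misleading driver at the top of the board report.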

Data Loss Prevention

SMB-focused data loss prevention is included in every deployment. Pre-built policy templates cover GDPR, SRA, FCA, NHS, and PCI requirements. Monitoring spans email, web uploads, USB devices, file copying, printing, and cloud services via Microsoft Purview integration. Policies are tuned during deployment for sector-specific data types — law firm matter numbers, GP NHS numbers, accountancy client references — so clients get meaningful DLP from day one without writing a single rule.

Dark Web Monitoring and Attack Surface Management

Continuous dark web scanning monitors criminal marketplaces, forums, paste sites, and Telegram channels for leaked credentials, business domains, and exposed data. Attack surface management provides continuous external asset discovery — domains, subdomains, exposed services, open ports, and shadow IT — showing clients what an attacker sees, updated continuously rather than once a year in a pen test report. Both are included in every plan.

Cyber Essentials and Insurance

Every SOC in a Box plan includes Cyber Essentials certification support and government-backed cyber liability insurance. Clients receive certification consulting alongside ongoing monitoring — security posture and compliance handled in a single subscription.

Five-Day Deployment — Achieved

The five-day deployment target we set during the design phase became the standard. Day 1: a 30-minute scoping call. Days 1–2: appliance build and pre-configuration. Day 3: appliance arrives — five steps on a laminated card, no configuration required. Day 4: go-live call with the named analyst, validation scan, 24/7 monitoring active. Day 5: first 24-hour review, tuning, and confirmation. For clients wanting on-site support, the Concierge Service provides a Cyber Defence engineer for two to three days.

Pricing

Three plan tiers — Small (25 assets, £335/month), Medium (50 assets, £600/month), and Large (100 assets, £1,000/month) — all include identical capabilities. No setup fees. Cancel anytime on a 30-day rolling contract. For a typical 50-asset firm spending £16,600 a year on fragmented security tools, SOC in a Box replaces up to seven separate invoices with a single payment and delivers a net annual saving of around £10,000.

What We Learned

The pre-configuration model, the named analyst, and the Confidence Score were validated by client feedback. We got the scoping call length wrong initially — cut it from 45 to 30 minutes. Agent deployment documentation needed simplifying for non-technical staff. OT infrastructure guidance needed expanding. And one of the biggest surprises: multi-academy trusts became a leading adoption sector, something we hadn't anticipated at the concept stage.

The full development diary series documents each of these areas in detail. What started as an idea in an incident response debrief is now a live platform — and the gap we set out to close is closing.

See What We Built

The concept is one thing. The product is another. If you'd like to see exactly what's inside — the detection engine, the analyst model, the deception technology, and the pricing — take a look at the full product overview.
