Why Small Organisations Can't Get a Real SOC — And Why That's Wrong

Every year, thousands of organisations with fewer than 100 endpoints experience a cyber incident with no monitoring in place to detect it — let alone stop it. They don't find out until the ransomware note appears on a Monday morning, or a client rings to say their data has appeared on the dark web.

We know this because we see the aftermath. Our incident response team at Cyber Defence picks up the phone when it's already too late. And almost every time, when we ask "what security monitoring did you have in place?", the answer is some variation of the same thing: "we were told we were too small for that."

The Industry's Dirty Secret

The cybersecurity industry has a problem it doesn't like to talk about. Security Operations Centres — the teams and technology that provide 24/7 monitoring, threat detection, and incident response — have been positioned as enterprise infrastructure. Six-figure contracts. Dedicated hardware. Months of onboarding. Minimum asset counts that exclude most of the UK business population.

This isn't because the technology can't scale down. It's because the business model hasn't had to. Enterprise clients pay enterprise fees, and for years that's been enough.

The result? A two-tier security landscape. Organisations above a certain size — usually those with over 500 endpoints, or those willing to spend north of £100,000 per year — get real protection. Everyone else gets a product that looks like protection but isn't: a dashboard they check themselves, an automated alert system with no analyst behind it, or a managed antivirus dressed up in SOC language.

"We were told a SOC was a six-figure investment. That it required a dedicated team. That the technology alone would cost more than our entire IT budget. So we bought some tools and hoped for the best."

We've heard versions of that sentence from a GP surgery in Cambridgeshire, a law firm in the South East, a multi-academy trust in the Midlands, and a parish council that didn't even know it was a target until it was.

The Threat Doesn't Care About Your Asset Count

Here's the uncomfortable truth: attackers don't filter their target lists by organisation size. Ransomware gangs use automated tools to scan the entire internet for vulnerable systems. Phishing campaigns are sent to millions of addresses simultaneously. Supply chain attacks compromise smaller organisations specifically because they're the weakest link in a larger contractor's ecosystem.

A boutique law firm with 20 fee earners holds the same categories of sensitive personal and financial data as a Magic Circle practice. A GP surgery with 4,000 patients holds health records — some of the most valuable data in existence to the right buyer. An engineering consultancy bidding on Ministry of Defence contracts holds intellectual property that nation-state actors are actively hunting.

Asset count is irrelevant to the attacker. It's only relevant to the security industry's pricing model.

What We Decided to Build

In early 2025, we asked ourselves a straightforward question: if you stripped away all the enterprise overhead — the dedicated data centre infrastructure, the bespoke integration work, the account management layers — could you deliver the same core SOC capability for a fraction of the cost?

Not a watered-down version. Not a self-serve dashboard. The actual thing: continuous monitoring by qualified analysts, real threat detection, deception technology, threat intelligence integration, and a named person who calls you when something happens.

The answer, it turned out, was yes. And the mechanism was simpler than we expected: a pre-configured sensor that lives on your premises, connected to the same SOC365 platform that protects our enterprise clients.

We called it SOC in a Box.

Over the next several weeks, we're going to document exactly how we built it — the hardware decisions, the software architecture, the analyst model, the deployment process, and the lessons we learned along the way. If you're running security for a small or medium-sized organisation, or if you're advising one, we think this story is worth following.

The Problem Deserves a Real Solution

If your organisation has been told it's too small for a proper SOC, we'd like to have a conversation. No sales pitch — just a 30-minute scoping call to understand your environment and tell you honestly whether SOC in a Box is right for you.
