KIDANVerse

Zurich

KIDANVerse

Lausanne

A refreshed experience is in progress. A few pages may be temporarily limited.

TOC

End-to-end security operations monitoring.

On-demand Consulting

Expert guidance for strategic technology decisions.

As a Service (Managed)

Enterprise services supporting critical IT infrastructure.

Implementation

Seamless enterprise technology solution deployment.

Training

Empower teams with expert-led technology programs.

Assessment and Audit

Gain complete visibility into your technology infrastructur

Solutions

Tailored IT solutions for operational excellence.

Procurement and Licensing

Expert on-demand consultation for technology procurement

Support

Dedicated IT support for seamless operations.

Most visited page

Expert guidance for strategic technology
decisions.

About Us

Learn more about KIDAN’s vision, values, and expertise.

Security Operations
Center (SOC)

Proactive security operations to
protect data asset

Infrastructure Operations Center (IOC)

Intelligent operations control for
agile IT systems

Network Operations
Center (NOC)

Ensuring smooth network operations
and uptime 24/7

About us

Expert guidance for strategic technology
decisions.

Contact Us

Learn more about KIDAN’s vision, values, and expertise.

Our Partners

Meet KIDAN’s partners working together to deliver technology solutions, support, and growth for businesses.
Strategic Vendor Partners
Collaborating with global leaders for advanced IT solutions
200 +
Technical Managed Solutions
Delivering specialized tools to address complex IT challenges
110 +
Enterprise clients across industry sectors
trust KIDAN’s strategic partnerships and solutions to drive technology success.
1250 +

ManageEngine

IAM

Access Manager Plus

ADManager Plus

ADSelfService Plus

Access Manager Plus

Key Manager Plus

Identity 360

PAM360

Password Manager Pro

Recovery Manager Plus

IAM

UEM

Security

Networks

Cloud

MSP

Help Desk

IT Analytics

ColorTokens

Cloudflare

SentinelOne

Microsoft

Horizon3

Zoho

Xink

Sangfor

390+

Strategic Vendor Partners

115+

Technical Managed Solutions

1'300+

Enterprise clients across industry sectors

TOC

Security Operations Center (SOC)

Infrastructure Operations Center (IOC)

Network Operations Center (NOC)

Help Desk and Service Desk

What a Security Operations Center Does and Why You Need One

A peer-reviewed deep-dive into how a SOC actually detects, contains, and stops cyber threats – and the honest decision framework for choosing in-house, hybrid, or SOC-as-a-Service in Switzerland.

READ TIME · 14 MIN

UPDATED · APR 2026

CATEGORY · SOC / SOCaaS

BY · KIDAN SECURITY

A cyberattack can go undetected for 207 days on average. By then, the damage is done – data is gone, operations are disrupted, and trust is broken. A Security Operations Center (SOC) exists to close that window dramatically. After reading this, you will know exactly how a SOC works, who sits inside one, what it costs to get wrong, and whether an in-house or outsourced model makes sense for your organization.
What makes this guide different from every other resource on this topic: it draws on peer-reviewed research by Vielberth, Böhm, Fichtinger, and Pernul, which maps the specific roles, responsibilities, and skill sets inside a working SOC. It also covers what competitors consistently skip: the disadvantages of running a SOC, realistic setup timelines , and SOC-as-a-Service options in Switzerland .

Key Note

The leading resources on SOC – including guides from Microsoft, IBM, and Check Point – cover the basics well. None of them address the real costs and limitations of building a SOC, the time it takes to become operational, or outsourced SOC options for Swiss businesses. This article fills those gaps directly, using sourced Swiss-market data.

The Cost of Not Knowing

207 Days: The Invisible Window

Without a SOC, attackers operate undetected. This is the window they exploit - and the window a SOC closes.

0

Days avg.

In those 207 days, attackers move laterally, escalate privileges, exfiltrate data, and prepare ransomware payloads. A mature SOC compresses this window to minutes, not months – through continuous monitoring, behavioral analytics, and a tiered analyst response that never clocks out.

< 5

MTTD (minutes) – Mature SOC

< 15 - 30

MTTR (minutes) – Mature SOC

298 days

Avg. time to contain – no SOC

Industry baseline dwell times. Source: IBM Cost of a Data Breach Report. MTTD/MTTR estimates based on mature SOC benchmarks.

What Is a Security Operations Center?

A Security Operations Center (SOC) is a dedicated team – supported by technology – that monitors, detects, investigates, and responds to cybersecurity threats around the clock. It centralises security operations into a single function combining people, processes, and tools.
Think of the SOC as your organization’s immune system. Rather than just preventing threats, its real power is detecting anomalies early, containing damage before it spreads, and learning from every incident. The SOC is not a product you buy – it is an operational capability you build or contract.

At its core, a SOC performs four primary functions:

Continuous monitoring

24/7 visibility across endpoints, networks, cloud environments, and applications

Threat detection

identifying malicious activity by correlating logs, alerts, and threat intelligence

Incident Rresponse

containing, eradicating, and recovering from confirmed security incidents

Compliance support

maintaining audit trails and evidence for frameworks like GDPR, ISO 27001, SOC 2, and HIPAA

The SOC Team: Who Does What

A modern SOC is built on a tiered analyst structure – Tier 1 (triage), Tier 2 (incident response), and Tier 3 (threat hunting) – supported by specialist roles and a SOC Manager. Each tier requires distinct skills, and the handoff between them is critical to effective incident response.

Analyst Hierarchy

The SOC Tier Structure

Based on peer-reviewed research by Vielberth, Böhm, Fichtinger & Pernul (2020). Volume decreases as you move up - but the cost of a wrong decision increases.

Tier 1

Triage Specialist

0 s

alerts/shift

Tier 2

Incident Responder

0 s

incidents/wk

Tier 3

Threat Hunter

Proactive

hunts/wk

Leadership

SOC Manager

Strategy

& budget

Tier 1 filters the noise

thousands of alerts down to confirmed incidents. First responders, highest alert

Tier 2 investigates scope

which systems, how far has it spread, what’s the containment plan.

Tier 3 hunts proactively

finding threats and gaps before they’re exploited.

The handoff between Tier 1 and Tier 2 is the highest failure point

in most SOC operations. Poorly defined escalation criteria result in missed incidents and wasted analyst capacity.

Tier 1 - Triage Specialist

Tier 1 analysts are the first filter. They collect raw telemetry data, review alarms and alerts generated by SIEM and EDR tools, and make the first critical call: is this a real threat or a false positive? Alert fatigue is one of the most significant operational problems in any SOC – analysts are often reviewing hundreds or thousands of alerts per shift.

Confirming, adjusting, or dismissing alert criticality

Enriching alerts with contextual data (asset owner, network segment, user history)

Identifying high-risk patterns across multiple low-severity events

Managing and configuring monitoring tools

Escalating confirmed or suspected incidents to Tier 2

Tier 2 - Incident Responder

Tier 2 analysts receive escalated incidents and do the deeper forensic work. They use threat intelligence – including Indicators of Compromise (IoCs) and updated detection rules – to understand the full scope of an attack. This is the tier where raw telemetry becomes actionable intelligence.
For a deeper look at how Swiss organisations can structure their incident response planning and 24/7 security operations, explore KIDAN’s managed services.

Assessing which systems are affected and how far the attack has spread

Designing and executing containment and recovery strategies

Coordinating with IT teams to isolate or patch affected assets

Escalating major incidents to Tier 3 or calling in additional Tier 2 analysts

Tier 3 - Threat Hunter

Tier 3 analysts are the most experienced people in the SOC. Their most important function is proactive : they hunt for threats, security gaps, and unknown vulnerabilities before an attacker exploits them.

Handling major escalations from Tier 2

Proactively identifying unknown attack vectors

Reviewing and optimising deployed monitoring tools

Evaluating critical threat intelligence from lower tiers

SOC Manager & Specialist Roles

The SOC Manager bridges technical operations and executive leadership: hiring analysts, developing incident response processes, overseeing the SOC budget, supporting security audits, and reporting to the CISO.

Specialist Role

Malware Analyst / Reverse Engineer

Forensics Specialist

Vulnerability Manager

Security Architect

Security Consultant

Specialist Role

Deconstructs malware to support investigations and improve future detection

Investigates cyber events using digital evidence from IT systems and networks

Continuously identifies, assesses, and remediates vulnerabilities across endpoints

Designs the SOC's security infrastructure; oversees vulnerability testing and recovery

Benchmarks SOC capabilities against industry standards and competitor posture

Expert Note - KIDAN SOC Floor

The Tier 1 → Tier 2 handoff is the highest failure point in SOC operations. If escalation criteria are poorly defined, Tier 2 analysts waste time on noise and Tier 1 misses real incidents. Investing in clear, documented escalation thresholds – tied to MITRE ATT&CK-mapped detection rules – reduces both false positives and missed detections.

The Technology Stack

A SOC runs on a layered toolset. The SIEM is the central engine – aggregating logs and generating alerts. SOAR automates response playbooks. EDR/XDR covers endpoint and extended threat visibility. UEBA detects anomalous user behaviour.

Tool

SIEM (Splunk, Microsoft Sentinel)

SOAR

EDR / XDR

NDR

Threat Intelligence Platform

Vulnerability Scanner (Nessus, Qualys)

ITDR

DLP

DRP

Primary Function

Log aggregation, correlation, alerting (e.g. Splunk, Microsoft Sentinel)

Automated response playbooks, case management

Endpoint and cross-domain detection and response

Network traffic analysis and anomaly detection

Aggregates external IoCs and feeds detection rules

Identifies unpatched weaknesses (e.g. Nessus, Qualys)

Identity monitoring, anomaly detection, and account compromise response

Sensitive data monitoring, access control, and data exfiltration prevention

External threat monitoring, brand protection, phishing and data leak detection

Analyst Hierarchy

The SOC Tier Structure

Based on peer-reviewed research by Vielberth, Böhm, Fichtinger & Pernul (2020). Volume decreases as you move up, but the cost of a wrong decision increases.
Illustrative SOC SIEM alert queue. Real interfaces: Splunk, Microsoft Sentinel, QRadar, Elastic SIEM.
The detection rules loaded into your SIEM should be mapped against the MITRE ATT&CK Framework – the industry-standard knowledge base of adversary tactics and techniques used by SOC teams worldwide. For Swiss organisations evaluating SIEM implementation and configuration , KIDAN’s Log360 deployment includes MITRE-mapped detection rules out of the box.

SOC Setup: What It Actually Takes

Building an in-house SOC from scratch typically takes 12 to 18 months before it reaches operational maturity. The timeline includes technology procurement, integration, team hiring, process development, and tuning. Most organisations significantly underestimate this.

The Real Timeline

In-House SOC Implementation Roadmap - 18 Months

Most “quick-win” SOC pitches skip Phase 3 (tuning) and Phase 4 (maturity) – but that’s where 70% of the actual security value is delivered. Outsourced SOCaaS: 4 – 8 weeks to equivalent coverage.
In-house SOC implementation roadmap. SOCaaS providers like KIDAN achieve equivalent coverage in 4 – 8 weeks.
Many organisations begin with a hybrid model – staffing Tier 1 internally while outsourcing Tier 2 and Tier 3 functions – to maintain control without the full setup burden.

The Advantages of a SOC

A SOC reduces dwell time, improves incident response consistency, centralises visibility across your environment, and supports regulatory compliance. For organisations handling sensitive data, a SOC is not optional – it is a compliance requirement.

Faster detection and response

MTTD and MTTR improve significantly with a mature SOC. Shorter dwell time means less data exfiltrated, fewer systems encrypted, and lower recovery costs.

Centralised visibility

Without a SOC, security monitoring is fragmented across firewalls, endpoints, cloud platforms, and applications. A SIEM-backed SOC aggregates all log sources into a single correlated view.

Proactive threat hunting

Tier 3 analysts actively search for adversary behaviour that automated tools miss. This is the difference between reactive and proactive security.

Compliance support

Whether you operate under GDPR, HIPAA, ISO 27001, SOC 2, or Switzerland's nDSG and FINMA Circular 2023/1, a SOC provides the audit trails, incident documentation, and access controls that auditors require.

Expertise on demand

A mature SOC team - malware analysts, forensic specialists, security architects - gives you capabilities most organisations could not hire individually.

The Disadvantages: What No One Tells You

Building an in-house SOC is expensive, time-consuming, and operationally demanding. Analyst burnout, alert fatigue, and tool complexity are persistent challenges. For many organisations, the cost-benefit calculation favours outsourcing.

Swiss-Market Cost Data

In-House SOC Annual Cost - Switzerland

These are not estimates – they are composites built from four verified Swiss-market data sources. The CHF 1.1M floor assumes a lean team with managed tooling.

In-house SOC cost breakdown for Switzerland. Sources [1–5] listed at the end of this article.

High operational cost

As the sourced breakdown above shows, annual costs in Switzerland range from CHF 1.1M to over CHF 4M depending on team size and tooling choices.

Talent scarcity

Experienced SOC analysts - particularly at Tier 2 and Tier 3 - are in short supply globally. Hiring and retaining them in Switzerland's competitive market is a sustained challenge.

Alert fatigue

Poorly tuned SIEM rules generate thousands of false positives per day, eroding analyst focus and increasing the risk that real threats are missed.

Time to operational maturity

A new SOC takes 12 - 18 months to become truly effective. During that window, coverage is incomplete and detection logic is still being refined.

Complexity creep

Integrating new data sources, maintaining detection rules, and keeping tools updated is ongoing operational work - not a one-time project.

In-House SOC vs. SOC-as-a-Service

An in-house SOC gives you full control and deep contextual knowledge. An outsourced SOC (SOCaaS) offers faster deployment, predictable cost, and access to analyst expertise – without the build burden.

In-House SOC

You build, hire, and operate the entire function
internally. Maximum control, maximum cost and time.

Time to deploy

12–18 months

Annual cost (CH)

CHF 1.1M – 4M

24/7 coverage

6–10 analysts min.

Best for

Large enterprises

vs

SOC-as-a-Service

A managed provider runs the SOC on a subscription.
Faster, predictable, expert-led from day one.

Time to deploy

4–8 weeks

Cost model

Monthly subscription

24/7 coverage

Included

Best for

SMEs & mid-market

SOC in Switzerland: Why It's Not Optional

Swiss Regulatory Reality

Three Laws That Make a SOC a Legal Requirement

Most organisations treat SOC as a security decision. In Switzerland, it is also a legal obligation – for financial services, healthcare, and critical infrastructure operators.

Data sovereignty, FINMA
compliance & Swiss-time
coverage.

Switzerland's regulatory environment is among the most demanding in Europe. FINMA's 24-hour reporting deadline, the nDSG's personal liability provisions, and the ISA's mandatory reporting requirements all point to the same conclusion: you cannot meet these obligations without a functioning SOC.

Data Sovereignty

Log data and security events must remain within Swiss borders. Critical for nDSG compliance and financial sector requirements.

FINMA Circular 2023/1

Significant cyberattacks must be reported to FINMA within 24 hours of discovery - operationally impossible without a functioning SOC.

DE/FR Coverage · CET Timezone

German- and French-speaking analysts in CET is a material operational advantage during an active incident in Switzerland.

Swiss compliance requirements and SOC delivery. Sources: nexova.ch [6], lexology.com [7], grantthornton.ch [8], iclg.com [9].

nDSG (Revised Swiss Data Protection Act)

In force since 1 September 2023, the nDSG applies to all organisations processing personal data in Switzerland, with fines of up to CHF 250,000 - imposed on individual employees, not just the company. The SOC's SIEM generates the tamper-proof incident records and breach notification evidence the nDSG requires.

FINMA Circular 2023/1

In force since 1 January 2024. FINMA explicitly recommends that supervised institutions "develop a security operations centre (SOC) that operates around the clock to monitor, detect and respond to cyber incidents in real time." Significant cyberattacks must be reported to FINMA within 24 hours of discovery - impossible without a functioning SOC.

ISA (Information Security Act)

Since 1 April 2025, operators of critical infrastructure - energy, finance, healthcare - must report significant cyberattacks to Switzerland's National Cyber Security Centre (NCSC) within 24 hours. The SOC is the only operational mechanism capable of meeting this deadline reliably.

Ready to skip the 18-month build? KIDAN SOC is live in weeks.
Explore managed SOC services for Swiss organisations – FINMA-aligned, Swiss data residency, German/French analyst coverage.

Frequently Asked Questions

A SOC monitors your IT environment 24/7, detects threats, and responds to incidents. Its tiered analyst structure — from Tier 1 triage to Tier 3 threat hunting — ensures every alert is assessed at the right expertise level. The goal is to minimise MTTD and MTTR before damage occurs.
A SIEM is a tool — it aggregates logs, correlates events, and generates alerts. A SOC is an operational function — the team, processes, and full technology stack that acts on what the SIEM surfaces. The SIEM is the SOC’s central nervous system, not a replacement for it. A SIEM without a SOC produces alerts nobody investigates.
Yes — persistently. Alert volumes are high, incidents can escalate rapidly, and the work is often shift-based. Research consistently identifies alert fatigue as a leading cause of analyst burnout. Well-structured SOCs mitigate this through automation, clear escalation paths, and defined analyst development tracks.
The four types are: Strategic (high-level trends for executive decision-making), Tactical (adversary TTPs mapped to MITRE ATT&CK), Operational (specific attack campaigns and threat actor intent), and Technical (IoCs — file hashes, IP addresses, domain names — used directly in detection tools).
A SOC framework defines team structure, incident classification and escalation, tooling, and performance measurement. Common reference frameworks include NIST CSF, ISO 27001, and the MITRE ATT&CK Framework. The tiered analyst model — Tier 1 triage, Tier 2 incident response, Tier 3 threat hunting — is itself a foundational framework element validated by academic research.

Written by

KIDAN Security Team

Switzerland's managed SOC experts - delivering FINMA-aligned, 24/7 security operations from Swiss data centres. Based in Gland and Zurich.

A cyberattack can go undetected for 207 days on average. By then, the damage is done — data is gone, operations are disrupted, and trust is broken. A Security Operations Center (SOC) exists to close that window dramatically. After reading this, you will know exactly how a SOC works, who sits inside one, what it costs to get wrong, and whether an in-house or outsourced model makes sense for your organization.

What makes this guide different from every other resource on this topic: it draws on peer-reviewed research by Vielberth, Böhm, Fichtinger, and Pernul, which maps the specific roles, responsibilities, and skill sets inside a working SOC. It also covers what competitors consistently skip: the disadvantages of running a SOC, realistic setup timelines, and SOC-as-a-Service options in Switzerland.

Content Gap Notice

The leading resources on SOC — including guides from Microsoft, IBM, and Check Point — cover the basics well. None of them address the real costs and limitations of building a SOC, the time it takes to become operational, or outsourced SOC options for Swiss businesses. This article fills those gaps directly, using sourced Swiss-market data.

 Infographic 1 — The Cost of Not Knowing

207 Days: The Invisible Window

Without a SOC, attackers operate undetected. This is the window they exploit — and the window a SOC closes.

207

Days avg.

In those 207 days, attackers move laterally, escalate privileges, exfiltrate data, and prepare ransomware payloads. A mature SOC compresses this window to minutes, not months — through continuous monitoring, behavioral analytics, and a tiered analyst response that never clocks out.

< 5

MTTD (minutes) — Mature SOC

< 15 - 30

MTTR (minutes) — Mature SOC

298 days

Avg. time to contain — no SOC

Fig. 1 — Industry baseline dwell times. Source: IBM Cost of a Data Breach Report. MTTD/MTTR estimates based on mature SOC benchmarks.

What Is a Security Operations Center?

A Security Operations Center (SOC) is a dedicated team — supported by technology — that monitors, detects, investigates, and responds to cybersecurity threats around the clock. It centralises security operations into a single function combining people, processes, and tools.

Think of the SOC as your organization’s immune system. Rather than just preventing threats, its real power is detecting anomalies early, containing damage before it spreads, and learning from every incident. The SOC is not a product you buy — it is an operational capability you build or contract.

At its core, a SOC performs four primary functions:

Continuous monitoring

24/7 visibility across endpoints, networks, cloud environments, and applications

Incident Rresponse

containing, eradicating, and recovering from confirmed security incidents

Compliance support

maintaining audit trails and evidence for frameworks like GDPR, ISO 27001, SOC 2, and HIPAA

The SOC Team: Who Does What

A modern SOC is built on a tiered analyst structure — Tier 1 (triage), Tier 2 (incident response), and Tier 3 (threat hunting) — supported by specialist roles and a SOC Manager. Each tier requires distinct skills, and the handoff between them is critical to effective incident response.

Infographic 2 — Analyst Hierarchy

The SOC Tier Structure

Based on peer-reviewed research by Vielberth, Böhm, Fichtinger & Pernul (2020). Volume decreases as you move up — but the cost of a wrong decision increases.

Tier 1

Triage Specialist

1,000s

alerts/shift

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Thank you for applying to the KAI Builder Program by KIDAN.

Your application is now under review. Our team will carefully evaluate your use case, commitment level, and strategic fit. If shortlisted, you will hear from us within 5 business days to schedule your Discovery Call.

We look forward to potentially building the future of AI together.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details For Pricing

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.

Quick details before your demo

Almost there – a few quick details first.