A SOC — Security Operations Centre — is the team and technology that watch your systems around the clock for signs of a cyber attack and respond when one is found. Think of it as a manned alarm centre for your IT: not just sensors, but trained people who notice when something is wrong and act on it.
Most small and medium UK businesses can’t justify their own 24/7 security team, so they buy this as a service — a managed SOC, usually sold under the banner of MDR (Managed Detection and Response), often from their MSP. This guide explains what that actually delivers and how to tell a real service from a marketing badge.
What a SOC actually does
A SOC combines three things: technology that collects security signals from across your devices, cloud services and network; people — analysts who investigate those signals; and process — defined ways of triaging, escalating and responding. Day to day, that means:
- Continuous monitoring — watching for suspicious logins, malware, unusual data movement and known attack patterns, 24/7.
- Threat detection & triage — separating real threats from the noise of everyday alerts, so you’re not drowned in false alarms.
- Investigation — analysts confirming whether an alert is a genuine incident and how far it has spread.
- Response & containment — isolating an affected device, disabling a compromised account or guiding your team to stop an attack spreading.
- Reporting — clear write-ups of what happened, what was done, and what to fix.
The point of a SOC is speed. Most serious breaches are not instant; attackers move through a network over hours or days. Catching them early is the difference between a contained incident and a front-page one.
SOC, MDR, SIEM, EDR: cutting through the acronyms
These terms get used loosely, which makes services hard to compare. Here’s how they fit together:
| Term | What it is |
|---|---|
| Antivirus | Blocks known malware on a single device. Necessary, but only catches what it already recognises. |
| EDR | Endpoint Detection & Response — records and analyses what happens on devices to catch subtler, behaviour-based attacks. |
| SIEM | Security Information & Event Management — collects and correlates logs from across your systems to surface patterns. |
| SOC | The team and function that monitor and respond, using tools like EDR and SIEM. |
| MDR | Managed Detection & Response — the service that wraps people and process around the technology, delivered for you 24/7. |
The simplest way to think about it: tools (EDR, SIEM) generate signals; a SOC is the people watching them; and MDR is how that capability is sold to you as a managed service. A pile of tools with nobody watching them is not a SOC.
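To make the "tools generate signals, people triage them" distinction concrete, here is an added example (not code from WhatMSP or from any vendor) of the kind of correlation rule a SIEM or EDR runs: it parses a handful of constructed authentication events, raises an alert only when a successful login follows a burst of failures from the same source, and bumps the severity when the login lands out of hours. The log format, the timestamps and the thresholds are all assumptions made up for the example; the alert it produces is exactly the sort of signal an analyst then has to investigate.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from any real system). 2024-03-09 is a Saturday.
SAMPLE_LOG = """\
2024-03-09 02:41:05 FAIL user=alice src=203.0.113.7
2024-03-09 02:41:09 FAIL user=alice src=203.0.113.7
2024-03-09 02:41:14 FAIL user=alice src=203.0.113.7
2024-03-09 02:41:20 FAIL user=alice src=203.0.113.7
2024-03-09 02:41:31 OK user=alice src=203.0.113.7
2024-03-09 09:15:00 FAIL user=bob src=198.51.100.4
2024-03-09 09:15:30 OK user=bob src=198.51.100.4
"""

# Assumed line layout: "<date> <time> <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+ \S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(text):
    """Turn raw log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "ok": m.group(2) == "OK",
            "user": m.group(3),
            "src": m.group(4),
        })
    return events


def out_of_hours(ts):
    """Assumed working pattern: 08:00-18:00, Monday to Friday."""
    return ts.weekday() >= 5 or ts.hour < 8 or ts.hour >= 18


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Rule: a successful login preceded by >= threshold failures for the same
    user and source within `window` is suspicious. Out of hours raises severity.
    A single stray failure (bob) stays below the threshold and is treated as noise."""
    alerts = []
    for i, ev in enumerate(events):
        if not ev["ok"]:
            continue
        fails = [e for e in events[:i]
                 if not e["ok"] and e["user"] == ev["user"] and e["src"] == ev["src"]
                 and timedelta(0) <= ev["ts"] - e["ts"] <= window]
        if len(fails) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"], "failures": len(fails),
                           "at": ev["ts"].isoformat(),
                           "severity": "high" if out_of_hours(ev["ts"]) else "medium"})
    return alerts
```

Running `correlate(parse(SAMPLE_LOG))` yields one high-severity alert for alice at 02:41 on a Saturday and nothing for bob; deciding whether alice's login is a compromised account or a user mistyping a password is the investigation step that needs a person.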
Where it fits with prevention and certifications
Security has two halves: prevention on one side, and detection and response on the other. Certifications such as Cyber Essentials and an information security management system under ISO 27001 are about getting prevention right — closing the doors. A SOC or MDR service assumes that, despite good prevention, some attacks will still get through, and exists to catch them fast. The two are complementary: strong prevention means fewer incidents, and a SOC limits the damage of the ones that happen anyway.
What to look for in a managed SOC / MDR
“We monitor your systems” can mean anything from a fully staffed 24/7 operation to a dashboard nobody watches overnight. Pin it down:
- Genuine 24/7 coverage — attacks favour evenings, weekends and holidays. Confirm cover is round-the-clock, not just business hours.
- Response, not just alerts — does the service actively contain threats, or simply email you an alert and leave the rest to you?
- Defined response times — guaranteed times to act on serious incidents, in writing.
- The technology behind it — EDR, SIEM and current threat intelligence, named clearly.
- Where the analysts are — location and availability of the people, which affects both speed and data residency.
- Clear reporting — you should receive plain-English incident reports and regular summaries.
If a provider sells “SOC” or “MDR” but can’t say whether anyone is watching at 3am, or whether they actively respond versus merely alert, you may be buying a tool licence dressed up as a service. Ask exactly what happens when a real threat is detected out of hours.
How WhatMSP factors this in
A managed security stack — including SOC/MDR capability and 24/7 cover — sits within the Capability & Technical category of our independent score out of 50. It helps distinguish providers running an enterprise-grade security operation from those offering basic antivirus and hoping for the best. If continuous monitoring matters to you, it’s a capability worth comparing directly.
Find providers with real security operations
Compare vetted MSPs on their security capability, independently scored out of 50 and verified at source. We don’t sell rankings — the score is earned. Free for buyers.
Frequently asked questions
What is a SOC?
A SOC, or Security Operations Centre, is a team and toolset that continuously monitors an organisation's systems for signs of a cyber attack and responds when something is found. A managed SOC delivers this as a service, so a smaller business gets round-the-clock threat detection and response without building its own 24/7 security team.
What is the difference between a SOC and MDR?
A SOC is the function — monitoring and responding to security threats. MDR (Managed Detection and Response) is the service most providers actually sell to deliver that function: technology plus human analysts who detect threats and take or guide response, around the clock. In practice "managed SOC" and "MDR" are often used to describe the same outcome.
What is the difference between antivirus, EDR, MDR and SIEM?
Antivirus blocks known malware on a device. EDR (Endpoint Detection and Response) records and analyses endpoint activity to catch subtler attacks. SIEM collects and correlates logs from across your systems to spot patterns. MDR is the managed service that puts people and process around tools like EDR and SIEM so threats are actually investigated and acted on, not just logged.
Does my business need a SOC or MDR?
If you hold sensitive data, operate in a regulated sector, or simply could not absorb a serious breach, then continuous monitoring is increasingly important — attacks do not keep office hours. Many small and medium UK businesses meet this need through an MSP's managed SOC or MDR service rather than building one in-house.
What should I look for in a managed SOC service?
Ask about genuine 24/7 coverage, whether the SOC actively responds or only alerts, guaranteed response times for serious incidents, the technology behind it (EDR, SIEM and threat intelligence), where the analysts are based, and how incidents are reported to you. Vague "we monitor your systems" claims with no detail are a warning sign.
How does a managed SOC relate to certifications like Cyber Essentials?
Certifications such as Cyber Essentials and ISO 27001 show that preventative controls and security management are in place. A managed SOC or MDR is the detection-and-response layer that assumes some attacks will get past prevention and catches them quickly. They are complementary: good prevention reduces incidents, and a SOC limits the damage of the ones that occur.