MSP Business

SOC Economics for UK MSPs: Build vs Buy vs Augment in 2026

30 May 2026 12 min read By Bazam

If you run a UK MSP, you've almost certainly had the SOC conversation in the last twelve months. An SME client asks for 24/7 monitoring. Their cyber insurance now requires it. A prospect rules you out for not offering it. You sit down with a spreadsheet and realise the economics are brutal.

This post is that spreadsheet, done properly. We'll compare the three realistic options — build, buy, augment — at three tenant sizes, with numbers drawn from 40+ live UK MSP engagements. No marketing, no hand-waving. If the numbers don't work for your book, don't do it.

The scenario

We'll model a hypothetical UK MSP — let's call them Meridian IT — servicing SME clients out of Manchester. Meridian has 35 tenants averaging 120 seats each, Microsoft 365 dominant, with some Azure and SentinelOne workload. Three of their tenants are in regulated sectors (legal, financial advisory, healthcare) and are now contractually required to have 24/7 monitoring. The other 32 are "CE+ level" clients who would benefit from proper monitoring but won't pay top-tier prices.

Meridian's pricing to clients:

Option 1 — Build in-house SOC

Meridian hires two Tier 1 analysts, one Tier 2, and a part-time detection engineer. They lease 24/7 coverage via three shifts plus weekends. They buy Microsoft Sentinel and build their own content library.

Costs

Line itemYear 1Year 2+
3 Tier 1 analysts @ £38k + 28% on-cost£146k£150k
1 Tier 2 analyst @ £55k + 28% on-cost£70k£72k
Detection engineer, 50% allocation @ £68k£43k£44k
SOC manager, 25% allocation @ £80k£26k£27k
Sentinel ingestion (35 tenants × avg 15GB/day × £2.13/GB)£408k£408k
SOAR / playbook tooling (Logic Apps, Tines)£24k£18k
EDR (SentinelOne) at MSP rate, 4,200 seats × £42/seat/year£176k£176k
Threat intel feeds£18k£18k
Training, certs, on-call stipends£22k£22k
Setup costs (SOC fit-out, onboarding, documentation)£60k
Total£993k£935k

Revenue (35 tenants, 4,200 seats, all on SOC)

If every client moves to the regulated tier at £18/seat/month: £907k/year. That's a loss of ~£86k in year 1 even with 100% uptake — which will not happen. Realistic uptake is 40–60% in year 1, 70–80% by year 2.

Gotchas

Verdict: viable for MSPs with 80+ tenants where the fixed costs amortise. Poisonous below 50 tenants.

Option 2 — Buy a white-label MSSP

Meridian outsources SOC to a UK-based white-label MSSP (names withheld). The MSSP provides 24/7 monitoring, ticketing into Meridian's PSA, and a quarterly threat brief.

Costs

White-label MSSP pricing in the UK market in 2026 sits at £11–£16 per seat per month depending on volume and SLA tier. For Meridian's volume:

Revenue

Same as build — £907k if all tenants move to £18/seat/month. Margin: 4–6%. That's not a business; that's an expensive pass-through.

Gotchas

Verdict: works for MSPs who want to say "yes" to 24/7 without building it, and are willing to take zero margin on the SOC line. Poor if you want the SOC to be a profit centre.

Option 3 — Augment Tier 1 with agentic AI

Meridian keeps their existing two T1 analysts. They layer SocSage's agentic SOC platform on top. SocSage handles 60–70% of alert investigation autonomously, with HITL gates for all destructive actions. The human analysts focus on the 30–40% that need judgement, plus threat hunting and detection engineering.

Costs

Line itemYear 1Year 2+
2 existing T1 analysts (no new hires)£97k£100k
1 T2 analyst (existing)£70k£72k
SocSage platform, 35 tenants @ £400/tenant/month£168k£168k
Sentinel ingestion (same as build option)£408k£408k
EDR + threat intel (same as build)£194k£194k
Night/weekend on-call stipend (SocSage covers most out-of-hours triage)£14k£14k
Setup and onboarding£8k
Total£959k£956k

At first glance the total is similar to buy. But look at the revenue side:

Revenue potential

But the bigger story is capacity

Meridian's 2 T1 analysts, augmented, can service 50+ tenants without adding headcount. That's the real economics: the marginal cost of onboarding tenant 36, 37, 38 is £400/month each, not £28k/year in new analyst time. At 50 tenants, Meridian's P&L looks fundamentally different.

Side-by-side

BuildBuy MSSPAugment with AI
Year 1 cost (35 tenants)£993k£875k£959k
Margin on SOC line-9% (loss)4%~6%
Can offer SOC to non-regulated tierMarginalNo (cost too high)Yes
Marginal cost per new tenantLow (analyst time only)£1,500/month£400/month
Scales to 100+ tenants without painYes, after £1M+ investmentYes, but no marginYes, with existing team
Time to launch6–12 months8–12 weeks2–3 weeks
Client relationship ownershipFullPartial (white-label gap)Full

When to pick which

See SocSage investigate your first alert — in 3 minutes.

Run 330+ compliance checks on your Microsoft 365 or Google Workspace tenant. No credit card, no agents. See a real AI-triaged alert before lunch.

Start free scan