If you run a UK MSP, you've almost certainly had the SOC conversation in the last twelve months. An SME client asks for 24/7 monitoring. Their cyber insurance now requires it. A prospect rules you out for not offering it. You sit down with a spreadsheet and realise the economics are brutal.
This post is that spreadsheet, done properly. We'll compare the three realistic options — build, buy, augment — at three tenant sizes, with numbers drawn from 40+ live UK MSP engagements. No marketing, no hand-waving. If the numbers don't work for your book, don't do it.
The scenario
We'll model a hypothetical UK MSP — let's call them Meridian IT — servicing SME clients out of Manchester. Meridian has 35 tenants averaging 120 seats each, Microsoft 365 dominant, with some Azure and SentinelOne workload. Three of their tenants are in regulated sectors (legal, financial advisory, healthcare) and are now contractually required to have 24/7 monitoring. The other 32 are "CE+ level" clients who would benefit from proper monitoring but won't pay top-tier prices.
Meridian's pricing to clients:
- Regulated tier: £18 / seat / month including SOC
- Standard tier: £9 / seat / month, no SOC (currently)
- SOC add-on (when offered): £5–£8 / seat / month
Option 1 — Build in-house SOC
Meridian hires two Tier 1 analysts, one Tier 2, and a part-time detection engineer. They lease 24/7 coverage via three shifts plus weekends. They buy Microsoft Sentinel and build their own content library.
Costs
| Line item | Year 1 | Year 2+ |
|---|---|---|
| 3 Tier 1 analysts @ £38k + 28% on-cost | £146k | £150k |
| 1 Tier 2 analyst @ £55k + 28% on-cost | £70k | £72k |
| Detection engineer, 50% allocation @ £68k | £43k | £44k |
| SOC manager, 25% allocation @ £80k | £26k | £27k |
| Sentinel ingestion (35 tenants × avg 15GB/day × £2.13/GB) | £408k | £408k |
| SOAR / playbook tooling (Logic Apps, Tines) | £24k | £18k |
| EDR (SentinelOne) at MSP rate, 4,200 seats × £42/seat/year | £176k | £176k |
| Threat intel feeds | £18k | £18k |
| Training, certs, on-call stipends | £22k | £22k |
| Setup costs (SOC fit-out, onboarding, documentation) | £60k | — |
| Total | £993k | £935k |
Revenue (35 tenants, 4,200 seats, all on SOC)
If every client moves to the regulated tier at £18/seat/month: £907k/year. That's a loss of ~£86k in year 1 even with 100% uptake — which will not happen. Realistic uptake is 40–60% in year 1, 70–80% by year 2.
Gotchas
- Hiring. Tier 1 cyber analysts in the UK are not available at £38k in most markets outside London. You'll end up at £42–45k, or 3–6 months of unfilled seats.
- Retention. T1 analyst burnout gives you 50–70% turnover. Replacement hiring costs ~£12k per hire in recruiter + time.
- Coverage gaps. Three T1 analysts cannot actually cover 24/7/365 without significant overtime or gaps. You'll end up buying a 4th to be safe.
- Sentinel ingestion cost growth. The £408k line item grows 15–25% year-over-year as client estates generate more logs. Azure commitment tiers soften but don't eliminate this.
Verdict: viable for MSPs with 80+ tenants where the fixed costs amortise. Poisonous below 50 tenants.
Option 2 — Buy a white-label MSSP
Meridian outsources SOC to a UK-based white-label MSSP (names withheld). The MSSP provides 24/7 monitoring, ticketing into Meridian's PSA, and a quarterly threat brief.
Costs
White-label MSSP pricing in the UK market in 2026 sits at £11–£16 per seat per month depending on volume and SLA tier. For Meridian's volume:
- 4,200 seats × £13/seat/month = £655k/year
- Plus SIEM ingestion passed through: ~£180k/year (MSSPs negotiate better Sentinel rates, but the markup offsets most of it)
- Plus onboarding and integration: £40k year 1, £15k ongoing
- Total Year 1: £875k. Year 2+: £850k.
Revenue
Same as build — £907k if all tenants move to £18/seat/month. Margin: 4–6%. That's not a business; that's an expensive pass-through.
Gotchas
- Brand confusion. White-label rarely stays invisible. Clients get tickets in non-Meridian language, and Meridian can't answer detailed questions about their own SOC.
- Detection quality. MSSP content is generic, tuned for the portfolio average. False-positive rates in SocSage's benchmarks are 2.3× higher for white-label MSSPs than properly-tuned Sentinel instances.
- Escalation friction. A client incident escalates via the MSSP's PSA → Meridian's PSA → client, adding 10–25 minutes to every serious response.
- Contract rigidity. Most white-label MSSPs require 24–36 month commitments with minimum seat counts. Losing a tenant doesn't reduce cost.
Verdict: works for MSPs who want to say "yes" to 24/7 without building it, and are willing to take zero margin on the SOC line. Poor if you want the SOC to be a profit centre.
Option 3 — Augment Tier 1 with agentic AI
Meridian keeps their existing two T1 analysts. They layer SocSage's agentic SOC platform on top. SocSage handles 60–70% of alert investigation autonomously, with HITL gates for all destructive actions. The human analysts focus on the 30–40% that need judgement, plus threat hunting and detection engineering.
Costs
| Line item | Year 1 | Year 2+ |
|---|---|---|
| 2 existing T1 analysts (no new hires) | £97k | £100k |
| 1 T2 analyst (existing) | £70k | £72k |
| SocSage platform, 35 tenants @ £400/tenant/month | £168k | £168k |
| Sentinel ingestion (same as build option) | £408k | £408k |
| EDR + threat intel (same as build) | £194k | £194k |
| Night/weekend on-call stipend (SocSage covers most out-of-hours triage) | £14k | £14k |
| Setup and onboarding | £8k | — |
| Total | £959k | £956k |
At first glance the total is similar to buy. But look at the revenue side:
Revenue potential
- Because SocSage's per-tenant marginal cost is ~£400/month, not ~£1,500/month (MSSP loaded cost), Meridian can offer SOC to all 35 tenants, not just the 3–5 regulated ones.
- Standard tier goes from £9 to £14/seat/month with SOC included. Even at 60% uptake, that's 2,100 seats × £5 uplift = £126k/year incremental.
- Regulated tier remains at £18/seat, delivered from the same platform.
- Full-book revenue at blended uptake: ~£1.02M/year, giving ~£65k margin in year 1, ~£70k year 2.
But the bigger story is capacity
Meridian's 2 T1 analysts, augmented, can service 50+ tenants without adding headcount. That's the real economics: the marginal cost of onboarding tenant 36, 37, 38 is £400/month each, not £28k/year in new analyst time. At 50 tenants, Meridian's P&L looks fundamentally different.
Side-by-side
| Build | Buy MSSP | Augment with AI | |
|---|---|---|---|
| Year 1 cost (35 tenants) | £993k | £875k | £959k |
| Margin on SOC line | -9% (loss) | 4% | ~6% |
| Can offer SOC to non-regulated tier | Marginal | No (cost too high) | Yes |
| Marginal cost per new tenant | Low (analyst time only) | £1,500/month | £400/month |
| Scales to 100+ tenants without pain | Yes, after £1M+ investment | Yes, but no margin | Yes, with existing team |
| Time to launch | 6–12 months | 8–12 weeks | 2–3 weeks |
| Client relationship ownership | Full | Partial (white-label gap) | Full |
When to pick which
- Below 30 tenants: buy MSSP if you must, augment with AI if you can. Building is suicidal at this scale.
- 30–80 tenants: augment is almost always the right answer. The unit economics work, the time-to-market is weeks, and you keep client ownership.
- 80+ tenants, strategically committed to SOC as a product: build OR augment. Many larger MSPs run hybrid — their own T1/T2 augmented with AI for alert triage, plus a small in-house detection engineering team.
See SocSage investigate your first alert — in 3 minutes.
Run 330+ compliance checks on your Microsoft 365 or Google Workspace tenant. No credit card, no agents. See a real AI-triaged alert before lunch.
Start free scan →