Tool
In-house SOC vs. managed MDR TCO calculator
A three-year total cost of ownership model that compares building a security operations capability in-house against buying a managed MDR service. All computation happens in your browser. Change the inputs. Expand the rationale. Send the output to your CFO with the assumptions visible.
Range: 100 to 20,000
EDR, SIEM, threat intel, orchestration
Baseline for sanity checking
Compliance frameworks subject to
Each framework adds 5% to in-house effort (evidence, audit prep, control monitoring).
In-house SOC
8 analysts, 1 framework
EFROS MDR
1,000 seats, $15/seat/month baseline
3-year delta (in-house minus MDR)
MDR is cheaper over 3 years at these inputs.
Directional model. Actual pricing depends on specific requirements (environment complexity, cleared personnel needs, geographic compensation variance, contract term). Use the output as a starting point for a real conversation, not as a procurement-grade number.
What this calculator actually models
The calculator compares two three-year spend profiles. On one side, the cost of standing up and running an in-house SOC sized to your headcount and coverage requirements. On the other, the cost of a managed MDR service priced by seat. Both sides compound over three years so the model reflects how the costs actually behave (analysts get raises, tooling licenses reprice, contracts have built-in escalators).
The in-house side starts from a base of eight analysts for 24/7 coverage (four shifts, two-per-shift redundancy). If 24/7 is toggled off, the model drops to business-hours staffing (three analysts). Each analyst is loaded at $180K (base, benefits, payroll tax, equipment, training budget), which reflects what L2 SOC talent commands in a tier-1 US market in 2026. Tooling spend is passed through from your current number. A first-year onboarding inefficiency penalty captures the gap between a paper org chart and a functioning SOC. Years two and three add wage inflation and a turnover replacement cost (SOC analyst attrition runs 25 to 40 percent annually at most companies that have not solved retention).
Inputs and why each one matters
Organization size (seats) drives the managed MDR side. Per-seat MDR pricing is how every mature provider quotes (including us), because it correlates with the telemetry volume and analyst effort the service actually consumes. If your environment has outsized endpoint count per user (VDI, contractor fleets, OT), use the higher number.
Current annual tooling spend is passed through to the in-house side unchanged (you pay for EDR, SIEM, threat intel, and orchestration whether you staff the SOC yourself or not). If you assume a managed provider would consolidate some of that tooling, reduce the number accordingly before running the model. Current annual security team spend is the baseline we use to sanity-check the in-house headcount assumption. Compliance framework selections add effort to the in-house path because evidence generation, audit prep, and continuous control monitoring consume analyst cycles. 24/7 coverage is the biggest single swing: business-hours SOC is roughly 40 percent of the headcount cost of round-the-clock coverage.
How we derived the default cost ranges
The analyst loaded-cost default of $180K comes from 2025-2026 compensation data across engagements where we priced SOC staffing in Boston, New York, DC metro, Austin, and Seattle. It lands mid-range: lower for lower-cost markets and remote-first teams, higher in major metros or for cleared analysts. Wage inflation at 15 percent annually on the in-house side reflects the combination of merit increase plus market catch-up that SOC talent has commanded for the past four years. It is aggressive compared to generic BLS figures and accurate compared to what people who have actually run in-house SOC programs have paid.
Turnover cost at $100K in year two and $150K in year three reflects the all-in cost of replacing a mid-level analyst: recruiting fees or internal recruiter time, the productivity gap during the open seat, onboarding, and the increased incident risk during coverage gaps. The MDR default of $15 per seat per month is on the low end of market pricing for true MDR (24/7 human operations, pre-authorized containment, threat hunting). Pure automated alerting services sell for less; those are a different product and should not be compared on this chart.
What the calculator deliberately leaves out
Shared overhead is not allocated. If you already have HR, facilities, and L&D capacity to absorb a SOC without net-new headcount, the in-house number overstates your incremental cost. Conversely, if building a SOC means standing up a 24/7 facility, a new compensation band, and a new training program, the model understates the cost. We chose to leave these out because they vary by 10x across customers and baking them into a default would make the output worse, not better.
The outcome side is also absent. A 30-minute MTTC versus a 4-hour MTTC has real dollar impact on breach cost, but breach cost is a probability-weighted calculation that depends on your industry, data sensitivity, cyber insurance structure, and regulatory exposure. A SOC TCO model that tries to monetize detection quality on top of everything else ends up with so much compounded uncertainty that the answer is no better than a coin flip. Use this model for the spend line. Do the outcome analysis separately with a threat profile specific to your business.
How to read the 3-year TCO output
The dollar delta and percentage delta at the bottom tell you how the two options compare in cumulative spend. A positive savings number means managed MDR is cheaper over the three-year window. A negative number means the in-house path is cheaper (rare at most realistic seat counts with 24/7 coverage, common at high seat counts with strong retention and a mature existing SOC team). The year-by-year breakdown matters more than the total, because a path that is cheaper in year three but 2x more expensive in year one still may not be affordable. Look at the shape of the cost curve, not just the area under it.
Finally, treat the output as directional. If the delta is under 15 percent either way, treat it as functionally equivalent and make the decision on operational fit (speed to value, risk tolerance for in-house build failure, board preference). If the delta is above 30 percent, the dominant option is probably the right answer and the remaining decision is how to get there. If you want the underlying numbers reviewed against your specific environment, the button below routes to a working session, not a sales call.