Build, co-source or outsource your SOC — 2026 reality check.
Cost, MTTD/MTTR and talent retention compared across in-house, hybrid and MDR models in the GCC.

This benchmark draws on anonymised data from MAST Consulting Group's Cybersecurity Advisory portfolio across the UAE, KSA and India. Sample sizes are noted where they matter; numbers are reproduced in ranges to preserve client confidentiality while remaining useful for planning.
Definition
The SOC build-vs-buy decision framework evaluates in-house, co-sourced (hybrid), and fully outsourced Managed Detection and Response (MDR) models against total cost, detection capability, and talent retention metrics specific to GCC labour market conditions. It provides a structured comparison to guide organisations toward the model that optimises MTTD/MTTR at the lowest sustainable cost.
Why it matters
The pressure on Cybersecurity Advisory programmes is shifting in specific, observable ways:
- NCA ECC-1 3-6-1 and SAMA CSF 3.4.2 require 24×7 security monitoring; in-house SOCs in KSA and UAE face a 40–60% annual analyst turnover rate that structurally undermines compliance continuity.
- GCC in-house SOC total cost (L1–L3 team, SIEM, tooling) runs SAR 3.5M–8M annually for mid-market firms; MDR contracts range SAR 600K–2M for equivalent coverage, compressing the CFO conversation.
- CBUAE and DFSA outsourcing frameworks require documented vendor due diligence (concentration risk, exit plans) — a co-source model with defined RACI satisfies this without full build cost.
- MTTD benchmarks: in-house GCC SOCs average 18–26 hours; MDR providers with ML-assisted triage average 4–8 hours — a gap that directly affects ransomware blast radius and regulatory notification timelines.
Evidence sources to capture
What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:
- SIEM (Splunk / Microsoft Sentinel) alert queue metrics — L1 triage volume per analyst per day, escalation rate to L2, and false-positive percentage by use case.
- MTTD/MTTR incident register — per-incident timestamps from first alert to containment, segmented by model (in-house vs. MDR shift).
- HR cost workbook — fully loaded annual cost per SOC analyst tier (L1: AED 180K–260K; L2: AED 280K–380K; L3: AED 400K–600K) including visa, training, and turnover replacement.
- MDR SLA performance reports — contractual vs. actual MTTD, escalation SLA breaches, and the monthly false-positive rate reported by the provider.
- Vendor due diligence questionnaire responses — SOC 2 Type II certificates, data residency confirmations (UAE/KSA), and subcontractor disclosure per CBUAE outsourcing guidance.
Recommended next actions
A 90-day plan, sequenced so each step produces evidence the next step depends on:
- Day 0–30: CISO commissions a current-state SOC cost model (HR, tooling, facilities in AED/SAR) and benchmarks MTTD/MTTR against NCA ECC-1 3-6-1 requirements and the organisation's incident response SLA.
- Day 31–60: Procurement and Security Architect issue an RFP to three GCC-present MDR providers (e.g. CrowdStrike Falcon Complete, Palo Alto XMDR, regional MSSPs) specifying data-residency, MTTD SLA ≤4 hrs, and NCA-aligned use-case coverage.
- Day 61–90: CISO presents a three-scenario TCO model (build/co-source/outsource) to the CFO and the CISO steering committee, including hidden costs (turnover replacement ~SAR 80K per analyst, re-training, tool licensing).
- Day 90+: Selected model is contracted with documented SLAs, RACI, and a quarterly service review cadence embedded in the vendor management framework per SAMA CSF 3.4.
- Ongoing: Security Operations Manager reviews MTTD/MTTR monthly against SLA thresholds and triggers a penalty clause or model-switch review if MTTD exceeds 8 hours for critical severity events.
Example metrics
Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:
- MTTD for critical severity events — target: ≤4 hours (MDR benchmark); ≤8 hours acceptable for hybrid model.
- MTTR to containment — target: ≤2 hours for ransomware-class incidents per NCA ECC-1 IR requirements.
- SOC analyst annual attrition rate — flag if >30%; triggers co-source review threshold.
- False-positive rate per SIEM use case — target: <10% after tuning; review use cases above 25%.
- Total SOC cost per security event investigated — benchmark: SAR 180–450 in-house vs. SAR 60–150 MDR.
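An added example, not part of the MAST benchmark: computing critical-severity MTTD and ransomware MTTR from an incident register, segmented by operating model, and checking them against the thresholds quoted above. The register rows are constructed, and the column layout, the `onset` timestamp and the model labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Thresholds quoted from the page (hours).
MTTD_TARGET_H = {"mdr": 4.0, "hybrid": 8.0}  # critical-severity MTTD targets
MTTD_REVIEW_H = 8.0      # above this: penalty clause / model-switch review
MTTR_RANSOMWARE_H = 2.0  # first alert -> containment, ransomware-class

# Constructed sample register, not real incidents. Column layout is assumed:
# id, model, severity, class, onset, first_alert, contained
REGISTER = [
    ("INC-001", "in-house", "critical", "ransomware", "2026-01-05T01:00", "2026-01-05T21:00", "2026-01-06T00:00"),
    ("INC-002", "in-house", "critical", "phishing", "2026-01-12T08:00", "2026-01-13T08:00", "2026-01-13T09:00"),
    ("INC-003", "mdr", "critical", "ransomware", "2026-01-07T10:00", "2026-01-07T15:00", "2026-01-07T16:30"),
    ("INC-004", "mdr", "critical", "phishing", "2026-01-20T02:00", "2026-01-20T05:00", "2026-01-20T06:00"),
    ("INC-005", "mdr", "low", "policy", "2026-01-21T00:00", "2026-01-22T12:00", "2026-01-22T13:00"),
    ("INC-006", "hybrid", "critical", "ransomware", "2026-01-15T00:00", "2026-01-15T06:00", "2026-01-15T09:00"),
]

def hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600

def summarise(register):
    """Return (per-model critical MTTD report, ransomware MTTR breach ids)."""
    mttd, mttr_breaches = defaultdict(list), []
    for inc_id, model, severity, inc_class, onset, alert, contained in register:
        if hours(onset, alert) < 0 or hours(alert, contained) < 0:
            raise ValueError(f"{inc_id}: timestamps out of order")
        if severity == "critical":
            mttd[model].append(hours(onset, alert))
        if inc_class == "ransomware" and hours(alert, contained) > MTTR_RANSOMWARE_H:
            mttr_breaches.append(inc_id)
    report = {}
    for model, samples in mttd.items():
        avg = mean(samples)
        # The page gives no in-house target; fall back to the 8 h review trigger.
        target = MTTD_TARGET_H.get(model, MTTD_REVIEW_H)
        status = "review" if avg > MTTD_REVIEW_H else "above_target" if avg > target else "ok"
        report[model] = {"mttd_h": round(avg, 1), "n": len(samples), "status": status}
    return report, mttr_breaches

if __name__ == "__main__":
    report, breaches = summarise(REGISTER)
    for model, row in sorted(report.items()):
        print(model, row)
    print("ransomware MTTR breaches:", breaches)
```

Reporting `n` beside each mean matters here: a monthly MTTD built on one or two critical incidents should not trigger a model-switch review on its own.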
What the numbers say
The dataset behind this benchmark covers anonymised Cybersecurity Advisory programmes across the UAE, KSA and India. Numbers are reproduced in ranges to preserve confidentiality while remaining useful for planning.
Across the portfolio, four indicators consistently separate the upper-quartile programmes from the median:
- control maturity by NIST CSF function — upper-quartile programmes are running at materially better levels here than the median, and the gap is widening cycle on cycle.
- mean time to detect (MTTD) and respond (MTTR) by incident class — upper-quartile programmes are running at materially better levels here than the median, and the gap is widening cycle on cycle.
- % of privileged accounts with phishing-resistant MFA — upper-quartile programmes are running at materially better levels here than the median, and the gap is widening cycle on cycle.
- patch latency for critical CVEs by environment — upper-quartile programmes are running at materially better levels here than the median, and the gap is widening cycle on cycle.
Pitfalls we keep seeing
Across MAST Consulting Group's Cybersecurity Advisory portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.
- Pattern: a strategy that lists capabilities but not outcomes. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
- Pattern: IR plans untested against the company's actual likely scenarios. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
- Pattern: identity controls that stop at email but not at admin tooling. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
- Pattern: logging without a use case behind each source. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
Tooling we actually reach for
MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Cybersecurity Advisory engagements because the integrations are cheap and the evidence is defensible:
- PAM (CyberArk, BeyondTrust, Delinea) — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
- EDR (CrowdStrike, SentinelOne, Defender) — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
- SIEM/XDR — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
How MAST Consulting Group can help
MAST Consulting Group runs Cybersecurity Advisory programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.
If anything in this benchmark is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Cybersecurity Advisory programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.