STRATEGY & MSSP · 11 MIN

Building a SOC: A 90-Day Playbook for Mid-Market Security Leaders

A realistic 90-day playbook for mid-market CISOs building or rebuilding a Security Operations Center — what to deploy, what to outsource, what to defer.

QMasters SOC Team· Strategy & Operations· 2026-01-28
TL;DR

How do you build a security operations center?

Build a SOC in three sequenced 30-day phases: (1) Visibility first — deploy or expand EDR coverage, ingest cloud and identity logs into a SIEM, document asset inventory, baseline known-bad. (2) Detection second — implement ATT&CK-mapped detection content focused on top-priority techniques for your threat model, integrate threat intelligence, build a coverage map. (3) Response third — define incident classification, build runbooks for top alert types, establish escalation paths, deploy SOAR or automation for high-volume response actions. For most mid-market organizations, building a 24×7 internal SOC is uneconomical at sub-$10B revenue scale; the practical model is hybrid — internal security leadership and engineering, outsourced 24×7 monitoring and response via a flat-rate MDR provider.

90-day SOC build timeline showing parallel workstreams across visibility, detection, response, and team capabilities
90-day SOC build timeline showing parallel workstreams across visibility, detection, response, and team capabilities

Building a SOC: A 90-Day Playbook for Mid-Market Security Leaders

Most "build a SOC" articles read like enterprise CISO memoirs — staffing models for a 50-person team, three years of platform engineering, governance frameworks no mid-market organization will ever implement. They're not wrong. They're just not useful for the security leader at a 2,000-person company who has 90 days, three FTE, a budget the CFO is watching, and an incident yesterday that made the board ask questions.

This is the playbook for that situation. Three 30-day phases, sequenced by what makes the next phase possible. What to build, what to buy, and what to defer.

The build-vs-buy reality at mid-market

Before the 90-day plan, the foundational decision: how much of this do you build internally?

A credible 24×7 internal SOC needs:

  • 5–6 analysts minimum to staff three shifts plus coverage redundancy
  • 1–2 detection engineers to author and tune content
  • 1 SOC manager
  • SIEM platform and operations
  • SOAR or automation tooling
  • Threat intelligence subscriptions
  • Incident response retainer

Loaded annual cost in Israel or the US — easily $2.5M to $4M for a real operation. Below ~$10B revenue or ~20K employees, that math rarely works.

The mid-market answer is hybrid:

  • Internal: security leadership, security engineering, vendor management, incident command, board reporting
  • Outsourced: 24×7 monitoring, alert investigation, containment, threat intelligence operation, SIEM operation
  • Hybrid: detection engineering (provider builds general content; internal team adds environment-specific rules), incident response (provider does initial response; internal/IR retainer handles major incidents)

The 90-day plan that follows assumes this hybrid model. If you're committed to fully internal, multiply the timeline by 4–6x and rebudget.

Days 1–30: Visibility

You cannot detect what you do not log. Phase one is mostly logistics, mostly boring, and absolutely fundamental.

Week 1 — Inventory and assessment

  • Asset inventory. What endpoints, servers, cloud accounts, SaaS apps, identity systems, network segments. Complete enough to be useful, not so complete you spend a month on it.
  • Current logging state. What is being logged where, what is feeding into a SIEM, what isn't. Be honest about gaps.
  • Existing tool stack. Endpoint security, network security, cloud security, identity, SIEM (if any), SOAR (if any). Their current state — deployed but unused, deployed and tuned, or just owned-on-paper.
  • Risk register update. Top business-critical assets, top regulatory requirements, top threat scenarios specific to your industry.

This week's deliverable is a one-page state-of-the-environment summary that the board would understand.

Weeks 2–3 — Critical visibility gaps closed

  • EDR on every endpoint. If you have EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint), confirm 95%+ coverage. If you don't, this is the highest-priority deployment of the 90 days.
  • Identity logs flowing to SIEM. Entra ID sign-in and audit logs, Okta event logs, Active Directory Security event log forwarding. Identity is the single highest-value log source category in 2026.
  • Cloud audit logs. AWS CloudTrail, Azure Activity, GCP Audit — all going to your SIEM with the right scope and retention.
  • Critical SaaS audit logs. Microsoft 365 Unified Audit, Google Workspace audit, GitHub audit if applicable.
  • DNS query logs. From your resolvers — high-value, often-skipped detection surface.

Week 4 — Baseline and prioritize

  • Baseline normal. Top users, top hosts, top traffic patterns, top admin activities. You're going to detect deviations from this; you need to know what "this" is.
  • ATT&CK threat model. Which techniques are most relevant given your industry, environment, and known threat actors. This becomes the priority list for phase 2.
  • Quick-win detections. A handful of high-confidence detections you can deploy immediately based on visibility you now have — impossible-travel logins, EDR-detected malware, cloud root account use, mass file deletion.

End of phase 1 deliverable: visibility you can build on, plus a small but real set of detections firing.

See our endpoint security capabilities

Days 31–60: Detection

With visibility established, build the detection layer that turns logs into signal.

Weeks 5–6 — Detection content

  • MDR engagement live. If hybrid, this is when your MDR provider's monitoring goes live on the visibility you established. Their detection content runs against your data; their analysts triage your alerts 24×7.
  • ATT&CK-mapped content. For top-priority techniques from your week-4 threat model, ensure detection content exists. Some comes from MDR; some you author for environment-specific scenarios.
  • Threat intelligence integration. IOC feeds into reference sets, used in detection logic. This is where DailyIOC-style services compound value.

Weeks 7–8 — Tuning and coverage

  • False positive triage. Most detection content is noisy initially. Spend time tuning, not bypassing.
  • Coverage map. ATT&CK matrix, color-coded for what you detect. Living document.
  • Gap closure plan. For known gaps, scheduled work — own engineering or scoped to the MDR provider.

Weeks 9–10 — Hunting

The first proactive hunt happens in this phase. Pick a high-value scenario (e.g., "AD enumeration by non-admin accounts," "anomalous service account behavior") and run a hunt against your data. Findings become detection content. The hunt itself becomes a recurring practice.

End of phase 2 deliverable: detection content live, MDR operating, coverage map documented, first hunt complete.

Days 61–90: Response

Detection without response is theatre. Phase three turns alerts into containment.

Weeks 11–12 — Incident classification and runbooks

  • Incident severity classification. What's a P1 vs P3, who gets paged when, what's the SLA. Document it.
  • Runbooks for top alert types. The 10–15 most common alert categories should have a one-page runbook each. What it is, how to triage, when to escalate, when to contain.
  • Containment authority. Who can isolate a host, kill a process, disable an account, block an IP — and at what severity tier. With your MDR, the answer should be: they can, on confirmed runbook scenarios, without paging you at 3 AM.

Weeks 13–14 — Automation and orchestration

  • High-volume response actions automated. Phishing email triage, host isolation on EDR confirmed-malicious detections, account disable on credential abuse confirmation. SOAR or vendor-native automation handles the volume.
  • Communication patterns. Slack/Teams channels for SOC alerts, paging integration, escalation tree, internal status dashboard for leadership.

Week 15 — Tabletop

Run a tabletop exercise. Pick a realistic scenario (ransomware on a file server, business email compromise of a finance executive, a leaked AWS access key in GitHub). Walk through it: who detects, who decides, who acts, who communicates. The first tabletop will reveal gaps you'd never have found in a planning meeting. That's the point.

Week 16 — Review and roadmap

  • State-of-the-SOC review. What got deployed, what got tuned, what's the current detection coverage, what's the response posture.
  • Year-2 roadmap. Identity threat detection deepening, cloud security posture, OT security if applicable, awareness training program, vulnerability management maturity.

End of 90-day deliverable: a functioning SOC operating model, with internal leadership and external 24×7 capability, documented coverage and response, and a year-2 plan.

What to defer

The 90-day plan deliberately defers some work that gets prioritized in longer programs:

  • Custom SOAR development beyond high-volume automation
  • Deep threat intelligence program (you're consuming TI, not producing yet)
  • Red team engagements (defer to year 2 — there's nothing to test yet)
  • OT and ICS security unless you're in critical infrastructure
  • Compliance program build (detection-driven, not the other way around)

These all matter. None of them blocks year-1 SOC value.

Where QMasters fits

For mid-market customers, the StrongHold MCSS model is built for this exact phasing:

  • 24×7 SOC monitoring activates as visibility comes online
  • Detection content runs against your environment from day one of MDR engagement
  • Containment-included response — analysts pre-authorized to act on documented runbooks
  • DailyIOC threat intelligence feeds enforcement and detection
  • Incident response retainer integrated for major-incident escalation

We've onboarded 240+ customers into this exact model. The 90-day playbook is what most of them ran.

See StrongHold MCSS for mid-market

For more context, start at QMasters, review our managed cyber security services, or check out team.

Frequently asked questions

Should mid-market companies build or buy a SOC?

For most under-$10B-revenue organizations, hybrid is the right answer — internal leadership and engineering, outsourced 24×7 monitoring and response.

What's the most important first step?

Visibility. EDR on every endpoint, identity logs to SIEM, cloud audit logs flowing. Without visibility, every later step is theatre.

How big should an internal SOC be?

For 24×7 coverage with redundancy: 10–14 people total. Below that, hybrid economics dominate.

Can this 90-day plan compress to 60 days?

Some — but not without quality cost. If the visibility deployment goes faster (existing EDR, existing SIEM), the timeline collapses. The detection and response phases are gated by tuning and runbook quality, which don't compress safely.

---

Building or rebuilding your SOC?

Talk to a QMasters strategy lead. We'll walk through your environment, your team, and your timeline, and produce a written 90-day plan tailored to your situation — with the build-vs-buy decisions called out explicitly. Book a SOC strategy call →

FAQ

Frequently asked questions.

  • For most mid-market organizations (under ~$10B revenue, under ~20K employees), building a fully internal 24×7 SOC is uneconomical — the FTE cost of three shifts of analysts plus engineering, leadership, and tooling routinely exceeds $3M annually. The practical model is hybrid: internal security leadership owns strategy, vendor relationships, and incident command; outsourced MDR provides 24×7 monitoring, alert investigation, and containment.

ABOUT THE AUTHOR

QMasters SOC Team
Strategy & Operations

Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.

BUILDING OR REBUILDING A SOC?

Skip the 18-month build. Get an MDR partner.

Talk to a SOC strategy lead about flat-rate MDR, SIEM operations, and what to keep in-house versus outsource.

Explore Managed Cyber Security Services

F-003 · CONSULTATION

Book 30 minutes. No slides.

A real working session with a SOC engineer — bring your alerts.