Consulereit

Regional telecommunications · ~800 staff · 4 weeks

SOC architecture review for a regional telco

A four-week review of an in-house security operations centre: what they were detecting, what they were missing, and where consolidation of six overlapping tools would free up two analysts' worth of capacity.

Context

The client had built an in-house SOC three years earlier and was starting to feel the strain. Tool sprawl (six products with overlapping scope across SIEM, EDR, NDR, UEBA, SOAR, and TIP) and a team of four analysts running shifts meant they were busy but not always detecting. The security lead wanted an independent second opinion before their next renewal cycle, which would commit them to roughly €1.2M of licensing for another three years.

The brief was explicitly not “pick a winner.” The brief was: is what we have fit for the threats we actually face, and if not, what would fit instead?

Approach

Four weeks, with deliverables built as we went.

  1. Coverage mapping: mapped existing detections to the MITRE ATT&CK techniques relevant to a regional telecommunications provider (Russian and Chinese state actor profiles, plus financially motivated access brokers), weighted by observed prevalence in the last three years of threat-intel reports from ENISA, NCSC-NL, and sector ISACs.
  2. Tool rationalisation: for each of the six tools, identified what detection capability would be lost if it were removed, and whether another tool in the stack could cover that gap. Two tools had essentially full overlap; a third was covering a capability the team wasn’t using.
  3. Operating-model review: sat with the analysts for two shift handovers, watched the alerts they triaged, and measured mean time-to-triage against the volume of false positives from each source.
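As an added illustration of steps 1 and 2 (example code written for this page, not the engagement's own data or tooling), the Python below models the coverage-mapping and rationalisation checks: technique weights, tool-to-technique mappings and tool names are all constructed, though the ATT&CK IDs are real ones.

```python
# Constructed sample (not the engagement's data): ATT&CK technique IDs with a
# prevalence weight, e.g. how many sector threat-intel reports from the last
# three years cite the technique.
TECHNIQUE_WEIGHT = {
    "T1078": 9,   # Valid Accounts
    "T1021": 8,   # Remote Services
    "T1059": 8,   # Command and Scripting Interpreter
    "T1190": 7,   # Exploit Public-Facing Application
    "T1566": 7,   # Phishing
    "T1048": 6,   # Exfiltration Over Alternative Protocol
    "T1110": 5,   # Brute Force
}

# Constructed: techniques each tool has a working, tested detection for.
TOOL_COVERAGE = {
    "SIEM": {"T1078", "T1110", "T1566", "T1190"},
    "EDR":  {"T1059", "T1021"},
    "NDR":  {"T1048", "T1021"},
    "UEBA": {"T1078", "T1110"},
    "SOAR": set(),            # orchestration only, no detections of its own
    "TIP":  {"T1566"},
}

def weighted_coverage(tools):
    """Share of prevalence-weighted techniques detected by at least one tool."""
    covered = set().union(*(TOOL_COVERAGE[t] for t in tools))
    hit = sum(w for tech, w in TECHNIQUE_WEIGHT.items() if tech in covered)
    return hit / sum(TECHNIQUE_WEIGHT.values())

def unique_techniques(tool, tools):
    """Techniques only this tool detects: the coverage lost if it is removed."""
    others = set().union(*(TOOL_COVERAGE[t] for t in tools if t != tool))
    return TOOL_COVERAGE[tool] - others

def removal_report(tools):
    """Per tool: sorted unique techniques, and weighted coverage without it."""
    return {tool: (sorted(unique_techniques(tool, tools)),
                   weighted_coverage([t for t in tools if t != tool]))
            for tool in tools}

def redundant_tools(tools):
    """Tools whose every detection is duplicated elsewhere in the stack.
    A hit here is a question, not a verdict: SOAR shows up because it detects
    nothing itself, not because it adds no value."""
    return sorted(t for t in tools if not unique_techniques(t, tools))
```

Running `redundant_tools` over the full stack and `weighted_coverage` over a proposed three-product stack gives the two numbers a renewal discussion actually turns on: which contracts can close, and what weighted coverage remains.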

Outcome

Recommended consolidation to three products, closing two contracts at renewal and reallocating the saved budget to a dedicated detection engineer. Projected operating cost reduction of roughly 30% with improved coverage, given the dedicated engineering role. The telco’s security lead took the recommendation to procurement; eighteen months later, mean time-to-triage was down by half and the SOC was producing its own detection content rather than waiting on vendor rulesets.

Thinking about an engagement?

Every project starts with a short call, free, no commitment. I'll tell you whether I'm the right fit, and if not, I'll usually know someone who is.