The question of whether to build or buy security operations capability is one of the most consequential strategic decisions a CISO or IT Director will make. Get it right, and your organisation benefits from 24/7 protection at a cost-efficient price point. Get it wrong, and you either overspend on an under-utilised in-house team or underspend on a managed service that lacks the depth you need.
This article cuts through the marketing noise to give you an honest comparison based on ISOLS's experience delivering both models across East African financial institutions, telcos, and government agencies.
The Real Cost of an In-House SOC
Let's start with numbers. Building a credible, 24/7 in-house SOC in Nairobi requires:
- Staffing: Minimum 8–12 analysts (Tier 1/2/3) for 24/7 coverage with shift rotation. At competitive market rates, this runs KES 40–80M per year in salaries alone.
- Technology: SIEM platform (KES 5–15M/yr), XDR/EDR (KES 3–8M/yr), NDR, SOAR, threat intel feeds — total technology spend of KES 15–30M/yr minimum for a credible stack.
- Training & Certifications: SOC analysts require continuous training to remain effective. Budget KES 2–4M/yr for certifications and skills development.
- Infrastructure: Secure SOC facility, dedicated connectivity, backup systems — KES 3–8M capex + ongoing opex.
All-in, a credible in-house SOC costs KES 65–130M per year — and that's before you account for analyst attrition (typically 20–30% in Kenya's competitive market), which creates ongoing recruitment and knowledge transfer costs.
"We consistently find that organisations underestimate in-house SOC costs by 40–60% in their initial business cases — primarily by understating staffing requirements and technology refresh cycles." — ISOLS Advisory Team
What You Get with ISOLS SECaaS
The ISOLS SECaaS model delivers enterprise-grade SOC capability at a fraction of the build cost:
- 24/7/365 monitoring by a team of experienced analysts who handle incidents as their full-time role
- Enterprise-grade technology stack including CrowdStrike/SentinelOne XDR, Fortinet FortiSIEM, Darktrace NDR, and CTM360 CTI — all included
- Threat intelligence specific to the African financial services and telco threat landscape
- Incident response capability that can be activated within minutes of a confirmed incident
- Compliance reporting aligned to CBK, Bank of Tanzania, and other regional regulatory requirements
Head-to-Head Comparison
| Factor | In-House SOC | ISOLS SECaaS |
|---|---|---|
| Annual Cost | KES 65–130M+ | KES 8–35M (tier-dependent) |
| Time to Operational | 12–24 months | 4–8 weeks |
| 24/7 Coverage | Requires 8–12 analysts | Included |
| Technology Stack | Separate procurement required | Included in service |
| Threat Intelligence | Must procure separately | Africa-specific CTI included |
| Staff Attrition Risk | High — 20–30% annual turnover | None — ISOLS absorbs this risk |
| Expertise Breadth | Limited to team hired | Multi-domain specialist team |
| Control & Visibility | Full internal control | Full visibility, ISOLS operates |
When In-House Makes Sense
In-house SOC investment can be justified for:
- Tier-1 banks or telcos with very specific regulatory requirements mandating internal capability
- Organisations with existing mature security teams looking to expand from a strong base
- Organisations where data sovereignty requirements preclude any external access to logs
The Co-Managed Model: Best of Both Worlds
Many ISOLS clients operate a co-managed model, in which an internal security team handles Tier-1 alert triage during business hours and ISOLS provides 24/7 out-of-hours coverage and escalation for complex incidents. This hybrid approach provides cost efficiency without sacrificing internal capability development.
Explore ISOLS SECaaS Packages
ISOLS offers three SECaaS tiers — Core, Advanced, and Elite — designed for SACCOs & SMEs through to Tier-1 banks and telcos. Get a customised quote based on your organisation's size and requirements.