Monday morning, 6:42 a.m.: A suspicious login from an unusual country. Shortly thereafter, several failed authentication attempts on a central server. It is still unclear whether this is a false alarm or the start of an attack. The internal IT team is not fully staffed at this time. Decisions need to be made quickly, and questions arise, such as:
- Who assesses the situation in the SOC?
- Who is responsible for responding to security incidents and attacks?
- Who bears responsibility if the suspicion of a cyberattack is confirmed?
Such situations are no longer the exception in the day-to-day work of IT staff. Cyberattacks occur around the clock, so the entire IT infrastructure has to be monitored 24/7, 365 days a year. Internal IT teams are usually already fully occupied with their day-to-day tasks, and specialized security staff are scarce. Besides round-the-clock availability, which is often not guaranteed, incident handling requires specialist knowledge in IT security. The ongoing shortage of skilled workers aggravates this structural problem, and for many companies and government agencies operating an in-house Security Operations Center (SOC) is out of the question, if only for economic reasons.
One answer is a managed SOC. Several criteria help in selecting the right service provider: transparency and data protection, the scope of the service, and how far the solution can be customized. These criteria should always be evaluated from one overarching perspective: digital sovereignty.
Criterion 1: Transparency and Data Protection in a Managed SOC
When you hire an external security service provider, you grant them deep insights into your own IT infrastructure. This level of openness requires absolute trust. The following aspects are crucial in this regard.
The question of trust: To whom do you grant operational control over your IT landscape?
It is not just a matter of who evaluates alerts, but of who is granted operational control over parts of the IT landscape. If the SOC team confirms a security incident, it can connect to the affected system, analyze running processes, isolate compromised hosts, move malicious files to quarantine, or clean up artifacts left behind by the attackers. Such intervention rights must be clearly defined in advance, including whether a given action may be taken autonomously or only after the customer's approval, and whether evidence is preserved before anything is cleaned up. They require a solid foundation of trust.
The Legal Framework: Location, Data Centers, and Applicable Data Protection Laws
Trust also plays a crucial role in how technology and service are combined. It matters where the managed SOC provider is located and which data protection laws it is subject to. A provider based in Germany is bound by German and European data protection law (the GDPR and the BDSG) and may access customer data only on a case-by-case basis and only to the extent necessary to analyze security incidents and cyber threats. In other jurisdictions, the provider, or the authorities there, may have broader access rights.
The location of the data centers also determines which legal framework governs the stored information. If log and telemetry data are processed outside of Europe, other government access provisions may apply. This is particularly relevant for confidential information that is itself subject to data protection law, such as the personal data contained in authentication logs.
Verifiable Expertise: Qualifications of Analysts for Security Monitoring and Response
Transparency also includes verifiable expertise. A managed SOC provider should disclose the experience and qualifications of its team of analysts. This team handles security-critical tasks for customers – from threat classification to coordinating the response. Certifications from independent bodies make these competencies visible to third parties as well.
For companies, a managed service therefore always requires a thorough review of the legal and organizational conditions under which this access takes place. Transparency and data protection are not secondary criteria but the foundation of a trusting partnership.
Criterion 2: Scope of Services Offered by the Managed SOC – 24/7 Security, Prioritization, and Incident Response
The term “managed” is not a protected designation and is interpreted differently across the market. The key question, therefore, is whether the offering is purely a platform solution or an actual service.
An overview of the differences between a platform solution and a managed SOC:

| Aspect | Platform solution (unmanaged) | Managed SOC (service) |
|---|---|---|
| Evaluation of alarms / security events | Internal team prioritizes and evaluates | SOC analysts evaluate, correlate, and contextualize |
| Response to security incidents | The company responds on its own | SOC coordinates or carries out response measures as agreed and issues recommendations |

With an unmanaged solution, operational responsibility remains with the company: the IT team must assess and prioritize alerts and respond in an emergency. A managed SOC takes on these tasks as a service. A team of analysts evaluates alerts, puts them into context, consults with the customer as needed, and, depending on the agreement, also carries out specific response measures. Check that a true 24/7 service is offered, so that off-hours do not have to be covered in-house, and that the contract states concrete times for detection, notification, and response rather than a general promise of "round-the-clock monitoring".
Automation and AI: Support, Yes – But Responsibility Remains with Humans
The use of artificial intelligence (AI) plays an important supporting role here. Automation can detect recurring patterns, classify threats faster, and cluster related security alerts. It does not replace human judgment, however: an alert that is not verified by an expert and placed in its context is easily misinterpreted, and a false positive acted on automatically can cause as much disruption as the attack it was meant to stop. The final decision should rest with a human. A purely AI-based "managed" offering therefore falls short of the requirements for responsible security operations.
A managed SOC is effective when it is operational 24/7 and when “service” truly means taking responsibility – from detecting attacks to coordinating responses to security incidents.
Criterion 3: Flexible SOC Service – Customizable Configuration and Rapid Support
Every IT environment has its own processes, priorities, and critical systems that require a tailored approach. A true service takes these specific characteristics into account, as evidenced by the solution’s configurability.
Companies must be able to specify which systems are monitored and how, and which response measures the provider may take on its own. Sensitive production environments are the classic case: automated isolation of a system there could severely disrupt operations or even cause an outage, so such actions should require explicit approval. The more granularly intervention rights can be defined, per system or group of systems and per type of measure, the better protection against cyber threats can be reconciled with business operations.
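The two points above, correlating raw alerts into one contextualized incident (Criterion 2) and checking the proposed response against per-system intervention rights (Criterion 3), can be made concrete with a small script. The following Python is an added example written for this article, not code from the article's author or from any SOC product. It replays the Monday-morning scenario from the introduction on constructed log events: a login from a country outside the user's baseline, followed by repeated failed logons on a central server, becomes a single high-priority incident, while an isolated failed logon without that context does not. The user names, host names, host groups, country codes and the policy table are all assumptions made up for the example.

```python
"""Added example (not from the original article): correlate the article's
Monday-morning scenario into one prioritized incident, then check the proposed
response against the customer's per-system intervention policy.
All events, hosts, users, countries and policy values below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed authentication events: (timestamp, user, source country, host, outcome)
EVENTS = [
    ("2024-03-04T06:42:10", "j.mueller", "DE", "vpn-gw-01", "success"),
    ("2024-03-04T06:42:31", "j.mueller", "XX", "vpn-gw-01", "success"),      # unusual country
    ("2024-03-04T06:44:02", "j.mueller", "XX", "erp-db-01", "failure"),
    ("2024-03-04T06:44:09", "j.mueller", "XX", "erp-db-01", "failure"),
    ("2024-03-04T06:44:15", "j.mueller", "XX", "erp-db-01", "failure"),
    ("2024-03-04T06:45:00", "a.schmidt", "DE", "fileserver-02", "failure"),  # one typo, no context
]

# Countries each user normally logs in from (constructed baseline; a real SOC
# derives this from weeks of history instead of hard-coding it).
BASELINE = {"j.mueller": {"DE"}, "a.schmidt": {"DE"}}

# Which host belongs to which group, and which measures the customer allows the
# SOC to execute automatically per group (constructed; everything else needs sign-off).
HOST_GROUPS = {"vpn-gw-01": "perimeter", "erp-db-01": "production", "fileserver-02": "office"}
POLICY = {
    "perimeter":  {"notify", "block_source"},
    "production": {"notify"},                       # isolation only after human approval
    "office":     {"notify", "isolate", "quarantine_file"},
}


@dataclass
class Incident:
    user: str
    country: str
    host: str
    failures: int
    severity: str
    proposed_actions: list[str] = field(default_factory=list)


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(events, baseline, window=timedelta(minutes=10), min_failures=3):
    """Raise an incident when a successful login from a country outside the user's
    baseline is followed, within `window`, by at least `min_failures` failed logons
    of the same user on one host. Either signal alone is not escalated."""
    incidents = []
    ordered = sorted(events, key=lambda e: _ts(e[0]))
    for i, (t, user, country, _host, outcome) in enumerate(ordered):
        if outcome != "success" or country in baseline.get(user, set()):
            continue
        start = _ts(t)
        failures = defaultdict(int)
        for t2, u2, _c2, h2, o2 in ordered[i + 1:]:
            if _ts(t2) - start > window:
                break
            if u2 == user and o2 == "failure":
                failures[h2] += 1
        for target, n in failures.items():
            if n >= min_failures:
                incidents.append(Incident(user, country, target, n, "high",
                                          ["notify", "isolate", "quarantine_file"]))
    return incidents


def plan_response(incident, host_groups, policy):
    """Split the proposed actions into what the SOC may execute automatically under
    the customer's policy and what must wait for an explicit human decision."""
    group = host_groups.get(incident.host, "unknown")
    allowed = policy.get(group, {"notify"})          # unknown hosts: notify only
    automatic = [a for a in incident.proposed_actions if a in allowed]
    needs_approval = [a for a in incident.proposed_actions if a not in allowed]
    return {"host": incident.host, "group": group,
            "automatic": automatic, "needs_approval": needs_approval}


if __name__ == "__main__":
    for inc in correlate(EVENTS, BASELINE):
        print(inc)
        print(plan_response(inc, HOST_GROUPS, POLICY))
```

Run as-is, the script produces exactly one incident, for `j.mueller` against `erp-db-01`; the single failed logon by `a.schmidt` stays below the escalation threshold because it has no supporting context. Because `erp-db-01` sits in the `production` group, only `notify` is executed automatically and `isolate` and `quarantine_file` are held for approval, which is the behaviour the article asks for in sensitive environments.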
Support and Communication: Availability, Language, and Response Time
Configurability is not the only thing that matters here; support is just as crucial when urgent questions arise. If the service provider can only be reached by email, valuable time is lost. Customer service should be reachable by phone around the clock, with a defined response time, so that it can act immediately in urgent cases.
Equally important is clear communication in German, since there is no room for misunderstandings in an emergency. If support is provided mainly from third countries and in a foreign language, communication problems can arise, especially under time pressure, that impair the speed and accuracy of the response.
Conclusion: Evaluation of Criteria in Terms of Digital Sovereignty
Selecting the right managed SOC provider is not merely a decision based on performance or price. Transparency and data protection, the actual scope of services, and the customization of the service must always be evaluated from an overarching perspective: digital sovereignty.
This is where the strategic nature of provider selection becomes clear. Digital sovereignty here means that companies retain control over data access, response channels, and decision-making even though they have outsourced their security operations, and that they do so without becoming tied to a single provider and its "ecosystem". Hiring a service provider delegates operational tasks, but not accountability: the company remains answerable for its own security. Especially where the provider gains deep insight into the IT infrastructure and the right to intervene in it, trust exists only where transparency prevails.
A managed SOC thus becomes a strategic decision: not only for greater security in day-to-day operations, but also for long-term operational flexibility and the freedom to choose a provider. The key evaluation question is therefore not merely who can technically provide the service, but under what conditions this service also strengthens the company’s digital sovereignty.
So when an alert comes in on Monday morning, it doesn’t throw anyone off balance. An experienced SOC team assesses the situation, prioritizes potential threats, and initiates appropriate measures. Systems are isolated as needed, suspicious files are examined, and concrete recommendations for protection and further response are issued. All responsibilities are clearly defined, everyone knows their role, and the company remains fully capable of acting independently even with outsourced security operations.