Managed SOC contracts are among the more opaque purchasing decisions in enterprise security. The pricing model is complex, the scope is often ambiguous, and the terms that seem minor during procurement have a habit of becoming expensive surprises six months in.
This post covers the five hidden costs that appear most frequently in managed SOC agreements, and how to address each one before you sign.
1. Onboarding and Integration Fees
Most managed SOC pricing is quoted as a recurring monthly fee. What many providers don’t lead with is that before that monthly fee starts, there’s an onboarding fee — sometimes called a “professional services” or “deployment” fee — that covers getting your log sources connected, tuning alert thresholds, and configuring the initial rule set.
Onboarding fees typically range from one to three months of the monthly contract value. For a ₪30,000/month contract, that’s potentially ₪90,000 before you receive a single alert.
What to do: Ask for the onboarding fee to be disclosed explicitly in the proposal, not buried in a statement of work delivered after you’ve agreed in principle. Negotiate to cap it, spread it across the first few invoices, or waive it if the vendor wants a multi-year commitment.
2. Log Volume Overage Charges
Many managed SOC services price based on a “log volume” metric — gigabytes of logs ingested per day, or events per second. The base contract includes a volume allowance. Exceed it, and you pay overage rates.
The problem: log volumes are not constant. A security incident, an application bug causing excessive logging, or simply business growth can push you over your allowance at exactly the moment when you most need the service to be performing well. Overage rates are often two to three times the per-unit rate of the base contract.
What to do: Get the overage rate in writing before signing. Ask the vendor for the average log volume for companies similar to yours to calibrate whether your allowance is realistic. Request a 30-day lookback of your current log volume if you have existing infrastructure, and use it to negotiate the right-sized tier from the start. Consider whether you can negotiate a cap on monthly overage charges.
3. Incident Response Retainer Requirements
Some managed SOC contracts include monitoring and alerting but not incident response. If an alert escalates to an active incident — a confirmed breach, an active intrusion, a ransomware outbreak — the SOC declares it an incident and hands it to an incident response (IR) team, which operates under a separate retainer or hourly fee structure.
This is not necessarily unreasonable — IR work is different from monitoring work — but it can be a significant cost that wasn’t visible in the original pricing conversation. IR retainers can run from ₪50,000 to ₪200,000+ per engagement, and some providers require you to use their IR team (not a third party) when incidents are escalated through their SOC.
What to do: Clarify what “response” means in the contract. Does the SOC take containment actions (isolate an endpoint, block a source IP, disable a compromised account)? Or does it only notify you? If containment is handled separately, understand what triggers an escalation, who provides IR, and what it costs. Check whether you’re free to use your own IR provider.
4. Scope Creep on Covered Assets
Managed SOC contracts often define scope in terms of “covered assets” — a specific list of systems, log sources, or accounts that the SOC monitors. Assets added after contract inception may not be covered automatically. Adding them may require a contract amendment and a price increase.
This is particularly relevant for growing Israeli startups. New AWS accounts, acquired subsidiaries, new SaaS tools, or additional cloud regions all represent assets that need monitoring. If your environment grows significantly and those new assets aren’t in scope, you may be paying for a SOC that’s watching 70% of your environment while an attacker uses the remaining 30% as an entry point.
What to do: Negotiate an “all future AWS accounts and log sources under the same terms” clause rather than a fixed asset list, or agree on a predefined unit rate for adding assets rather than requiring a full contract amendment. Review scope at each renewal.
5. Reporting and Compliance Documentation Fees
Many Israeli companies need security reports for compliance purposes — evidence for INCD audits, SOC 2 Type II assessments, customer security questionnaires, or Amendment 13 compliance documentation. Some managed SOC providers include standard reporting in their base fee. Others charge extra for compliance-specific reports, executive summaries, or custom formats.
This gets particularly frustrating when you discover that the data exists in the SOC platform but extracting it in the format you need costs extra. Some providers also charge for historical data exports — relevant if you need to produce audit evidence for a specific time period after the fact.
What to do: Inventory the compliance reports you’ll need over the contract period. Ask the vendor to confirm which reports are included and provide samples. If you have specific compliance frameworks (INCD, SOC 2, ISO 27001), ask whether the provider has report templates that match each framework’s evidence requirements. Get confirmation of data export rights and any associated fees in writing.
A Pre-Signature Checklist
Before signing any managed SOC contract, confirm the following in writing:
| Item | What to confirm |
|---|---|
| Onboarding fee | Amount, payment schedule, scope of work included |
| Log volume | Allowance, overage rate, overage cap |
| Incident response | What “response” is included, who provides IR, at what cost |
| Scope | How new assets are added, at what price |
| Reporting | Which reports are included, formats, data export rights |
| SLAs | Response time commitments and financial penalties if missed |
| Termination | Notice period, data return/deletion on exit |
The managed SOC market is competitive, especially for Israeli companies of 50-500 employees. Vendors want your business, and most of these terms are negotiable if you ask before signing. The time to negotiate is before you’re dependent on a provider, not during a renewal conversation when switching costs are high.
If you want to compare Xpernix’s pricing model against your current proposals, contact us.