If two quotes look identical on paper, they are probably not covering the same hours, the same escalation depth, or the same log volume.
SOC-as-a-Service is sold under a dozen names—MDR, managed detection, “AI SOC,” co-managed SIEM. Pricing is rarely comparable because scope is negotiable and risk is not printed in the appendix.
This post is a buyer’s lens for Israeli SMBs and mid-market teams comparing vendors in a hurry.
The four cost drivers

| Driver | What inflates your bill |
|---|---|
| Ingested volume | EPS/GB per day, hot retention, rehydration fees |
| Coverage window | true 24/7 vs. “follow-the-sun” vs. business-hours triage |
| Response depth | notify-only vs. hands-on-keyboard containment |
| Onboarding | excluded professional services that show up after signature |

Always model year-two cost. Year one is designed to win the deal.
Red flags in a quote
- Unlimited logs with a footnote about “fair use.”
- MTTR guarantees without defining “resolution.”
- Tier-3 included but only during business hours in a single time zone.
- IR hours bundled so thinly that a single weekend incident consumes the annual allowance.
Ask for a sample monthly report: alert counts, true-positive rate trend, top noisy rules, and mean time to acknowledge for your queue.
Questions that surface the real price
- What happens when daily ingest exceeds the contracted tier—soft cap, hard block, or surprise invoice?
- Who owns tuning when a new log source doubles event volume?
- What is excluded from “24/7 monitoring” (cloud-only, email-only, P1-only)?
- How are national holidays handled in SLA math?
If answers live only in a verbal demo, assume the worst.
Final thought
Price is what you pay. Coverage is what you get when someone tries to log in from an impossible geography at 2 a.m. If you want a straight comparison between hiring in-house and outsourcing monitoring for an Israeli team, start with SOC-as-a-Service vs. Hiring—then reach out if you want help pressure-testing a vendor quote against your actual AWS and identity footprint.