CYBER SECURITY

Standing up an 8-person SOC from scratch: what it really takes.

Fahim Rashid · 5 March 2026 · 9 min read
Standing up a SOC from scratch is rarely about the technology. The hard part is sequencing the right people through the right disciplines at the right time.

A security consultancy came to us with a problem that, on paper, looked simple. They had won a contract with a healthcare client to build a complete Security Operations Centre. They needed a full team in place, fast. The healthcare environment carried the usual sensitivities – patient data, regulatory pressure, no margin for error – and the consultancy's reputation was on the line.

The brief was for eight roles, across six disciplines, all live, all on-site. This is a write-up of how that engagement actually ran. The names and specifics are anonymised; the sequencing and decisions are real.

What the team had to look like

A SOC isn't one role repeated eight times. It is a layered operating model with very different specialisms doing very different work. The team we needed to build comprised:

  • 1 × SOC Team Lead – overall operational ownership, shift management, escalation and client interface.
  • 2 × SOC Engineers – platform engineering, SIEM tuning, detection rule development.
  • 3 × SOC Analysts (L1, L2, L3) – the core analyst pyramid running daily monitoring and triage.
  • 1 × Threat Intelligence Engineer – external threat landscape monitoring and IOC integration.
  • 1 × Vulnerability Management Consultant – scanning programme, prioritisation, remediation tracking.

Each of those is a distinct talent pool. A senior SOC Engineer is not interchangeable with a senior Threat Intelligence Engineer, despite both being "experienced cyber people". Treating them as fungible is the most common reason SOC builds slip.

Sequencing was the whole game

We did not try to land all eight at once. The order mattered.

  • Week 1: SOC Team Lead and L3 Analyst on-site first. Two senior people who could shape the operating model and the runbooks before the wider team arrived.
  • Week 2–3: SOC Engineers in to start platform tuning, with the L3 Analyst feeding them detection requirements live.
  • Week 4: L2 Analyst and Threat Intelligence Engineer in, runbooks now mature enough to onboard against.
  • Week 5–6: L1 Analyst and Vulnerability Management Consultant in, to round out the operating model and start the scanning programme.

This sequencing did two things. It meant senior people set the standard before junior people arrived – so juniors learned the right habits from day one. And it meant the client could see operational progress every week, rather than waiting six weeks for a "team complete" milestone.

What slowed it down (and what didn't)

The healthcare context introduced two specific complications. Background checks were heavier than in most commercial environments: DBS checks, the NHS Employment Check Standards, and supplier-specific vetting, all running in parallel. We allowed for this in the timeline rather than discovering it on day one.

The technology stack was less of a problem than expected. The client had a working SIEM and a tooling set the team had used elsewhere. What did slow things down was access provisioning – getting eight separate people through the client's identity and access management process. We pushed the consultancy to start access requests at offer-acceptance stage, not start-date stage. That alone saved around two weeks across the team.

Why we delivered against an exclusive arrangement

The consultancy gave us the brief on an exclusive basis. We have a 100% hit rate on exclusive engagements, and this one was no exception – not because we are luckier than other recruiters, but because exclusivity changes how the work runs.

  • We invest senior time in scoping. When we know we're the only supplier, we run the brief properly, including talking to the client team about working culture and operating model.
  • We use our network rather than the open market. Eight specialist roles via job boards is a recipe for noise. Eight specialist roles through a known network is a recipe for fit.
  • We control the candidate experience. Candidates know they're being represented by one party; the client knows they're getting a curated shortlist. Nobody is competing internally on the same role.

The result was a fully operational 8-person SOC delivered against the consultancy's contractual commitment, with the healthcare client live with monitoring and incident response capability that hadn't existed eight weeks earlier.

Three lessons that travel

If you are about to stand up a SOC – or any specialist team at scale – three things matter more than they get credit for:

  • Sequence senior first. Two seniors in week one is worth four juniors in week one. Always.
  • Start onboarding admin at offer stage, not start date. Background checks and access provisioning are the silent killers of go-live timelines.
  • Pick one supplier and give them exclusivity. Multi-supplier panels for an integrated team build are slower and produce more friction, not less.

A SOC built well in week eight is worth ten times a SOC argued about in week sixteen. The decisions that get you there are made on day zero.
