Leveraging the power of SOCaaS solutions for SMEs

Cybersecurity is no longer a concern only for large enterprises.
Small and medium-sized businesses are increasingly targeted by cyber threats, while often lacking the in-house resources or expertise to monitor and respond to incidents effectively.

Within this context, Security Operations Center as a Service (SOCaaS) emerges as a practical and accessible solution for SMEs. Through SOCaaS, advanced threat detection, incident investigation, and response capabilities are delivered remotely by specialised teams—without the need for complex infrastructure or dedicated internal security staff.

The following article explains how SOCaaS works in practice within the SOC4SME framework, outlining the operational flow, the role of the central SOC, and how incidents are detected, investigated, and managed across SME environments.

Through this option, SOC4SME offers customers a Managed Detection and Response (MDR) solution. Specifically, the SOC provider uses a detection and response toolset along with a control room that constitutes a central SOC, staffed by L1, L2, and L3 security analysts as well as the SOC manager. Each customer site has a dedicated event captor that collects logs as well as events/alerts. The logs are forwarded to the central SOC, operated by the SOC4SME team, which performs the investigation, event/alert analysis, triage and mitigation actions through dedicated Incident Response tools. In this case, the mitigation actions are decided by the SOC4SME SOC team and sent to the event captors, which then execute them on the respective site.

Specifically, the SOCaaS solution consists of different phases, starting with the initial detection through Endpoint Detection and Response (EDR) tools. This phase also involves the SOC analysts performing triage of the incidents. The hunting phase follows, in which the analyst receives additional data and logs from the event captors in order to perform the investigation. While the incident is being investigated, the customer receives a first notification of the incident, including the site where it occurred, within a timeframe defined by the SLA contract. After the investigation, the customer is notified again about the verdict along with the proposed containment actions as Incident Response, within a time duration also defined by the SLA contract. The containment actions are then sent from the central SOC office to the event captor of the site where the incident occurred. Finally, the SOC4SME SOC team closely monitors the site for further manifestations of the incident and prepares an incident report that provides the root cause analysis, the mitigation actions performed, and the Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) indicators for the incident.
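To make the lifecycle above concrete, the following is an added example (not SOC4SME code, and not part of the original article) that models an incident as it moves from EDR detection through hunting, verdict, containment and monitoring, records the two customer notifications, checks them against SLA deadlines, and computes MTTD and MTTR over a set of incidents. The phase names, the `SLA` and `Incident` classes, the site names and the timestamps are all assumptions constructed for the example; MTTD is taken here as the time from the earliest malicious event to detection, and MTTR as the time from detection to confirmed containment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from statistics import mean
from typing import List, Optional


# Lifecycle phases as the article describes them (names chosen for this example).
class Phase(Enum):
    DETECTED = "detected"       # EDR alert raised, analyst triage pending
    HUNTING = "hunting"         # analyst pulls extra logs from the site's event captor
    VERDICT = "verdict"         # investigation closed, containment actions proposed
    CONTAINED = "contained"     # containment executed by the event captor on the site
    MONITORING = "monitoring"   # site watched for re-manifestation, report drafted


# The only legal order in which phases may follow each other.
NEXT_PHASE = {
    Phase.DETECTED: Phase.HUNTING,
    Phase.HUNTING: Phase.VERDICT,
    Phase.VERDICT: Phase.CONTAINED,
    Phase.CONTAINED: Phase.MONITORING,
}


@dataclass
class SLA:
    first_notification: timedelta    # deadline (after detection) for the first customer notice
    verdict_notification: timedelta  # deadline (after detection) for verdict + containment proposal


@dataclass
class Incident:
    incident_id: str
    site: str
    occurred_at: datetime   # timestamp of the earliest malicious event found in the logs
    detected_at: datetime   # time the EDR alert reached the central SOC
    phase: Phase = Phase.DETECTED
    first_notified_at: Optional[datetime] = None
    verdict_notified_at: Optional[datetime] = None
    contained_at: Optional[datetime] = None

    def advance(self, to: Phase, at: datetime) -> None:
        """Move to the next phase, recording the customer-facing timestamps on the way."""
        if NEXT_PHASE.get(self.phase) != to:
            raise ValueError(f"{self.incident_id}: cannot go from {self.phase.value} to {to.value}")
        if to is Phase.HUNTING:
            self.first_notified_at = at    # customer told an incident exists on this site
        elif to is Phase.VERDICT:
            self.verdict_notified_at = at  # customer told the verdict and proposed containment
        elif to is Phase.CONTAINED:
            self.contained_at = at         # event captor confirms containment was executed
        self.phase = to


def sla_breaches(incident: Incident, sla: SLA) -> List[str]:
    """Return the names of the SLA deadlines this incident missed (empty if compliant)."""
    checks = [
        ("first_notification", incident.first_notified_at, sla.first_notification),
        ("verdict_notification", incident.verdict_notified_at, sla.verdict_notification),
    ]
    return [name for name, stamp, limit in checks
            if stamp is not None and stamp - incident.detected_at > limit]


def mttd_hours(incidents: List[Incident]) -> float:
    """Mean Time To Detect: average of (detection - first malicious event), in hours."""
    return mean((i.detected_at - i.occurred_at).total_seconds() for i in incidents) / 3600


def mttr_hours(incidents: List[Incident]) -> float:
    """Mean Time To Respond: average of (containment - detection) over contained incidents, in hours."""
    closed = [i for i in incidents if i.contained_at is not None]
    return mean((i.contained_at - i.detected_at).total_seconds() for i in closed) / 3600


def build_sample_incidents():
    """Two constructed incidents walked through the lifecycle (sample data, not real cases)."""
    t0 = datetime(2024, 1, 10, 8, 0)
    sla = SLA(first_notification=timedelta(hours=1), verdict_notification=timedelta(hours=8))

    a = Incident("INC-0001", "site-a", occurred_at=t0, detected_at=t0 + timedelta(hours=2))
    a.advance(Phase.HUNTING, a.detected_at + timedelta(minutes=30))
    a.advance(Phase.VERDICT, a.detected_at + timedelta(hours=4))
    a.advance(Phase.CONTAINED, a.detected_at + timedelta(hours=6))
    a.advance(Phase.MONITORING, a.detected_at + timedelta(hours=7))

    b = Incident("INC-0002", "site-b", occurred_at=t0, detected_at=t0 + timedelta(hours=4))
    b.advance(Phase.HUNTING, b.detected_at + timedelta(minutes=90))  # first notice misses the 1 h SLA
    b.advance(Phase.VERDICT, b.detected_at + timedelta(hours=5))
    b.advance(Phase.CONTAINED, b.detected_at + timedelta(hours=10))
    return sla, [a, b]


if __name__ == "__main__":
    sla, incidents = build_sample_incidents()
    for inc in incidents:
        print(inc.incident_id, inc.site, inc.phase.value, "SLA breaches:", sla_breaches(inc, sla))
    print(f"MTTD = {mttd_hours(incidents):.1f} h, MTTR = {mttr_hours(incidents):.1f} h")
```

The strict phase order in `NEXT_PHASE` is deliberate: a containment action can only be dispatched to a site's event captor after a verdict has been recorded and the customer notified, which mirrors the SLA-bound sequence described above, and the recorded timestamps are exactly the ones the final incident report needs for its MTTD and MTTR figures.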

What this means for SMEs is simple: cybersecurity becomes a continuous service rather than a reactive task. SOCaaS allows businesses to benefit from professional monitoring, faster detection and response times, and structured incident handling—while remaining focused on their core operations.

Through SOC4SME, SMEs gain access to enterprise-grade security operations adapted to their scale and real needs, helping them strengthen resilience, meet regulatory expectations, and reduce the impact of cyber incidents in an increasingly complex digital landscape.
