The cybersecurity landscape has fundamentally changed. Five years ago, most managed service providers (MSPs) didn’t have a dedicated Security Operations Centre. Today, it’s become an essential component of protecting businesses from increasingly sophisticated threats. But what exactly is a SOC, and why has it become so critical?
Understanding the modern SOC
A Security Operations Centre is a centralised unit that monitors, detects, analyses, and responds to cybersecurity incidents around the clock. As Martin Lake, Security Operations Centre Manager at ERGOS, explains: “The Security Operations Centre is responsible for managing and responding to incidents generated by those products. And alongside that I will develop and work on keeping those products up to date and relevant for the clients.”
Unlike traditional IT support, a SOC operates with specialist expertise focused exclusively on security. “We are the guys responsible for responding to incidents and cyber security events from the cyber security sector, which is separated from the normal live desk due to the kind of expertise that’s needed and due to the nature of the incidents that come in,” Martin notes.
This separation is crucial. According to the UK Government’s Cyber Security Breaches Survey 2024, 50% of UK businesses and 32% of charities reported having cybersecurity breaches or attacks in the last 12 months. Having dedicated security professionals monitoring your environment 24×7 can dramatically reduce both the likelihood and impact of successful attacks.
The evolution of cyber threats
The threat landscape that necessitates a modern SOC has evolved dramatically, particularly over the past year. Martin observes a significant shift in attack sophistication: “This year was, I’d say phishing has changed. You used to get this email once in a while from like a Nigerian prince. Bad grammar. Just nonsense. It feels like now with the advent of AI, especially over this year, what’s happening is… these AI models are very good at creating convincing spear phishing campaigns.”
The ease with which attackers can gather intelligence compounds this problem. Company structures, key personnel, and organisational relationships are readily available on platforms like LinkedIn. As Martin points out: “It’s not hard for a tool or a person to go through LinkedIn and scrape all of the company data in regards to positions, people of importance, roles, things coming up.”
This intelligence gathering enables highly targeted attacks. Martin shares a concerning example: “The attacker was pretending to be the CFO and the attacker was getting in contact and they were not doing it through work devices. They were reaching out to users through personal devices, through email addresses and mobile numbers that they obviously got them from somewhere like LinkedIn or another source… there was AI involved to simulate the voice of the CFO and it sounded very convincing.”
The National Cyber Security Centre (NCSC) has warned repeatedly about the increasing sophistication of social engineering attacks, with their 2024 Annual Review highlighting AI-enhanced phishing as one of the most significant emerging threats facing UK organisations.
ERGOS Shield: real-world protection in 2025
The statistics from ERGOS’s Security Operations Centre in 2025 demonstrate the very real and constant nature of these threats:
- 324 endpoint security incidents were investigated by the ERGOS SOC
- 99 suspicious activities were proactively analysed
- 53 confirmed cyberattacks were identified and stopped before impact
- 225 dark web credential leaks were identified and analysed to reduce account compromise risk
Critically, every incident was reviewed by a real, expert human analyst—not just automation. This human element, guided by intelligence from industry-leading threat intelligence platforms, ensures nuanced decision-making that purely automated systems cannot provide.
Beyond basic antivirus: what is EDR and MDR?
Understanding what a SOC does requires understanding the technology it manages. Traditional antivirus software—whilst still having a role—is no longer sufficient. “That was good for a while. It’s not enough anymore,” Martin explains.
Modern Endpoint Detection and Response (EDR) solutions use behavioural analysis rather than just signature-based detection. “It’s going to look at how it’s acting in connection to other processes occurring on the computer,” Martin describes. This allows EDR to identify threats that have never been seen before—so-called zero-day attacks.
EDR platforms offer crucial capabilities including:
- Automated isolation: When a threat is detected, the system can immediately separate the affected device from the network, preventing lateral movement
- Rollback functionality: EDR keeps shadow copies of files, meaning that if ransomware encrypts data, “it will roll back all the files the event touched. So if it encrypts 20 files, it rolls back 20 files back to the last shadow copy”
- Forensic capabilities: Detailed logging allows security teams to understand exactly what happened during an incident
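To make the difference between signature matching and behavioural detection concrete, here is an added Python example; it is not from the article and is not ERGOS’s or any EDR vendor’s code. It runs three behavioural rules over a constructed stream of process and file events (the hosts, process names, command lines, paths and rule weights are all made up for illustration), scores each host, decides whether that host would be automatically isolated, and lists the files a rollback would need to cover because the flagged process or one of its children modified them.

```python
"""Toy behavioural endpoint detection over constructed process/file telemetry.

Every event, host name, path and rule weight below is invented for this
illustration. Real EDR telemetry and rule sets are far richer, but the shape is
the same: judge a process by what it does and who started it, not by its hash.
"""
from collections import defaultdict
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
ISOLATE_THRESHOLD = 80   # score at which the host is cut off from the network
MASS_WRITE_COUNT = 10    # distinct files touched ...
MASS_WRITE_WINDOW = 30   # ... within this many seconds


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds since boot (constructed)
    host: str
    pid: int
    ppid: int
    image: str     # executable name, lower-case
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    ts: int
    host: str
    pid: int       # process that modified the file
    path: str


# Constructed telemetry. ws-01 is an ordinary workstation. On ws-02 a document
# reader launches a script interpreter with an encoded command, which then
# rewrites many files in a short burst. Every binary involved is a legitimate,
# signed OS component, so a signature-only check would see nothing.
PROC_EVENTS = [
    ProcEvent(100, "ws-01", 400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(110, "ws-01", 410, 400, "winword.exe", "winword.exe report.docx"),
    ProcEvent(120, "ws-01", 420, 400, "outlook.exe", "outlook.exe"),
    ProcEvent(200, "ws-02", 500, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(210, "ws-02", 510, 500, "winword.exe", "winword.exe invoice.docm"),
    ProcEvent(215, "ws-02", 520, 510, "powershell.exe", "powershell.exe -enc <blob>"),
    ProcEvent(220, "ws-02", 530, 520, "cmd.exe", "cmd.exe /c <args>"),
]
FILE_EVENTS = [FileEvent(115, "ws-01", 410, r"C:\Users\a\report.docx")]
FILE_EVENTS += [FileEvent(216 + i, "ws-02", 520, f"C:\\Users\\b\\Documents\\file{i}.docx")
                for i in range(12)]
FILE_EVENTS.append(FileEvent(221, "ws-02", 530, r"C:\Users\b\Documents\README.txt"))


def mass_modification(events):
    """True if one process touched MASS_WRITE_COUNT distinct paths inside the window."""
    events = sorted(events, key=lambda f: f.ts)
    for i, first in enumerate(events):
        paths = {f.path for f in events[i:] if f.ts - first.ts <= MASS_WRITE_WINDOW}
        if len(paths) >= MASS_WRITE_COUNT:
            return True
    return False


def descendants(procs, root_pid):
    """All child, grandchild, ... pids of root_pid in the host's process table."""
    found, stack = set(), [root_pid]
    while stack:
        parent = stack.pop()
        for e in procs.values():
            if e.ppid == parent and e.pid not in found:
                found.add(e.pid)
                stack.append(e.pid)
    return found


def analyse_host(host, proc_events=PROC_EVENTS, file_events=FILE_EVENTS):
    procs = {e.pid: e for e in proc_events if e.host == host}
    writes = defaultdict(list)
    for f in file_events:
        if f.host == host:
            writes[f.pid].append(f)

    findings, flagged = [], set()          # (rule, pid, weight)
    for e in procs.values():
        parent = procs.get(e.ppid)
        # Rule 1: a document application starting a script interpreter.
        if parent is not None and parent.image in OFFICE_APPS and e.image in INTERPRETERS:
            findings.append(("office_spawns_interpreter", e.pid, 60))
            flagged.add(e.pid)
        # Rule 2: an interpreter run with an encoded (obfuscated) command line.
        tokens = e.cmdline.lower().split()
        if e.image in INTERPRETERS and any(t in ("-enc", "-encodedcommand") for t in tokens):
            findings.append(("encoded_command", e.pid, 30))
            flagged.add(e.pid)
    # Rule 3: a burst of file modifications, the behaviour ransomware shares.
    for pid, events in writes.items():
        if mass_modification(events):
            findings.append(("mass_file_modification", pid, 50))
            flagged.add(pid)

    score = sum(weight for _, _, weight in findings)
    # Rollback scope: everything the flagged processes and their children wrote.
    in_scope = set(flagged)
    for pid in flagged:
        in_scope |= descendants(procs, pid)
    rollback = sorted({f.path for pid in in_scope for f in writes.get(pid, [])})
    return {"host": host, "score": score, "findings": findings,
            "isolate": score >= ISOLATE_THRESHOLD, "rollback_scope": rollback}


def run_all(proc_events=PROC_EVENTS, file_events=FILE_EVENTS):
    hosts = sorted({e.host for e in proc_events})
    return {h: analyse_host(h, proc_events, file_events) for h in hosts}


if __name__ == "__main__":
    for host, result in run_all().items():
        print(host, "score", result["score"], "isolate" if result["isolate"] else "ok",
              "rollback", len(result["rollback_scope"]), "files")
```

Running the script prints a score of 0 for ws-01 and 140 for ws-02, isolates ws-02, and lists thirteen files in the rollback scope: the twelve rewritten by the interpreter plus the one written by its child process, which is exactly the “roll back the files the event touched” behaviour described above. Each rule on its own stays below the isolation threshold; it is the chain of parent, command line and file activity that tips the decision, which is why a single signature check is not a substitute.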
However, EDR alone isn’t enough. This is where Managed Detection and Response (MDR) becomes critical. “MDR is the response side of it,” Martin explains. Whilst EDR provides the technology to detect and contain threats, MDR provides the human expertise to investigate, contextualise, and respond appropriately.
The ERGOS SOC doesn’t just monitor alerts – the team actively tunes detection systems, investigates suspicious activity, conducts threat hunting, and provides actionable recommendations. “We help tune, make it not as noisy,” Martin notes, ensuring that security teams focus on genuine threats rather than drowning in false positives.
Building your security stack
Martin emphasises that cybersecurity isn’t about a single product – it’s about layers. “This is kind of what I want to drive home to our clients. It’s a stack, a security stack is something they need to consider along with a security plan.”

A comprehensive security stack typically includes:
- Endpoint Protection (EDR): Modern EDR platforms that can detect, contain, and remediate threats at the device level
- Email Security: Advanced filtering to catch sophisticated phishing attempts before they reach users. The Government’s Cyber Security Breaches Survey found that phishing remains the most common attack vector, affecting 84% of businesses that identified attacks.
- Multi-Factor Authentication (MFA): Essential for protecting accounts, particularly following changes to Cyber Essentials requirements that now mandate MFA rather than regular password changes
- Enterprise Application Control: Monitoring and controlling what third-party applications users connect to corporate resources – particularly important with the proliferation of AI tools
- Dark Web Monitoring: Identifying compromised credentials before attackers can exploit them. “It’s one of those no brainer products that you never want to hear from,” Martin observes, but notes: “even when clients come in and they’ve added products to their arsenal… there’s been leaks from before they did that, even if it’s like a year ago and it’s still good to know.”
- Security Information and Event Management (SIEM): Aggregating logs from across the environment to provide visibility and enable threat detection. “I liken it to a burglar alarm and all of these sensors that could be tripped,” Martin explains.
- Vulnerability Management: Regular scanning and remediation of security weaknesses. At ERGOS, “we do a monthly review of critical third party application vulnerabilities and we will make intent to send them, obviously working with the customer if needed.”
The human layer: user awareness training
Technology alone cannot solve cybersecurity challenges. According to the NCSC’s guidance, humans remain both the strongest and weakest link in cybersecurity, with most successful attacks relying on human error at some point in the attack chain.
User awareness training has become critical, with ERGOS seeing growth of 400% in user awareness, phishing simulations, and training services during 2025. “That comes down to businesses knowing that something’s up. They know that they’ve got to do something,” Martin observes.
However, Martin is keen to emphasise that training shouldn’t be viewed as the primary defence: “The technologies like the awareness training and the endpoint defence, that people tend to use as their tick boxes… they’re meant to be your last defence. You shouldn’t need it if your EDR options are clean because you’ve managed your vulnerabilities, your users are trained not to go to the right website, your environment is secure.”
The Government’s survey revealed that only 20% of UK businesses have a formal cybersecurity training programme, despite the clear evidence that educated users are significantly less likely to fall victim to attacks.
Working with an MSP’s SOC
One of the key advantages of working with an MSP like ERGOS is the breadth of experience the team brings. Stuart, Managing Director at ERGOS, notes: “As someone running a help desk in the way that we do, the events that happen… we had to look at our processes and how we handle those.”
This experience translates into proactive protection. When major security incidents occur in the industry, such as attacks on large retailers, ERGOS’s SOC team immediately reviews its processes and implements additional controls across all client environments.
Martin describes one such response: “One of the things we did immediately, when those events… happened was we went through all of our clients’ 365 tenants and we introduced controlled third party applications.” This proactive approach means that when new threats emerge, ERGOS’s customers benefit from collective learning across hundreds of protected networks.
The consultancy element is equally valuable. “We will have a decent idea of best practice. We will be able to at least frame these discussions,” Stuart explains. With experience supporting organisations through Cyber Essentials, ISO 27001, and sector-specific frameworks like DORA (Digital Operational Resilience Act), ERGOS’s SOC team can guide businesses through complex compliance requirements.
The cost of not having SOC protection
The decision not to invest in SOC services isn’t neutral; it’s a calculated risk. Martin shares his perspective: “Without a patch, without awareness in the industry, people are going to get caught up and my concern is we need to bring it down to the business level.”
The drivers for SOC adoption are mounting:
- Customer Requirements: “Clients have come in and they’ve said things like well we want to be Cyber Essentials plus or what does DORA mean for us?” Martin explains. Business partners and customers increasingly demand evidence of robust cybersecurity practices.
- Insurance Requirements: Cyber insurance has become essential, but “insurance providers have posed these difficult questions and have caught some clients out. Things like MFA for example… the insurer is going to say well you know, your accounting software doesn’t have MFA.”
- Regulatory Pressure: With evolving legislation and compliance requirements, including NIS2 regulations affecting UK businesses, organisations need expert guidance to navigate complex requirements.
- Reputational Risk: A single security incident can destroy years of reputation building, particularly for businesses handling sensitive customer data.
According to research by the Department for Science, Innovation and Technology, UK businesses lose an estimated £87 billion annually to cybercrime, with small and medium-sized enterprises disproportionately affected due to limited security resources.
ERGOS’s approach: continuous assurance
Martin emphasises that cybersecurity is a journey, not a destination: “Anything’s better than nothing. And so the basics of starting with multi factor authentication, encryption, they’re essential these days as we start to progress into that hardening journey.”
In his January newsletter, Martin reinforced this message: “Cybersecurity has been a major focus throughout 2025, reinforcing a clear message: it’s not just an enterprise issue, every business needs to stay protected.”
To support businesses at all stages of their security journey, ERGOS has introduced a free Security Posture Review for small and medium-sized customers. These reviews deliver a clear, cloud-focused snapshot of your current IT security landscape, along with practical recommendations and hardening plans.
The ERGOS SOC operates 24×7, providing:
- Continuous monitoring of security events across your environment
- Expert analysis by qualified security professionals
- Proactive threat hunting to identify risks before they become incidents
- Compliance support for Cyber Essentials, ISO 27001, and sector-specific frameworks
- Regular reporting on your security posture and emerging threats
ERGOS’s automated Cyber Essentials compliance monitoring generated over 1,000 alerts in 2025, helping customers avoid compliance drift and maintain continuous assurance—particularly important given the NCSC’s warning that configuration drift is one of the most common causes of security vulnerabilities.
Looking ahead: AI and emerging threats
The rapid adoption of AI presents both opportunities and risks. “One of the really interesting developments… is actually how the rise of AI now and people bringing their own AI to work,” Stuart notes. The proliferation of AI tools creates data leakage risks that traditional security controls may miss.
Martin explains how ERGOS addresses this: “Since putting that in and with AI coming in the way it has in the past year we’ve seen a lot of end users try and integrate AI products with the 365 tenants where otherwise that would have just gone through and you could have had data going left, right and centre.”
The SOC team now monitors for unauthorised AI tool connections and works with businesses to establish policies around acceptable use, balancing productivity benefits against data protection requirements. This is particularly important given the Information Commissioner’s Office (ICO) guidance on AI and data protection, which emphasises organisations’ responsibilities when using AI tools that process personal data.
The reality of modern threats
Martin’s day-to-day experience provides sobering insight into the frequency of attacks. When asked about the pace of incidents, he responds: “I’ve seen at least two today before this, before this chat.” This isn’t hyperbole; it’s the reality of the modern threat landscape.
The patterns are clear. “You see patterns as well start to come in. But as well it’s knowing how to identify those patterns and knowing what is the false positive and what is the true positive,” Martin explains. This expertise is what separates an effective SOC from simple automated monitoring.
To maintain this level of expertise, ERGOS invests heavily in training. “We’re partnered, for example, with SentinelOne because we’ve got access to SentinelOne University, which is allowing me to put our team through the SentinelOne University courses. Something we’re doing on the side. Allows them to do proper incident response and threat analysis at a very competent level.”
Taking the next step
“These aren’t enterprise problems anymore, they’re business problems,” Martin emphasises. With threats evolving daily and attacks becoming increasingly sophisticated, every business needs to consider how they’re protecting their digital assets, customer data, and intellectual property.
The UK Government’s Cyber Security Breaches Survey found that businesses with a basic cybersecurity approach are far more likely to suffer breaches than those with formal policies and monitoring in place. A Security Operations Centre provides the expertise, technology, and continuous vigilance needed to stay ahead of threats.
As Martin puts it: “You don’t want your company data stolen, do you? It’s not just about ticking a box and saving some money. You want to be a business that is trustworthy and thinking about these things is important.”
Martin’s closing message from the January newsletter resonates: “We’ve loved the discussions these reviews have already opened up and look forward to supporting even more of our customers on their journey to a safer, more secure 2026.”
Whether you’re just beginning your cybersecurity journey or looking to enhance your existing protections, ERGOS’s SOC team can help you build a security strategy that’s appropriate for your business, your budget, and your risk profile.
To learn more about ERGOS Shield Managed Services, our cybersecurity services, or to arrange your free Security Posture Review, contact our team today.
You can also watch the full video here: https://youtu.be/xD2LlvKdBTs
A shortened video highlighting the main points around our Security Operations Centre can be viewed here: https://youtu.be/ueGDH_EpEFw