To SOC or not to SOC?
Summary
This NCSC blog explores whether teams launching digital services truly need a traditional Security Operations Centre (SOC) or whether cloud-native design and operational changes can reduce or replace that need. It explains how SOCs work, why they were historically mandated (GPG13), and how the move to cloud and ‘cloud-first’ policies change the landscape. The post lists practical alternatives and patterns government projects are using—such as zero-touch production, strict environment separation, cloud-native logging and alerting, and time-limited break-glass access—while emphasising situations where a SOC still makes sense.
Key Points
- A SOC provides separation of duties, centralised log collection, triage by security analysts and tooling such as SIEMs, but it can be costly and slow to set up.
- GPG13 (the older NCSC guidance) led to checkbox approaches; the NCSC now recommends thinking in terms of security monitoring for cloud-native services.
- Simply moving to cloud IaaS (lift-and-shift) does not remove the need for SOC functions unless you adopt cloud-native patterns and shared responsibility properly.
- Alternatives used in government projects include fully cloud-native architectures, zero-touch production, strict environment separation, simplified log collection and canary tokens to validate logging.
- Some departments replace SIEMs by extending cloud-provider logging and alerting (e.g. CloudTrail, GuardDuty, Security Hub) when architectures are simple and secure by design.
- Break-glass procedures with tight auditing and time-limited access let operations investigate incidents without full-time SOC analysts.
- Decide based on the functions you would actually need a SOC for: log retention and integrity, real-time detection, and incident management – and whether cloud tools and the operations team can cover each of those.
- SOCs remain valuable for enterprise and higher-classification systems, endpoint monitoring, and detecting broad attacks across many services.
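Two of the patterns above (canary tokens that prove logging works, and audited, time-limited break-glass access) are small enough to check without a SIEM. The following is an added example, not code from the NCSC post or from any department; it runs over constructed CloudTrail-shaped records, and the role ARN, the "INC-" ticket convention and the one-hour limit are assumptions made here.

```python
from datetime import datetime, timedelta, timezone

BREAK_GLASS_ROLE = "arn:aws:iam::111122223333:role/BreakGlass"  # assumed name
MAX_SESSION_SECONDS = 3600  # the time limit we enforce; a value chosen here


def ev(time, name, actor, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "requestParameters": params,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{actor}"}}


# Constructed sample log: a canary read, a compliant break-glass use, a bad one.
SAMPLE_LOG = [
    ev("2024-05-01T10:00:05Z", "GetObject", "canary", key="canary/logging-check.txt"),
    ev("2024-05-01T10:15:00Z", "AssumeRole", "oncall", roleArn=BREAK_GLASS_ROLE,
       roleSessionName="INC-4021-oncall", durationSeconds=3600),
    ev("2024-05-01T11:40:00Z", "AssumeRole", "dev", roleArn=BREAK_GLASS_ROLE,
       roleSessionName="dev-session", durationSeconds=43200),
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def canary_logged(events, canary_key, sent_at, within_minutes=15):
    """True if the deliberate canary access shows up in the collected log within
    the window; False means the logging pipeline is silently broken."""
    deadline = sent_at + timedelta(minutes=within_minutes)
    return any(rec.get("requestParameters", {}).get("key") == canary_key
               and sent_at <= parse_time(rec["eventTime"]) <= deadline
               for rec in events)


def audit_break_glass(events, role_arn=BREAK_GLASS_ROLE, max_seconds=MAX_SESSION_SECONDS):
    """Every use of the break-glass role must cite an incident ticket in its
    session name and stay within the time limit; return (who, reason) findings."""
    findings = []
    for rec in events:
        p = rec.get("requestParameters", {})
        if rec.get("eventName") != "AssumeRole" or p.get("roleArn") != role_arn:
            continue
        who = rec["userIdentity"]["arn"]
        if not p.get("roleSessionName", "").startswith("INC-"):
            findings.append((who, "no incident ticket in session name"))
        if p.get("durationSeconds", 0) > max_seconds:
            findings.append((who, "session exceeds time limit"))
    return findings
```

Run `canary_logged` on a schedule against the log store and page the operations team when it returns False; run `audit_break_glass` over each day's records so every emergency session is reviewed after the fact.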
Why should I read this?
Short and blunt: if you’re about to go live with a cloud service and someone insists you must have a SOC, read this first. It saves you time and money by explaining when a SOC is overkill, what cloud-native monitoring can cover, and exactly which functions you should actually be worried about. Handy if you want to avoid buying a huge SIEM licence just to tick a box.