Incident response approach of in-house IT team and outsourced IT support

Incident response approach of in-house IT team and outsourced IT support

The Security Orchestration, Automation and Response (SOAR) market is rapidly growing as automation and orchestration are being seen as valuable technologies by security and IT support teams. Security operations teams can customize a range of incident response solutions and security programs in collaboration with the in-house or outsource managed security service providers. Many vendors offer such security programs at much low cost.

SOAR or Security Orchestration, Automation and Response is generally defined as technologies that allow organizations to collect security threats data and alerts from different sources. Incident analysis and triage, at those sources, is performed by leveraging a mix of human and machine power to help efficiently define, prioritize and drive standardized incident response activities as per a standard workflow. SOAR technology basically lets organizations implement  incident analysis and response procedure workflows that are primarily machine-driven, to automate repetitive security tasks until a human intervenes, that too, if needed.

Companies are now choosing and implementing security operations automation and orchestration technologies enthusiastically. According to a recent ESG research, 19 percent of organizations have adopted security operations automation orchestration and response or SOAR technologies extensively whereas 39 percent have done so on a limited basis, and about 26 percent are part of a project of automating or orchestrating security operations.

Now the dilemma is, organizations that want to implement SOAR technologies are often tangled in questions like- should they do it themselves, or hire a separate team or outsource that to a managed service provider?

Both the options have their advantages and challenges. To name a few, here is a list of pros and challenges of both options.

In-House Approach


  • It allows a company the complete control of SOAR and integration with existing security infrastructure. SOC staff can customize APIs and other settings to meet the needs of the organization in the best way and the strengths of the IT staff.
  • It also lets you maintain system and data privacy while eliminating the risks associated with third-party security breaches.
  • Companies will technically avoid the risk of being locked with a service provider, if the vendor fails to deliver the agreed service and performance.


  • It may require experts in your It team. If the organization is not equipped with the necessary resources, selecting an outsourcer or vendor is a better option as it will be able to provide an easy to implement solution and cater for all of your security and integration tools and needs.
  • For the companies that have less mature security programs, the expenses of curating one and everything associated with DIY SOAR can exceed the expenses of a service provider, so outsourcing this service is recommended.

Outsourced Approach


  • There’s no need for an in-house team of experts. By going for the outsourced model or the on-demand services, companies are not required to recruit and train additional employees, nor do they have to spend extra on the benefits and supplies for that workforce.
  • For an outsourcer, additional resources are not needed for implementation, management, and maintenance of SOAR technology. A cloud-based SOAR solution does it all from delivering turnkey to automated services.


  • The organization must ensure that the chosen service provider is able to provide security of systems and data suitable to avoid the risk of third-party breaches.
  • Organizations are generally subjected to a particular duration of contract which may not work for some companies.
  • Some outsourcers or service providers try to slide in some hidden or unanticipated costs. If not monitored carefully, some outsourcers may subject you to the cost of an unanticipated on-site visit for example and that would result in additional, unforeseen expenses.
  • Some MSSPs do not treat all their customers equally. Larger companies that usually represent a greater part of a service provider’s revenue are likely to be their first priority in comparison with the other smaller or mid-size customers.
  • Deciding between implementing SOAR technology in-house or approaching a managed security service provider for this means you have to take several variables into consideration before making this decision.

First and foremost, is to analyse the maturity level of a company’s security program along with the existing IT security infrastructure with the experience and expertise of security personnel and resources to train and/or recruit new staff to support it.

By analyzing the pros and challenges of in-house and outsourced SOAR from this perspective, organizations are able to choose the model that is best suited to their individual needs and expectations.

John Norwood
John Norwood is best known as a technology journalist, currently at Ziddu where he focuses on tech startups, companies, and products.