
MDR: Build vs. Buy

Author: David Rickard, CTO, North America

The decision to improve your cybersecurity posture is an important one. Whether to outsource the work to a vendor or handle it in house is the first decision.

What is MDR?

First of all, what is Managed Detection and Response (MDR)? Cipher’s MDR is a multi-functional, turnkey, and complete security solution that reduces response times from 2020’s average of 207 days to minutes. We focus on quickly identifying risky activity via automated methods, Indications of Compromise (IoC) and Indications of Attack (IoA); escalating these events by following escalation profiles that are tailored to your business; providing recommendations for remediation; and even participating in Incident Response (IR) itself.

In developing our MDR solution, Cipher first proposed this problem statement:

“Most mid-size and some large businesses, despite being actively targeted by cyber criminals, do not have the budget to enable enterprise-level cybersecurity solutions.”

One may think that building their own internal SOC is the solution, but that can be very cost-prohibitive, not to mention the difficulty of finding appropriate skill sets. To solve that problem, Cipher’s MDR solution, CipherBox, optimizes Security Return on Investment (SROI) by providing:

  • Server, security controls and infrastructure log ingestion into Cipher’s cloud-based SIEM;
  • Provision of Network Intrusion Detection Systems (NIDS) at no additional charge;
  • Endpoint Detection and Response (EDR) agents at no additional charge;
  • Quarterly refresh of asset inventory and Quarterly Vulnerability Compliance and Management (VCM), also at no additional charge;
  • Domain Protection, providing an end-to-end solution that enables rapid detection of malicious Internet domains that impersonate your company and pose a risk to you, your customers, or the public.

This is enabled by providing CipherBox MDR services that fall within these domains:

Identify: quarterly managed asset discovery

Protect: quarterly managed Vulnerability Compliance Management (VCM)

Detect: continuous real-time Security Incident and Event Management (SIEM) correlation; provision of Network Intrusion Detection Systems (NIDS); and provision of Endpoint Detection and Response (EDR), all of which contribute more events to the SIEM to facilitate event correlation; and retroactive security log search and reporting

Respond: 2 hours of Incident Response (IR) consultation is included at no additional charge.  If Cipher’s EDR is deployed, direct IR activities can be performed by Cipher’s SOC-as-a-Service (SaaS)

Recover: on-demand security incident reports are included, for after-actions and lessons-learned activities.

Proactive and Predictive security services from Cipher lower your risk of breach cost in a very cost-effective manner. In addition to the above, the CipherBox MDR solution provides a Customer Self-Service Portal; a Security Orchestration, Automation and Response (SOAR) platform; and on-demand compliance and standard reports for any regulatory guidance you are bound by for compliance and/or internal management risk tolerance.



As is human nature, we are inclined to first think that the way to stay optimally secure is to keep all Security Operations Center (SOC) activities in-house, but this is simply not true. Security companies like Cipher Security hold many certifications that are cost- and labor-prohibitive for most companies: ISO 27001 (cybersecurity), for which Cipher is also a certification body; SOC 1 and SOC 2 certifications; PCI certification; and many others, including Accreditations and Affiliations.

Expertise in the cybersecurity field is hard to come by, and retaining those personnel can pose a problem for you in a field that is so much in demand. But if you were to try, how much would it cost? Let us look at a cost analysis in several different markets.

All options will require:


  • Minimum 5 full-time employees for 24/7
  • Talent Acquisition / Agency to find and replenish
  • Loyalty and Retention Programs


  • SOC Facilities Build-out
  • Hardware/software
  • Implementation
  • Maintenance
  • Project Management
  • Ongoing Training
  • Certs, ongoing expertise, training
  • Outside Consultation
  • 3rd Party Security Intelligence Feeds

The salary figures are from Glassdoor’s data.

New York City


Average SOC Analyst Salary: $106,298 per year
26% above national average

Core Compensation | Median | % of Total
Base Salary | $106,298 | 72.3%
Value of Benefits | |
Social Security | $8,514 | 5.7%
Time Off | $7,989 | 5.4%

The minimum cost for 5 employees per year will be $734,945, in addition to setup and other expenses.


Average SOC Analyst Salary: $93,682 per year
11% above national average

Core Compensation | Median | % of Total
Base Salary | $93,682 | 72.5%
Value of Benefits | |
Social Security | $7,434 | 5.7%
Time Off | $7,020 | 5.4%

The minimum cost for 5 employees per year will be $645,860, in addition to setup and other expenses.


Average SOC Analyst Salary: $79,293 per year
Meets national average

Core Compensation | Median | % of Total
Base Salary | $79,293 | 69.93%
Value of Benefits | |
Social Security | $6,448 | 5.69%
Time Off | $6,951 | 6.13%

The minimum cost for 5 employees per year will be $566,940, in addition to setup and other expenses.


Average SOC Analyst Salary: $70,336 per year
20% below national average

Core Compensation | Median | % of Total
Base Salary | $70,336 | 68.5%
Value of Benefits | |
Social Security | $5,572 | 5.4%
Time Off | $9,525 | 9.0%

The minimum cost for 5 employees per year will be $513,105, in addition to setup and other expenses.


Average SOC Analyst Salary: $72,500 per year
20% below national average

One might think that personnel costs in a smaller metro area might be cheaper, but that isn’t necessarily so.

Core Compensation | Median | % of Total
Base Salary | $72,500 | 67.7%
Value of Benefits | |
Social Security | $5,738 | 5.3%
Time Off | $9,231 | 8.6%

The minimum cost for 5 employees per year will be $535,105, in addition to setup and other expenses.

Depending on the size of your business and the corresponding volume of log data ingested by our CipherBox MDR Solution, using Cipher’s service is likely to cost anywhere from a partial salary for a single security analyst to the equivalent of 2 to 3 full-time hires, and the hassle of finding qualified analysts is removed from you.

What’s more, your time-to-value decreases to nearly zero, as Cipher leverages the configurations and visibilities across our installed client base to each instance of cloud-based SIEM we deploy for our customers.  The systems are already tuned and ready to go.  It can take over 6 months to get a SIEM tuned if performed in-house – we encounter many clients who have tried to deploy a SIEM for up to years without success.  Of course, once added to our roster, your unique requirements are also taken into account with a monthly reporting and tuning meeting.

In summary, why do you need the CipherBox MDR Service?

  • MDR delivers the most complete security solution for your company without the need to task your personnel;
  • Finding and retaining qualified cybersecurity personnel is difficult;
  • Choosing the right mix of security products on your own can be very time consuming;
  • You’d rather utilize your team for initiatives closely aligned with business goals as set forth by your CIO;
  • Security Return on Investment (SROI) – Cipher’s CipherBox MDR is not only fully functional, it saves you money in hiring, training, monitoring, analysis, and infrastructure build-out.

Contact Cipher for more information about CipherBox MDR today!
