Modern SOC Series - From Fragmented to Focused: evolving the SOC for better outcomes (2/4)

Today’s challenge: a fragmented legacy is holding SOCs back

Today’s security operations centers are often weighed down by years of patchwork decisions. Over time, many organizations have layered best-of-breed, point solutions on top of one another, hoping to build a best-in-class detection and response function. But the result has often been the opposite: inefficiencies, high costs, and insufficient response time to meet business objectives.

"We still see customers struggling with sprawling toolsets," explains Niklas Klotz. "Limited interoperability, redundant capabilities, and a lack of unified processes make it difficult to hit core KPIs like Mean Time to Respond (MTTR). And that’s not just a technical issue, it's a business risk." MTTR is more than a metric — it’s increasingly tied to broader organizational goals: “We’re seeing CISOs and security leaders being held accountable for KPIs that directly map to business performance. Failing to meet them means failing to meet strategic business objectives.”

In an increasingly KPI-driven landscape, SOCs are under pressure to tie security performance directly to business outcomes. Complex, disconnected environments make this a not-so-easy task.

So what does a modern SOC really look like?

Niklas doesn’t hesitate: "It’s a full transformation. People, process, and technology. You can’t modernize one without the others."

The modern SOC starts with platform consolidation. Most enterprises manage dozens of tools, each covering a narrow slice of risk. Modernization means moving toward unified, state-of-the-art detection capabilities with a central pane of glass. But it doesn’t stop at tooling.

"Orchestration and automation are key," he continues. "We work with our customers to rebuild processes around efficiency and consistency. Then we automate what we can to reduce the load on their teams to enable them to use their time more efficiently and focus on helping their business to meet objectives."

This transformation empowers people as much as it streamlines process. By filtering noise and repetitive tasks through automation, SOC analysts can go deeper, faster — investigating real threats and continuously tuning and improving automation and detection capabilities while dynamically adopting them to the ever-changing threat landscape. Analysts shift from triage to insight – “so they’re finally able to go from a reactive work posture to embracing a more strategic (and I’m sure, more thrilling) expert role”.

Niklas sees this evolution as a fundamental shift in the way security teams operate. “In the past, we threw more tools or more people at the problem. Now, it’s about building smarter systems that support fewer, better-informed decisions.”

And the impact of a modern SOC model isn’t just internal. With better alignment between exposure management and detection, organizations gain a clearer picture of risk, enabling faster, more precise action.

Better results, at a lower cost

The benefits of a modern SOC model are both strategic and operational. Security performance improves, but so does the bottom line.

“You simplify your architecture and reduce the number of vendors involved, which naturally lowers your total cost of ownership (TCO),” Niklas explains. “At the same time, your team gets deeper expertise with fewer tools, improving both speed and outcomes.”

More importantly, these efficiencies translate into real-world results. Reduced time to respond. Smarter use of internal resources. And crucially, a security function that aligns with business expectations.

“CISOs today aren’t measured on technical success; they’re measured on business risk. The modern SOC is designed to deliver on that.”

Seeing what attackers see

When asked about External Attack Surface Management (EASM), Niklas makes the point clear: visibility is non-negotiable.

“You can’t protect what you can’t see — and unfortunately, many organizations still don’t know what their external footprint really looks like.”

From untracked cloud assets to shadow IT spun up by non-technical teams, blind spots are everywhere. EASM tools allow SOCs to gain that outside-in perspective: what an attacker might find, exploit, or target. And with that insight, defenders can act faster and with more context.

“It’s not just about known assets anymore,” says Niklas. “It’s about uncovering the unknowns before they become entry points.” 

A shift in mindset

But to fully embrace the modern SOC, a cultural shift is needed.

“Trust is a big one,” Niklas notes. “You need to trust your technology, your partners, and your process.” In practice, this means letting go of the belief that internal teams must own every piece of the puzzle. It means focusing on outcomes, not control. It also means embracing automation and AI as essential to scaling security operations.

“You don’t need 80 tools and 10 service providers. You need the right partners and the right architecture. And the willingness to evolve.”

For some organizations, that may also mean abandoning outdated fears around vendor consolidation. “We hear concerns like ‘I don’t want to put all my eggs in one basket.’ But the truth is, the gains in visibility, speed, and cost far outweigh the risks.”

Avoiding common missteps

One of the biggest mistakes organizations make? Treating SOC modernization as a lift-and-shift.

“Swapping out tools without changing processes or roles doesn’t work,” Niklas warns. “This is a full-on transformation. You need a strategy that touches every layer.”

Another common pitfall: failing to align SOC goals with business objectives.

“The companies that succeed are the ones that know their KPIs and can tie them back to broader business outcomes. Otherwise, you’re modernizing without direction.”

Final thoughts: Start with a vision, and seal it with a plan

So what’s Niklas’s advice for security leaders who wish to transition to a modern SOC?

“Have a three-to-five-year vision. Define your objectives, set your KPIs, and share them with your partners and other relevant stakeholders.”

That vision becomes the compass for transformation. Without it, efforts become disjointed. But with it, organizations can build a SOC that’s flexible, future-ready, and focused on outcomes.

But vision alone isn’t enough: planning is everything. “Transformation isn’t a one-time switch,” Niklas emphasizes. “It’s a phased evolution. It requires close collaboration between the customer and the provider, and an understanding that SOC maturity is a journey.”

Ultimately, the modern SOC is not a product to be bought or a tool to be installed. It’s a long-term transformation that must be continuously refined and aligned to the business.

“The modern SOC isn’t a destination – it’s a continuous journey. And it’s one we’re ready to take with our customers.”