Almost every cybersecurity provider in the region lists a '24/7 SOC' on their capabilities page. The phrase has become so common that buyers can struggle to tell which providers actually run one and what the SOC actually delivers. This article is a plain-English walk-through of what a real 24/7 SOC does, where SIEM, XDR, and the MITRE ATT&CK framework fit, and what to ask when you are evaluating a SOC offering.
What a SOC actually delivers
A Security Operations Centre is the team, tooling, and process that watches an organisation's systems for security threats around the clock, investigates anything suspicious, and coordinates the response when a real incident occurs. The deliverable is not 'analysts in a room'. The deliverable is, in plain terms, four things: continuous visibility into what is happening across the organisation's environment; timely detection of activity that is likely to be malicious; investigation of that activity to confirm whether it is a real incident; and coordinated response to contain and recover when it is.
Everything else — the SIEM, the XDR, the SOAR, the threat-intelligence feeds, the dashboards, the ATT&CK mappings — is in service of those four outcomes.
SIEM: the central log and event view
A Security Information and Event Management (SIEM) platform is the SOC's central nervous system. It collects logs and security events from across the environment — firewalls, endpoints, identity providers, cloud platforms, business applications, network sensors — and correlates them so that an analyst can see one coherent picture instead of a hundred isolated tool views.
The SIEM is also where detection logic lives. Detection rules and analytics watch the incoming event stream for known-bad patterns and for behavioural anomalies, and surface alerts to the analyst queue. A SOC is only as good as its detection content; a SIEM with stock rules and no tuning will generate enormous volumes of false positives and miss the things that matter. Detection engineering — the discipline of writing, tuning, and retiring detection rules — is one of the things that separates a real SOC from a logo-on-a-slide SOC.
XDR: cross-domain detection and response
Extended Detection and Response (XDR) is the next generation of the older Endpoint Detection and Response (EDR) model. Where EDR watched endpoints, XDR watches across endpoints, networks, identities, email, and cloud workloads as a single connected system. The point is that real attacks rarely stay in one domain — an attacker compromises an identity via phishing, uses that identity to move laterally, drops malware on a server, exfiltrates data through cloud storage. EDR sees one part of that story. XDR is designed to see the whole arc.
Modern SOCs typically run SIEM and XDR as complementary tools — XDR for the high-fidelity cross-domain narrative, SIEM for the long tail of log sources and the bespoke detection content.
MITRE ATT&CK: the shared language
MITRE ATT&CK is a globally maintained knowledge base of how real adversaries operate — the tactics they pursue (initial access, persistence, lateral movement, exfiltration, impact) and the specific techniques and sub-techniques they use to achieve them. It is, more than anything else, a shared vocabulary.
A mature SOC maps its detections, hunts, and incident reports to ATT&CK. The point of doing so is twofold. First, it makes coverage gaps visible — the SOC can look at the ATT&CK matrix and see which techniques it has good detection coverage for and which it does not. Second, it makes communication with peers, auditors, and incident-response partners enormously cleaner — everyone is using the same definitions for what happened.
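As an added example (not AHAT's code or platform), the toy Python below ties the preceding points together: detection rules tagged with real ATT&CK technique IDs, alerts from identity, endpoint and cloud sources correlated per principal into the phishing-to-exfiltration arc described above, and a coverage check that lists the tactics with no rule behind them. The rule names, principals and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tactics named in the article, in kill-chain order.
TACTICS = ["initial-access", "persistence", "lateral-movement", "exfiltration", "impact"]

# Deployed detection rules -> (ATT&CK technique ID, tactic). IDs are real
# ATT&CK identifiers; the rule names are constructed for this example.
RULES = {
    "idp-login-after-phish-click": ("T1566", "initial-access"),
    "edr-remote-service-exec": ("T1021", "lateral-movement"),
    "cloud-bulk-upload-to-external-storage": ("T1567.002", "exfiltration"),
}

def coverage_gaps(rules, tactics=TACTICS):
    """Tactics for which the SOC has deployed no detection rule at all."""
    covered = {tactic for _, tactic in rules.values()}
    return [t for t in tactics if t not in covered]

def correlate(alerts, rules, window=timedelta(hours=2)):
    """Group alerts by the principal they concern. A principal whose alerts
    cover two or more tactics within `window` of its first alert becomes an
    incident: {principal: [tactics in time order]}. Single-tactic activity
    stays an ordinary alert and is not returned."""
    by_principal = defaultdict(list)
    for alert in alerts:
        by_principal[alert["principal"]].append(alert)
    incidents = {}
    for principal, group in by_principal.items():
        group.sort(key=lambda a: a["ts"])
        start, tactics_seen = group[0]["ts"], []
        for alert in group:
            if alert["ts"] - start > window:
                break
            tactic = rules[alert["rule"]][1]
            if tactic not in tactics_seen:
                tactics_seen.append(tactic)
        if len(tactics_seen) >= 2:
            incidents[principal] = tactics_seen
    return incidents

# Constructed alerts from three domains (identity, endpoint, cloud) at 3 a.m.
T0 = datetime(2024, 1, 1, 3, 0)
ALERTS = [
    {"ts": T0, "principal": "j.doe", "source": "identity", "rule": "idp-login-after-phish-click"},
    {"ts": T0 + timedelta(minutes=20), "principal": "j.doe", "source": "endpoint", "rule": "edr-remote-service-exec"},
    {"ts": T0 + timedelta(minutes=55), "principal": "j.doe", "source": "cloud", "rule": "cloud-bulk-upload-to-external-storage"},
    {"ts": T0, "principal": "svc-backup", "source": "cloud", "rule": "cloud-bulk-upload-to-external-storage"},
]
```

Running `correlate(ALERTS, RULES)` yields one incident for `j.doe` spanning three tactics, while the lone `svc-backup` upload stays a single alert; `coverage_gaps(RULES)` reports that persistence and impact have no detection behind them.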
How AHAT's in-house Managed SOC fits
AHAT's Managed SOC is in-house and has been operating since 2023. It provides 24/7 monitoring, threat detection, and incident response across our customers' environments. The platform is SIEM/XDR-based and aligned with the MITRE ATT&CK framework, and the practice runs to ISO 27001 standards.
We offer the SOC in two engagement models. As a Managed Service, the SOC is delivered on a monthly retainer: AHAT owns continuous monitoring, alert triage, incident response coordination, and monthly reporting. As a One-Time Project, AHAT delivers a SIEM/XDR platform deployment — design, build, tuning, runbook handover, and training — for clients who prefer to operate the SOC themselves. The choice between the two is driven by the client's in-house security team, not by ours.
What to ask when evaluating a SOC offering
- Is the SOC in-house, or sub-contracted to a third party? If sub-contracted, who is the third party, and what is their accreditation status?
- Which SIEM and XDR platforms are in use, and what detection-engineering work has been done on top of the stock rules?
- How are detections, hunts, and incidents mapped to MITRE ATT&CK? Ask to see a coverage view, not a slide.
- What is the SOC's analyst staffing model around the clock? How are escalations handled at 3 a.m.?
- What does the monthly reporting look like? Ask for a redacted example before signing the SOW.
- Is the offering available as a managed retainer, a one-time deployment, or both? The right answer depends on your in-house team, not on the provider's preferred model.
