By Rob Demain, CEO of e2e-assure

Regardless of sector, chances are you’ve heard some version of these lines from a SOC or MDR provider. They might sound harmless at first, but they often point to deeper issues that could leave your organisation exposed when it matters most.

Let’s break down what these red flags really mean, why they’re showing up more often, and what you can do to avoid falling into the trap of a “security partnership” that’s anything but.

1. “Our detection rules are our IPR, so you can’t see them.”

This is a classic case of hiding behind intellectual property to avoid scrutiny. If your provider won’t show you how they’re detecting threats, you can’t validate whether those rules actually align with your environment. For regulated sectors like government and CNI, this lack of transparency can create compliance headaches and erode trust.

Outcome: Push for visibility. If your SOC won’t share detection logic, it’s time to question whether they’re truly invested in your security outcomes or just protecting their own processes.

2. “We use the same rules for all our clients.”

This one’s surprisingly common. But let’s be clear: a retail chain and a national water utility do not face the same threat landscape. Attackers tailor their tactics to the sector, and your SOC should be doing the same.

Outcome: Demand contextualisation. Your provider should be adapting detection logic to your industry, your assets, and your risk profile. Anything less is generic and ineffective.

3. “We don’t do fixed response times, but we’ll get to it ASAP.”

This is a polite way of saying “we’ll get to it when we can.” In manufacturing, where downtime hits the bottom line, or in public services where delays can affect lives, vague SLAs are unacceptable.

Outcome: Insist on clear, measurable response commitments. If your SOC can’t guarantee timely action, they’re not equipped to support your operational resilience.

4. “You can’t talk to analysts directly – just check ticket updates.”

Security is a human-led discipline. Analysts aren’t just alert processors; they’re investigators and advisors. Blocking direct access slows everything down and creates gaps in understanding.

Outcome: Choose providers who offer direct analyst engagement. Real-time collaboration improves clarity, speeds up resolution, and builds trust across your teams.

5. “We only alert on critical or high alerts – lower priority ones aren’t important.”

This approach ignores the early signs of compromise. Many advanced threats start small – failed logins, unusual lateral movement, odd data transfers. These are the breadcrumbs that lead to bigger problems.

Outcome: Look for providers who surface all relevant signals, not just the loud ones. Early detection is the key to prevention, and that means monitoring the full spectrum of activity.
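As an added illustration (not part of the article, and not e2e-assure's own tooling) of why individually low-priority signals matter: the Python below correlates constructed failed-login events, each of which a “critical or high only” policy would discard, into a single high-severity finding when a burst of failures from one source is followed by a successful login from the same source. The log format, field names, window and threshold are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not taken from the article).
# Fields: timestamp, user, source IP, outcome. On its own each line is a
# low-severity event that a "critical/high only" SOC would never surface.
SAMPLE_LOGS = """\
2024-05-01T08:00:01 alice 203.0.113.7 failure
2024-05-01T08:00:04 bob 203.0.113.7 failure
2024-05-01T08:00:07 carol 203.0.113.7 failure
2024-05-01T08:00:10 dave 203.0.113.7 failure
2024-05-01T08:00:13 erin 203.0.113.7 failure
2024-05-01T08:00:19 carol 203.0.113.7 success
2024-05-01T09:15:00 dave 198.51.100.2 failure
2024-05-01T09:20:00 dave 198.51.100.2 success
"""

def parse_events(text):
    """Parse one event per line into (timestamp, user, src_ip, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, src, outcome))
    return sorted(events)

def correlate_auth(events, window=timedelta(minutes=5), threshold=5):
    """Raise one HIGH finding per source IP when >= threshold failed logins
    inside the window are followed by a success from that same IP."""
    findings = []
    recent = {}  # src_ip -> failures (timestamp, user) still inside the window
    for ts, user, src, outcome in events:
        fails = [f for f in recent.get(src, []) if ts - f[0] <= window]
        if outcome == "failure":
            fails.append((ts, user))
            recent[src] = fails
            continue
        if len(fails) >= threshold:
            findings.append({
                "severity": "HIGH",
                "src_ip": src,
                "failed_attempts": len(fails),
                "targeted_users": sorted({u for _, u in fails}),
                "succeeded_as": user,
            })
            recent[src] = []  # one burst produces one finding
        else:
            recent[src] = fails
    return findings
```

Run against the sample, the single isolated failure from 198.51.100.2 stays low-priority noise, while the five failures from 203.0.113.7 followed by a success become one HIGH finding naming the targeted accounts.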

6. “We don’t take those logs – they don’t provide value.”

This one’s particularly alarming. Host logs, domain controller logs, firewall telemetry – these are essential for both detection and investigation. Without them, your SOC is flying blind.

Outcome: Prioritise depth of telemetry. A robust ingestion pipeline is critical for threat hunting, incident response, and aligning with frameworks like MITRE ATT&CK. If your provider can’t handle diverse data sources, they’re not ready for modern threats.

What’s really going on in the market?

These red flags aren’t just isolated incidents. They reflect a broader trend in the SOC/MDR space:

For CISOs and IT leaders, especially in high-risk sectors, this signals a need to rethink how SOC partnerships are evaluated. You need to know that your provider understands your environment, communicates clearly, and acts fast when it counts.

What good looks like

A modern SOC should offer:

These aren’t optional extras. They’re the foundation of a service that actually protects you.

Final Thoughts

In today’s environment, where threats evolve daily and reputational damage is just one breach away, your security partner must be more than a vendor. They need to be an extension of your team – transparent, responsive, and aligned to your mission.

Let’s raise the standard. Because when you’re defending critical services, livelihoods, and public trust, “good enough” just isn’t.

— Rob Demain
CEO, e2e-assure