
SOC built from scratch: 12 FTE team for government organisation

4 months (team complete) + 12 months (MVPrentice programme)
12 FTE

About the organisation

Large executive agency of the Dutch central government with 6,000 employees and 4 million citizens as end users. Processes BSN (citizen service number) data and classifies data up to Departmental Confidential. After a security incident at a sister organisation, the board decided to insource the SOC.

The Challenge

The organisation had outsourced their SOC entirely to a managed security service provider (MSSP) for 7 years. After a serious incident at a comparable government organisation — where the MSSP overlooked critical alerts — the board decided to establish an in-house SOC. This required recruiting an entirely new team: SOC manager, 2 lead analysts, 4 tier-2 analysts, 3 tier-1 analysts, a SIEM engineer and a threat intelligence analyst.

The challenge was threefold. First, all candidates had to pass a certificate of good conduct and additional screening due to the government context. Second, there was no existing team to transfer knowledge from; everything had to be built from scratch. Third, the organisation had a limited salary structure compared to the market, making it difficult to attract senior SOC professionals with salary alone.

Our Solution

MVPeople Group combined three service lines to cover the full spectrum. MVPeople (interim) delivered the SOC manager and 2 lead analysts — experienced professionals who could immediately set up the blueprints, processes and playbooks. MVProfessionals (secondment) filled the 4 tier-2 positions with specialists who would stay for 12-18 months to ensure continuity.

The real innovation was MVPrentice: we recruited 3 ambitious graduates with a security affinity and placed them as tier-1 analysts in a structured 12-month training programme, including SIEM training, incident response workshops and mentoring by senior analysts. This solved the salary structure problem: junior professionals accepted a market-rate starting salary with a clear growth path. For the SIEM engineer and CTI analyst, we deployed MVProfessionals with candidates who had specific Splunk and MITRE ATT&CK experience.

Results

  • Complete SOC team of 12 FTE operational within 4 months
  • 24/7 monitoring achieved (3 shifts) with in-house staff
  • Mean Time to Detect (MTTD) decreased from 72 hours (MSSP) to 8 hours (in-house SOC)
  • Recruitment timeline 60% faster than the project office planning
  • 3 MVPrentice participants progressed to tier-2 level after 12 months

From SOC manager to tier-1 analysts, MVPeople delivered the complete spectrum. But the MVPrentice concept was the game-changer: we now have three internally trained analysts who perfectly fit our organisational culture and are growing into senior roles.

Director ICT

What the team says

The transition from MSSP to in-house SOC was an enormous project. MVPeople understood the government context — the screening requirements, the salary structure, the political sensitivity. That made the collaboration smooth.

Cybersecurity Programme Manager

Our MTTD decreased from 72 to 8 hours. That's the difference between an in-house team that knows your organisation and an MSSP serving thousands of clients.

SOC Manager
