SOC in a Box — Powered by SOC365

A Real SOC.
Delivered to Your Door.

Enterprise-grade 24/7 security monitoring for organisations with up to 100 assets. Three plans from £333.33/month. Hosted and run in the UK. No compromises. No ticket queues.

SOC//BOX
Model SB-100 · SOC365 Powered
Cyber Defence · SOC in a Box
24/7 monitored · Same SOC365 analysts · Up to 100 assets
From 33p/asset/day
Less than a cup of coffee

Per-asset, per-day pricing across all three plans. Security shouldn't cost more than your morning coffee run.

£0 setup fee
We ship it configured

Pre-configured to your environment. Plug in, call us, live within the hour.

24/7/365
Analyst monitoring

Identical detection engine, analyst team, deception sensors, and threat intelligence.

5 days
To fully operational

Your named analyst learns your network, your users, your quirks.

Everything Inside the Box

Every SOC in a Box — whether physical appliance or virtual image — runs the full, unmodified SOC365 platform. There is no "lite" tier, no reduced rule set, and no separate analyst team for smaller clients. All three plans receive identical capability.

SOC365 Detection Engine

The same correlation engine used across our enterprise estate. Thousands of detection rules continuously updated by our threat research team. Behavioural analytics, signature matching, and anomaly detection working in concert.

24/7/365 Analyst Coverage

Qualified analysts monitoring your environment every hour of every day. No gaps at weekends. No skeleton crew over bank holidays. The same team that watches our enterprise clients watches your box.

Named Analyst Assignment

You are assigned a named analyst who learns your network, your users, your escalation preferences, and your quirks. They author custom detection rules specific to your infrastructure.

EmilyAI Triage Augmentation

Our AI triage layer pre-processes and enriches alerts before they reach your analyst — reducing noise, accelerating classification, and ensuring human attention is focused on genuine threats.

DecoyPulse Deception Sensors

Honeypot and deception technology deployed within your network to detect lateral movement and insider threats. These sensors generate zero false positives — if something touches a decoy, it shouldn't be there.

Threat Intelligence Integration

Real-time feeds from CVE databases, EPSS scoring, and dark web monitoring. Your analyst correlates external threat data with activity on your network to identify emerging risks before they materialise.

Confidence Score Dashboard

A single, clear metric that tells you — and your board — how well-protected your organisation is right now. Not walls of threat data. A score you can act on.

Incident Response Escalation

If your analyst detects a confirmed incident, our Disrupt response team can be engaged immediately through the SOC365 escalation path. No separate contract required.

Also Included With Every Plan

Monthly board-ready report authored by your named analyst
Direct phone escalation — not a ticket system
Network topology review during onboarding
Quarterly threat landscape briefing tailored to your sector
Compliance evidence pack for auditors and insurers
Ongoing detection rule tuning as your environment evolves

Same SOC. Closer to you.

Not a smaller SOC.
The same SOC, closer to you.

The cybersecurity industry has a terrible habit: anything built for smaller organisations gets positioned as "lite", "basic", or "starter". The framing says: you're getting less because you deserve less.

SOC in a Box flips that. You get the same analysts, the same detection engine, the same threat intelligence, and the same deception technology as our enterprise SOC365 clients. The only difference is the sensor lives on your premises — which actually makes it better for your use case, not worse.

General Features

  • Made in the UK
  • Support for On-Prem or Cloud SOC Deployment
  • Use Cases for IT and OT Infrastructure
  • Security Consulting Workshops (2/year)
  • Additional workshops are available
  • Same threat intelligence integration (CVE, EPSS, dark web)
  • Monthly Reporting (optional customised reports)
  • Cyber Essentials Consulting & Certification

Identical to full SOC365

  • Same SOC365 detection engine and correlation rules
  • Same 24/7/365 analyst coverage — CREST-certified team
  • Same named analyst assigned to your account
  • Same EmilyAI triage augmentation
  • Same threat intelligence integration (CVE, EPSS, dark web)
  • Same DecoyPulse deception sensors
  • Same incident response escalation path
  • Same Confidence Score dashboard
  • Same board-ready monthly reporting

 

Technical EDR Features

  • Max Capacity - 25 / 50 / 100 devices (by plan)
  • Agent Monitoring
  • Syslog Monitoring
  • Azure / O365 Monitoring
  • 31 days Data Retention
  • Same threat intelligence integration (CVE, EPSS, dark web)
  • Monthly Reporting (optional customised reports)

 

Technical NDR Features

  • Dataflow & Sensor Monitoring
  • Firewall and IDS (when deployed inline)

SOC Features

  • Alerting via Service Portal & Email
  • Active Remediation
  • Standard Response Workflows
  • 10/5 standard SLA (SLA L1: 30min / L2: 4h / L3: 4h)
  • 24/7 standard SLA: Level 1 Response (SLA L1: 30min)
  • Indicator Enrichment
  • Threat Intelligence Service
  • Threat Intelligence Service additional Darkweb Monitoring
  • Vulnerability Management Service
  • Threat Hunting Service
  • Deception Service + Honeypots
  • Attack Surface Management Service

Five days to live monitoring

Five Days. Zero Complexity.

Four steps. No infrastructure projects. No six-month onboarding. No consultants. A box arrives. You plug it in. We start watching.

Scoping Call

A 30-minute call to understand your environment: how many assets, what they are, where they sit. We'll recommend the right plan and configure the appliance before it ships.

Day 1 · 30 minutes

Appliance Ships

Physical appliance or virtual image — your choice. Pre-loaded with SOC365, tuned to your network topology, and ready to deploy on arrival.

Day 2–3 · Next-day UK delivery available

Plug In & Go Live

Connect to your network. Call us. We verify the connection, run a validation scan, and your named analyst introduces themselves.

Day 4 · Under 1 hour to go live

Tuned & Watching

Your analyst tunes detections to your baseline, deploys deception sensors, and configures your Confidence Score dashboard. By the end of the day, you're fully operational — monitored 24/7/365.

Day 5 · Fully monitored 24/7

Choose Your Deployment

Two options, identical capability. Both connect to the same analyst team and run the same SOC365 platform. Choose whichever fits your environment.

Physical Appliance

A hardened box, shipped to your premises.

A hardened, pre-configured appliance shipped to your premises. No VM overhead, no hypervisor dependency. Ideal for organisations that want something physical they can point to and say: "That is our SOC."

Form Factor: 1U rack-mount or desktop
Capacity: 25 / 50 / 100 assets (by plan)
Connectivity: 2× External, 6× Internal Ethernet
Encryption: AES-256 at rest + in transit
Delivery: Next-day UK mainland

Virtual Appliance

Deploy on your existing hypervisor. Zero hardware.

An OVA/VMDK image deployed onto your existing hypervisor. Identical SOC365 capability with no physical footprint. Ideal for cloud-first or multi-site organisations.

Hypervisors: VMware / Hyper-V / Proxmox / KVM
Capacity: 25 / 50 / 100 assets (by plan)
Resources: 4 vCPU / 16 GB RAM / 500 GB
Encryption: AES-256 at rest + in transit
Delivery: Download within 1 hour

Who it's for

You Were Told You Were Too Small. You Weren't.

SOC in a Box was designed for the organisations that every other vendor turns away — not because they don't need protection, but because the traditional delivery model doesn't work at their scale.

Boutique Law Firms & Chambers

12 firms with 10–60 staff now run SOC in a Box — 9 were referred by another firm

Client confidentiality isn't optional at any size. These firms use their certificate and SOC monitoring as proof of duty-of-care in client pitches.

GP Surgeries & NHS Clinics

NHS Digital guidance now recommends continuous monitoring — SOC in a Box meets the standard

Patient data. Clinical systems. Connected devices. Small doesn't mean simple — and patient records demand the same rigour as any enterprise dataset.

Engineering & Consulting Firms

73% of our SOC in a Box clients cite winning a specific contract as the trigger for purchase

Tier-1 contractors increasingly require supply chain security evidence. The Confidence Score report becomes the document that unlocks revenue.

Academies, Schools & Trusts

4 multi-academy trusts now deploy one box per school — standardised security across the estate

Safeguarding data, staff records, exam systems — the cost per school is significantly lower than hiring even a shared security analyst.

Parish & Town Councils

First local authority in the UK to deploy SOC in a Box — 3 more followed within 6 months

Public sector data defended by the same analysts who protect MoD contractors.

IFAs & Wealth Managers

FCA operational resilience pressure — SOC in a Box is the fastest path to demonstrable compliance

Client portfolios protected 24/7. The Confidence Score dashboard answers the regulator's questions before they're asked.

Online & Physical Retail

Planning records, financial accounts and stock control — defended by the same analysts who protect enterprise clients

The heartbeat of UK commerce, ensuring the same standard of care regardless of the size of the business.

We were told by three other vendors that we were "too small" for a managed SOC. Cyber Defence sent us a box. It arrived on a Tuesday. By Thursday, we were being monitored 24/7 by a named analyst who already knew our network. We've never slept better.
Managing Partner, 22-person law firm, South East England

Reframe the Price.
It's Not the Cost of a SOC.

Every organisation under 100 assets has been taught to think of a SOC as an enterprise luxury. We reframe the price: not as a monthly line item, but as what it costs per asset, per day, compared to the alternative.

A data breach involving personal records carries an average ICO fine guidance of £8,000–£175,000 for small organisations. The annual cost of SOC in a Box is a fraction of the minimum fine — and it comes with an analyst who actually prevents the breach.

Average cost of a small business breach (UK): £15,300
Average ICO fine — data protection violation: £8k–£175k
Lost business during recovery (avg. 3 weeks): Incalculable
SOC in a Box — per asset per day: From 33p

SOC in a Box starts at £333.33/month for up to 25 assets — less per day than a round of coffees for your team. Every plan includes a named analyst whose job is to prevent the breach from ever happening.

SOC in a Box — Small

Up to 25 assets

£333.33/month

That's just 44p per asset per day

Billed monthly · No setup fee · 12-month term

  • Physical or virtual appliance — included
  • 24/7/365 analyst monitoring — included
  • Named analyst assignment — included
  • SOC365 detection engine — included
  • DecoyPulse deception sensors — included
  • Threat intelligence (CVE, EPSS, dark web) — included
  • Confidence Score dashboard — included
  • Monthly board-ready report — included
  • Incident response escalation path — included

Secure checkout powered by Stripe · 12-month term

CREST-certified
PCI DSS compliant
Secure payment

We commission twelve boxes per month. Each one tuned by hand.

Every SOC in a Box is pre-configured specifically for your environment before it ships. That takes time — our engineering team builds your detection profile, tunes your baseline, and pre-loads deception sensors matched to your network topology.

We won't automate this step because the quality of the first 48 hours determines the quality of every hour after. Twelve per month is the limit. Book when you see availability.

Reserve your box

Commissioning Availability — 2026

February: Fully committed
March: 2 boxes remaining
April: Accepting orders
May: Accepting orders

Trust You Can Point To

Every plan runs the same platform, with the same accreditations, as our enterprise service. Your board, your auditor, and your insurer will all recognise these.

Cyber Essentials

Included with every plan

Every SOC in a Box includes Cyber Essentials certification at no extra cost — giving you a recognised, government-backed security standard from day one.

Cyber Essentials Plus

Available for a small additional fee

For organisations that need deeper assurance, Cyber Essentials Plus is available for a small additional fee, adding hands-on technical verification of your controls.

Confidence Score Report

Monthly, board-ready

Authored monthly by your named analyst — a clear, jargon-free view of your security posture. Designed to be read by business owners, not SOC engineers.

CREST-Certified Analysts

The same certified analysts who monitor enterprise SOC365 clients watch your box. No separate "SMB team."

MoD Supply Chain Approved

Cyber Defence is approved for MoD contractor environments. Your box inherits that trust.

Confidence Score Reporting

Monthly board-ready reports showing your Confidence Score, not walls of threat data. Auditors love it.

30-Day Rolling Contract

No lock-in. No minimum term. If we don't earn your trust every month, you leave. That's our incentive.

CREST: VA · Pen Test · STAR Intelligence-led PT · STAR Threat Intelligence · CSIR · SOC · OVS

Frequently Asked Questions

SOC in a Box is a physical or virtual appliance that delivers a full 24/7 managed Security Operations Centre. It runs the same SOC365 platform used by our enterprise clients and is monitored by the same CREST-certified analyst team — the only difference is the sensor deployment model. Three plans are available: Small (up to 25 assets), Medium (up to 50 assets), and Large (up to 100 assets).

The only difference is the number of monitored assets. Small covers up to 25, Medium up to 50, and Large up to 100 assets. Every plan includes the full SOC365 detection engine, 24/7/365 analyst monitoring, a named analyst, DecoyPulse deception sensors, EmilyAI triage, threat intelligence, Confidence Score dashboard, and monthly reporting. There is no reduced capability on any plan.

From scoping call to live 24/7 monitoring in five working days. Physical appliances ship next-day UK mainland. Virtual appliances are available for download within one hour of scoping. The go-live process takes less than one hour once the appliance is connected.

No. SOC in a Box runs the identical SOC365 detection engine, threat intelligence feeds, DecoyPulse deception sensors, EmilyAI triage augmentation, and analyst team. You receive the same Confidence Score dashboard and board-ready reporting. The only difference is that the sensor runs locally instead of in our data centre.

SOC in a Box operates on a 12-month term, billed monthly. There are no setup fees. We believe in earning your trust — if the service isn't right, you're not locked in beyond the term.

Boutique law firms, GP surgeries and clinics, multi-academy trusts, parish and town councils, independent financial advisers, engineering consultancies, online and physical retailers, and any organisation with up to 100 assets that needs demonstrable 24/7 security monitoring.

Yes — on every plan. Every SOC in a Box client is assigned a named analyst who learns your environment, your users, and your escalation preferences. Your analyst is your single point of contact — not a ticket queue — and they author custom detection rules specific to your infrastructure.

Your named analyst contacts you directly using your preferred method — phone, email, or secure message — within minutes of confirmed detection. For major incidents, our Disrupt response team can be engaged immediately at no extra cost.

Yes. The physical appliance is a hardened 1U rack or desktop unit shipped pre-configured. The virtual appliance is an OVA/VMDK image supporting VMware, Hyper-V, Proxmox, and KVM. Both options deliver identical capability and connect to the same analyst team. All three plans support either deployment option.

Absolutely. If your organisation grows beyond your current asset limit, upgrading is straightforward. Your named analyst and detection configuration carry over — we simply expand the licence. Contact us or your analyst to arrange an upgrade at any time.

Let's have a conversation.

Book a 30-minute scoping call. We'll map your environment, recommend the right plan, name your analyst, and quote a price — before you commit to anything.

Three plans from £333.33/month · Average time to live monitoring: 5 working days · Next-day UK delivery

hello@cyber-defence.io  ·  www.socinabox.co.uk/contact