
Detection engineering

SIEM for a mid-sized regulated company: build, buy, or managed?

Gociux · June 2026 · 6 min read

Every regulated company arrives at the same requirement from a different direction — PCI DSS's daily log review, NIS2's 24-hour incident clock, an insurer's questionnaire, or one bad Tuesday. The requirement is a SIEM: centralized logs, detection rules, and someone who reacts. The decision that follows — build it, buy it, or have it run for you — is mostly decided by one underestimated fact.

The fact: software is the small cost

Whether the license is commercial (priced per gigabyte, per event rate, or per seat) or open source (priced at zero), the dominant cost of a working SIEM is engineering attention: integrating log sources, normalizing fields, writing and — endlessly — tuning detection rules, maintaining the cluster, and actually triaging what fires. A SIEM that ingests everything and alerts on nothing useful is the most common deployment outcome in the industry, and it costs the same as a working one.

Build (in-house, often open source)

Right when: you have at least one engineer with genuine detection experience and the organizational patience to give them time. The trap: the proof of concept works in a fortnight, the team declares victory, and eighteen months later the cluster is unpatched, the rules are defaults, and nobody has looked at an alert since spring. Open source stacks are excellent technology — we run them at PCI DSS Level 1 scale — but "free license" plus "no owner" equals expensive shelfware.

Buy (commercial SaaS SIEM)

Right when: budget is easier to find than headcount and your log sources are mainstream. The traps: volume-based pricing quietly punishes you for logging more — the opposite incentive of good security — and the tuning work doesn't disappear, it just happens in someone else's interface. Ask any vendor two questions: what does the price do when our volume doubles, and who writes the detections for our environment?

Managed (someone operates it for you)

Right when: you need outcomes faster than you can hire. The real differentiator between managed offerings is dedication: a shared multi-tenant SOC processing your alerts in a queue with a hundred other clients behaves very differently from a dedicated stack run for you specifically. The questions that expose the difference: Is the detection content tuned to our environment or generic? Do we own the platform and the data — and what does leaving look like? Who exactly looks at our alerts, and what are their response commitments in writing?

A decision shortcut: no security engineer and no urgency → buy. A capable engineer with protected time → build, with executive patience in writing. Regulatory clock ticking and no team → managed, but only a model where you own the data and the exit. And in all three: the rule-tuning budget is real even when it's invisible — plan it or inherit the shelfware statistic.

The criterion that outranks features

Vendor matrices compare dashboards. Incidents compare something else: when an alert fires at 02:00, how many minutes until a competent human with context acts on it? Score every option — including your own in-house plan — on that single number, honestly projected for month eighteen rather than the demo. It predicts your outcome better than any feature list.
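One way to put that single number on paper, as an added example that is not from the original post and not Gociux's own tooling: the two option names, the alert records and their timestamps below are constructed, and scoring a never-actioned alert at a 24-hour horizon (rather than silently dropping it) is an assumption made here.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class Alert:
    fired_at: datetime
    actioned_at: Optional[datetime]  # None = nobody ever acted on it (the shelfware case)

def off_hours(ts: datetime, start: int = 22, end: int = 6) -> bool:
    """True if the alert fired in the overnight window [start:00, end:00)."""
    return ts.hour >= start or ts.hour < end

def minutes_to_action(alerts, horizon_minutes=24 * 60, only_off_hours=True):
    """Return (median, p95, unactioned_count) in minutes for alerts fired off-hours.
    Alerts nobody acted on are scored at the horizon as a censored worst case
    (assumption), so a queue that ignores alerts cannot look fast by omission."""
    latencies, unactioned = [], 0
    for a in alerts:
        if only_off_hours and not off_hours(a.fired_at):
            continue
        if a.actioned_at is None:
            unactioned += 1
            latencies.append(float(horizon_minutes))
        else:
            latencies.append((a.actioned_at - a.fired_at).total_seconds() / 60)
    if not latencies:
        return None
    latencies.sort()
    p95 = latencies[math.ceil(0.95 * len(latencies)) - 1]  # nearest-rank percentile
    return median(latencies), p95, unactioned

# Constructed sample: the same three 02:00 alerts seen by two hypothetical options.
T = datetime(2026, 6, 2, 2, 0)
SHARED_QUEUE = [
    Alert(T, T + timedelta(minutes=95)),
    Alert(T + timedelta(minutes=10), T + timedelta(minutes=190)),
    Alert(T + timedelta(minutes=20), None),                       # never picked up
    Alert(T + timedelta(hours=9), T + timedelta(hours=9, minutes=5)),  # daytime, excluded
]
DEDICATED_STACK = [
    Alert(T, T + timedelta(minutes=12)),
    Alert(T + timedelta(minutes=10), T + timedelta(minutes=25)),
    Alert(T + timedelta(minutes=20), T + timedelta(minutes=40)),
]

if __name__ == "__main__":
    for name, log in (("shared queue", SHARED_QUEUE), ("dedicated stack", DEDICATED_STACK)):
        print(name, minutes_to_action(log))  # (median, p95, unactioned)
```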

Weighing SIEM options right now?

We deploy and operate dedicated detection stacks for regulated companies — your data, your environment, our engineering — and we'll tell you honestly if a different model fits you better.
