Our Security Operations Center Journey: Building Sustainable 24/7 Incident Response in a Complex Landscape
Building a sustainable 24/7 Security Operations Center (SOC) in higher education is far from easy. Over a seven-year period, our institution navigated multiple SOC models, including student-run, partial third-party, and fully outsourced approaches, before finally arriving at a sustainable hybrid solution. Our SOC journey began with two part-time workers and a Splunk license, enough to provide basic attack visibility but far from enterprise-scale monitoring. We next partnered with an academic unit to pilot a student-run SOC. This introduced challenges such as fluctuating student availability and inexperience when responding to high-severity incidents, which required expertise that a student-only model could not reliably provide. The transition to a third-party SOC provider surfaced challenges of its own, including understanding institutional context, tuning alert noise, and integrating external investigators into our internal workflows. Ensuring consistent communication, especially for after-hours escalations, has proven to be critical. Ultimately, we settled on a hybrid model: professional 24/7 monitoring, internal staff managing major incidents, and targeted use of the student SOC for lower-risk, high-learning-value cases. Surprisingly, the biggest hurdles were organizational: building repeatable workflows, defining clear ownership, ensuring consistent communication, and developing trust among all involved parties.
Presenters
- Dennis Guillette, Director and Security Architect, University of South Florida
Updated on 4/22/2026