Tomas Kracmar
763da003d3
Complete repository of frameworks, playbooks, and assessment resources for cybersecurity consultations focused on antifragile enterprise design. Includes: - Core philosophy and manifest (5 pillars) - 12 modular engagement packages - AI sovereignty and operations frameworks - Zero-budget vulnerability discovery and hardening playbooks - M365 E3 hardening and antifragile project plans - Osquery sovereign discovery platform blueprint - Perimeter scanning capability guide - AI-assisted TVM blueprint for AI-powered adversaries - Vertical specializations: banking, telco, power/utilities - CIS Controls v8 and NIST CSF 2.0 mappings - Risk registers and assessment templates - C-suite conversation guide and business case templates
16 KiB
Retained Capability: What to Keep In-House When You Outsource Security
"Outsourcing your SOC does not outsource your risk. It outsources your alert triage. The thinking—the detection engineering, the threat modeling, the business-context awareness—must stay inside your walls. Otherwise you are paying for someone else's generic playbook applied to your specific threat landscape."
This document addresses one of the most common and expensive misconceptions in enterprise security: the belief that outsourcing a security function means outsourcing the expertise required to make that function effective. It is designed for clients who have engaged an MSSP (Managed Security Service Provider) or outsourced SOC, who feel the service underperforms, and who do not realize that the performance gap is largely within their own control.
The MSSP Illusion
What the Client Believes
"We pay a SOC provider €50,000 per month. They have 200 analysts and advanced tools. Our security is handled."
What Is Actually Happening
| Client Assumption | MSSP Reality |
|---|---|
| "They monitor our environment 24/7" | They monitor the alerts their generic rules generate. Rules tuned to their entire client base, not to your environment. |
| "They have threat intelligence" | They consume commercial threat feeds. They do not have intelligence about your specific adversaries, your industry's TTPs, or your proprietary attack surface. |
| "They investigate incidents" | They triage alerts based on severity. True investigation—understanding why an anomaly matters to your business—is rarely within scope. |
| "They improve over time" | They improve their own margins by standardizing. Customization for your environment costs them money. |
| "We can hold them accountable" | Your SLA measures ticket volume and response time, not detection quality, mean-time-to-contain, or adversary emulation success rate. |
The hard truth: Most MSSP underperformance is not the MSSP's fault. It is the client's fault for outsourcing the execution and the thinking.
The Retained Capability Model
When you outsource a security function, you should retain three capabilities internally:
| Retained Capability | Why It Cannot Be Outsourced | What It Produces |
|---|---|---|
| Detection Engineering | Only you know what "normal" looks like in your environment. Only you can write rules that detect anomalies specific to your architecture, your applications, and your user behaviours. | Custom detection rules (KQL, Sigma, YARA) that catch threats generic rules miss |
| Threat Context & Prioritization | Only you know which assets are crown jewels. Only you can prioritize a vulnerability on your payment gateway over a vulnerability on your marketing blog. | Risk-ranked remediation that aligns with business impact |
| Integration & Orchestration | Only you can connect the SOC to your change management, your identity team, your OT engineers, and your executives. | Closed-loop incident response that produces structural improvement |
The analogy:
"An MSSP is like a security guard in your building. They watch the cameras, patrol the halls, and call the police when they see something. But they do not design the building's security architecture. They do not know which rooms contain the crown jewels. They do not decide whether a new wing needs stronger locks. Those decisions require someone who understands the building, its occupants, and its valuables. That someone must be you."
The Detection Engineering Gap (SOC-Specific)
What Generic MSSP Rules Detect
- Known malware signatures
- Common phishing indicators
- Brute-force login attempts
- Known-bad IP addresses and domains
- Standard persistence techniques
What Generic MSSP Rules Miss
| Threat | Why Generic Rules Miss It | What Custom Detection Would Catch |
|---|---|---|
| Insider threat: Employee exfiltrating data via sanctioned cloud storage | The activity looks like normal business use | Unusual volume, timing, or destination for that specific user role |
| Living-off-the-land: Attacker using native tools (WMIC, net.exe, PowerShell) | These are legitimate administrative tools | Execution context, parent-child process relationships, and command-line arguments specific to your environment |
| Compromised service account: Non-interactive account suddenly interactive | Service accounts are rarely monitored individually | Any interactive login from a known service account |
| Supply chain compromise: Vendor VPN used at 3 AM from new geography | Vendor access is pre-authorized | Time-of-day and geo anomalies for specific vendor accounts |
| OT reconnaissance: IT network scanning targeting OT VLANs | Standard IT scanning is normal | Scanning traffic crossing the IT/OT boundary |
| AI-enabled fraud: Deepfake voice call authorizing wire transfer | Traditional fraud controls do not detect synthetic media | Anomaly in voice authentication + financial authorization workflow |
The insight: Every environment has a unique "attack surface fingerprint." An MSSP serving 200 clients cannot maintain 200 custom detection rulebooks. They maintain one rulebook and apply it everywhere. The gaps are yours to fill.
The Minimum Viable In-House Capability
You do not need a 20-person SOC to make an MSSP effective. You need a minimal viable retained capability:
For Outsourced SOC: The Detection Engineering Cell
| Role | FTE | Responsibility |
|---|---|---|
| Detection Engineer | 0.5-1.0 | Writes custom KQL/Sigma rules; tunes MSSP alert thresholds; validates MSSP detection coverage |
| Threat Context Analyst | 0.5-1.0 | Prioritizes MSSP findings by business impact; provides environment-specific context; hunts for gaps |
| Integration Lead | 0.25-0.5 | Ensures SOC feeds into change management, incident response, and governance; owns the MSSP relationship |
Total: 1.5-2.5 FTEs (can be part-time across existing staff or a single senior analyst)
What this cell does weekly:
- Reviews MSSP closed tickets: were they true positives? Were any missed?
- Reviews MSSP open tickets: are they stuck waiting for context the MSSP does not have?
- Reviews new threats: would our MSSP detect this? If not, what custom rule do we need?
- Conducts one hunt: proactive search for threats the MSSP is not configured to see
- Meets with MSSP: provides feedback, requests tuning, shares environment changes
How to Audit Your MSSP's Detection Coverage
The Purple Team Test for MSSPs
Most clients evaluate MSSPs on response time and ticket volume. These are the wrong metrics. Evaluate them on detection coverage.
The test:
-
Select 5 TTPs relevant to your threat model:
- One initial access vector (e.g., phishing with embedded macro)
- One persistence technique (e.g., scheduled task creation)
- One lateral movement technique (e.g., RDP hijacking)
- One data collection technique (e.g., large ZIP creation)
- One exfiltration technique (e.g., upload to personal cloud storage)
-
Execute them in a controlled environment (or simulate them with purple team tools)
-
Measure:
- Did the MSSP detect the activity?
- How long from execution to alert?
- Was the alert accurate and actionable?
- Did the MSSP understand the business impact?
-
Gap analysis: For every undetected TTP, determine:
- Is the MSSP capable of detecting this but not tuned for our environment?
- Is this beyond the MSSP's generic capability?
- What custom detection rule would close the gap?
Deliverable: Detection Coverage Matrix
| TTP | Generic MSSP Detection | Custom Rule Required | Owner | Priority |
|---|---|---|---|---|
| Phishing with macro | Yes (standard) | No | MSSP | — |
| Scheduled task persistence | Partial (noisy) | Yes: parent process + user context | Client Detection Engineer | P1 |
| RDP hijacking | No | Yes: concurrent sessions + unusual source | Client Detection Engineer | P1 |
| Large ZIP creation | No | Yes: volume threshold + destination | Client Detection Engineer | P2 |
| Personal cloud upload | Partial (known apps only) | Yes: DLP + user behaviour baseline | Client Detection Engineer | P1 |
The MSSP Relationship Redesign
Most MSSP contracts are structured as black boxes: the client sends logs; the MSSP sends tickets. This model guarantees mediocrity.
The antifragile alternative: Co-managed SOC with clear capability boundaries.
| Function | MSSP Responsibility | Client Responsibility | Collaboration Model |
|---|---|---|---|
| Log ingestion & platform ops | Own the SIEM/SOAR infrastructure | Provide logs, verify completeness | Monthly log source audit |
| Alert triage (Tier 1) | Initial assessment, enrichment, false positive closure | Provide context, approve escalations | Shared Slack/Teams channel |
| Investigation (Tier 2) | Technical analysis, scope assessment | Business impact assessment, stakeholder notification | Joint incident bridge |
| Detection engineering | Maintain generic rulebook | Write custom rules, tune thresholds, validate coverage | Bi-weekly detection review |
| Threat hunting | Hunt on MSSP-wide intelligence | Hunt on client-specific intelligence and anomalies | Monthly hunt hypothesis workshop |
| Incident response | Contain and eradicate (with approval) | Strategic decisions, regulatory notification, communications | Pre-approved containment playbooks |
| Reporting & metrics | Ticket volume, response time, closed alerts | Detection coverage, mean-time-to-contain, business impact | Joint monthly metrics review |
| Continuous improvement | Platform updates, threat feed integration | Architecture changes, detection gap closure, purple team | Quarterly capability review |
The contract amendment:
"Your MSSP contract currently measures response time and ticket volume. We propose adding two metrics: (1) Detection Coverage Rate—the percentage of emulated TTPs your MSSP detects in our environment, and (2) Custom Rule Integration Time—the days between us submitting a detection rule and your team deploying it. These metrics align your incentives with our actual security outcomes."
Generalizing Beyond SOC
The retained capability principle applies to any outsourced security function:
Outsourced Penetration Testing
| What the Vendor Does Well | What You Must Retain |
|---|---|
| Execute standardized test methodology | Define scope based on your actual threat model |
| Find common vulnerabilities | Prioritize findings by business impact |
| Write exploit proof-of-concepts | Validate whether a finding is truly exploitable in your architecture |
| Produce a report | Convert findings into a structural improvement roadmap |
The gap: Most pentest reports sit unread. Without internal capability to validate, prioritize, and remediate, the test is theater.
Outsourced Compliance Auditing
| What the Vendor Does Well | What You Must Retain |
|---|---|
| Check control existence against framework | Define which controls actually reduce your risk |
| Sample evidence | Ensure evidence represents operational reality, not audit-day fiction |
| Write findings | Convert findings into actionable remediation with business justification |
| Provide certification | Maintain continuous compliance between audits |
The gap: Compliance auditors check boxes. They do not know which boxes matter most to your survival.
Outsourced Cloud Security Posture Management
| What the Vendor Does Well | What You Must Retain |
|---|---|
| Scan cloud resources against benchmarks | Define which misconfigurations are actually exploitable in your network topology |
| Generate remediation scripts | Validate that remediation does not break production workloads |
| Track drift over time | Understand why drift occurs (process failure, shadow IT, emergency change) |
The gap: CSPM tools find thousands of "violations." Without internal context, every violation is treated as equally urgent.
Outsourced Incident Response Retainer
| What the Vendor Does Well | What You Must Retain |
|---|---|
| Respond to active incidents with specialized expertise | Know your environment well enough to guide the responders to critical systems |
| Forensic acquisition and analysis | Preserve chain of custody and business continuity during investigation |
| Eradication and recovery | Make strategic decisions about containment scope and communication |
The gap: External IR firms arrive blind. Without internal documentation and a pre-established relationship, they spend the first 48 hours learning your network.
The Business Case for Retained Capability
Cost of the Current Model
| Cost Category | Typical Annual Impact |
|---|---|
| MSSP subscription (underperforming) | €500K-€2M |
| Missed detections leading to breach | €4.5M average (rare but catastrophic) |
| Alert fatigue: analyst turnover and burnout | €150K per replaced analyst |
| Compliance penalties from undetected control failures | €100K-€2M (regulated industries) |
| Total risk-adjusted cost | €600K-€8M+ |
Cost of Retained Capability
| Investment | Annual Cost |
|---|---|
| 1.5-2.5 FTE detection engineering cell | €150K-€300K |
| Detection engineering tooling (free/open-source + Azure) | €10K-€30K |
| Purple team exercises (quarterly) | €20K-€40K |
| Consultant support (detection engineering mentor, quarterly) | €30K-€60K |
| Total retained capability investment | €210K-€430K |
ROI: For a mid-sized organization, retained capability reduces breach probability, improves MSSP effectiveness, and prevents compliance failures. The investment pays for itself if it prevents one missed detection per year.
The Consultant's Role
As an antifragile consultant, you do not replace the MSSP. You make the MSSP effective by:
- Auditing detection coverage (Purple team test for MSSPs)
- Building the detection engineering cell (hiring, training, tooling, process)
- Redesigning the MSSP relationship (metrics, collaboration model, contract amendments)
- Writing the first custom rules (KQL, Sigma, Sentinel analytics rules)
- Training internal staff to sustain and extend the capability
- Establishing the operating rhythm (weekly detection review, monthly hunt, quarterly capability assessment)
The pitch to the CISO:
"Your MSSP is not failing you. You are failing to give them the context and custom detection rules they need to succeed in your environment. We do not fire the MSSP. We build a 2-person detection engineering cell inside your organization that makes the MSSP 3x more effective. For the cost of one senior analyst, you transform a €600K annual MSSP spend from insurance theater into actual protection."
The pitch to the CFO:
"You are spending €600K per year on a SOC provider that runs generic rules. Generic rules catch generic threats. Your adversaries are not generic. A €200K investment in retained detection engineering makes your existing €600K SOC investment actually work. That is not additional spend. That is making current spend effective."
Integration With Existing Frameworks
| Document | Integration |
|---|---|
| Blue/Purple Team Foundation | Detection engineering is the core of blue team capability; this document adds the MSSP co-management layer |
| Modular Engagements | Retained capability audit can be delivered as a standalone 30-day module; detection engineering cell build is a 60-90 day module |
| Antifragile Risk Register | "Outsourced SOC with no retained detection engineering" is a T1 risk with extreme optionality impact |
| Business Case Template | Retained capability ROI calculation |
For building blue team capability from scratch, see Blue/Purple Team Foundation. For the modular engagement menu, see Modular Engagements.