antifragile/antifragile-consulting/core/retained-capability.md

Retained Capability: What to Keep In-House When You Outsource Security

"Outsourcing your SOC does not outsource your risk. It outsources your alert triage. The thinking—the detection engineering, the threat modeling, the business-context awareness—must stay inside your walls. Otherwise you are paying for someone else's generic playbook applied to your specific threat landscape."

This document addresses one of the most common and expensive misconceptions in enterprise security: the belief that outsourcing a security function means outsourcing the expertise required to make that function effective. It is designed for clients who have engaged an MSSP (Managed Security Service Provider) or outsourced SOC, who feel the service underperforms, and who do not realize that the performance gap is largely within their own control.

---

The MSSP Illusion

What the Client Believes

"We pay a SOC provider €50,000 per month. They have 200 analysts and advanced tools. Our security is handled."

What Is Actually Happening

Client Assumption	MSSP Reality
"They monitor our environment 24/7"	They monitor the alerts their generic rules generate. Rules tuned to their entire client base, not to your environment.
"They have threat intelligence"	They consume commercial threat feeds. They do not have intelligence about your specific adversaries, your industry's TTPs, or your proprietary attack surface.
"They investigate incidents"	They triage alerts based on severity. True investigation—understanding why an anomaly matters to your business—is rarely within scope.
"They improve over time"	They improve their own margins by standardizing. Customization for your environment costs them money.
"We can hold them accountable"	Your SLA measures ticket volume and response time, not detection quality, mean-time-to-contain, or adversary emulation success rate.

The hard truth: Most MSSP underperformance is not the MSSP's fault. It is the client's fault for outsourcing the execution and the thinking.

---

The Retained Capability Model

When you outsource a security function, you should retain three capabilities internally:

Retained Capability	Why It Cannot Be Outsourced	What It Produces
Detection Engineering	Only you know what "normal" looks like in your environment. Only you can write rules that detect anomalies specific to your architecture, your applications, and your user behaviours.	Custom detection rules (KQL, Sigma, YARA, Wazuh) and M365-specific detections via AOC that catch threats generic rules miss
Threat Context & Prioritization	Only you know which assets are crown jewels. Only you can prioritize a vulnerability on your payment gateway over a vulnerability on your marketing blog.	Risk-ranked remediation that aligns with business impact
Integration & Orchestration	Only you can connect the SOC to your change management, your identity team, your OT engineers, and your executives.	Closed-loop incident response that produces structural improvement

The analogy:

"An MSSP is like a security guard in your building. They watch the cameras, patrol the halls, and call the police when they see something. But they do not design the building's security architecture. They do not know which rooms contain the crown jewels. They do not decide whether a new wing needs stronger locks. Those decisions require someone who understands the building, its occupants, and its valuables. That someone must be you."

---

The Detection Engineering Gap (SOC-Specific)

What Generic MSSP Rules Detect

• Known malware signatures
• Common phishing indicators
• Brute-force login attempts
• Known-bad IP addresses and domains
• Standard persistence techniques

What Generic MSSP Rules Miss

Threat	Why Generic Rules Miss It	What Custom Detection Would Catch
Insider threat: Employee exfiltrating data via sanctioned cloud storage	The activity looks like normal business use	Unusual volume, timing, or destination for that specific user role
Living-off-the-land: Attacker using native tools (WMIC, net.exe, PowerShell)	These are legitimate administrative tools	Execution context, parent-child process relationships, and command-line arguments specific to your environment
Compromised service account: Non-interactive account suddenly interactive	Service accounts are rarely monitored individually	Any interactive login from a known service account
Supply chain compromise: Vendor VPN used at 3 AM from new geography	Vendor access is pre-authorized	Time-of-day and geo anomalies for specific vendor accounts
OT reconnaissance: IT network scanning targeting OT VLANs	Standard IT scanning is normal	Scanning traffic crossing the IT/OT boundary
AI-enabled fraud: Deepfake voice call authorizing wire transfer	Traditional fraud controls do not detect synthetic media	Anomaly in voice authentication + financial authorization workflow

The insight: Every environment has a unique "attack surface fingerprint." An MSSP serving 200 clients cannot maintain 200 custom detection rulebooks. They maintain one rulebook and apply it everywhere. The gaps are yours to fill.

---

The Minimum Viable In-House Capability

You do not need a 20-person SOC to make an MSSP effective. You need a minimal viable retained capability:

For Outsourced SOC: The Detection Engineering Cell

Role	FTE	Responsibility
Detection Engineer	0.5-1.0	Writes custom KQL/Sigma rules; tunes MSSP alert thresholds; validates MSSP detection coverage
Threat Context Analyst	0.5-1.0	Prioritizes MSSP findings by business impact; provides environment-specific context; hunts for gaps
Integration Lead	0.25-0.5	Ensures SOC feeds into change management, incident response, and governance; owns the MSSP relationship

Total: 1.5-2.5 FTEs (can be part-time across existing staff or a single senior analyst)

What this cell does weekly:

• Reviews MSSP closed tickets: were they true positives? Were any missed?
• Reviews MSSP open tickets: are they stuck waiting for context the MSSP does not have?
• Reviews new threats: would our MSSP detect this? If not, what custom rule do we need?
• Conducts one hunt: proactive search for threats the MSSP is not configured to see
• Meets with MSSP: provides feedback, requests tuning, shares environment changes

---

How to Audit Your MSSP's Detection Coverage

The Purple Team Test for MSSPs

Most clients evaluate MSSPs on response time and ticket volume. These are the wrong metrics. Evaluate them on detection coverage.

The test:

1. Select 5 TTPs relevant to your threat model:

   • One initial access vector (e.g., phishing with embedded macro)
   • One persistence technique (e.g., scheduled task creation)
   • One lateral movement technique (e.g., RDP hijacking)
   • One data collection technique (e.g., large ZIP creation)
   • One exfiltration technique (e.g., upload to personal cloud storage)

2. Execute them in a controlled environment (or simulate them with purple team tools)

3. Measure:

   • Did the MSSP detect the activity?
   • How long from execution to alert?
   • Was the alert accurate and actionable?
   • Did the MSSP understand the business impact?

4. Gap analysis: For every undetected TTP, determine:

   • Is the MSSP capable of detecting this but not tuned for our environment?
   • Is this beyond the MSSP's generic capability?
   • What custom detection rule would close the gap?

Deliverable: Detection Coverage Matrix

TTP	Generic MSSP Detection	Custom Rule Required	Owner	Priority
Phishing with macro	Yes (standard)	No	MSSP	—
Scheduled task persistence	Partial (noisy)	Yes: parent process + user context	Client Detection Engineer	P1
RDP hijacking	No	Yes: concurrent sessions + unusual source	Client Detection Engineer	P1
Large ZIP creation	No	Yes: volume threshold + destination	Client Detection Engineer	P2
Personal cloud upload	Partial (known apps only)	Yes: DLP + user behaviour baseline	Client Detection Engineer	P1

---

The MSSP Relationship Redesign

Most MSSP contracts are structured as black boxes: the client sends logs; the MSSP sends tickets. This model guarantees mediocrity.

The antifragile alternative: Co-managed SOC with clear capability boundaries.

Function	MSSP Responsibility	Client Responsibility	Collaboration Model
Log ingestion & platform ops	Own the SIEM/SOAR infrastructure	Provide logs, verify completeness	Monthly log source audit
Alert triage (Tier 1)	Initial assessment, enrichment, false positive closure	Provide context, approve escalations	Shared Slack/Teams channel
Investigation (Tier 2)	Technical analysis, scope assessment	Business impact assessment, stakeholder notification	Joint incident bridge
Detection engineering	Maintain generic rulebook	Write custom rules, tune thresholds, validate coverage	Bi-weekly detection review
Threat hunting	Hunt on MSSP-wide intelligence	Hunt on client-specific intelligence and anomalies	Monthly hunt hypothesis workshop
Incident response	Contain and eradicate (with approval)	Strategic decisions, regulatory notification, communications	Pre-approved containment playbooks
Reporting & metrics	Ticket volume, response time, closed alerts	Detection coverage, mean-time-to-contain, business impact	Joint monthly metrics review
Continuous improvement	Platform updates, threat feed integration	Architecture changes, detection gap closure, purple team	Quarterly capability review

The contract amendment:

"Your MSSP contract currently measures response time and ticket volume. We propose adding two metrics: (1) Detection Coverage Rate—the percentage of emulated TTPs your MSSP detects in our environment, and (2) Custom Rule Integration Time—the days between us submitting a detection rule and your team deploying it. These metrics align your incentives with our actual security outcomes."

---

Generalizing Beyond SOC

The retained capability principle applies to any outsourced security function:

Outsourced Penetration Testing

What the Vendor Does Well	What You Must Retain
Execute standardized test methodology	Define scope based on your actual threat model
Find common vulnerabilities	Prioritize findings by business impact
Write exploit proof-of-concepts	Validate whether a finding is truly exploitable in your architecture
Produce a report	Convert findings into a structural improvement roadmap

The gap: Most pentest reports sit unread. Without internal capability to validate, prioritize, and remediate, the test is theater.

Outsourced Compliance Auditing

What the Vendor Does Well	What You Must Retain
Check control existence against framework	Define which controls actually reduce your risk
Sample evidence	Ensure evidence represents operational reality, not audit-day fiction
Write findings	Convert findings into actionable remediation with business justification
Provide certification	Maintain continuous compliance between audits

The gap: Compliance auditors check boxes. They do not know which boxes matter most to your survival.

Outsourced Cloud Security Posture Management

What the Vendor Does Well	What You Must Retain
Scan cloud resources against benchmarks	Define which misconfigurations are actually exploitable in your network topology
Generate remediation scripts	Validate that remediation does not break production workloads
Track drift over time	Understand why drift occurs (process failure, shadow IT, emergency change)

The gap: CSPM tools find thousands of "violations." Without internal context, every violation is treated as equally urgent.

Outsourced Incident Response Retainer

What the Vendor Does Well	What You Must Retain
Respond to active incidents with specialized expertise	Know your environment well enough to guide the responders to critical systems
Forensic acquisition and analysis	Preserve chain of custody and business continuity during investigation
Eradication and recovery	Make strategic decisions about containment scope and communication

The gap: External IR firms arrive blind. Without internal documentation and a pre-established relationship, they spend the first 48 hours learning your network.

---

The Business Case for Retained Capability

Cost of the Current Model

Cost Category	Typical Annual Impact
MSSP subscription (underperforming)	€500K-€2M
Missed detections leading to breach	€4.5M average (rare but catastrophic)
Alert fatigue: analyst turnover and burnout	€150K per replaced analyst
Compliance penalties from undetected control failures	€100K-€2M (regulated industries)
Total risk-adjusted cost	€600K-€8M+

Cost of Retained Capability

Investment	Annual Cost
1.5-2.5 FTE detection engineering cell	€150K-€300K
Detection engineering tooling (free/open-source + Azure)	€10K-€30K
Purple team exercises (quarterly)	€20K-€40K
Consultant support (detection engineering mentor, quarterly)	€30K-€60K
Total retained capability investment	€210K-€430K

ROI: For a mid-sized organization, retained capability reduces breach probability, improves MSSP effectiveness, and prevents compliance failures. The investment pays for itself if it prevents one missed detection per year.

---

The Consultant's Role

As an antifragile consultant, you do not replace the MSSP. You make the MSSP effective by:

1. Auditing detection coverage (Purple team test for MSSPs)
2. Building the detection engineering cell (hiring, training, tooling, process)
3. Redesigning the MSSP relationship (metrics, collaboration model, contract amendments)
4. Writing the first custom rules (KQL, Sigma, Sentinel analytics rules)
5. Training internal staff to sustain and extend the capability
6. Establishing the operating rhythm (weekly detection review, monthly hunt, quarterly capability assessment)

The pitch to the CISO:

"Your MSSP is not failing you. You are failing to give them the context and custom detection rules they need to succeed in your environment. We do not fire the MSSP. We build a 2-person detection engineering cell inside your organization that makes the MSSP 3x more effective. For the cost of one senior analyst, you transform a €600K annual MSSP spend from insurance theater into actual protection."

The pitch to the CFO:

"You are spending €600K per year on a SOC provider that runs generic rules. Generic rules catch generic threats. Your adversaries are not generic. A €200K investment in retained detection engineering makes your existing €600K SOC investment actually work. That is not additional spend. That is making current spend effective."

---

Integration With Existing Frameworks

Document	Integration
Blue/Purple Team Foundation	Detection engineering is the core of blue team capability; this document adds the MSSP co-management layer
Modular Engagements	Retained capability audit can be delivered as a standalone 30-day module; detection engineering cell build is a 60-90 day module
Antifragile Risk Register	"Outsourced SOC with no retained detection engineering" is a T1 risk with extreme optionality impact
Business Case Template	Retained capability ROI calculation

---

For building blue team capability from scratch, see Blue/Purple Team Foundation. For the modular engagement menu, see Modular Engagements.