Splitting the bill without splitting hairs.
Mansfeld-Südharz, Germany - November 21, 2025
The hardest part of building a Security Operations Centre is not writing the detection rules or even finding analysts willing to work night shifts; it is persuading a twelve-person valve manufacturer that a service it cannot see is worth more than the machining centre it can touch. In Anhalt-Bitterfeld we solved the visibility problem by making the cost visible first. Every member of the Cyber Resilience Alliance receives an annual invoice that fits on half a page: one line for baseline access, one line for optional add-ons, and a footnote that shows exactly how much county grant money was used to keep the average cost per employee below 1.2 € per month. That footnote is the secret ingredient—it turns the SOC from a mystical black box into a line item the finance director can benchmark against coffee supplies.
The formula itself is embarrassingly simple. We start with the total cost of running the SOC for one year: salaries of twelve analysts, software licences, power, cooling, and depreciation of the physical range. That sum is fixed in advance and published each October in the official county gazette, effectively capping the year-one budget at 2.38 million €. We then divide the total by the number of employees who will be protected, because headcount is the only metric that correlates linearly with log volume, incident count and therefore analyst workload. The result is the Universal Cost Factor (UCF), expressed in euros per employee per year. For 2026 the UCF is 14.50 €, which means a bakery with eight staff pays 116 € a year while a chemical plant with 400 staff pays 5 800 €. No hidden tiers, no minimum spend, no cross-subsidies—just primary-school arithmetic applied to enterprise-grade defence.
Yet raw proportionality would still punish the smallest firms, so we graft a county grant straight into the formula. The regional economic-development fund has ring-fenced 600 000 € annually for the first four years, money that originates from EFRE and must be spent on digital infrastructure. Instead of distributing it as project grants that require paperwork, we simply subtract the grant from the total SOC budget before calculating the UCF. The effect is instant: every participant's invoice drops by roughly 25 % without anyone filling out a form. The grant is time-limited—after 2029 it phases out in 25 % steps—so the model contains its own sunset clause and forces the SOC to reach market price by 2032. That built-in expiry date reassured auditors who otherwise fear perpetual subsidy addiction, and it gives SMEs six clear years to plan for the true economic cost of resilience.
Optional services are priced at marginal cost plus 8 %, the latter being the statutory reserve the county requires for emergency upgrades. If a member wants full packet capture for 90 days instead of the default seven, the additional storage and processing power are metered monthly and invoiced quarterly. The metering is automated: NetFlow records are sampled every five minutes, hashed with a county-controlled key, and the byte count is pushed to a smart contract that issues a payment claim in euros. Because the hash is collision-resistant and the county holds the salt, even the SOC staff cannot reconstruct actual traffic from the meter, which satisfies both data-protection officers and CFOs who distrust vendor honour systems. The first year showed that only 12 % of members opted for extras, yet the 8 % surcharge generated enough surplus to fund a sudden Log4Shell mitigation sprint without touching reserves—proof that marginal-cost pricing can absorb black-swan patches.
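The metering described above, keyed hashing of sampled flow records and a byte-count claim that the county can verify, as an added example that is not code from the Alliance or the page. The page does not say which keyed-hash construction or record format is used; HMAC-SHA256 over a canonical JSON message, the five-minute window, the member identifiers and the flow records below are all constructed for the illustration, and the county key is a placeholder that the SOC itself would never hold.

```python
import hmac
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the county-controlled metering key. This constructed value stands in
# for the real key, which the page says stays with the county, not the SOC.
COUNTY_KEY = b"constructed-county-metering-key-placeholder"
WINDOW_SECONDS = 300  # five-minute sampling interval, as described on the page

# Constructed sample flows standing in for sampled NetFlow records:
# (unix timestamp, member id, source address, destination address, bytes)
SAMPLE_FLOWS = [
    (1_767_225_600, "bakery-08", "10.1.0.5", "203.0.113.10", 1200),
    (1_767_225_660, "bakery-08", "10.1.0.7", "203.0.113.11", 800),
    (1_767_225_900, "bakery-08", "10.1.0.5", "203.0.113.10", 300),   # falls in the next window
    (1_767_225_610, "plant-400", "10.2.0.9", "198.51.100.4", 50_000),
]


def flow_pseudonym(key: bytes, src: str, dst: str) -> str:
    """Keyed hash of the flow endpoints: stable for the same pair, but without the key
    the holder of the record cannot link it back to the addresses."""
    return hmac.new(key, f"{src}|{dst}".encode(), hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class MeterClaim:
    window_start: int   # start of the five-minute window (unix time)
    member: str
    byte_count: int
    tag: str            # HMAC over the three fields above, computed with the county key


def _claim_message(window_start: int, member: str, byte_count: int) -> bytes:
    # Canonical encoding so meter and verifier hash exactly the same bytes.
    payload = {"w": window_start, "m": member, "b": byte_count}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_claims(key: bytes, flows) -> list[MeterClaim]:
    """Aggregate bytes per member and window, then seal each total with a keyed hash.
    Only the total and the tag leave the meter; the individual flows do not."""
    totals: dict[tuple[int, str], int] = defaultdict(int)
    for ts, member, _src, _dst, nbytes in flows:
        window = ts - ts % WINDOW_SECONDS
        totals[(window, member)] += nbytes
    claims = []
    for (window, member), total in sorted(totals.items()):
        tag = hmac.new(key, _claim_message(window, member, total), hashlib.sha256).hexdigest()
        claims.append(MeterClaim(window, member, total, tag))
    return claims


def verify_claim(key: bytes, claim: MeterClaim) -> bool:
    """County-side check: recompute the tag and compare in constant time, so a claim whose
    byte count or member was altered after metering is rejected."""
    expected = hmac.new(
        key, _claim_message(claim.window_start, claim.member, claim.byte_count), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, claim.tag)


if __name__ == "__main__":
    for claim in build_claims(COUNTY_KEY, SAMPLE_FLOWS):
        print(claim.window_start, claim.member, claim.byte_count, verify_claim(COUNTY_KEY, claim))
```

The design point is the separation of roles: the meter and the SOC only ever see the aggregated byte count and an opaque tag, while the county, as the sole key holder, can confirm that a payment claim matches what was metered. Because HMAC is a keyed construction, a party without the key can neither recompute the pseudonyms from captured addresses nor forge a tag for an inflated count; the byte count itself is visible by design, since that is the quantity being billed.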
"When the price of security fits on a coffee receipt, finance directors stop asking ‘why’ and start asking ‘how fast’."
Public-sector participants—hospitals, schools, municipal utilities—are treated under the same formula but pay in local currency plus a sovereign-top-up that the federal interior ministry refunds directly to the county. That reimbursement is fixed at 50 % of the public-body invoice, effectively halving the burden on local taxpayers while still forcing the institution to internalise the other half, a split designed to prevent the “zero-budget” mentality that often undermines government cyber spending. The ministry’s refund is conditional on the public body meeting the same incident-response SLAs as private members, so a city library cannot slack on patching and still claim the subsidy. The symmetry keeps the playing field level and avoids the moral hazard that usually plagues state-financed SOCs.
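The pricing rules spread over the preceding paragraphs (the Universal Cost Factor, the grant subtracted before division, the 8 % reserve on optional services and the 50 % ministry refund for public bodies) combined into one invoice calculation, as an added example that is not the Alliance's own billing code. The budget, grant, UCF, surcharge and refund share are the figures the page states; the protected headcount is not on the page, so the value below is constructed so that the 2026 UCF lands on the published 14.50 €, and the exact years of the post-2029 phase-out steps are likewise an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Figures stated on the page
SOC_BUDGET = Decimal("2380000")        # year-one budget capped in the county gazette, €/year
GRANT_FULL = Decimal("600000")         # ring-fenced EFRE-backed county grant, €/year
ADDON_RESERVE = Decimal("0.08")        # statutory 8 % reserve on optional services
PUBLIC_REFUND_SHARE = Decimal("0.50")  # ministry refunds 50 % of a public body's invoice

# Assumption (not on the page): total headcount protected across all members,
# constructed so that the 2026 UCF comes out at the published 14.50 €.
PROTECTED_HEADCOUNT = 122_759

CENT = Decimal("0.01")


def grant_for_year(year: int) -> Decimal:
    """Grant available in a given year: full amount through 2029, then 25 % steps down.
    The step years (2030, 2031, 2032, then zero) are an assumption; the page only says
    the grant 'phases out in 25 % steps' after 2029."""
    if year <= 2029:
        return GRANT_FULL.quantize(CENT)
    steps = year - 2029                                   # 2030 -> 1, 2031 -> 2, ...
    share = max(Decimal(4 - steps), Decimal(0)) / 4
    return (GRANT_FULL * share).quantize(CENT)


def universal_cost_factor(year: int, headcount: int = PROTECTED_HEADCOUNT) -> Decimal:
    """UCF in € per employee per year: (budget - grant) / protected headcount."""
    net_budget = SOC_BUDGET - grant_for_year(year)
    return (net_budget / headcount).quantize(CENT, rounding=ROUND_HALF_UP)


@dataclass(frozen=True)
class Invoice:
    baseline: Decimal         # headcount x UCF
    addons: Decimal           # metered marginal cost plus the 8 % reserve
    ministry_refund: Decimal  # 0 for private members, 50 % of the invoice for public bodies

    @property
    def net_burden(self) -> Decimal:
        return self.baseline + self.addons - self.ministry_refund


def invoice(year: int, employees: int, addon_marginal_cost: Decimal = Decimal("0"),
            public_body: bool = False) -> Invoice:
    """Build the half-page invoice: one baseline line, one add-on line, one refund footnote."""
    baseline = (universal_cost_factor(year) * employees).quantize(CENT)
    addons = (addon_marginal_cost * (1 + ADDON_RESERVE)).quantize(CENT)
    refund = ((baseline + addons) * PUBLIC_REFUND_SHARE).quantize(CENT) if public_body else Decimal("0.00")
    return Invoice(baseline, addons, refund)


def funding_gap(year: int, headcount: int = PROTECTED_HEADCOUNT) -> Decimal:
    """Reconciliation check: budget minus grant minus what the baseline lines collect.
    Only cent rounding on the UCF should remain; anything larger means the published
    figures and the headcount no longer agree."""
    collected = universal_cost_factor(year, headcount) * headcount
    return SOC_BUDGET - grant_for_year(year) - collected


if __name__ == "__main__":
    for year in (2026, 2030, 2033):
        print(year, "grant", grant_for_year(year), "UCF", universal_cost_factor(year))
    print("bakery, 8 staff:", invoice(2026, 8))
    print("plant, 400 staff, public body:", invoice(2026, 400, public_body=True))
    print("rounding gap 2026:", funding_gap(2026))
```

The reconciliation function is the part a member or auditor would actually use: given the gazetted budget, the grant and the headcount, the baseline invoices must add back up to the net budget to within cent rounding, which is the same kind of ledger-versus-bank variance the regional court of auditors checked.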
Transparency does not end at the invoice. Every quarter the Alliance publishes a cost report that lists, down to the cent, what was spent on salaries, licences, power, training and travel. The document is hashed into the county blockchain, time-stamped and made immutable, so any member can verify that her 14.50 € was not quietly diverted to coffee machines or political pet projects. The first audit, performed by the regional court of auditors in summer 2025, found a variance of 0.07 % between ledger and bank statements—well inside the 1 % tolerance required for EU grant compliance. That outcome turned the shared SOC from a “trust us” proposition into a “verify yourself” utility, a shift that convinced even the most sceptical plant managers to sign up.
Perhaps the most elegant feature is the exit window. Any member may leave at the end of a fiscal year by giving six months’ notice; the departing organisation receives a pro-rata refund of its contribution minus the actual marginal cost of deleting its data and re-tuning detection rules. Because the refund formula is written into the original membership deed, there is no room for haggling or hidden penalties. The clause acts as a permanent market test: if the quality-per-euro ratio drops, members dissolve their contracts and the SOC loses revenue immediately. That threat keeps the engineering team honest far more effectively than a hundred-page SLA ever could. After twelve months of operation not a single member has triggered the exit clause, an empirical endorsement that the cost model is not only fair but sticky.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.