Managed SOC Operations

24×7 eyes without building your own NOC.

Mansfeld-Südharz, Germany - October 20, 2025

Sovereign, shared and pay-as-you-grow: the Alliance's blueprint for continuous monitoring that respects both budget and data-sovereignty lines

The clock inside the shared Security Operations Centre ticks to UTC+1, but the daylight outside the glass wall still belongs to a Thuringian winter afternoon, pale and quiet. Quiet is good; quiet means the purple indicators on the wall-sized Grafana canvas are holding steady at 0.97 anomalies per hour, well below the 2.0 threshold that would send the on-call engineer reaching for the red handset. That engineer is not an employee of the chemical supplier whose PLCs are being watched; she is a staff member of the Cyber Resilience Alliance, and the supplier pays only for the hours her eyes are actually on glass. This is the Managed SOC promise distilled: continuous coverage without continuous payroll, sovereign infrastructure without sovereign debt, and incident response that arrives faster than a local technician can find the car keys.

Most small and mid-size firms already grasp that absence of monitoring is absence of insurance; what stops them is not will but math. A single 24×7 shift roster requires at least 8.2 full-time equivalents once leave, illness and certification hours are factored in. At German labour rates that is a 650 000 € annual line item before tooling, before SIEM licence, before the two-factor coffee machine. The Alliance reverses the equation by distributing the fixed cost across a federation whose current membership spans 127 entities ranging from eight-person law firms to 1 200-bed hospitals. The telemetry of all members is normalised into a single data lake that resides on encrypted disks in the county’s former civil-defence bunker—an air-gapped hall 18 metres underground, cooled by groundwater and powered by two separate substations. Because the cost of the bunker, the racks, the licences and the shift team is amortised across the federation, a participant with fifty endpoints pays 1 200 € per month for coverage that would otherwise require a seven-figure capital budget.

Technical design begins with data-sovereignty defaults. Every log record is classified at ingestion: Category A (personal data or critical infrastructure telemetry) must stay on German soil; Category B (anonymised network metadata) may be mirrored to partner nodes in Brno or Bari for correlation; Category C (public IoCs) is pushed to the Alliance’s MISP server and licensed under Creative Commons. The classification is enforced by a policy-as-code hook written in Rego and evaluated inside the Kubernetes admission controller, so a mis-labelled payload never leaves the jurisdiction. The same controller appends a cryptographic signature that chains back to the county’s root HSM, meaning any downstream partner can verify provenance without trusting a human operator. This is not marketing folklore: the Rego file is public, the HSM public key is published in the Bundesanzeiger, and the admission controller source compiles to a 3.2 MB binary that can be inspected by any member’s auditors.
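As an added illustration, not the Alliance's published Rego file, this is the shape such a residency policy takes when evaluated by an OPA admission webhook; it assumes each forwarding job submitted to the cluster carries the record batch's category as a label and its destination as an annotation, and the package name, label and annotation keys and region codes are assumptions.

```rego
package alliance.residency

import rego.v1

# Regions each ingestion category may be forwarded to (illustrative values
# chosen for this example, not the Alliance's published policy).
allowed_regions := {
	"A": {"de"},                        # personal or critical-infrastructure telemetry stays in Germany
	"B": {"de", "cz", "it"},            # anonymised metadata may be mirrored to Brno or Bari
	"C": {"de", "cz", "it", "public"},  # public IoCs may be pushed to MISP and published
}

# The forwarding job's label and annotation keys are assumed names.
category := input.request.object.metadata.labels["alliance.example/data-category"]
destination := input.request.object.metadata.annotations["alliance.example/destination-region"]

deny contains "payload carries no data-category label; refusing to forward" if not category

deny contains "payload carries no destination-region annotation" if not destination

deny contains msg if {
	not allowed_regions[category]
	msg := sprintf("unknown data category %q", [category])
}

deny contains msg if {
	allowed_regions[category]
	not allowed_regions[category][destination]
	msg := sprintf("category %s payload may not leave for region %q", [category, destination])
}

default allow := false

allow if count(deny) == 0

# AdmissionReview response returned to the API server; a denied job is never
# created, so the record batch stays where its category requires.
response := {
	"apiVersion": "admission.k8s.io/v1",
	"kind": "AdmissionReview",
	"response": {
		"uid": input.request.uid,
		"allowed": allow,
		"status": {"message": concat("; ", deny)},
	},
}

# Evaluate offline against a captured AdmissionReview:
#   opa eval -i review.json -d residency.rego 'data.alliance.residency.response'
```

The policy trusts the category it is handed: it catches a payload routed to a region its declared category forbids, so the ingestion classifier that assigns the category remains the control an auditor has to examine alongside the hook.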

Once data residency is satisfied, the next design pillar is noise reduction. SMEs rarely generate enough events to train statistical models, so the Alliance ingests an open feed of 1.4 million IoCs daily from the European Union Agency for Cybersecurity, enriches them with local context and then uses a lightweight transformer model fine-tuned on German-language incident reports to predict which 0.3 % of alerts actually warrant human eyes. The model runs on a quartet of AMD Milan CPUs that sit in the same subterranean hall but on a separate VLAN with no outbound route, ensuring that even a rogue inference container cannot exfiltrate raw logs. False positives are logged back into the training set during the weekly model-retrain window, a feedback loop that has driven the mean time-to-surface for genuine alerts (the wheat rather than the chaff) from 18 minutes to 97 seconds over the past six months, a figure we publish every Friday at 16:00 CET whether it rises or falls.

"Continuous coverage should invoice like electricity: you pay for the light, not for the power station."

Human escalation follows a playbook that is both shared and customisable. The Alliance maintains a golden run-book library—57 procedures mapped to NIS2 articles—which every member receives as Ansible tasks that can be dropped into their own ticketing system. When the transformer model flags an anomaly, the SOC engineer on duty does not open a blank screen; she lands inside a pre-populated run-book that already knows whether the affected asset is a nurse’s workstation or a hydrogen compressor and therefore whether the first call goes to the IT help-desk or the plant safety officer. The run-book is translated into German, Czech and Italian, but the shell commands remain in English to avoid locale-related typos when seconds count. If the incident crosses jurisdictional borders—say, a ransomware sample that speaks to command-and-control in Moldova—the playbook automatically invites the relevant national CSIRT via a pre-established ROSI API key, so notification obligations that once consumed hours of legal back-and-forth are discharged in the time it takes to acknowledge an alert.

Cost elasticity is the final hinge. Members can move between three tiers without re-engineering their networks. Tier 0 is purely communal: you send logs, you receive threat intel, you attend quarterly tabletop exercises, and you pay nothing. Tier 1 adds 24×7 monitoring and incident triage priced per asset per day—currently 0.19 € for a Windows workstation, 1.40 € for an OPC-UA gateway. Tier 2 wraps insurance into the fee: a 5-million-euro cyber policy underwritten by a Hannover-based carrier that uses the same transformer score as its actuarial input, cutting premiums by 35 % compared with market averages because the carrier knows the monitoring quality in real time. Moving between tiers is a one-line change in the member portal; the licence server simply adjusts the daily draw-down from the pre-paid escrow account held at the county development bank. No sales calls, no purchase orders, no nine-month procurement cycles that would still be asking for quotations while the ransomware letter is already on the managing director’s desk.

The outcome is coverage that feels internal but invoices like a utility. Last month a 46-person accounting firm in Köthen experienced a brute-force burst against its Remote-Desktop gateway at 02:13 on a Sunday. The Alliance SOC detected the spike at 02:14, locked the account, triggered a snapshot restore and had a forensic image ready before the first employee poured coffee at 07:30. Total elapsed time: 12 minutes. The firm’s monthly invoice for Tier 1 service is 278 €, less than the managing partner spends on espresso pods. Stories like that travel fast in county WhatsApp groups, which is why membership doubled between August and October without a single billboard or newspaper advertisement. When resilience costs less than coffee, even the most sceptical finance director stops asking why and starts asking how soon.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
