Blog post

Use the Gartner SOC HIT Model

By Pete Shoard | October 21, 2021 | 0 Comments

Security Operations

The Gartner Security Operations Centre (SOC) Hybrid-Internal-Tiered (HIT) Model is something we have been working on for a while. It provides a foundational guide for organizations to determine a pertinent SOC model that aligns to their security operations needs and requirements. Contrary to popular belief, choosing a SOC model is not complex. There are three main types of SOC model:

SOC HIT model Example chart, plotting expected issues and how they might effect model choice
SOC HIT Model Decision Matrix


This is the most common of the three core SOC models, and some may even say “every SOC is a hybrid SOC”. A hybrid SOC is a combination of internal and external resources that delivers a combined function to meet organizational needs. There is no framework for a hybrid model, nor is there a “right” or “wrong” way to implement it. 

A hybrid model usually employs; a managed security service (MSS), managed detection and response (MDR) or a managed/co-managed SIEM (COMSIEM) provider. Many choose to go this route because the hybrid SOC model is often a key driver in 24/7 operations cost reduction (No Cyber Never Sleeps, Yes you do need to do it 24/7). Therefore, it is well-suited not only for small to midsize enterprises, but also for larger organizations and mature SOCs that can selectively outsource some security services.

Hybrid SOCs can address a shortage and gap in the availability of skills and expertise. The considerable cost of 24/7 security operations is also a driver. It provides a speed to maturity that can rarely be achieved independently.


An internal SOC generally means your organisation owns and staffs a 24/7 centralized threat detection and response function, they have implemented robust processes and workflows to cope with the vast throughputs required. Even with internal SOCs some specialized functions may occasionally be outsourced — for example: technical testing (penetration test/red teams).

Internal SOCs are expensive and usually only well-funded organizations. Few can afford the numbers of personnel required for 24/7 coverage and the large array of security tool licenses. Sometimes circumstances force the hand of organisations in this regard; they may have sensitive environments, bespoke or complex needs, or regulatory requirements.

Some other factors that drive organizations to choose to build, implement and run their own SOCs are: concerns about a specific/targeted threat, the chosen internal technology stacks are not supported by third-party security services.


A tiered SOC model has multiple independently operated SOCs within the same organization. Synchronized by a top-tier (command or parent) SOC, to deliver unified threat detection and response. This is a hallmark of the needs of very large and/or distributed organizations, service providers, and those providing shared services (for example, government agencies).

Complex organisations with semi-independent sub organisations sometimes run multiple SOCs independently. This can be for various reasons, generally complex variations on the needs for an internal SOC. Its common for Tiered SOCs to work in unison, but managed hierarchically with one designated as the parent/command SOC.

The top-tier/parent or command SOC is responsible for functions such as: Leading and coordinating threat intelligence operations and reporting, and defining standard operating procedure for SOC processes and playbooks.

Want to learn more?

John Collins and Mitch Schneider and I recently released a brand new: SOC Model Guide on

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Leave a Comment