Critical alerts no longer sit unread
Automated detection in Defender XDR runs around the clock. Our analysts assess every alert during business hours following defined playbooks and reach out to you before you have to ask.
The ODCUS Security Operations Center is built for Swiss SMEs with 20 to 150 employees that don't need a 24/7 SOC: Microsoft automation watches your tenant around the clock, our analysts assess and respond during business hours with contractual response times. You get a monthly report your leadership team understands.
30 minutes, free. Afterwards, you'll know what goes unwatched in your M365 today and how to answer your cyber insurer's monitoring questions.
The Problem
Teams, SharePoint, Exchange, and OneDrive carry your daily business. That's exactly where phishing and compromised identities strike. Microsoft Defender detects much of it and raises alerts. But in many SMEs, nobody assesses those alerts, and in our experience incidents often go unnoticed for weeks.
Until now your choice was between two extremes: a 24/7 SOC with an enterprise price tag, built for banks and hospitals, and nothing at all. For a company with 20 to 150 employees, neither fits. The ODCUS Security Operations Center fills that gap.
Services
We connect to your Defender XDR tenant and take ownership of monitoring and incident response in Microsoft 365.
Automated detection in Defender XDR runs around the clock. Our analysts assess every alert during business hours following defined playbooks and reach out to you before you have to ask.
During business hours our analysts take over within the contractual response time and contain the spread. At night, automated playbooks stop the attack until we take over in the morning. The response times are in the contract.
You define during onboarding which immediate actions we may execute directly, such as blocking a compromised account. Everything else reaches you or your IT partner as concrete, prioritized recommendations. Control over your tenant stays with you.
Monthly service delivery report plus quarterly service meeting. A report you can show your leadership team and use as monitoring evidence for your cyber insurer.
Technology
The Security Operations Center is built on the native Microsoft security stack. Your security data stays in the Microsoft stack, without a third-party SIEM and without additional data flows.
Central monitoring platform for endpoints, identities, email, and cloud apps.
Log aggregation, threat intelligence, and automated responses based on analytics rules.
Identity signals, Conditional Access, and risk detection for user accounts.
Protection for devices and email. Anti-phishing, safe links, EDR, ASR rules.
Security Operations Center data flow
Who it's for
We tell you openly whether this model fits your operation. That saves you time, and us too.
In those cases you need a 24/7 SOC. We tell you that openly in the first call and point you to suitable alternatives.
Onboarding
Structured onboarding ensures the Security Operations Center is tuned to your M365 environment before going live.
2 Weeks
M365 tenant review and risk assessment. Establishing the cross-tenant connection between your environment and the ODCUS Security Operations Center.
1 Month
Incident monitoring functionality testing. We get to know your organization and start working with your IT team.
1 Month
Configuration adjustments and Defender detection tuning specific to your M365 environment.
From Month 3
Full SOC operations with monthly reporting, quarterly service meetings, and ongoing optimization.
Pricing
You pay for your risk profile, not for a night shift. The risk level is determined by an M365 tenant review. A lower risk level means a lower monthly price, achievable through configuration improvements.
All prices in CHF, excl. VAT. Minimum term 12 months. Risk level determined by tenant review (CHF 990). Questions about pricing? Contact ODCUS.
Operated by ODCUS AG
The Security Operations Center for Microsoft 365 is a service by ODCUS AG, a Swiss IT security advisory specialized in cybersecurity, ISMS, and compliance for small and medium-sized businesses.
Learn more about ODCUSFAQ
Because few SMEs need one. A 24/7 SOC is built for operations where every minute of downtime causes direct damage: hospitals or shift-based manufacturing. An office-based SME ends up paying for a human night shift it rarely needs. Our model therefore separates two layers. Automated detection and defense in Microsoft Defender XDR and Sentinel run around the clock, for example automatically interrupting a risky sign-in. Our analysts assess the situation during business hours (Mon–Fri 08:00–17:30) with contractual response times and take over remediation. If your operation needs human response around the clock, we tell you so openly in the first call. In that case this SOC is not the right service for you.
The one-time onboarding fee starts at CHF 8,230 and is waived if you sign a 4-year minimum contract term. The full onboarding process takes 2 to 3 months across four phases. During technical onboarding (2 weeks) we run the M365 Tenant Review, determine your risk level, and set up the cross-tenant synchronization between your Microsoft Defender XDR and our Security Operations Center. In the Crawl Phase (1 month) we test incident monitoring in live operations and start the collaboration workflow with your internal IT team. In the Walk Phase (a further month) we fine-tune the Defender detection rules to your specific Microsoft 365 environment. From month three onwards, the Security Operations Center runs in full operations (Run Phase) with monthly Service Delivery Reports and quarterly service meetings.
Microsoft Defender XDR detects and blocks at night and on weekends too. Automated defenses such as interrupting a risky sign-in or isolating a suspicious device run in your tenant regardless of business hours. Our analysts take over the next working day from 08:00 with full context, review the automation's decisions, investigate the incident, and start remediation. During business hours the contractual response times apply: 30 minutes for critical incidents, 2 hours for high, 4 hours for medium severity. If you spot something at night yourself, we set up an escalation chain with your internal emergency contact so the morning handover runs smoothly.
Via an M365 Tenant Review (CHF 990 one-time). We analyze your Microsoft 365 tenant's configuration across all relevant security domains: identities in Microsoft Entra ID (MFA, Conditional Access, privileged accounts), endpoint protection (Defender for Endpoint, Intune Device Management), email security (Defender for Office 365, DLP), data classification (Microsoft Purview), and cloud app activity (Defender for Cloud Apps). Based on that analysis we classify your tenant into one of three risk levels: Low (CHF 1,850/month), Moderate (CHF 2,450/month), or High (CHF 3,650/month). A lower level means a lower monthly price and is often achievable through configuration improvements alone, without buying additional licenses. The review is a snapshot of your current configuration, not a verdict on your IT team's work. The review report stays useful even if you decide against the SOC engagement.
Microsoft 365 Business Standard minimum. Low and Moderate risk levels work with Business Standard plus the native Defender features (Defender for Office 365, Microsoft Entra ID with MFA and Conditional Access, Microsoft Purview baseline policies). The High risk level requires Microsoft 365 Business Premium or an equivalent E5 license, because Intune Device Management and Defender for Endpoint (the EDR agent on devices) are deployed there and are not included in Business Standard. If you currently run Microsoft 365 Apps for Business or Microsoft 365 Business Basic, the license upgrade is planned for the Run Phase, jointly with your Microsoft reseller. The tenant review also assesses license fit and tells you the minimum needed.
No, not your business data. The connection runs through a cross-tenant synchronization between your Microsoft Defender XDR and our Security Operations Center. What we see: security signals, incident metadata, anomaly detections, and telemetry from Defender for Endpoint, Defender for Office 365, Microsoft Entra ID, and Defender for Cloud Apps. What we don't see: the contents of your files in OneDrive or SharePoint, the body of your emails, or your Teams chat history. When an incident requires examining mail content (phishing forensics, for example), it always happens inside your tenant and with your explicit approval. The contract is governed by Swiss law, and all data stays in your Microsoft 365 tenant. We don't extract anything into our own infrastructure.
The standard minimum term is 12 months, starting from the beginning of the Run Phase. The contract then auto-renews in 12-month periods, with 3 months' notice required for termination at the end of a period. For contracts of 4 years or longer, the one-time onboarding fee of CHF 8,230 is waived. The 4-year option pays off because the onboarding (tenant review, configuration hardening, cross-tenant setup) is a substantial up-front investment. If your security needs grow during the contract (through company growth or new regulatory requirements), the risk level can be adjusted at any time without a new contract.
The Security Operations Center runs on Microsoft Cloud, not on ODCUS-owned infrastructure. Microsoft Defender XDR and Microsoft Sentinel monitor your tenant continuously, without any action from ODCUS. What we deliver is the continuous interpretation and response to those signals. If an individual ODCUS team member is unavailable, an agreed deputy takes over with a documented onboarding handover. In the rare event that ODCUS as a company became unavailable (extended business interruption), your Microsoft 365 tenant remains entirely in your ownership and under your control. You can sever the cross-tenant connection yourself at any time, and all SOC configurations (analytics rules, playbooks, detection logic) are documented at the tenant review and handed over so another provider could pick them up.
Next Step
30 minutes with the ODCUS team. You'll learn what's currently unmonitored in your M365 and what SOC size fits your company. Free and without obligation.
info@odcus.com · +41 43 217 86 70 · Switzerland