The Problem

Your Microsoft 365 already warns you. Someone has to read the alerts and act.

Teams, SharePoint, Exchange, and OneDrive carry your daily business. That's exactly where phishing and compromised identities strike. Microsoft Defender detects much of it and raises alerts. But in many SMEs, nobody assesses those alerts, and in our experience incidents often go unnoticed for weeks.


Until now your choice was between two extremes: a 24/7 SOC with an enterprise price tag, built for banks and hospitals, and nothing at all. For a company with 20 to 150 employees, neither fits. The ODCUS Security Operations Center fills that gap.

Paid for
Defender is already part of your Microsoft 365 licenses. The tools are in place.
Unread
Without a defined process, nobody assesses the alerts piling up there.
Your M365 keeps generating security alerts. Who reads them?
Without a SOC that owns them, critical Defender alerts sit unanswered.

Services

What the Microsoft 365 Security Operations Center handles

We connect to your Defender XDR tenant and take ownership of monitoring and incident response in Microsoft 365.

Critical alerts no longer sit unread

Automated detection in Defender XDR runs around the clock. Our analysts assess every alert during business hours following defined playbooks and reach out to you before you have to ask.

We respond to critical incidents within 30 minutes (business-hours SLA)

During business hours our analysts take over within the contractual response time and contain the spread. At night, automated playbooks stop the attack until we take over in the morning. The response times are in the contract.

You get concrete actions for every incident

You define during onboarding which immediate actions we may execute directly, such as blocking a compromised account. Everything else reaches you or your IT partner as concrete, prioritized recommendations. Control over your tenant stays with you.

You see what's happening in your M365 every month

Monthly service delivery report plus quarterly service meeting. A report you can show your leadership team and use as monitoring evidence for your cyber insurer.

Technology

Defender XDR and Sentinel: your data stays in the Microsoft stack

The Security Operations Center is built on the native Microsoft security stack. Your security data stays in the Microsoft stack, without a third-party SIEM and without additional data flows.


Microsoft Defender XDR

Central monitoring platform for endpoints, identities, email, and cloud apps.

Microsoft Sentinel (SIEM/SOAR)

Log aggregation, threat intelligence, and automated responses based on analytics rules.

Microsoft Entra ID

Identity signals, Conditional Access, and risk detection for user accounts.

Defender for Endpoint & Office 365

Protection for devices and email. Anti-phishing, safe links, EDR, ASR rules.

Security Operations Center data flow

M365 Tenant (Teams, SharePoint, Exchange)
Defender XDR Connectors
Defender XDR Portal
SIEM
Cross-Tenant Sync
ODCUS Security Operations Center
SOC
Incident Response + Reporting
Your organization, protected
LIVE

Who it's for

A SOC without a 24/7 night shift: sized for what your company needs

We tell you openly whether this model fits your operation. That saves you time, and us too.

The SOC fits you if ...

  • your company runs on Microsoft 365 (Business Standard or Premium)
  • a single person internally or a generalist IT partner runs your IT, without a security specialization
  • your business runs without night shifts, extended day shifts included
  • your cyber insurer, customers, or board expect proof of monitoring and incident response

It's not the right fit if ...

  • your operation produces around the clock and every minute of response time counts
  • regulation requires human response around the clock
  • your environment isn't built on Microsoft 365

In those cases you need a 24/7 SOC. We tell you that openly in the first call and point you to suitable alternatives.

Onboarding

From first contact to live SOC operations in 2–3 months

Structured onboarding ensures the Security Operations Center is tuned to your M365 environment before going live.

1

2 Weeks

Technical Onboarding

M365 tenant review and risk assessment. Establishing the cross-tenant connection between your environment and the ODCUS Security Operations Center.

2

1 Month

Crawl Phase

Incident monitoring functionality testing. We get to know your organization and start working with your IT team.

3

1 Month

Walk Phase

Configuration adjustments and Defender detection tuning specific to your M365 environment.

4

From Month 3

Run Phase

Full SOC operations with monthly reporting, quarterly service meetings, and ongoing optimization.

Pricing

Transparent pricing by risk level

You pay for your risk profile, not for a night shift. The risk level is determined by an M365 tenant review. A lower risk level means a lower monthly price, achievable through configuration improvements.

Risk Level Low
1'850 CHF / mo.
excl. VAT
  • Defender XDR Monitoring
  • Incident Response
  • Monthly report
  • Quarterly service meeting
  • Data loss prevention (DLP), secured admin access (PIM), phishing-resistant sign-in (MFA)
Risk Level Moderate
2'450 CHF / mo.
excl. VAT
  • Everything in Risk Level Low
  • Separate admin accounts
  • Stricter sign-in rules (Conditional Access)
  • Defender Antivirus + Firewall Policies
  • Defender for Cloud Apps basic policies
Risk Level High
3'650 CHF / mo.
excl. VAT
  • Everything in Risk Level Moderate
  • Intune Device Management
  • Defender for Endpoint Agent Rollout
  • Requires Microsoft 365 Business Premium
  • Strictest sign-in rules (Conditional Access)
Optional Add-ons
All-In Package
Mailflow checks, Threat Protection Status, Malware/Phishing campaign checks, MDO/MDE policy maintenance, monthly Attack Surface Report
Defender for Cloud Apps
Alert monitoring for Cloud App activities
Microsoft Purview
Alert monitoring for compliance signals
Onboarding fee (one-time)
Tenant review, setup, cross-tenant connection. Waived for a 4-year term.
from CHF 8,230

All prices in CHF, excl. VAT. Minimum term 12 months. Risk level determined by tenant review (CHF 990). Questions about pricing? Contact ODCUS.

Operated by ODCUS AG

Swiss IT security advisory for SMEs

The Security Operations Center for Microsoft 365 is a service by ODCUS AG, a Swiss IT security advisory specialized in cybersecurity, ISMS, and compliance for small and medium-sized businesses.

Learn more about ODCUS
Microsoft stack specialist Defender XDR, Entra ID, Sentinel, Intune. We know the Microsoft security stack in depth.
Contractual response times SLAs with measurable response times are in the contract and reported in the monthly report.
Right-sized Automated monitoring around the clock, analyst response during business hours. You pay for what an SME needs.

FAQ

Frequently asked questions

Why doesn't ODCUS run a 24/7 SOC with night-shift analysts?

Because few SMEs need one. A 24/7 SOC is built for operations where every minute of downtime causes direct damage: hospitals or shift-based manufacturing. An office-based SME ends up paying for a human night shift it rarely needs. Our model therefore separates two layers. Automated detection and defense in Microsoft Defender XDR and Sentinel run around the clock, for example automatically interrupting a risky sign-in. Our analysts assess the situation during business hours (Mon–Fri 08:00–17:30) with contractual response times and take over remediation. If your operation needs human response around the clock, we tell you so openly in the first call. In that case this SOC is not the right service for you.

How much does onboarding cost and how long does it take?

The one-time onboarding fee starts at CHF 8,230 and is waived if you sign a 4-year minimum contract term. The full onboarding process takes 2 to 3 months across four phases. During technical onboarding (2 weeks) we run the M365 Tenant Review, determine your risk level, and set up the cross-tenant synchronization between your Microsoft Defender XDR and our Security Operations Center. In the Crawl Phase (1 month) we test incident monitoring in live operations and start the collaboration workflow with your internal IT team. In the Walk Phase (a further month) we fine-tune the Defender detection rules to your specific Microsoft 365 environment. From month three onwards, the Security Operations Center runs in full operations (Run Phase) with monthly Service Delivery Reports and quarterly service meetings.

What happens if a security incident occurs outside business hours?

Microsoft Defender XDR detects and blocks at night and on weekends too. Automated defenses such as interrupting a risky sign-in or isolating a suspicious device run in your tenant regardless of business hours. Our analysts take over the next working day from 08:00 with full context, review the automation's decisions, investigate the incident, and start remediation. During business hours the contractual response times apply: 30 minutes for critical incidents, 2 hours for high, 4 hours for medium severity. If you spot something at night yourself, we set up an escalation chain with your internal emergency contact so the morning handover runs smoothly.

How is my risk level determined?

Via an M365 Tenant Review (CHF 990 one-time). We analyze your Microsoft 365 tenant's configuration across all relevant security domains: identities in Microsoft Entra ID (MFA, Conditional Access, privileged accounts), endpoint protection (Defender for Endpoint, Intune Device Management), email security (Defender for Office 365, DLP), data classification (Microsoft Purview), and cloud app activity (Defender for Cloud Apps). Based on that analysis we classify your tenant into one of three risk levels: Low (CHF 1,850/month), Moderate (CHF 2,450/month), or High (CHF 3,650/month). A lower level means a lower monthly price and is often achievable through configuration improvements alone, without buying additional licenses. The review is a snapshot of your current configuration, not a verdict on your IT team's work. The review report stays useful even if you decide against the SOC engagement.

Which Microsoft 365 licenses are required?

Microsoft 365 Business Standard minimum. Low and Moderate risk levels work with Business Standard plus the native Defender features (Defender for Office 365, Microsoft Entra ID with MFA and Conditional Access, Microsoft Purview baseline policies). The High risk level requires Microsoft 365 Business Premium or an equivalent E5 license, because Intune Device Management and Defender for Endpoint (the EDR agent on devices) are deployed there and are not included in Business Standard. If you currently run Microsoft 365 Apps for Business or Microsoft 365 Business Basic, the license upgrade is planned for the Run Phase, jointly with your Microsoft reseller. The tenant review also assesses license fit and tells you the minimum needed.

Will you have access to our data?

No, not your business data. The connection runs through a cross-tenant synchronization between your Microsoft Defender XDR and our Security Operations Center. What we see: security signals, incident metadata, anomaly detections, and telemetry from Defender for Endpoint, Defender for Office 365, Microsoft Entra ID, and Defender for Cloud Apps. What we don't see: the contents of your files in OneDrive or SharePoint, the body of your emails, or your Teams chat history. When an incident requires examining mail content (phishing forensics, for example), it always happens inside your tenant and with your explicit approval. The contract is governed by Swiss law, and all data stays in your Microsoft 365 tenant. We don't extract anything into our own infrastructure.

What's the minimum contract term?

The standard minimum term is 12 months, starting from the beginning of the Run Phase. The contract then auto-renews in 12-month periods, with 3 months' notice required for termination at the end of a period. For contracts of 4 years or longer, the one-time onboarding fee of CHF 8,230 is waived. The 4-year option pays off because the onboarding (tenant review, configuration hardening, cross-tenant setup) is a substantial up-front investment. If your security needs grow during the contract (through company growth or new regulatory requirements), the risk level can be adjusted at any time without a new contract.

What happens if ODCUS itself is unavailable?

The Security Operations Center runs on Microsoft Cloud, not on ODCUS-owned infrastructure. Microsoft Defender XDR and Microsoft Sentinel monitor your tenant continuously, without any action from ODCUS. What we deliver is the continuous interpretation and response to those signals. If an individual ODCUS team member is unavailable, an agreed deputy takes over with a documented onboarding handover. In the rare event that ODCUS as a company became unavailable (extended business interruption), your Microsoft 365 tenant remains entirely in your ownership and under your control. You can sever the cross-tenant connection yourself at any time, and all SOC configurations (analytics rules, playbooks, detection logic) are documented at the tenant review and handed over so another provider could pick them up.

Next Step

Ready for a SOC that's the right size?

30 minutes with the ODCUS team. You'll learn what's currently unmonitored in your M365 and what SOC size fits your company. Free and without obligation.

info@odcus.com · +41 43 217 86 70 · Switzerland