SOC as a Service the Evernow way
Brazilian analysts 24x7
Tier 1, Tier 2 and Tier 3 in São Paulo and Rio, with L2+ certifications (GCIA, GCIH, CHFI). Handoff in Portuguese, escalation in English when needed.
Contractual SLA with teeth
Critical: first response in 15 min, containment in 60 min. High: 30/120 min. Medium/Low: 4h/8h. A missed SLA triggers a financial penalty.
Cloud-native coverage
AWS GuardDuty, Azure Sentinel, GCP Chronicle, Kubernetes runtime, SaaS APIs (M365, Google Workspace, Okta). Not just endpoint.
Runbook by play (MITRE ATT&CK)
For each ATT&CK TTP relevant to your environment there is a dedicated runbook covering the actions to take, who approves them, the forensic evidence to collect and the report to produce.
Weekly tuning, not "set and forget"
Weekly review to add detections, retire noisy rules and calibrate thresholds. False-positive rate drops 60% in 90 days.
Monthly executive report
MTTD, MTTR, volume by severity, top attackers, biggest risks and roadmap of next detections to implement.
Live in 30 days, not 9 months
Days 1-7: Connectors
Integration with EDR/XDR, cloud, identity, network and critical apps. Standard connectors: CrowdStrike, SentinelOne, Darktrace, Sentinel, Defender, Okta, Zscaler.
Days 8-14: Use cases
Top 20 detections by MITRE ATT&CK mapped to your stack (e.g., impossible travel on Okta, suspicious PowerShell on CrowdStrike, exfiltration on Zscaler).
Days 15-21: Parallel run
SOC operates in shadow-mode with your current team, validating playbooks and minimizing false positives before taking over.
Days 22-30: Go-live
Full cutover with SLA active, handoff documentation, escalation matrix approved, quarterly tabletop exercise scheduled.
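The "impossible travel" use case from the Days 8-14 phase is the kind of detection a SOC builds first. The following is an added example (not Evernow's code and not an Okta API call): it runs over a handful of constructed sign-in events with assumed fields (user, timestamp, city, coordinates, IP, outcome), computes the great-circle distance between a user's consecutive successful sign-ins and raises an alert when the implied speed exceeds an assumed plausibility threshold. The ATT&CK tag T1078 (Valid Accounts) is how such an alert would typically be mapped.

```python
"""Impossible-travel detection over constructed sign-in events.

Added example, not Evernow's code or Okta's API. The event shape,
coordinates, threshold and ATT&CK tagging are all assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed
ATTACK_TECHNIQUE = "T1078"  # ATT&CK Valid Accounts, the usual tag for this alert


@dataclass(frozen=True)
class SignIn:
    """One sign-in event as the detection expects it (assumed schema)."""
    user: str
    ts: datetime
    city: str
    lat: float
    lon: float
    ip: str
    outcome: str  # "SUCCESS" or "FAILURE"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive sign-in pair that exceeds max_kmh.

    Only successful sign-ins count: a failed attempt from far away is a
    different signal (password spraying) and should not trigger this rule.
    """
    by_user: dict[str, list[SignIn]] = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        if e.outcome == "SUCCESS":
            by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Same timestamp from two distinct places is impossible by definition;
            # guard against division by zero rather than crashing the rule.
            if hours <= 0:
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "technique": ATTACK_TECHNIQUE,
                    "from": f"{prev.city} ({prev.ip})",
                    "to": f"{cur.city} ({cur.ip})",
                    "distance_km": round(km, 1),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed, 1),
                })
    return alerts


def _utc(h: int, m: int = 0) -> datetime:
    return datetime(2024, 5, 6, h, m, tzinfo=timezone.utc)


# Constructed sample events (coordinates are approximate city centres).
SAMPLE_EVENTS = [
    SignIn("alice", _utc(9), "Sao Paulo", -23.55, -46.63, "203.0.113.10", "SUCCESS"),
    SignIn("alice", _utc(11), "Frankfurt", 50.11, 8.68, "198.51.100.7", "SUCCESS"),
    SignIn("bob", _utc(9), "Sao Paulo", -23.55, -46.63, "203.0.113.20", "SUCCESS"),
    SignIn("bob", _utc(12), "Rio de Janeiro", -22.91, -43.17, "203.0.113.21", "SUCCESS"),
    SignIn("carol", _utc(8), "Lisbon", 38.72, -9.14, "192.0.2.5", "SUCCESS"),
    SignIn("carol", _utc(11), "London", 51.51, -0.13, "192.0.2.6", "SUCCESS"),
    # A failed attempt from far away is ignored by this rule on purpose.
    SignIn("carol", _utc(11, 5), "Sao Paulo", -23.55, -46.63, "203.0.113.99", "FAILURE"),
]

if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Only alice trips the rule: São Paulo to Frankfurt in two hours implies several thousand km/h, while bob's São Paulo to Rio hop and carol's Lisbon to London flight are both well under the threshold. In production the threshold and the handling of shared egress IPs (VPN, CDN) are exactly the kind of parameters the weekly tuning cycle adjusts.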
Frequent questions about SOC as a Service
How much does a managed SOC cost in Brazil?
Investment ranges from R$ 35k/month (small environment, 500 endpoints, light cloud footprint) to R$ 180k+/month (enterprise with hybrid multi-cloud, 5k+ endpoints, SaaS sprawl). Includes analysts, tuning, tooling license and executive reporting.
What's the difference vs. a traditional MSSP?
A traditional MSSP opens a ticket and passes it back; Evernow acts — contains the incident, validates, and hands over only after it is resolved or escalated. We keep the same team assigned to you — no ticket roulette.
Can you use my existing SIEM/EDR?
Yes, we are platform-agnostic. We operate with Sentinel, Splunk, Chronicle, QRadar and Sumo Logic for SIEM; CrowdStrike, SentinelOne and Defender for EDR; and native tooling for cloud. We can also license tooling when needed.
Does it cover incident response on the ground?
The standard package covers remote response. For on-site CSIRT work (forensic imaging, in-office investigation, communication with the ANPD and other authorities) we activate the specialist response squad under a separate SLA.
Is there LGPD / ISO 27001 compliance in SOC operations?
Yes. Evernow operates an ISO 27001-certified environment, signs a DPA with LGPD clauses, logs every analyst action, and keeps evidence ready for audits and data-subject requests.
