Cybersecurity 30 April 2026 · 6 min read

The follow-the-sun SOC trap — why we chose 3×8

Most managed SOCs sold in France are follow-the-sun setups spread across multiple timezones. Here is why this model, attractive on paper, generates an MTTR 4 to 6× higher than an internalised 3×8.

By Hexceos Team · SOC team

The follow-the-sun promise

Three teams spread across three continents — typically Manila, Casablanca and a European site — covering 24 hours a day, each working local office hours. Advertised benefits: lower cost (salaries vary with geography), better geographic resilience, predictable shift handovers.

It is elegant. It is what ITIL training teaches and what most large IT service firms sell. And it doesn’t work well.

Four technical reasons

1. Information transfer degrades

At every shift change (every 8 hours, three times a day), the incoming team must absorb the context of ongoing incidents, hunts in progress and customer-specific details. No written document replaces the operational knowledge of an analyst who has spent six months on your IT estate. A follow-the-sun model resets this capital three times a day.

2. Skills are not portable

Keeping up with the day’s APT TTPs, fresh vulnerabilities and active ransomware variants is a daily watch, carried out in French, in English, sometimes in Russian or Chinese. This watch is geographically concentrated. A Manila team rarely covers the same landscape as a Paris or Montréal team.

3. The hidden cost of relay tools

To make a follow-the-sun model work, you add layers: SOAR to automate playbooks, elaborate ticketing, intermediate dashboards. Each layer is a friction point. Our observation over 2024-2025: the average time from alert to human qualification is three to six times higher in follow-the-sun than in an internalised 3×8.

4. Language matters

A 3 a.m. customer call during an active incident must be taken in the customer’s native language by default. An English-speaking dispatcher talking to a panicked French executive who has to decide whether to isolate a production line — that’s risk amplification, not reduction.

The numbers we measure

Over the last twelve months (2025) at Hexceos:

  • Average MTTR on qualified incidents — 11 minutes.
  • Crisis cell activation — under one hour, 24/7.
  • First-pass qualification accuracy — 94%.

Customers who migrated to us from follow-the-sun providers have shared the equivalent figures from their previous providers: average MTTR of 35 to 90 minutes, first-pass qualification accuracy of 65 to 75%.

The gap is not marginal. It makes the difference between an attack contained before exfiltration and an attack whose consequences emerge three days later.

When follow-the-sun makes sense

Honestly, there is a case for it. For low-level monitoring (passive network logs, availability monitoring, non-critical alerting), a well-tooled follow-the-sun setup performs well and is economical. The problem starts when it’s used for critical operational cybersecurity.

Our choice

Our SOC is composed of three teams of 6 to 8 engineers, Hexceos employees, based in France and Quebec, rotating 3×8 with a structured 30-minute overlap between shifts. No outsourcing, no offshore. It costs more to run. It is also what separates an 11-minute MTTR from a one-hour MTTR.

Written by the Hexceos SOC team.
