Co-Managed Security Services: Why Australian Companies Choose Hybrid
Co-managed security services combine your internal IT team with a managed security provider. Learn why Australian mid-market companies choose this hybrid approach, what is included, and how it reduces risk and cost.
Quick Summary
Co-managed security services combine your internal IT team with a managed security service provider (MSSP). You keep control of your environment and maintain internal expertise, while the MSSP provides 24/7 monitoring, specialist skills, and advanced tools that you cannot afford to build in-house. "Co-managed security services" is a BREAKOUT search term in Australia – companies are actively looking for this hybrid model. This guide covers what co-managed security includes, why companies choose it, how it differs from fully managed or fully in-house, and how to structure the right partnership.
Key fact: 69 per cent of Australian businesses were attacked by ransomware in 2024-25. Companies need 24/7 security monitoring, specialist cybersecurity skills, and advanced tools – but cannot afford to build all three in-house.
Table of Contents
- What Is Co-Managed Security?
- Fully In-House vs Fully Managed vs Co-Managed
- What Is Included
- Why Companies Choose Co-Managed
- How to Structure the Partnership
- Cost Comparison
- Common Pitfalls to Avoid
- Frequently Asked Questions
What Is Co-Managed Security?
Co-managed security is a partnership model where your internal IT team and an external managed security service provider (MSSP) share responsibility for your cybersecurity posture.
Your internal team handles:
- Day-to-day IT operations and user support
- First-line incident triage and response
- Internal stakeholder communication
- Policy development and enforcement
- On-site security tasks (hardware, physical access)
The MSSP handles:
- 24/7 security monitoring (SIEM/XDR)
- Threat detection and response
- Vulnerability scanning and patch management
- Essential Eight maturity assessment and monitoring
- Backup monitoring and restore testing
- Security awareness training
- Compliance evidence collection
Together, you share:
- Strategic security planning
- Incident response planning and testing
- Security tool evaluation and procurement
- Board-level security reporting
- Vendor management (for security tools)
Fully In-House vs Fully Managed vs Co-Managed
| Dimension | Fully In-House | Fully Managed (MSSP) | Co-Managed (Hybrid) |
|---|---|---|---|
| Control | Full control | MSSP controls security operations | Shared control – you retain strategic control |
| 24/7 coverage | No (on-call only) | Yes (MSSP NOC/SOC) | Yes (MSSP NOC/SOC) |
| Specialist skills | Limited to what you can hire | Full MSSP team of specialists | MSSP specialists + your internal generalist |
| Tool cost | You buy all tools | MSSP provides tools | Shared – MSSP provides advanced tools, you manage basic tools |
| Business context | Deep internal knowledge | Limited business context | Deep internal knowledge + MSSP expertise |
| Cost | $150K-$300K+ for full team | $60K-$150K/year | $80K-$200K/year |
| Single point of failure | HIGH (if key person leaves) | LOW (MSSP team redundancy) | MEDIUM (your team + MSSP team) |
| Scalability | Limited by hiring | Highly scalable | Scalable via MSSP |
| Knowledge retention | At risk if staff leave | Retained by MSSP | Shared between your team and MSSP |
What Is Included
A typical co-managed security engagement includes:
MSSP-Provided Services
| Service | Detail |
|---|---|
| 24/7 SIEM/XDR monitoring | Security event correlation, threat detection, automated response playbooks |
| Vulnerability scanning | Monthly automated scans with remediation tracking and trend analysis |
| Patch management | Automated patching with prioritisation for critical and extreme-risk vulnerabilities |
| Essential Eight monitoring | Continuous maturity assessment with real-time dashboard and evidence collection |
| Backup monitoring | Automated monitoring of backup completion, integrity, and restore readiness |
| Threat intelligence | Industry-specific threat feeds, alerting on relevant campaigns and indicators |
| Security awareness training | Phishing simulations, ongoing training modules, measured click-through rate improvement |
| Incident response support | On-call security engineer, containment playbooks, forensic investigation, recovery |
| Quarterly security reviews | Security posture assessment, trend analysis, recommendations, and roadmap updates |
Your Internal Team Responsibilities
| Responsibility | Detail |
|---|---|
| First-line triage | Initial assessment of security alerts, routing to MSSP for deep analysis if needed |
| Internal communication | Notifying stakeholders of security events, coordinating response actions |
| Policy development | Developing and enforcing security policies, procedures, and standards |
| On-site tasks | Physical security, hardware installation, device procurement and deployment |
| User support | Password resets, account provisioning, security-related helpdesk tickets |
| Compliance coordination | Coordinating with auditors, collecting internal evidence, managing compliance timelines |
Why Companies Choose Co-Managed
Reason 1: Cannot Afford Full In-House Team
| Specialist Role | Annual Cost | Why Co-Managed Solves This |
|---|---|---|
| SOC analyst (24/7 coverage = 4-5 people) | $400K-$600K | MSSP provides 24/7 SOC at a fraction of the cost |
| Security engineer | $130K-$180K | MSSP provides security engineering as part of the service |
| Threat intelligence analyst | $120K-$160K | MSSP provides threat intelligence feeds and analysis |
| Incident response specialist | $140K-$200K | MSSP provides on-call IR support |
| Total in-house team cost | $790K-$1,140K | Co-managed cost: $80K-$200K/year |
Reason 2: Wants to Retain Internal Control
Some companies do not want to fully outsource security because:
- They have deep institutional knowledge that an MSSP cannot replicate
- They have specific compliance obligations that require internal oversight
- They want to build internal security capability for the long term
- They have had bad experiences with fully managed providers in the past
Co-managed security gives them the best of both: internal control + external expertise.
Reason 3: Needs 24/7 Coverage
| Time Period | In-House Coverage | Co-Managed Coverage |
|---|---|---|
| Business hours (Mon-Fri, 8am-6pm) | Full coverage | Full coverage (internal team + MSSP) |
| After-hours (Mon-Fri, 6pm-8am) | On-call phone (may not answer) | 24/7 SOC monitoring and response |
| Weekends | No coverage | 24/7 SOC monitoring and response |
| Public holidays | No coverage | 24/7 SOC monitoring and response |
Reason 4: Needs Advanced Tools
| Security Tool | Annual Cost (In-House) | Included in Co-Managed |
|---|---|---|
| SIEM/XDR platform | $30K-$80K | Yes |
| Vulnerability scanner | $5K-$15K | Yes |
| Threat intelligence feeds | $10K-$30K | Yes |
| Security awareness training platform | $3K-$8K | Yes |
| Backup monitoring and testing | $2K-$5K | Yes |
| Total tool cost | $50K-$138K | Included in co-managed fee |
How to Structure the Partnership
Step 1: Define the Division of Responsibilities
Create a RACI matrix (Responsible, Accountable, Consulted, Informed) for each security function:
| Security Function | Internal Team | MSSP |
|---|---|---|
| 24/7 monitoring | Informed | Responsible + Accountable |
| Vulnerability scanning | Consulted | Responsible |
| Patch deployment | Responsible | Consulted |
| Essential Eight assessment | Consulted | Responsible |
| Incident response (first line) | Responsible | Consulted |
| Incident response (deep analysis) | Consulted | Responsible |
| Security awareness training | Consulted | Responsible |
| Policy development | Responsible + Accountable | Consulted |
| Board-level reporting | Responsible | Consulted |
| Tool procurement | Accountable | Consulted |
Step 2: Establish Communication Protocols
| Protocol | Detail |
|---|---|
| Daily | MSSP sends daily security summary (alerts, actions, trends) |
| Weekly | 30-minute call between internal team and MSSP engineer |
| Monthly | Monthly security dashboard review with internal team and MSSP |
| Quarterly | Formal security posture review with leadership, MSSP, and internal team |
| Incident | MSSP notifies internal team within 15 minutes for critical incidents, 1 hour for high incidents |
Step 3: Define Escalation Paths
Security alert detected by MSSP SIEM/XDR
↓
MSSP analyst triages and assesses severity
↓
If Critical: Page internal team on-call + MSSP senior engineer (15 minutes)
If High: Notify internal team via ticket + email (1 hour)
If Medium: Create ticket for internal team next business day
If Low: Log and monitor
↓
Internal team coordinates response with MSSP
↓
Post-incident: MSSP produces incident report, internal team implements lessons learned
Step 4: Set Performance Metrics
| Metric | Target | Measurement |
|---|---|---|
| Mean time to detect (MTTD) | <5 minutes for critical threats | MSSP SIEM logs |
| Mean time to respond (MTTR) | <30 minutes for critical threats | MSSP incident logs |
| Vulnerability patching time | <48 hours for extreme-risk vulnerabilities | Patch management dashboard |
| Essential Eight maturity level | Target Maturity Level 2 within 6-12 months | Quarterly maturity assessment |
| Backup restore test | Quarterly, with documented results | Restore test reports |
| Phishing click-through rate | <5% (after 6 months of training) | Phishing simulation results |
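The escalation timings in Step 2 and Step 3 (15 minutes for critical, 1 hour for high) and the MTTD/MTTR targets in Step 4 are only useful if somebody actually measures them against the incident record each month. The script below is an added example, not SyncBricks' code or tooling: it takes a constructed, comma-separated incident export (ticket, severity, first malicious event, SIEM alert, MSSP notification, containment action; the column layout and the timestamps are assumptions) and computes MTTD and MTTR per severity, flags incidents where the MSSP notified the internal team later than the protocol allows, and reports whether the critical-severity means meet the article's targets.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Targets taken from the article's Step 2 (notification) and Step 4 (MTTD/MTTR) tables, in minutes.
NOTIFY_SLA_MIN = {"critical": 15, "high": 60}
MTTD_TARGET_MIN = {"critical": 5}
MTTR_TARGET_MIN = {"critical": 30}


@dataclass
class Incident:
    ticket: str
    severity: str
    occurred: datetime   # first malicious event, as reconstructed from SIEM logs
    detected: datetime   # SIEM/XDR alert raised by the MSSP
    notified: datetime   # internal team paged or ticketed by the MSSP
    responded: datetime  # first containment action taken


def parse_incident(line: str) -> Incident:
    """Parse one record: ticket,severity,occurred,detected,notified,responded (ISO 8601).
    The column layout is an assumption for this example; adapt it to your MSSP's export."""
    ticket, sev, *stamps = [field.strip() for field in line.split(",")]
    if len(stamps) != 4:
        raise ValueError(f"{ticket}: expected 4 timestamps, got {len(stamps)}")
    occ, det, ntf, rsp = (datetime.fromisoformat(s) for s in stamps)
    # A record whose timestamps run backwards is a data-quality problem, not a fast response.
    if not (occ <= det <= ntf <= rsp):
        raise ValueError(f"{ticket}: timestamps out of order")
    return Incident(ticket, sev.lower(), occ, det, ntf, rsp)


def load_incidents(text: str) -> list:
    """Parse every non-empty line of an export."""
    return [parse_incident(ln) for ln in text.splitlines() if ln.strip()]


def minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def sla_report(incidents: list):
    """Return (per-severity means with target flags, list of per-incident notification breaches)."""
    samples = {}
    breaches = []
    for inc in incidents:
        ttd = minutes(inc.occurred, inc.detected)   # time to detect
        ttn = minutes(inc.detected, inc.notified)   # MSSP -> internal team latency
        ttr = minutes(inc.detected, inc.responded)  # time to respond (containment)
        bucket = samples.setdefault(inc.severity, {"ttd": [], "ttr": []})
        bucket["ttd"].append(ttd)
        bucket["ttr"].append(ttr)
        limit = NOTIFY_SLA_MIN.get(inc.severity)
        if limit is not None and ttn > limit:
            breaches.append((inc.ticket, "notify", ttn))
    report = {}
    for sev, b in samples.items():
        mttd, mttr = mean(b["ttd"]), mean(b["ttr"])
        report[sev] = {
            "count": len(b["ttd"]),
            "mttd_min": mttd,
            "mttr_min": mttr,
            # None where the article sets no target for that severity
            "meets_mttd": mttd < MTTD_TARGET_MIN[sev] if sev in MTTD_TARGET_MIN else None,
            "meets_mttr": mttr < MTTR_TARGET_MIN[sev] if sev in MTTR_TARGET_MIN else None,
        }
    return report, breaches


# Constructed sample export for this example (not real incident data).
SAMPLE_EXPORT = """\
INC-001,critical,2025-03-03T02:00:00,2025-03-03T02:03:00,2025-03-03T02:10:00,2025-03-03T02:25:00
INC-002,critical,2025-03-09T23:30:00,2025-03-09T23:41:00,2025-03-10T00:05:00,2025-03-10T00:30:00
INC-003,high,2025-03-12T14:00:00,2025-03-12T14:06:00,2025-03-12T14:50:00,2025-03-12T16:00:00
INC-004,high,2025-03-20T08:15:00,2025-03-20T08:20:00,2025-03-20T09:45:00,2025-03-20T10:30:00
INC-005,medium,2025-03-25T16:00:00,2025-03-25T16:04:00,2025-03-26T09:00:00,2025-03-26T11:00:00
"""

if __name__ == "__main__":
    rep, brk = sla_report(load_incidents(SAMPLE_EXPORT))
    for sev, row in rep.items():
        print(f"{sev:9} n={row['count']} MTTD={row['mttd_min']:.1f}m MTTR={row['mttr_min']:.1f}m "
              f"meets_mttd={row['meets_mttd']} meets_mttr={row['meets_mttr']}")
    for ticket, kind, lat in brk:
        print(f"BREACH {ticket}: {kind} latency {lat:.0f}m")
```

On the constructed data the critical-severity MTTD comes out at 7 minutes and MTTR at 35.5 minutes, both missing the Step 4 targets, and INC-002 and INC-004 exceed the 15-minute and 1-hour notification windows. Running this over a real export each month turns the Step 4 table from a contract clause into a number the weekly call can act on; the out-of-order check matters because clock drift or manual back-filling of tickets otherwise produces impossibly good MTTR figures.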
Cost Comparison
| Model | Annual Cost (100-User Company) | What You Get |
|---|---|---|
| Fully in-house | $150K-$300K+ (salaries + tools + training) | Full control, but limited specialist skills and no 24/7 coverage |
| Fully managed (MSSP) | $60K-$150K | 24/7 coverage, full specialist team, but less internal control |
| Co-managed (hybrid) | $80K-$200K | 24/7 coverage, specialist skills, internal control retained |
The Co-Managed Value Equation
| Component | Cost | Value |
|---|---|---|
| MSSP fee | $80K-$200K/year | 24/7 SOC, specialist team, advanced tools, Essential Eight monitoring |
| Internal team (incremental cost) | $0-$30K (existing team handles first-line tasks) | Business context, stakeholder communication, policy development |
| Total | $80K-$230K | Comprehensive security with internal control |
| vs fully in-house equivalent | $150K-$300K+ | Saves $70K-$70K+ with better coverage |
Common Pitfalls to Avoid
Pitfall 1: Unclear Responsibility Boundaries
The problem: Both the internal team and MSSP assume the other is handling a critical security function, and nobody does it.
The fix: Document a clear RACI matrix for every security function. Review it quarterly and update as responsibilities shift.
Pitfall 2: Poor Communication
The problem: The MSSP detects a threat, creates a ticket, and the internal team does not see it for hours.
The fix: Establish communication protocols with defined response times. Use a shared ticketing system. Conduct weekly calls between teams.
Pitfall 3: Tool Overlap
The problem: The internal team already has antivirus and the MSSP deploys their own – now you are paying for two tools that conflict.
The fix: Conduct a tool inventory assessment before engagement. Decide which tools the MSSP will replace and which the internal team will retain.
Pitfall 4: Knowledge Silos
The problem: The MSSP knows the security environment but not the business context. The internal team knows the business but not the security tools.
The fix: Conduct joint onboarding sessions. Have the MSSP document everything in a shared knowledge base. Include the MSSP in quarterly business reviews.
Pitfall 5: No Exit Plan
The problem: If the relationship ends, the internal team does not know how to operate the MSSP's tools independently.
The fix: Require the MSSP to document all configurations, playbooks, and procedures. Include free knowledge transfer in the contract.
Frequently Asked Questions
How is co-managed different from fully managed security?
In fully managed security, the MSSP handles everything – you have little to no involvement. In co-managed security, your internal team retains responsibility for first-line tasks, policy development, and stakeholder communication, while the MSSP handles 24/7 monitoring, specialist analysis, and advanced tool operation. Co-managed gives you control + expertise; fully managed gives you convenience but less visibility.
Do I need an internal IT team for co-managed security?
Yes, you need at least one internal IT coordinator who can handle first-line triage, internal communication, and on-site tasks. The coordinator does not need to be a cybersecurity specialist – the MSSP provides the specialist skills. The coordinator needs basic IT knowledge, communication skills, and the authority to escalate incidents to leadership.
How quickly can co-managed security be set up?
Typically 4-6 weeks. Week 1-2: tool deployment and integration. Week 3-4: baseline assessment and policy alignment. Week 5-6: testing and handover. Full 24/7 monitoring begins at the end of week 6.
What happens if the MSSP misses a threat?
The MSSP should have SLAs for detection and response times with financial penalties for breach. Additionally, your internal team should conduct periodic "purple team" exercises (simulated attacks) to test the MSSP's detection capability. If the MSSP consistently misses threats, it is time to renegotiate or switch providers.
Can I start with co-managed and move to fully managed later?
Yes. Many companies start co-managed to build internal understanding and trust, then transition to fully managed once they are confident in the MSSP's capability. The transition takes 4-6 weeks during which the MSSP assumes additional responsibilities from the internal team.
Ready to Explore Co-Managed Security?
SyncBricks provides co-managed security services that combine 24/7 SIEM/XDR monitoring, Essential Eight compliance, and incident response with your internal team's business knowledge and stakeholder relationships.
What you get on a 30-minute scoping call:
- Assessment of your current security posture and gaps
- Recommended division of responsibilities between your team and ours
- Indicative pricing for co-managed security
- No obligation, no pressure
About the Author: Amjid Ali is CIO and AI Automation Engineer at SyncBricks Technologies, with 25+ years of IT experience. He has led cybersecurity compliance programs for APRA-regulated entities and government suppliers, and managed co-managed security engagements for Australian mid-market businesses.