Nobody is watching at 3am. Here are the four honest options.
Published
A small team that cannot staff a night shift has four realistic options for out-of-hours coverage: accept the gap and document it, put your own people on call, buy a managed detection and response service with a human night shift, or automate the investigation so a human wakes up only to a decision rather than a raw alert. Each has a real cost. Only one of them is free, and it is the one that is currently failing.
Why do attackers pick 3am on a Sunday?
Because that is when nobody answers. Ransomware operators in particular time the final payload for the hours when the defending team is smallest and slowest, which turns a containable incident into a full recovery.
This is measurable, not folklore. Sophos, in its Active Adversary Report 2026, found that 88% of ransomware payloads it observed were deployed outside the victim organisation's business hours, which the report notes is an all-time high in its data. The full report is published at sophos.com and is worth reading directly rather than taking a vendor's summary of it, including ours.
The uncomfortable implication for a small team is that your coverage model and the attacker's timing model are inversely correlated. You are strongest exactly when you are least likely to be attacked, and weakest exactly when you are most likely to be.
Option 1: accept the gap, and write it down
This is what most small teams do, but they do it by accident rather than by decision, which is the problem. The alert queue simply sits from Friday evening to Monday morning and everyone hopes.
Accepting the gap is a legitimate risk decision for some organisations. What is not legitimate is failing to write it down. If out-of-hours alerts are not triaged until the next working day, that is a documented risk acceptance with an owner and a review date, not an unexamined habit.
The practical test: if your cyber insurance renewal or a SOC 2 auditor asks "do you have 24/7 security monitoring?", a dashboard nobody watches at night is not 24/7 monitoring, and answering as though it is will cost you more than answering honestly.
Option 2: put your own people on call
You can rota your existing team. It works, briefly. The cost is not the on-call allowance, it is attrition. A rota of two or three people, woken by a queue that is mostly false positives, degrades quickly, and the good ones leave first.
If you do this, the single highest-leverage change is not the rota, it is the paging threshold. Most teams page on severity, which is a property of the detection rule rather than of the situation. Paging on a high-severity alert that turns out to be a scheduled backup is how you train a team to ignore the pager.
Genuine 24/7 in-house cover, with no single point of failure, needs roughly five analysts plus a lead. That is a headcount conversation, not a rota conversation, and for most small and mid-sized teams it is not affordable.
Option 3: buy managed detection and response
MDR buys you a staffed night shift. That is a real thing that a tool cannot replicate: a human being who will act on your behalf at 3am, under an SLA.
The trade-offs are cost, contract length and visibility. MDR is typically a five- or six-figure annual commitment, often on a multi-year term, and it frequently triages a sample under an SLA rather than fully investigating everything. You are also, by design, outsourcing the judgement, so the depth of reasoning you see back varies by provider.
If out-of-hours human response is the actual requirement, MDR is the honest answer and you should buy it. We say this on our own comparison page too: an AI SOC does not put a human in your estate at 3am.
Option 4: automate the investigation, keep the human decision
The fourth option separates two things that are usually bundled: working out what happened, and deciding what to do about it. The first can run at 3am without you. The second, arguably, should not.
This is what OwlSOC does. It connects read-only to Sentinel, Defender or AWS Security Hub, and when an alert fires at 3am it investigates immediately: pulls the related logs, correlates across sources, resolves the entities, maps the technique to MITRE ATT&CK, and produces an evidence-linked timeline with a hedged verdict, typically in under two minutes. It emails the result, with digest batching so a storm does not become a hundred emails.
Be clear about what that does and does not buy you. It does not contain the threat at 3am, and it does not wake anybody up on your behalf. What it does is change the question you face in the morning, or on the phone, from "here are 40 raw alerts" to "here is what happened, here is the evidence, here is what we suggest you approve". If you do choose to get up, you get up to a decision rather than to an investigation.
How should you choose?
Start from the requirement rather than the product category, and be honest about which one you actually have.
- If you need a human to contain threats while you sleep, buy MDR. Nothing else meets that requirement.
- If your real problem is that the morning queue is unreadable and the important alert is buried in it, automated investigation addresses that directly and costs an order of magnitude less.
- If you have analysts already, the question is what they should be handed at 09:00: raw alerts, or investigated cases with the reasoning attached.
- If you are accepting the gap, accept it deliberately, in writing, with a named owner and a date to revisit it.
- Whatever you choose, make sure the evidence of what was checked is recorded. Your auditor and your insurer will both ask, and "we looked at it" is not an answer.
Frequently asked
How can a small team get 24/7 security coverage without hiring a night shift?
There are four realistic options: accept the out-of-hours gap as a documented risk decision, put your existing team on an on-call rota, buy a managed detection and response (MDR) service that provides a staffed night shift, or use automated investigation so that alerts are fully investigated overnight and a human is presented with a decision rather than a raw queue. Only MDR puts a human in your environment at 3am; the others change what a human faces when they next look.
What percentage of ransomware is deployed outside business hours?
Sophos reported in its Active Adversary Report 2026 that 88% of the ransomware payloads it observed were deployed outside the victim organisation's business hours, which it described as an all-time high in its dataset. The figure is worth reading in context in the original report at sophos.com, as the sample is drawn from Sophos incident response engagements rather than from all organisations.
Does OwlSOC respond to threats overnight?
OwlSOC investigates overnight but does not respond on your behalf. When an alert fires it runs a full investigation automatically and emails an evidence-linked timeline with a hedged verdict and recommended actions, typically in under two minutes. Any action that would change your environment still requires a human on your team to approve it, and only runs on write scopes you have granted. It tells you whether something is worth getting up for; it does not get up for you.
Is an AI SOC a replacement for MDR for out-of-hours cover?
Not if your requirement is genuinely a human responding at 3am. MDR provides a staffed night shift under an SLA and an AI SOC does not. An AI SOC replaces the investigation work rather than the human responder, so it fits teams whose real problem is an unmanageable alert queue and buried signal, rather than teams who need someone to contain an incident while they sleep.
How should we answer "do you have 24/7 security monitoring?" on an insurance questionnaire?
Answer with what you actually operate. A monitoring dashboard that nobody watches overnight is not 24/7 monitoring, and an alerting tool that emails an unstaffed inbox is not either. Describe the real arrangement: what is collected continuously, what is investigated automatically and when, who is on call and during what hours, and what your target response time is out of hours. Insurers and auditors will generally want evidence that alerts were reviewed and dispositioned, not just that a tool was switched on.
Start with a 30-day refundable pilot. £495, one environment, every alert investigated, a full report at week four. Read-only, live within 48 hours of access.