# A $500M manufacturer insources from MSSP to in-house SOC: what it looks like 6 months later

# A $500M manufacturer insources from MSSP to in-house SOC: what it looks like 6 months later

*After two years of missed alerts and rising SIEM costs, Rodney Stewart’s team replaced their MSSP with Radiant and insourced SOC operations without adding a single headcount.*

[Spotlighting Security Stars](#results-from-the-field)

 ![](https://radiantsecurity.ai/wp-content/uploads/2026/04/Screenshot-2026-04-30-at-17.55.54.png)

### **Challenges**

MSSP repeatedly failed to alert on malicious activity, leading to confidence issues

Pivoting across multiple tools to investigate a single alert

SIEM license hit capacity, creating monitoring gapss

[block link](#challenges)

### ****Solution****

In-house AI SOC instead of outsourced SOC

Alerts triaged in a single platform

Integrated log management at S3-level costs — ingesting 10x the previous volume

[block link](#solution)

### ****Results****

Improved threat detection

MTTR reduced to <5 minutes

Increased attack surface coverage powered by Log sources previously dropped due to SIEM costs

[block link](#results)

## **The outsourcing model: when the ROI stops adding up**

Rodney Stewart runs infrastructure engineering, systems engineering, and security at Rehrig Pacific, a manufacturer responsible for nearly half the residential waste containers outside US homes and a plethora of innovative logistics products used by millions daily. Four factories, 1,800 employees, over half a billion dollars a year. His team is lean by design and run by analysts who wear multiple hats.

For two years, they ran on an MSSP with bundled licenses: SIEM , vulnerability management, EDR and handled monitoring and escalation. On paper, it was a one-stop shop. In practice, it was a different story. The service provider oscillated between flooding their ITSM solution with low-fidelity tickets and missing activity that actually mattered in Rehrig’s environment. Adding a dashboard could take months. There was never real confidence that the right things were being watched. Small things got missed consistently enough that the team stopped trusting what was being surfaced.

The deeper problem: because the MSSP was pushing noise into their ITSM solution, Rodney’s team was handling triage work themselves across various tools. They were already doing the job, they were just paying someone else to decide what landed on their plate.

Note: Rehrig’s leadership, a strong believer in AI as the future of security operations, introduced Radiant into the stack, not as a replacement for anything, but as a focused tool to handle triage in categories that generated the most manual work for the team. Radiant wasn’t a core part of the infrastructure at that point. It was taking the load off triage in two specific areas, running alongside their MSSP.

> “*After experiencing multiple challenges with our previous MSSP, including failure to alert us about malicious activity and increasing costs associated with traditional SIEM solutions, we determined it was more advantageous to leverage an AI tool*.”
>
>
>
> **Rodney Stewart**
> Infrastructure Engineering & Security Manager

## ****Rodney Stewart****

- +20 years of experience in the IT, telecommunications, and manufacturing industries
- Leads a team of security, systems, and network engineers
- Responsible for designing, implementing, and maintaining the security network infrastructure and systems

![](https://radiantsecurity.ai/wp-content/uploads/2026/05/image-Photoroom-21-e1778075255705.webp)

![](https://radiantsecurity.ai/wp-content/uploads/2025/11/Vector-2.png)

Rehrig Pacific Company, USA

1800 employees

Leader in Supply Chain & Waste Solutions

Challenges

## **The tipping point: when the SIEM runs out of room**

The pain point accelerated when their SIEM license repeatedly hit capacity. New firewalls went in with nowhere to send their logs. A monitoring blind spot opened overnight. Closing it through the MSSP meant renegotiating costs that were already outpacing value. At exactly that moment, Radiant announced two things that reframed the conversation entirely: integrated log management at no extra cost, and support for any alert type, not just the common categories.

For Rehrig’s manufacturing environment, that meant a significant reduction in their threat surface. Radiant’s ability to triage any manufacturing-specific complex alert without pre-built playbooks meant it could grow with Rehrig’s environment rather than impose a coverage ceiling on it

## The incident that highlighted the gaps between Radiant and the MSSP

Running Radiant in parallel with the MSSP, an Impossible Travel alert fire. The MSSP flagged one compromised user and closed the ticket. Meanwhile, Radiant correlated authentication activity across the environment and identified 31 accounts, the full scope of an active credential campaign. This incident demonstrated the impact of having a tool that provides more context than any MSSP analyst could.

> “*Our MSSP generated an Impossible Travel alert for a single compromised user, but failed to identify or notify us of the broader campaign. Radiant independently detected suspicious authentication activity across 31 user accounts, immediately revealing the full scope of the incident. This allowed us to remediate all affected users in one action instead of investigating user-by-user, significantly reducing investigation time and preventing further damage*.”
>
>
>
> **Charles Kabesa**
> Security Analyst

### Goals & limitations
at a glance

- Find a solution that escalates high-fidelity alerts, not noise
- Reduce time spent pivoting across tools to investigate a single alert
- Improve speed of response and reduce MTTR

## **Charles Kabesa**

- Security Analyst | Risk, Resilience & Long-Term Security
- **IT is all about:**building redundancies, planning for worst-case scenarios, and securing critical systems
- **The goal is simple**: identify risk, anticipate failure, and build systems that protect what matters.

![](https://radiantsecurity.ai/wp-content/uploads/2026/05/image-Photoroom-20.webp)

![](https://radiantsecurity.ai/wp-content/uploads/2025/11/Vector-2.png)

Rehrig Pacific Company, USA

1800 employees

Leader in Supply Chain & Waste Solutions

Solution

## ****A buyout proposal: the practical solution to switching vendors**** mid contract

Leaving an MSSP mid-contract is not something most companies do. However, Radiant enabled Rehrig to do it seamlessly. Through their buyout program, Radiant price-matches to the existing MDR or MSSP contract, covers the remaining term of the agreement, and starts service immediately. For Rehrig, the commercial barrier that typically keeps teams locked into underperforming managed services was addressed by Radiant’s program, without breaking a legal contract.

## ****6 months into Radiant: one dashboard, no tool pivoting****

Six months after replacing their MSSP and SIEM solution , the operational change is concrete. Alerts from EDR, cloud, internal servers, password manager, email detection, and network solutions flow into Radiant, arriving enriched.

Around 70–80% of the context needed to make a decision is already assembled when the alert fires: host details, user activity, related events, and timeline. What previously required moving across three to five tools and manually stitching a picture together now lands in a single view.

> “*Before Radiant, most of my day was spent pivoting between tools — SIEM, EDR, email gateway, network logs, and ticketing — and manually stitching together context. Alerts would come in, but I’d still have to dig for host data, user activity, and historical logs to understand what was actually happening. It was very reactive and time-consuming*.”
>
>
>
> **Charles Kabesa**
> Security Analyst

MTTR dropped to minutes. Triage summaries copy directly into Jira — the documentation writes itself. Radiant’s engineers co-built automated filters for benign alerts alongside the team, so noise continues to fall rather than sit fixed. And with SIEM gone, Rehrig now ingests log sources they previously had to drop entirely. More coverage, lower cost.

> “I**nstead of going to multiple systems and getting different people with expertise in different systems — from EDR to Email to the actual Network logs — it’s all right there when we open up the alert**.”
>
>
>
> **Rodney Stewart**
> Infrastructure Engineering & Security Manager

### Solution at a glance

- Buy-back program
- Radiant implemented directly for all alert types and logging

Results

## **Why insourcing held up months later**

The three blockers that typically drive teams toward MSSPs are coverage, expertise gaps, and response speed and accuracy. Rehrig’s experience maps to each one directly.

**On coverage:** Radiant solves the coverage problem by guaranteeing that what gets escalated is actually worth acting on and that it creates urgency. A few weeks ago, a GuardDuty alert fired on a compromised AWS API key — unauthorized authentication from a residential IP in a foreign country. Radiant caught it, marked it malicious, and escalated. Rodney texted the CTO on a Saturday morning. Remediated by Monday.

**On expertise:** Radiant’s engineers didn’t hand Rehrig a platform and disappear. They worked alongside the team to build filters, troubleshoot connector issues during migration, and configure the platform to Rehrig’s specific environment.

**On speed:** With enriched alerts, unified triage, and automated response workflows, MTTR dropped from 20–30 minutes to five. The context that previously required manual investigation across multiple systems is assembled by the time the analyst opens the alert.

**On accuracy:**Radiant runs more correlation queries per alert than any human analyst could. The 31-account campaign proved the impact of Radiant’s context and triage depth.

> “*The platform’s strength lies in minimizing errors made by people and leveraging artificial intelligence to review numerous system logs simultaneously, which streamlines the assessment of potential threats*.”
>
>
>
> **Rodney Stewart**
> Infrastructure Engineering & Security Manager

Rehrig’s partnership with Radiant Security delivered what two years with a managed provider hadn’t: confidence that real threats get caught, and clarity on what the SOC is actually doing.

> “**With AI now serving as a SOC, I believe most organizations are capable of bringing their SOC operations in-house. Validating alerts as true or false has become much simpler from a data gathering perspective**.”
>
>
>
> **Rodney Stewart**
> Infrastructure Engineering & Security Manager

### Results at a glance

- 10X log sources ingested at a fraction of previous storage costs
- MTTR to ~5 minutes
- MSSP and SIEM are replaced by a single AI SOC platform
- Data-gathering effort for decision-making reduced by 70–80%
- Benign alert noise reduced via automated filters co-built with Radiant engineers