Shortlist fit
Microsoft-aligned enterprises or public-sector buyers that want Sentinel operated by an external SOC
Provider handles
Service investigates and gives response guidance. Your team owns the action.Check before buying
Maintaining Azure, Microsoft Sentinel and required Microsoft licencesAlso fits
- Teams that need SIEM monitoring and investigation but want to keep remediation authority internal
- Buyers that need public procurement signals and named support paths
- Security teams that can provide Azure, licensing, log sources and business context
Can replace
- Some tier 1 Sentinel monitoring and incident triage
- Routine Sentinel rule build, tuning and operational reporting work
- After hours review and escalation for in-scope Sentinel incidents
Coverage
Provider covers
- Microsoft Sentinel monitoring for events from cloud and physical networks
- Microsoft 365 Defender incident synchronization into Sentinel
- SOC analyst triage, investigation and advice by severity
Your team still owns
- Configuring log-source devices and network connectivity so logs reach the service
- Taking remediation and containment actions after BT advises on the incident
- Paying for extended log retention, platform usage or professional services outside the base order
Tradeoffs
Works well
- Clear fit for buyers that specifically want Microsoft Sentinel managed
- Public G-Cloud listing exposes a starting price, support model and offboarding process
- BT documents buyer prerequisites and log-source responsibilities more clearly than many managed SIEM pages
Watch out for
- Not MDR or full SOC outsourcing by default
- Buyer still owns remediation and containment unless another service covers it
- Microsoft licensing, ingestion, retention and professional services can add cost beyond the public starting signal
Pricing
- Price
- Public G-Cloud price from £6,275 per instance
- Billing
- Flat-fee, Custom
Questions to ask
- Which incidents receive analyst investigation versus alert forwarding, and what are the notification targets by severity?
- Which remediation or response actions, if any, can BT execute without a separate XDR or professional-services scope?
- How much of the final cost sits in Microsoft licensing, data ingestion, retention, onboarding and professional services?
Integrations
- SIEM
- Microsoft Sentinel
- EDR / Endpoint
- Microsoft 365 Defender
- Microsoft Defender suite
- Cloud
- Other
- CEF
- Syslog
- Microsoft 365 security incidents
- Third-party data connectors
Editorial notes
Why investigate-and-advise lane
BT's service definition says SOC analysts conduct incident investigation so they can advise the buyer on the course of action. That is more than monitoring, but public evidence does not show base-scope direct containment.
Microsoft-first boundary
The service fits buyers that want Microsoft Sentinel operated by an external SOC. Buyers without Azure, Sentinel or the required Microsoft licences should treat those prerequisites as part of the buying decision.
XDR boundary
BT sells Managed Sentinel and XDR language together in some materials. This profile keeps the label to Managed Sentinel because the core public service is Sentinel monitoring, triage, tuning and advice.
Pricing boundary
The public G-Cloud listing gives a useful starting signal, but it is not the full operating cost. Microsoft platform charges, log retention, onboarding, onsite support and professional services can change the real budget.