Hey đź‘‹, it’s Amy here, the Community Manager at D3 Security and host of the “Let’s SOC About It” podcast. In the most recent episode, I sat down with Johannes Kresse, an MSSP and SOC expert from Germany, for a discussion on the state of cybersecurity in German SOCs.
Diving into AI adoption, automation trends, NIS2 compliance challenges, and Kresse’s new SOC mapping resource, this conversation offers a fresh perspective for cybersecurity professionals curious about the SOC landscape in EMEA.
Growing AI and Automation Trends in German SOCs
Kresse is closely watching AI and automation adoption and has seen a sharp acceleration across German SOCs over the past year. He traces most of that pressure back to the adversary side. Attackers are already using AI to move faster, and defenders are having to catch up on automation just to keep pace.
By his account, the biggest shift in the last twelve months has been in playbook automation, automated response, and detection verification. The manual steps analysts once took to work through a given alert have been almost entirely automated. SOC teams are now applying AI beyond the alert queue too, into reporting, compliance, and attack surface monitoring, which puts pressure on analysts to make faster, more decisive calls.
Compliance Pressures and Adhering to NIS2
The NIS2 Directive is one of the biggest forces reshaping the German cybersecurity market right now. It demands stricter security measures and, for the first time, puts direct liability on company leadership. As Kresse put it:
“The biggest thing in NIS2 is that management, especially CEOs, have to take care of it. They’re responsible… for a good way of handling security inside their companies, and they’re liable.”
The directive went into effect six months ago, and the lead-up to it was tense. Kresse recalled:
“Actually, the panic started beforehand. Everyone is… running around like crazy. ‘Oh, what do I have to do? What’s it all about?’”
Many organizations are still finding that their existing tools and processes don’t hold up under NIS2’s requirements, and the added compliance workload has stretched SOC teams thin. That gap is a big part of why automation has become non-negotiable.
Outsourcing vs. Insourcing: Trends in SOC Management
A particularly compelling comparison was drawn between North American and European SOC management strategies. Anecdotally, I’ve noticed a subset of mid-sized businesses in North America that are pulling some security functions in-house, aided by advances in AI. Gartner’s The Impact of AI on MDR Services also suggests that SOCs will consider insourcing low-tier SOC functions.
Germany’s picture looks more mixed. Kresse pointed to a growing sovereignty debate across Europe that’s pushing some companies to reconsider keeping security services in-house. But he was quick to add that MSSPs still play an essential role, especially for smaller organizations that don’t have the headcount to handle security alone. Companies across Mid-Europe, he said, are increasingly concluding they need more support, not less.
Risks of Sole Experts and Need for Institutional Knowledge
The conversation also touched on the potential risks of relying too heavily on individual experts in SOCs. In the episode, I pointed out the vulnerabilities this can create:
“This is the exact same thing that we experience with building playbooks… the one guy has all of the playbook knowledge, and then he leaves. And then what are you supposed to do?”
Kresse agreed, and put it best:
“Your playbook is your biggest asset. It’s your bible for how to react to attacks and what to do when certain alerts fire.”
The SOC/MSSP Map: Bringing Transparency to the German Market
One of the most practical outcomes of Kresse’s work is his new SOC map, a curated resource built to help companies navigate Germany’s crowded field of Managed Security Service Providers. He built it after realizing there was no good starting point for a mid-sized company trying to find the right fit. Most just Google it, with nothing reliable to guide the search.
The map now covers more than 155 MSSPs operating in or near Germany, categorized by technology stack, operational approach, and specialization, so companies can match providers to their actual needs. Fit matters in both directions, Kresse noted: not every customer is right for every MSSP, and vice versa. The map exists to make that matching process more transparent for everyone.
For companies struggling to find an MSSP that aligns with their needs in Germany, this map serves as a valuable resource to streamline the decision-making process.
Understanding the Cybersecurity SOC Market in Germany
Germany’s SOC market is being reshaped from two directions at once. NIS2 is forcing management to own security outcomes and adding compliance workload SOC teams weren’t built for, and AI-driven adversaries are forcing faster automation just to keep pace. That pressure is pushing some companies to reconsider what they insource versus outsource, driven in part by Europe’s broader sovereignty debate, even as MSSPs remain essential for the many organizations too small to go it alone. Kresse’s SOC map is a direct response to that shift: a way to bring transparency to a market where finding the right partner has mostly come down to guesswork. The throughline across all of it is the same one Kresse hit on with playbooks: knowledge that lives in one person’s head, or in one under-documented process, doesn’t survive contact with a market moving this fast.
Keep an eye on Johannes Kresse and his contributions to the MSSP community for future updates. His SOC map provides a unique resource for companies grappling with these changes. For more insights from the podcast, visit his website, JohannesKresse.com, or follow D3 Security on LinkedIn to stay engaged with industry developments.

