The Mid-Market Security Gap

Mid-market companies — 100 to 500 employees — live in the worst security position in the industry. They're large enough to be targeted deliberately by threat actors, but too small to afford a dedicated security operations center. They don't get the enterprise discounts that Fortune 500 companies negotiate, and they don't have the simplicity of a 20-person shop where one IT generalist can cover everything.

I've built security programs for dozens of companies in this range. The budget conversation always starts the same way: "We know we need to do something, but we don't know where to start, and we can't spend like a bank." Fair enough. Here's exactly how I'd allocate $50,000 in annual security spend for a 200-person company running Microsoft 365 and Azure.

Assumption: This stack assumes you're already paying for Microsoft 365 Business Premium ($22/user/month). That license includes Entra ID P1, Intune, Defender for Office 365 Plan 1, and Conditional Access. If you're on a lower M365 tier, upgrade first — dollar for dollar, it's the highest-impact security investment you can make.

The Allocation

Priority  Category                      Annual Cost  Risk Addressed
1         Identity & Access Management  $8,000       Account takeover, lateral movement
2         Endpoint Protection           $12,000      Malware, ransomware, data exfil
3         Email Security                $6,000       Phishing, BEC, credential theft
4         Network Monitoring            $10,000      Lateral movement, C2 traffic, anomalies
5         Backup & Recovery             $8,000       Ransomware recovery, data loss
6         Security Operations           $6,000       Alert fatigue, unmonitored gaps
          Total                         $50,000

Let me walk through each layer and explain exactly what I'd buy, what I wouldn't, and why the priority order matters.

Priority 1: Identity & Access Management — $8,000

Identity is the perimeter. I don't say that because it's a conference slide — I say it because every breach I've investigated in the last five years started with a compromised identity. Phished credentials, password reuse, a service account with no MFA. The attack surface is the login prompt.

Where the $8,000 goes:

  • Entra ID P2 upgrade ($6/user/month for 50 privileged users) — ~$3,600/year — gives you Privileged Identity Management (PIM) for just-in-time admin access, Identity Protection with risk-based conditional access, and access reviews. You don't need P2 for all 200 users. You need it for every account that can do damage: admins, finance, HR, exec team.
  • Hardware security keys for all admins — ~$1,200 — buy YubiKeys for every global admin, billing admin, and privileged role holder. Phishing-resistant MFA is the single most effective control against account takeover. The authenticator app is good. FIDO2 keys are better.
  • Conditional Access policy design and tuning — $3,200 — this is where your consulting budget goes. Hire someone (or allocate internal time) to design a complete Conditional Access policy set: device compliance requirements, location-based restrictions, session timeouts, legacy auth blocking, and sign-in risk policies. A well-designed CA policy set is worth more than any tool you'll buy.

The mistake I see most often: Companies enable MFA for everyone and consider identity "done." MFA is necessary but not sufficient. Without Conditional Access policies enforcing device compliance, you've got fully authenticated users on compromised personal devices accessing your most sensitive data. MFA proves identity. Conditional Access enforces context.

Priority 2: Endpoint Protection — $12,000

Endpoint protection gets the largest allocation because it covers the most attack surface. Every laptop, every workstation, every server is a potential entry point, lateral movement hop, and data exfiltration channel.

  • Microsoft Defender for Endpoint P2 ($5.20/user/month × 200 users) — ~$12,480/year — yes, this technically exceeds the $12K allocation. In practice, you'll negotiate this down with your Microsoft partner or bundle it into an E5 Security add-on. What you get: EDR with full investigation capabilities, automated investigation and response, threat analytics, attack surface reduction rules, and web content filtering.

Why Defender for Endpoint and not a third-party EDR? Because at this budget level, you cannot afford the integration overhead. The Microsoft stack talks to itself — Defender for Endpoint feeds signals into Sentinel, correlates with Entra ID Protection risk scores, and triggers Conditional Access policies automatically. That signal chain is what turns a collection of tools into a security program.

What I'd configure immediately after deployment:

  • Attack Surface Reduction (ASR) rules in block mode for Office macro execution, credential stealing from LSASS, and untrusted process execution from USB
  • Automated investigation set to "full" — let the platform handle commodity alerts so your team can focus on the alerts that matter
  • Device compliance policies in Intune tied to Conditional Access — no device that fails a health check gets access to corporate resources

Priority 3: Email Security — $6,000

Email is still the number one initial access vector. It's not close. Every year the reports say the same thing, and every year organizations under-invest in email security because they think their spam filter is enough.

  • Defender for Office 365 Plan 2 (included in M365 E5 Security add-on, or $5/user for 200 users if standalone) — budget $4,000 — this adds attack simulation training, automated investigation for phishing, campaign views, and threat trackers. Plan 1 (included in Business Premium) gives you Safe Attachments and Safe Links. Plan 2 gives you the investigation and training capabilities that actually reduce phish-click rates over time.
  • DMARC, DKIM, SPF configuration and monitoring — $2,000 — allocate consulting time to properly configure email authentication for all sending domains. Deploy DMARC in enforcement mode (reject). Monitor DMARC reports monthly to catch misconfigurations. This prevents your domain from being spoofed in phishing campaigns targeting your employees, customers, and partners.
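The monthly DMARC check described above, as an added example that is not code from the original post: it flags a DMARC record that is still in monitoring mode and summarises an aggregate (rua) report by sending IP so you can spot spoofers and forgotten legitimate senders. The records, the report XML and the IP addresses are constructed samples, so the script runs offline.

```python
"""Added example, not from the original post: checks a DMARC TXT record
against the enforcement posture recommended above and summarises a DMARC
aggregate (rua) report by sending IP; all inputs are constructed samples."""
import xml.etree.ElementTree as ET
from collections import defaultdict

def parse_tags(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, _, val = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = val.strip()
    return tags

def check_dmarc(record):
    """Return findings; an empty list means the domain is at p=reject."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") != "reject":
        findings.append(f"policy p={tags.get('p', 'missing')} is not reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} leaves some mail unenforced")
    if "rua" not in tags:
        findings.append("no rua address, so aggregate reports never arrive")
    return findings

def summarise_report(xml_text):
    """Per source IP: messages seen, and messages aligned with neither DKIM nor SPF."""
    totals = defaultdict(lambda: {"count": 0, "failed": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        totals[ip]["count"] += count
        if not aligned:  # a spoofer, or a legitimate sender you forgot to authorise
            totals[ip]["failed"] += count
    return dict(totals)

# Constructed samples: a monitoring-only record, an enforcing one, and a two-source report.
WEAK_RECORD = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
GOOD_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_REPORT = """<feedback><record><row><source_ip>203.0.113.10</source_ip>
<count>120</count><policy_evaluated><dkim>pass</dkim><spf>pass</spf>
</policy_evaluated></row></record><record><row><source_ip>198.51.100.7</source_ip>
<count>35</count><policy_evaluated><dkim>fail</dkim><spf>fail</spf>
</policy_evaluated></row></record></feedback>"""
```

Real aggregate reports arrive as zipped XML attachments at the rua address; feed their contents to summarise_report and investigate any source with a non-zero failed count before moving p=none to p=reject.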

Priority 4: Network Monitoring — $10,000

At a 200-person company, you're not building a SOC. You're building visibility. The goal is to have enough telemetry to detect an active intrusion and enough context to respond to it — even if "respond" means calling an incident response retainer.

  • Microsoft Sentinel (consumption-based) — ~$7,000/year — deploy Sentinel with data connectors for Entra ID sign-in logs, Defender for Endpoint alerts, Office 365 audit logs, and Azure activity logs. Use the built-in analytics rules for the top 20 detection scenarios. Don't try to build custom detections on day one — get the fundamentals working first.
  • Log retention configuration — $1,000 — configure 90-day hot retention in Sentinel and 365-day archive in Azure Monitor. Most compliance frameworks require 12-month log retention. This is cheap and non-negotiable.
  • Alert routing and initial response playbooks — $2,000 — build three Logic App playbooks: high-severity alert → Teams notification to security team, identity compromise alert → automated Conditional Access block + manager notification, suspicious email → automated submission to Defender for investigation. These won't replace a SOC, but they'll make sure critical alerts don't sit in a queue over the weekend.

Priority 5: Backup & Recovery — $8,000

Backup is your insurance policy. Everything else in this stack tries to prevent a breach. Backup is what keeps you in business when prevention fails — and prevention will fail eventually.

  • Azure Backup for servers and Azure resources — ~$3,000/year — back up every production VM, SQL database, and file share to Azure Recovery Services vaults. Configure 30-day daily retention, 12-month monthly retention.
  • Microsoft 365 backup (third-party) — ~$4,000/year — M365 native retention policies are not backup. Use a dedicated M365 backup solution (Veeam, AvePoint, or similar) to back up Exchange, SharePoint, OneDrive, and Teams data with point-in-time recovery. This is your ransomware recovery capability for cloud data.
  • Recovery testing — $1,000 — quarterly recovery test for one critical system. Restore to an isolated environment, verify data integrity, document recovery time. If you haven't tested your backup, you don't have a backup.

Non-negotiable rule: Backup accounts must be isolated from your primary Entra ID tenant. Use break-glass accounts with FIDO2 keys stored in a physical safe. If an attacker compromises your admin accounts and can also delete your backups, you have zero recovery capability.

Priority 6: Security Operations — $6,000

This is the piece most small companies skip entirely, and it's the reason the rest of the stack underperforms. Tools without operations are just shelfware generating unread alerts.

  • Incident response retainer — $4,000/year — contract with a security firm for an annual retainer that includes a guaranteed response SLA (typically 4 hours), a defined number of incident response hours, and an annual tabletop exercise. You will not build an IR capability internally at this company size. Outsource it, but have the contract before you need it.
  • Monthly security review — $2,000 — allocate 8 hours per month (internal or external) for a structured security review: Sentinel alert triage, Secure Score review, Conditional Access policy validation, backup verification, and outstanding vulnerability remediation. This is not glamorous work. It's the work that keeps the program alive.

What I'd Cut If the Budget Got Halved

If someone told me I had $25,000 instead of $50,000, here's what survives:

  • Keep: Identity (all of it), Endpoint Protection, Email Security, Backup. These four layers cover the attack chain from initial access through recovery.
  • Cut: Network monitoring (Sentinel) and Security Operations retainer. This hurts — it means slower detection and response — but the alternative is skimping on prevention, which is worse. At $25K, you're betting on prevention and recovery rather than detection and response.
  • Downgrade: Move from Defender for Endpoint P2 to P1 (saves ~$5K). You lose automated investigation and some advanced hunting capabilities, but you keep the core EDR.

Final Thoughts

Security spending is risk management, not checkbox completion. Every dollar in this stack is tied to a specific risk that has a defined likelihood and impact for a 200-person company. Identity first, because it's where breaches start. Endpoint and email next, because they're the highest-volume attack surfaces. Monitoring and operations last — not because they're unimportant, but because prevention buys you more risk reduction per dollar at this budget level.

If you're a mid-market CISO staring at a limited budget and an expanding threat landscape, stop trying to build a miniature enterprise SOC. Build a focused, integrated stack that covers the critical path from initial access to data exfiltration, test your backups, and have an IR retainer on speed dial. That's a security program.

— Jamel A. Housen, Melhousen Solutions