Skip to main content

Cyber Security Operations Centre (CSOC)

CSOC is a world class cyber security service provider in healthcare.

Page contents

Learn how your organisation can take action to make use of CSOC’s support. You can also speak to your cyber regional lead.

Your CSOC for health and social care 

CSOC is part of the central cyber security team for the NHS. We provide the services needed to enable cyber security within the NHS and wider health and social care sector. 

We monitor for new threats 24 hours a day, 7 days a week, and provide real-time protection for over 2 million devices across the NHS network. We respond rapidly to cyber incidents to protect healthcare systems and reduce the harm they cause.

CSOC enables leaders and employees across the system to deliver better cyber security within their health and care organisations.

We proactively inform the system of cyber security threats, providing expert knowledge and practical guidance to mitigate risks. Our cyber expertise keeps healthcare systems available, and our team includes sophisticated analysts, threat-hunters and intelligence gatherers.  

We help to establish a cyber aware and educated workforce through nationally delivered training services and guidance.

You can read about the cyber security strategy for health and adult social care to 2030.

Why we're here

Cyber crime threatens patient safety. It can be a matter of life or death.

That’s why our mission is to support healthcare and keep vital digital systems and services running.

We’re also here because central investment makes the best use of scarce NHS resources; leveraging centrally funded products and services releases local funding to be addressed to meet your other priorities.

Benefits

Value
Value

Health and social care organisations signing up to CSOC services will benefit from free healthcare specific services and support. Our services are procured and developed at scale to deliver at a national level, meaning better value for money for the Department of Health and Social Care (DHSC).

Threat-led
Threat-led

CSOC is a threat-led security operations centre developed in partnership with the National Cyber Security Centre (NCSC) and specialising in threats to healthcare. Our proactive and advanced teams are dedicated to threat hunting and intelligence gathering - our analysts are world class. 

CSOC’s monitoring and threat intelligence act as an early warning system for potential threats, to help strengthen defences and deter attacks on healthcare organisations before they happen.

Available 24/7
Available 24/7

We’re available 24 hours a day, 7 days a week, 365 days a year to offer support. When a situation escalates, our dedicated incident management team can deploy response teams when deep dive forensic analysis is required.

Defend as one
Defend as one

As a central NHS team, we have deep insight into the healthcare specific cyber threat landscape and we work closely with clinicians and the wider cyber security profession committed to supporting healthcare. 

Our diverse team, developed through specialist recruitment and graduate schemes, ensures we bring a wide range of perspectives to emerging threats.

How CSOC helps defend you

What we do How it helps you
Security monitoring   Monitoring NHS systems and services 24/7/365.

Identifies suspicious activity and flags for investigation. 

Identifies organisations exposed to threats with CSOC providing remediation actions.
Incident response and coordination   On hand support for organisations experiencing a cyber incident – advice on identification, containment and recovery.

Addresses local resourcing gaps 

Provides a consistent approach to incident handling. 

Helps to identify large scale impacts.
Threat hunting   Proactive search for indications of threats on the network. Provides early detection of sophisticated attacker activities, reducing your exposure to malicious activity and cutting attacks short.
Threat intelligence   Share intelligence on new threats, vulnerabilities and exploits. Proactively informs you of vulnerabilities and emerging attacks, helping you to mitigate these threats before they cause harm.
Support   Provides access and support to CSOC services. Informs you about CSOC services and how they can support your cyber security posture.

 

CSOC services and support

Onboarding to our centrally funded security management products helps us to achieve greater visibility and defend as one, at no direct cost to people and organisations in the NHS.

1. Improve CSOC’s visibility of your organisation’s network

24 hours, 7 days of the week, 365 days of the year, CSOC monitors the NHS system for security incidents, using tools such as NHSmail, the Microsoft XDR suite including Microsoft Defender for Endpoints (MDE) Secure Boundary, The Health and Social Care Network (HSCN), and NHS England’s nationally hosted services.

As part of this work we monitor a range of feeds, triage alerts, collate intelligence, and raise incidents as needed.

Your organisation’s local deployment of Microsoft Defender for Endpoints (MDE) and Secure Boundary is key to this work and elevates the protection CSOC can offer.

These tools enhance the visibility CSOC needs to help protect your organisation locally as well as the NHS system as a whole.

By using NHSmail, your organisation benefits from the Microsoft XDR suite, where your Endpoints, Identity, Office 365 and email workloads are security monitored by CSOC.

Action for your organisation

Review your organisation’s use of our centrally funded security management products. More information about NHS Secure Boundary Microsoft Defender for Endpoint is available on our website. 
Or you can speak with your cyber regional lead.

2. Respond with our incident management specialists

CSOC provides support for organisations experiencing a cyber security incident.

We’ll lead the response, standing up a team of specialists including the impacted organisations, dedicated incident handlers, clinical leads, cyber regional leads, information governance, and communication specialists; while also coordinating with healthcare departments, Department of Health and Social Care (DHSC), NHS England, UK government and national agencies.

We may also deploy centrally funded NCSC Level 1 assured Cyber Incident Response (CIR) teams to major incidents. This support will be offered where appropriate during an incident.

Action for your organisation

  • report incidents directly to CSOC by phoning 0300 303 5222
  • develop a robust incident management plan so your organisation is always ready to respond. Speak with your cyber regional lead for support
3. Register for cyber alerts and threat intelligence

CSOC centrally injects intelligence feeds into our security tools, generated from commercial, curated open source, and our own bespoke threat intelligence insights. We also provide darknet and credential compromise monitoring.

We analyse a range of threat intelligence sources to identify new and developing threats, and use that intelligence to undertake threat hunting, develop detections and issue High Severity Alerts (HSAs).

Our dedicated threat hunting team investigate over 2000+ queries each day to safeguard healthcare and fortify our systems.

We also create custom detections and analytics honed specifically for threats targeting our healthcare systems and environments, ensuring tailored precision in our defence strategy.

Action for your organisation

Additional support available

We offer a range of centrally funded products and services to support your cyber security strategy.

These services align to the Cyber Assurance Framework (CAF), and can help you achieve the standards set out in the Data Security and Protection Toolkit (DSPT).

Learn more on our website: Cyber and data security services and resources.

Or speak to your cyber regional lead.

Hear directly from CSOC

The Cyber Associates Network (CAN) is available to NHS and social care organisations. Among many benefits, the network offers opportunities to hear directly from CSOC about a wide range of cyber security topics and technical expertise.

Last edited: 4 June 2025 8:34 am