What security function(s) usually is(are) not outsourced?

Prepare for the Network Security (NETSEC) 2 Exam. Utilize flashcards and multiple choice questions, complete with hints and detailed explanations. Excel in your security skills!

Multiple Choice

What security function(s) usually is(are) not outsourced?

Explanation:
Security planning is usually kept in-house because it shapes governance, policies, and the overall risk posture in a way that must reflect the organization’s specific objectives, regulatory obligations, and business processes. It requires deep, context-specific understanding of the company’s risk tolerance and strategic priorities, which is difficult for an external party to fully capture. Outsourcing planning could lead to policies and control decisions that don’t align with actual business needs and could weaken internal oversight and accountability.

Intrusion detection and vulnerability testing, on the other hand, are technical, operational tasks where specialized tooling, constant monitoring, and up-to-date expertise provide clear value from external providers. Organizations often hire MSSPs and pentest firms to cover these areas because it’s cost-effective and scalable, without sacrificing security effectiveness.

So, the function that is usually not outsourced is security planning.