24x7 SOC Build vs MDR in India: The True Cost in INR

By Nirav Goti, Jun 16, 2026, 13 min read

A genuine 24x7 SOC build in India runs INR 3.8 to 5.6 crore per year at steady state once you stack eight to twelve analysts across three shifts, SIEM and EDR licensing, threat intel, and the CERT-In six-hour reporting workflow. A co-managed MDR engagement for the same coverage band typically costs INR 90 lakh to 1.6 crore per year, and a full MDR with India-based response runs INR 1.4 to 2.4 crore. The decision is rarely about who is cheaper this quarter; it is about which model survives an audit, a ransomware event, and a 22-month attrition cycle without becoming a board-level problem.

Why US SOC Cost Benchmarks Lie to Indian CFOs

Most "SOC TCO" calculators an Indian CFO finds on the open web were written for a US buyer. They assume an L1 analyst at USD 75,000 to 95,000, an L2 at USD 110,000 to 140,000, and a SIEM at USD 0.50 to 1.00 per GB ingested. Multiplied at INR 83 to the dollar, the model produces numbers that look terrifying and force a "buy MDR" conclusion without examining whether the inputs even apply.

The Indian reality is different on every line item. SOC analyst salaries in Mumbai and Bengaluru sit at a fraction of US levels, but attrition is materially higher: NASSCOM and industry trackers have reported cyber talent attrition in the 25 to 35 percent range through 2024 and 2025, against roughly 13 to 18 percent in mature US SOCs. SIEM list prices are often quoted in USD globally but negotiated aggressively in INR for Indian deals, with effective discounts of 30 to 55 percent common on multi-year commits. And the regulatory clock is not the US 72-hour SEC disclosure window — it is the CERT-In 28 April 2022 directive that mandates reporting of any of 20 specified cyber incidents within six hours of "noticing or being brought to notice."

That six-hour clock alone reshapes the economics. A US-spec SOC built around an eight-hour mean-time-to-detect target is, by construction, non-compliant in India. Any honest TCO model has to price the staffing, tooling, and process maturity needed to detect, triage, decide, and file with CERT-In inside six hours — not just "monitor 24x7." Indian CFOs comparing build vs MDR with US benchmarks are answering the wrong question with the wrong numbers.

True Cost of a 24x7 SOC Build: L1/L2/L3 Salaries in Mumbai and Surat

A defensible 24x7 in-house SOC needs three shifts plus weekend rotation, which is roughly 4.2 full-time equivalents per seat after factoring leave, training, and burnout buffer. A minimum credible structure is six L1 analysts, three L2 analysts, one L3 / threat hunter, one SOC manager, and a part-allocated incident response lead — twelve heads, give or take.

Based on engagements Certbar has scoped across Mumbai, Pune, Bengaluru, and Surat through 2024 and 2025, realistic fully-loaded CTC bands look like this:

  • L1 SOC analyst (Mumbai/Bengaluru): INR 6 to 10 lakh per year. Surat/Ahmedabad: INR 4.5 to 7.5 lakh.
  • L2 SOC analyst (Mumbai/Bengaluru): INR 12 to 20 lakh. Surat/Ahmedabad: INR 9 to 15 lakh.
  • L3 threat hunter / IR lead (any metro): INR 24 to 42 lakh.
  • SOC manager: INR 28 to 50 lakh.
  • Loaded cost multiplier (benefits, equipment, seat, training, PF, gratuity, insurance): roughly 1.35 to 1.5x CTC.

Run the math at the midpoint with a Mumbai-heavy team and the people line lands around INR 2.3 to 2.9 crore per year before tooling. Build the same team out of Surat or a hybrid Surat-Mumbai split, and the people cost drops to roughly INR 1.7 to 2.2 crore — a 20 to 28 percent saving that compounds across a three-year window. This is one reason Certbar's own SOC delivery footprint anchors in Surat with a Mumbai response presence rather than the inverse.

Two cost lines almost every internal model under-counts. First, attrition replacement: at 30 percent annual attrition, you will hire and re-train roughly four of twelve seats every year. Loaded recruitment plus onboarding plus 90-day productivity lag is INR 3.5 to 6 lakh per replacement, or INR 14 to 24 lakh annually. Second, shift differential and on-call premium: night and weekend shift allowances of 15 to 25 percent are now standard to retain L1/L2 staff in tier-1 cities. That is another INR 25 to 40 lakh per year you will not see in a US template.
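The staffing arithmetic in this section as a small Python calculator, added here as a worked example (it is not Certbar's own model or spreadsheet): it derives shift headcount from the 4.2 FTE-per-seat factor and builds the people line from midpoint CTC bands, the loaded multiplier, 30 percent attrition replacement and the night/weekend differential. The city keys, role keys and the 4.75 lakh replacement cost (midpoint of the 3.5 to 6 lakh band) are assumptions, and the part-allocated IR lead is left out, so the totals check the method rather than reproduce the quoted ranges.

```python
"""Worked example of the staffing arithmetic above, in INR lakh per year.
Added illustration, not Certbar's spreadsheet: CTC inputs are midpoints of the
bands quoted in this section; the IR lead (part-allocated) is left out."""
import math
from dataclasses import dataclass

# Midpoint CTC per role, INR lakh. L3 and manager are "any metro" rates.
CTC_MIDPOINT = {
    "mumbai": {"L1": 8.0, "L2": 16.0, "L3": 33.0, "manager": 39.0},
    "surat": {"L1": 6.0, "L2": 12.0, "L3": 33.0, "manager": 39.0},
}
# Minimum credible structure from the text: six L1, three L2, one L3, one manager.
HEADCOUNT = {"L1": 6, "L2": 3, "L3": 1, "manager": 1}


def heads_for_seats(seats: int, fte_per_seat: float = 4.2) -> int:
    """Analysts needed to keep `seats` chairs filled 24x7 after leave/training."""
    return math.ceil(seats * fte_per_seat)  # two seats -> nine shift analysts


@dataclass
class PeopleCost:
    salaries: float       # loaded CTC for the whole roster
    attrition: float      # replacement hiring plus 90-day productivity lag
    shift_premium: float  # night/weekend allowances on the L1/L2 roster

    @property
    def total(self) -> float:
        return round(self.salaries + self.attrition + self.shift_premium, 1)


def people_cost(city: str, loaded_multiplier: float = 1.425,
                attrition_rate: float = 0.30, replacement_cost: float = 4.75,
                shift_differential: float = 0.20) -> PeopleCost:
    """Annual people line in INR lakh for the HEADCOUNT roster in one city."""
    ctc = CTC_MIDPOINT[city]
    base = sum(n * ctc[role] for role, n in HEADCOUNT.items())
    # Attrition hits every seat: 30 percent of the roster is rehired each year.
    replacements = sum(HEADCOUNT.values()) * attrition_rate
    # Only the shift-working L1/L2 staff draw the night/weekend differential.
    shift_base = HEADCOUNT["L1"] * ctc["L1"] + HEADCOUNT["L2"] * ctc["L2"]
    # mumbai -> salaries 239.4, attrition 15.7, shift 19.2, total 274.3 lakh
    return PeopleCost(
        salaries=round(base * loaded_multiplier, 1),
        attrition=round(replacements * replacement_cost, 1),
        shift_premium=round(shift_base * shift_differential, 1),
    )
```

Swap the midpoints for your own offer letters and the multiplier for your finance team's loaded-cost factor; the shape of the calculation stays the same.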

Hidden Costs: SIEM Licensing, EDR, Threat Intel, On-call Premiums

Tooling is where in-house budgets quietly double. A mid-market Indian enterprise with 800 to 2,500 endpoints and 60 to 200 GB per day of relevant log volume will spend, at India-negotiated rates:

  • SIEM platform (Splunk, Sentinel, QRadar, Elastic, Securonix): INR 60 lakh to 1.4 crore per year depending on ingest model. Microsoft Sentinel pay-as-you-go pricing publicly starts around USD 2.46 per GB ingested before commitment tiers, which at 100 GB per day is roughly INR 7.4 crore per year at list and INR 1.1 to 1.6 crore after a realistic commitment-tier discount.
  • EDR/XDR (CrowdStrike, SentinelOne, Microsoft Defender, Sophos): INR 40 lakh to 1.1 crore for 1,500 to 2,500 endpoints at India street pricing.
  • SOAR / case management: INR 18 to 45 lakh, or "free" if bundled with SIEM (you will pay for the integration consulting either way).
  • Threat intelligence feeds (Recorded Future, Mandiant, Anomali, sector ISAC subscriptions): INR 25 to 75 lakh.
  • Vulnerability management, deception, NDR, DLP overlays: INR 20 to 60 lakh combined.
  • Data egress, backup, and 180-day log retention storage (mandated by the CERT-In directive): INR 12 to 35 lakh.

Mid-point tooling stack: INR 1.8 to 2.6 crore per year. Add people at INR 2.0 to 2.9 crore, attrition and shift premiums at INR 0.4 to 0.65 crore, and the steady-state run rate of an honest in-house 24x7 SOC sits in the INR 4.2 to 6.1 crore per year band, before the CERT-In compliance overhead discussed next. First-year build is 15 to 25 percent higher due to recruiting ramp, tool implementation, use-case engineering, and tabletop maturity work.

The CERT-In 6-Hour Reporting Tax on In-House SOCs

Section 70B of the IT Act, operationalised by the 28 April 2022 directive, requires reporting of 20 categories of incidents within six hours. Ransomware, identity compromise, data breach, attacks on critical infrastructure, and targeted scanning of protected systems are all on that list. The Ministry of Electronics and IT has reiterated that this clock starts from "noticing" — meaning the moment any analyst, tool, or third party flags a potential incident, not the moment the SOC manager confirms it.

For an in-house SOC, that single clause has five direct cost consequences buyers rarely model:

  1. L3 availability 24x7, not just business hours. You cannot rely on an L1 to make the "is this reportable?" call. Either you fund a true follow-the-sun L3 rotation (add ~INR 60 to 90 lakh) or you pay a retainer to external IR counsel and a CERT-In-experienced incident lead.
  2. 180-day rolling log retention in an Indian jurisdiction, as the directive specifies. For a 100 GB/day environment, that is roughly 18 TB of hot-tier searchable storage plus warm/cold tiers — typically INR 18 to 40 lakh per year on managed cloud, not counting SIEM ingest itself.
  3. KYC and registration log retention for VPN providers, data centres, and intermediaries — five years where applicable. Most enterprises inherit this through their service providers, but verifying it during an incident takes hours your six-hour clock does not have.
  4. Annual tabletop and reporting drill with legal counsel and CERT-In template alignment: INR 8 to 18 lakh externally, or 80 to 120 hours of senior internal time.
  5. Penalty exposure. Non-compliance with a Section 70B directive is punishable under Section 70B(7) of the IT Act with imprisonment up to one year, a fine up to one lakh rupees, or both — and the reputational and regulatory follow-on (RBI, SEBI, IRDAI, DPDPA cross-references) is the bigger number.

For a mid-market enterprise, the realistic annual cost of "doing CERT-In properly inside an in-house SOC" is INR 35 to 70 lakh layered on top of base SOC operations. Most internal business cases either miss this entirely or bury it in "compliance overhead" without quantifying it. Our CERT-In empanelled audit and incident response retainer engagements consistently surface this as the line that flips a build-vs-buy decision.

Co-managed MDR Pricing in India: What You Actually Get

"MDR" in the Indian market spans three commercial models, and buyers conflate them at their peril.

Full MDR (provider owns SIEM, EDR, analysts, response playbooks, CERT-In filing support). India pricing for a 1,500 to 2,500 endpoint mid-market customer typically runs INR 1.4 to 2.4 crore per year on a 24-month commit, inclusive of tooling. The provider absorbs attrition risk and tool refresh cycles. You give up direct control over use-case engineering and detection logic, and you are exposed to the provider's incident response SLA — which for serious providers is 15 to 30 minutes for triage and one to two hours for containment guidance.

Co-managed MDR (you own the SIEM and EDR licences, provider supplies L1/L2 coverage, threat hunting, and CERT-In-aligned reporting workflow). India pricing typically lands INR 90 lakh to 1.6 crore per year. This is the model that fits most regulated mid-market enterprises in India because it keeps log custody and tool ownership in-house — important for RBI's Cyber Security Framework, SEBI CSCRF, and IRDAI cyber regulations — while transferring the 24x7 staffing problem to a provider with depth.

Hybrid / staff-augmentation MDR (provider supplies named analysts on shifts inside your tooling, you retain L3 and IR). INR 60 lakh to 1.1 crore depending on shift coverage and SLAs. Useful when you have a strong existing SOC manager and just need to fill the night and weekend gap without losing institutional knowledge.

Across all three, the underwriting questions Certbar walks every CFO through are the same: who carries SIEM licence risk, who owns detection content, what is the contractual time-to-detect and time-to-respond, who is named on the CERT-In filing, and what happens when a P1 ransomware event lands at 02:30 IST on a Sunday. If the MSA does not name the answer to all five, the price is not the price.

Three-Year TCO Comparison Table (Build vs Full MDR vs Co-managed)

The table below assumes a representative Indian mid-market enterprise: 1,800 endpoints, 120 GB/day of relevant logs, RBI- or SEBI-touched, CERT-In reportable, with an existing IT team of 25 to 40. Figures are INR crore, fully loaded.

| Cost line | In-house build | Co-managed MDR | Full MDR |
| --- | --- | --- | --- |
| People (L1/L2/L3/manager, 3 shifts) | 6.6 to 8.4 | 1.2 to 1.8 (retained L3 + manager) | 0.4 to 0.7 (retained CISO office) |
| SIEM + EDR + SOAR (3-yr commit) | 4.8 to 6.9 | 4.5 to 6.4 | included |
| Threat intel, NDR, deception, DLP | 1.2 to 2.1 | 0.6 to 1.1 (shared) | included |
| CERT-In retention, drills, IR retainer | 1.2 to 2.1 | 0.3 to 0.6 | included |
| Attrition + shift premium | 1.2 to 1.9 | 0.0 to 0.2 | 0.0 |
| MDR service fees | 0 | 2.7 to 4.8 | 4.2 to 7.2 |
| Three-year TCO range | 15.0 to 21.4 | 9.3 to 14.9 | 4.6 to 7.9 |

Two caveats. First, the in-house number assumes you actually achieve 24x7 coverage with sub-six-hour CERT-In reporting maturity from year one. In practice, internal SOCs typically need 18 to 30 months to hit that maturity, during which residual breach risk is materially higher — costs that should be expected-loss adjusted in any honest model. The IBM Cost of a Data Breach Report 2024 pegs the average breach cost in India at INR 19.5 crore, with mean-time-to-identify of 215 days driving most of the loss. Cutting that window is the financial argument for outsourcing during the maturity ramp.

Second, "full MDR is cheapest" is true on a spreadsheet but rarely the right answer for a regulated mid-market enterprise. Co-managed is usually the strategic optimum because it preserves data sovereignty, regulator-facing accountability, and detection content ownership while neutralising the attrition and shift-premium drag.

Decision Framework: Headcount, Sector, Compliance Regime

Five questions decide build vs co-managed vs full MDR for an Indian mid-market enterprise:

  1. Endpoint and log scale. Below 1,000 endpoints and 40 GB/day, in-house almost never pencils out; go full or co-managed MDR. Above 5,000 endpoints with multi-cloud and OT, in-house or co-managed with strong L3 retention becomes defensible.
  2. Sector and regulator. RBI-regulated NBFCs, scheduled commercial banks, and payment system operators carry data localisation, RBI Cyber Security Framework, and (for larger entities) the Master Direction on IT Governance — these push toward co-managed with in-region log custody, not pure offshore MDR. SEBI CSCRF MIIs face similar constraints. Insurers under IRDAI cyber regulations and DPDPA-significant data fiduciaries should treat full offshore MDR with deep scepticism.
  3. Existing security leadership depth. No full-time CISO and no L3 hunter on staff? Full MDR or co-managed with provider-supplied L3 is the only credible path. Strong CISO with a tested IR plan? Co-managed is the sweet spot.
  4. Tolerance for breach exposure during ramp. If your board cannot accept 18 to 30 months of sub-mature detection during build, you are buying MDR whether the spreadsheet says so or not.
  5. Three-year strategic intent. Are you building a security business unit (cyber-insurance, fintech, healthtech offerings) where SOC IP is a moat? Build, but co-manage during ramp. Are you a manufacturer, retailer, or services firm where security is a cost centre? Co-managed MDR almost always wins.

Every Certbar SOC engagement opens with this five-question audit before a single price is quoted. We will tell you to build in-house if that is what the numbers and the strategy say — the answer that maximises long-term security posture is rarely the answer that maximises any single quarter's invoice.

What this means for your next budget cycle

The honest answer to "build vs MDR in India" is not a number — it is a discipline. Price the people at Mumbai or Surat reality, not US benchmarks. Price the SIEM at India-negotiated tiers, not list. Price the CERT-In six-hour clock as a line item, not a footnote. Then compare against a co-managed MDR proposal that names SIEM ownership, detection content rights, time-to-detect SLA, CERT-In filing accountability, and weekend P1 response. The model that wins on that scorecard is the one your CFO and CISO can both defend at the next board meeting.

Certbar's 24x7 SOC monitoring practice is built around co-managed delivery from our Surat and Mumbai centres, with CERT-In reporting workflows mapped to your sector regulator. We will model both paths against your real log volume, endpoint count, and compliance regime, and walk your board through the three-year TCO before any contract conversation. If you want the spreadsheet behind this post applied to your numbers, request a TCO workshop with our SOC monitoring team or read our companion analysis on CERT-In incident reporting playbooks.

Nirav Goti, Co-Founder & CEO

Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.


Frequently Asked Questions

For an 1,800-endpoint enterprise with 100 to 150 GB/day of log volume, an honest in-house 24x7 SOC runs INR 4.2 to 6.1 crore per year at steady state once you fund three-shift L1/L2/L3 coverage, SIEM/EDR/SOAR tooling, threat intel, and the CERT-In six-hour reporting workflow. First-year cost is typically 15 to 25 percent higher due to recruiting ramp and tool implementation.