24x7 SOC Build vs MDR in India: The True Cost in INR

Yash Goti
By Yash GotiMar 16, 202615 Min Read

By mid-2026, every Indian CISO building a 24x7 monitoring case is running into the same wall: a genuine in-house SOC build now costs INR 3.8 to 5.6 crore per year at steady state once you stack eight to twelve analysts across three shifts, SIEM and EDR licensing, threat intel, and the CERT-In six-hour reporting workflow. The complication is that almost every TCO calculator a CFO finds online was written for a US buyer, so the inputs are wrong before the math starts. Co-managed MDR for the same coverage band lands at INR 90 lakh to 1.6 crore. Full MDR with India-based response runs INR 1.4 to 2.4 crore. None of those are like-for-like. This post answers the question your board is actually asking: which model survives an audit, a ransomware event, and a 22-month attrition cycle without becoming a quarterly fire drill? We will price each line in INR, run a three-year TCO table, and give you a five-question decision framework you can take into the next budget review.

Why US SOC cost benchmarks lie to Indian CFOs

Most "SOC TCO" calculators an Indian CFO finds on the open web were written for a US buyer. They assume an L1 analyst at USD 75,000 to 95,000, an L2 at USD 110,000 to 140,000, and a SIEM at USD 0.50 to 1.00 per GB ingested. Multiplied at INR 83 to the dollar, the model produces numbers that look terrifying and force a "buy MDR" conclusion without examining whether the inputs even apply. The Indian reality is different on every line item. SOC analyst salaries in Mumbai and Bengaluru sit at a fraction of US levels, but attrition is materially higher. NASSCOM and industry trackers reported cyber talent attrition in the 25 to 35 percent range through 2024 and 2025, against roughly 13 to 18 percent in mature US SOCs. SIEM list prices are often quoted in USD globally but negotiated aggressively in INR for Indian deals, with effective discounts of 30 to 55 percent common on multi-year commits. And the regulatory clock is not the US 72-hour SEC disclosure window. It is the CERT-In 28 April 2022 directive that mandates reporting of any of 20 specified cyber incidents within six hours of "noticing or being brought to notice." That six-hour clock alone reshapes the economics. A US-spec SOC built around an eight-hour mean-time-to-detect target is, by construction, non-compliant in India. Any honest TCO model has to price the staffing, tooling, and process maturity needed to detect, triage, decide, and file with CERT-In inside six hours, not just "monitor 24x7." Indian CFOs comparing build vs MDR with US benchmarks are answering the wrong question with the wrong numbers.

Imported US TCO calculators overstate salary and attrition while ignoring the six-hour CERT-In clock. Every line in an I
Imported US TCO calculators overstate salary and attrition while ignoring the six-hour CERT-In clock. Every line in an Indian SOC business case has to be reset against local inputs.

True cost of a 24x7 SOC build: L1/L2/L3 salaries in Mumbai and Surat

A defensible 24x7 in-house SOC needs three shifts plus weekend rotation, which is roughly 4.2 full-time equivalents per seat after factoring leave, training, and burnout buffer. A minimum credible structure is six L1 analysts, three L2 analysts, one L3 / threat hunter, one SOC manager, and a part-allocated incident response lead. Twelve heads, give or take. Based on engagements Certbar has scoped across Mumbai, Pune, Bengaluru, and Surat through 2024 and 2025, realistic fully-loaded CTC bands look like this: L1 SOC analyst (Mumbai/Bengaluru): INR 6 to 10 lakh per year. Surat/Ahmedabad: INR 4.5 to 7.5 lakh. L2 SOC analyst (Mumbai/Bengaluru): INR 12 to 20 lakh. Surat/Ahmedabad: INR 9 to 15 lakh. L3 threat hunter / IR lead (any metro): INR 24 to 42 lakh. SOC manager: INR 28 to 50 lakh. Loaded cost multiplier (benefits, equipment, seat, training, PF, gratuity, insurance): roughly 1.35 to 1.5x CTC. Run the math at the midpoint with a Mumbai-heavy team and the people line lands around INR 2.3 to 2.9 crore per year before tooling. Build the same team out of Surat or a hybrid Surat-Mumbai split, and the people cost drops to roughly INR 1.7 to 2.2 crore. That is a 20 to 28 percent saving that compounds across a three-year window. This is one reason Certbar's own SOC delivery footprint anchors in Surat with a Mumbai response presence rather than the inverse. Two cost lines almost every internal model under-counts. First, attrition replacement: at 30 percent annual attrition, you will hire and re-train roughly four of twelve seats every year. Loaded recruitment plus onboarding plus 90-day productivity lag is INR 3.5 to 6 lakh per replacement, or INR 14 to 24 lakh annually. Second, shift differential and on-call premium: night and weekend shift allowances of 15 to 25 percent are now standard to retain L1/L2 staff in tier-1 cities. That is another INR 25 to 40 lakh per year you will not see in a US template.

Surat and Ahmedabad cut L1 and L2 cost roughly 25 to 30 percent against Mumbai-Bengaluru for the same skill grade. L3 an
Surat and Ahmedabad cut L1 and L2 cost roughly 25 to 30 percent against Mumbai-Bengaluru for the same skill grade. L3 and manager bands stay metro-flat because the talent pool is national.

Hidden costs: SIEM licensing, EDR, threat intel, on-call premiums

Tooling is where in-house budgets quietly double. A mid-market Indian enterprise with 800 to 2,500 endpoints and 60 to 200 GB per day of relevant log volume will spend, at India-negotiated rates: SIEM platform (Splunk, Sentinel, QRadar, Elastic, Securonix): INR 60 lakh to 1.4 crore per year depending on ingest model. Microsoft Sentinel pay-as-you-go pricing publicly starts around USD 2.46 per GB ingested before commitment tiers, which at 100 GB per day is roughly INR 7.4 crore per year at list and INR 1.1 to 1.6 crore after a realistic commitment-tier discount. EDR/XDR (CrowdStrike, SentinelOne, Microsoft Defender, Sophos): INR 40 lakh to 1.1 crore for 1,500 to 2,500 endpoints at India street pricing. SOAR / case management: INR 18 to 45 lakh, or "free" if bundled with SIEM (you will pay for the integration consulting either way). Threat intelligence feeds (Recorded Future, Mandiant, Anomali, sector ISAC subscriptions): INR 25 to 75 lakh. Vulnerability management, deception, NDR, DLP overlays: INR 20 to 60 lakh combined. Data egress, backup, and 180-day log retention storage (mandated by the CERT-In directive): INR 12 to 35 lakh. Mid-point tooling stack: INR 1.8 to 2.6 crore per year. Add people at INR 2.0 to 2.9 crore, attrition and shift premiums at INR 0.4 to 0.65 crore, and the steady-state run rate of an honest in-house 24x7 SOC sits in the INR 4.2 to 6.1 crore per year band, before the CERT-In compliance overhead discussed next. First-year build is 15 to 25 percent higher due to recruiting ramp, tool implementation, use-case engineering, and tabletop maturity work.

SIEM and EDR alone consume roughly 60 percent of the tooling stack. Retention storage looks small but is non-negotiable
SIEM and EDR alone consume roughly 60 percent of the tooling stack. Retention storage looks small but is non-negotiable under the 28 April 2022 CERT-In directive.

The CERT-In 6-hour reporting tax on in-house SOCs

Section 70B of the IT Act, operationalised by the 28 April 2022 directive, requires reporting of 20 categories of incidents within six hours. Ransomware, identity compromise, data breach, attacks on critical infrastructure, and targeted scanning of protected systems are all on that list. The Ministry of Electronics and IT has reiterated that this clock starts from "noticing," meaning the moment any analyst, tool, or third party flags a potential incident, not the moment the SOC manager confirms it. For an in-house SOC, that single clause has five direct cost consequences buyers rarely model: L3 availability 24x7 , not just business hours. You cannot rely on an L1 to make the "is this reportable?" call. Either you fund a true follow-the-sun L3 rotation (add roughly INR 60 to 90 lakh) or you pay a retainer to external IR counsel and a CERT-In-experienced incident lead. 180-day rolling log retention in an Indian jurisdiction, as the directive specifies. For a 100 GB/day environment, that is roughly 18 TB of hot-tier searchable storage plus warm/cold tiers, typically INR 18 to 40 lakh per year on managed cloud, not counting SIEM ingest itself. KYC and registration log retention for VPN providers, data centres, and intermediaries, five years where applicable. Most enterprises inherit this through their service providers, but verifying it during an incident takes hours your six-hour clock does not have. Annual tabletop and reporting drill with legal counsel and CERT-In template alignment: INR 8 to 18 lakh externally, or 80 to 120 hours of senior internal time. Penalty exposure. Non-compliance with a Section 70B directive is punishable under Section 70B(7) of the IT Act with imprisonment up to one year, a fine up to one lakh rupees, or both. The reputational and regulatory follow-on (RBI, SEBI, IRDAI, DPDPA cross-references) is the bigger number. For a mid-market enterprise, the realistic annual cost of "doing CERT-In properly inside an in-house SOC" is INR 35 to 70 lakh layered on top of base SOC operations. Most internal business cases either miss this entirely or bury it in "compliance overhead" without quantifying it. Our CERT-In empanelled audit and incident response retainer engagements consistently surface this as the line that flips a build-vs-buy decision.

The clock does not start when the SOC manager confirms. It starts when anyone notices. That single clause forces 24x7 L3
The clock does not start when the SOC manager confirms. It starts when anyone notices. That single clause forces 24x7 L3 cover, 18 TB of hot logs and an annual drill on top of base operations.

Co-managed MDR pricing in India: what you actually get

"MDR" in the Indian market spans three commercial models, and buyers conflate them at their peril. Full MDR (provider owns SIEM, EDR, analysts, response playbooks, CERT-In filing support). India pricing for a 1,500 to 2,500 endpoint mid-market customer typically runs INR 1.4 to 2.4 crore per year on a 24-month commit, inclusive of tooling. The provider absorbs attrition risk and tool refresh cycles. You give up direct control over use-case engineering and detection logic, and you are exposed to the provider's incident response SLA, which for serious providers is 15 to 30 minutes for triage and one to two hours for containment guidance. Co-managed MDR (you own the SIEM and EDR licences, provider supplies L1/L2 coverage, threat hunting, and CERT-In-aligned reporting workflow). India pricing typically lands INR 90 lakh to 1.6 crore per year. This is the model that fits most regulated mid-market enterprises in India because it keeps log custody and tool ownership in-house, important for RBI's Cyber Security Framework, SEBI CSCRF, and IRDAI cyber regulations, while transferring the 24x7 staffing problem to a provider with depth. Hybrid / staff-augmentation MDR (provider supplies named analysts on shifts inside your tooling, you retain L3 and IR). INR 60 lakh to 1.1 crore depending on shift coverage and SLAs. Useful when you have a strong existing SOC manager and just need to fill the night and weekend gap without losing institutional knowledge. Across all three, the underwriting questions Certbar walks every CFO through are the same: who carries SIEM licence risk, who owns detection content, what is the contractual time-to-detect and time-to-respond, who is named on the CERT-In filing, and what happens when a P1 ransomware event lands at 02:30 IST on a Sunday. If the MSA does not name the answer to all five, the price is not the price.

Co-managed sits in the middle on price and at the top on regulatory fit — log custody stays Indian, detection content st
Co-managed sits in the middle on price and at the top on regulatory fit — log custody stays Indian, detection content stays exportable, and the 24x7 staffing problem moves to the provider.

Three-year TCO comparison: build vs full MDR vs co-managed

The table below assumes a representative Indian mid-market enterprise: 1,800 endpoints, 120 GB/day of relevant logs, RBI- or SEBI-touched, CERT-In reportable, with an existing IT team of 25 to 40. Figures are INR crore, fully loaded. Cost line (3-year total) In-house build Co-managed MDR Full MDR People (L1/L2/L3/manager, 3 shifts) 6.6 to 8.4 1.2 to 1.8 (retained L3+manager) 0.4 to 0.7 (retained CISO office) SIEM + EDR + SOAR (3-yr commit) 4.8 to 6.9 4.5 to 6.4 included Threat intel, NDR, deception, DLP 1.2 to 2.1 0.6 to 1.1 (shared) included CERT-In retention, drills, IR retainer 1.2 to 2.1 0.3 to 0.6 included Attrition + shift premium 1.2 to 1.9 0.0 to 0.2 0.0 MDR service fees 0 2.7 to 4.8 4.2 to 7.2 Three-year TCO range 15.0 to 21.4 9.3 to 14.9 4.6 to 7.9 Two caveats. First, the in-house number assumes you actually achieve 24x7 coverage with sub-six-hour CERT-In reporting maturity from year one. In practice, internal SOCs typically need 18 to 30 months to hit that maturity, during which residual breach risk is materially higher. Those costs should be expected-loss adjusted in any honest model. The IBM Cost of a Data Breach Report 2024 pegs the average breach cost in India at INR 19.5 crore, with mean-time-to-identify of 215 days driving most of the loss. Cutting that window is the financial argument for outsourcing during the maturity ramp. Second, "full MDR is cheapest" is true on spreadsheet but rarely the right answer for regulated mid-market. Co-managed is usually the strategic optimum because it preserves data sovereignty, regulator-facing accountability, and detection content ownership while neutralising the attrition and shift-premium drag.

On spreadsheet, full MDR wins on headline price. Once data sovereignty, detection content ownership and the 18-30 month
On spreadsheet, full MDR wins on headline price. Once data sovereignty, detection content ownership and the 18-30 month ramp risk are priced in, co-managed almost always lands as the strategic optimum.

Decision framework: headcount, sector, compliance regime

Five questions decide build vs co-managed vs full MDR for an Indian mid-market enterprise. Endpoint and log scale. Below 1,000 endpoints and 40 GB/day, in-house almost never pencils. Pick full or co-managed MDR. Above 5,000 endpoints with multi-cloud and OT, in-house or co-managed with strong L3 retention becomes defensible. Sector and regulator. RBI-regulated NBFCs, scheduled commercial banks, and payment system operators carry data localisation, RBI Cyber Security Framework, and (for larger entities) the Master Direction on IT Governance. These push toward co-managed with in-region log custody, not pure offshore MDR. SEBI CSCRF MIIs face similar constraints. Insurers under IRDAI cyber regulations and DPDPA-significant data fiduciaries should treat full offshore MDR with deep scepticism. Existing security leadership depth. No full-time CISO and no L3 hunter on staff? Full MDR or co-managed with provider-supplied L3 is the only credible path. Strong CISO with a tested IR plan? Co-managed is the sweet spot. Tolerance for breach exposure during ramp. If your board cannot accept 18 to 30 months of sub-mature detection during build, you are buying MDR whether the spreadsheet says so or not. Three-year strategic intent. Are you building a security business unit (cyber-insurance, fintech, healthtech offerings) where SOC IP is a moat? Build, but co-manage during ramp. Are you a manufacturer, retailer, or services firm where security is a cost centre? Co-managed MDR almost always wins. Every Certbar SOC engagement opens with this five-question audit before a single price is quoted. We will tell you to build in-house if that is what the numbers and the strategy say. The answer that maximises long-term security posture is rarely the answer that maximises any single quarter's invoice.

What this means for your next budget cycle

The honest answer to "build vs MDR in India" is not a number, it is a discipline. Price the people at Mumbai or Surat reality, not US benchmarks. Price the SIEM at India-negotiated tiers, not list. Price the CERT-In six-hour clock as a line item, not a footnote. Then compare against a co-managed MDR proposal that names SIEM ownership, detection content rights, time-to-detect SLA, CERT-In filing accountability, and weekend P1 response. The model that wins on that scorecard is the one your CFO and CISO can both defend at the next board meeting. Certbar's 24x7 SOC monitoring practice is built around co-managed delivery from our Surat and Mumbai centres, with CERT-In reporting workflows mapped to your sector regulator. We will model both paths against your real log volume, endpoint count, and compliance regime, and walk your board through the three-year TCO before any contract conversation. If you want the spreadsheet behind this post applied to your numbers, request a TCO workshop with our SOC monitoring team or pair it with our work on DPDP Act compliance and attack simulation to stress-test the model against a real adversary.

Yash Goti
Yash GotiCo-Founder & Director
linkedin

Yash Goti, Certbar’s Co-Founder & Director, excels in Client Relations, Business Development, and IT leadership. With 5+ years’ experience, he’s a financial services expert, ISO 27001 Auditor, and dynamic presenter in cybersecurity.

Share

Share to Microsoft Teams

Related security services

FAQs

Frequently Asked Questions

For an 1,800-endpoint enterprise with 100 to 150 GB/day of log volume, an honest in-house 24x7 SOC runs INR 4.2 to 6.1 crore per year at steady state once you fund three-shift L1/L2/L3 coverage, SIEM/EDR/SOAR tooling, threat intel, and the CERT-In six-hour reporting workflow. First-year cost is typically 15 to 25 percent higher due to recruiting ramp and tool implementation.