Key Takeaways
- A SOC is the combination of people, process and technology that monitors the environment, detects threats, investigates and responds.
- Tier model: Tier 1 (triage), Tier 2 (deeper investigation), Tier 3 (advanced threat hunting, IR). Larger SOCs add detection engineering, threat intelligence and platform teams.
- Core tooling: SIEM (data and correlation), EDR (endpoint detection), SOAR (automation), TIP (threat intelligence). The stack is more important than the individual product choice.
- In-house vs MSSP/MDR: most Indian businesses below 500 employees buy managed; mid-market often hybrid; large enterprises in-house with augmentation.
- Key metrics: MTTD (detection time), MTTR (response time), alert volume, true-positive rate. Operational discipline matters more than dashboard counts.
What a SOC Actually Does
A Security Operations Center is the function that turns security tooling into security outcomes. Detection without response is paperwork. Response without detection is firefighting. The SOC sits in the middle, taking signals from many sources and producing actions: investigations opened, alerts confirmed or dismissed, containments executed, incidents declared, hunts initiated.
Modern SOC functions span: 24x7 monitoring of detection signals, triage of alerts by tier, investigation of confirmed events, threat hunting for patterns the detections miss, incident response coordination, threat intelligence integration, detection engineering (writing and tuning rules), platform engineering (operating the SIEM and supporting tooling), and reporting to leadership. Smaller SOCs combine roles; larger SOCs specialise.
Tier 1, 2 and 3 Analyst Roles
Tier 1 (triage analyst): first response to alerts, follows defined runbooks, escalates to Tier 2 when investigation requires deeper analysis. Typical Tier 1 shift handles 50 to 200 alerts depending on environment and tooling maturity. Common entry-level role; Tier 1 burns out fast without good tooling.
Tier 2 (incident responder): deeper investigation of escalated alerts, correlation across data sources, decision on whether to declare incident. Often handles 5 to 20 investigations per shift. Requires deeper technical skill and broader understanding of attacker techniques.
Tier 3 (advanced threat hunter / IR lead): hypothesis-driven hunting for patterns existing detections miss, advanced incident response on high-impact events, malware analysis, threat intelligence integration. Typically the most senior SOC role.
Detection engineering: writes and tunes detection rules in the SIEM, often combined with Tier 3 role at smaller SOCs. Platform engineering: operates the SIEM, EDR and supporting infrastructure. Threat intelligence: ingests and curates external intel for SOC consumption.
In-House vs Managed SOC (MSSP / MDR)
In-house SOC requires meaningful investment: SIEM licensing, EDR licensing, SOAR, supporting infrastructure, and a 24x7 staffing model that takes 8 to 12 dedicated FTEs for the analyst layer alone. The annual run cost for a credible 24x7 in-house SOC at Indian rates starts around INR 2 to 4 crore and scales upward.
MSSP (Managed Security Service Provider) provides SIEM operation and SOC analyst coverage as a managed service. The older MSSP model focused on log management plus baseline alerting; modern MDR (Managed Detection and Response) adds EDR-driven detection and active response. The Indian MDR market includes CrowdStrike Falcon Complete, Microsoft Defender Experts, Arctic Wolf, Trustwave, Mandiant Managed Defense, Sophos MDR, plus local providers.
Most Indian businesses below 500 employees buy MDR or co-managed SOC. Mid-market often runs hybrid (in-house analyst team plus MDR for 24x7 coverage). Large enterprises run in-house SOC with MDR augmentation for specific environments. Codesecure delivers SOC architecture design and helps clients select the right operating model.
Core SOC Tooling
SIEM (Security Information and Event Management): log aggregation, correlation and analytics. Leading platforms: Microsoft Sentinel (cloud-native, fast-growing share in India), Splunk Enterprise Security (incumbent, expensive but powerful), Elastic Security (open-source-first, cost-effective), Sumo Logic, Google Chronicle, IBM QRadar, Securonix, Exabeam. Open-source options: Wazuh (built on OpenSearch, very popular at Indian SMBs), Graylog. Our SIEM comparison blog covers selection.
EDR (Endpoint Detection and Response): deep endpoint visibility plus active response. Leaders: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR, Trellix, Cybereason, Sophos Intercept X. EDR has replaced traditional antivirus for any serious security programme.
SOAR (Security Orchestration, Automation and Response): automated response playbooks. Splunk SOAR, Microsoft Sentinel Logic Apps, Palo Alto XSOAR, Tines, n8n (custom). Reduces MTTR substantially for repeatable response patterns.
TIP (Threat Intelligence Platform): ingests and curates external threat intelligence. ThreatConnect, Anomali, MISP (open source). Smaller SOCs consume threat intel through SIEM integrations without dedicated TIP.
Key SOC Metrics
MTTD (Mean Time To Detect): average elapsed time from incident start to detection. Target: minutes for endpoint-originated, hours to days for cloud or identity-originated. See our MTTD blog for detail.
MTTR (Mean Time To Respond): detection to containment / recovery. Target: minutes for automated response, hours for human-driven containment, days for full recovery.
Alert volume: alerts per analyst per shift. Healthy range: 30 to 100 for Tier 1, depending on tooling. Above 200 typically indicates noisy detections and induces alert fatigue.
True positive rate: percentage of alerts that turn out to be real incidents. The healthy range varies by environment; a high false-positive share means the detections need tuning.
Escalation rate: percentage of Tier 1 alerts escalated to Tier 2. Too low suggests Tier 1 dismisses too aggressively; too high suggests Tier 1 lacks runbook clarity.
Detection coverage: percentage of MITRE ATT&CK techniques the detections cover. Mature SOCs measure this explicitly.
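As an added illustration, not code from the original page or from Codesecure, the metrics above computed over a constructed set of incidents and alerts. The incident timestamps, alert records, the rule-to-technique mapping and the in-scope ATT&CK technique list are all assumptions made up for the example.

```python
from datetime import datetime as dt
from statistics import mean

# Constructed sample data (not from any real SOC). Incident: (attack start, detection, containment).
INCIDENTS = [
    (dt(2024, 3, 1, 9, 0), dt(2024, 3, 1, 9, 10), dt(2024, 3, 1, 9, 40)),   # endpoint-originated: minutes
    (dt(2024, 3, 2, 2, 0), dt(2024, 3, 2, 8, 10), dt(2024, 3, 2, 11, 0)),   # identity-originated: hours
    (dt(2024, 3, 3, 0, 0), dt(2024, 3, 3, 23, 40), dt(2024, 3, 4, 6, 20)),  # cloud-originated: about a day
]
# Alert: (analyst, shift, Tier 1 verdict, confirmed true positive, ATT&CK technique the firing rule maps to).
ALERTS = [
    ("ana", "d1", "escalated", True, "T1059"),
    ("ana", "d1", "dismissed", False, "T1059"),
    ("ana", "d1", "escalated", False, "T1078"),
    ("bob", "d1", "dismissed", False, "T1486"),
    ("bob", "d1", "escalated", True, "T1021"),
]
RULE_TECHNIQUES = {"T1059", "T1078", "T1021", "T1486"}  # techniques the deployed rules map to (assumed)
IN_SCOPE = ["T1059", "T1078", "T1021", "T1486", "T1003", "T1566", "T1071", "T1105"]  # hypothetical scope

def minutes(a, b):
    return (b - a).total_seconds() / 60

def mttd_minutes(incidents):
    """Mean Time To Detect: incident start to detection, averaged over incidents."""
    return mean(minutes(start, detected) for start, detected, _ in incidents)

def mttr_minutes(incidents):
    """Mean Time To Respond: detection to containment, averaged over incidents."""
    return mean(minutes(detected, contained) for _, detected, contained in incidents)

def alerts_per_analyst_shift(alerts):
    counts = {}
    for analyst, shift, *_ in alerts:
        counts[(analyst, shift)] = counts.get((analyst, shift), 0) + 1
    return counts

def noisy_shifts(counts, threshold=200):
    """(analyst, shift) pairs above the volume at which the text expects alert fatigue."""
    return sorted(k for k, n in counts.items() if n > threshold)

def true_positive_rate(alerts):
    return sum(1 for a in alerts if a[3]) / len(alerts)

def escalation_rate(alerts):  # share of Tier 1 alerts escalated to Tier 2
    return sum(1 for a in alerts if a[2] == "escalated") / len(alerts)

def attack_coverage(rule_techniques, in_scope):
    """Share of in-scope ATT&CK techniques that at least one deployed rule maps to."""
    return len(set(rule_techniques) & set(in_scope)) / len(set(in_scope))
```

With the constructed data, MTTD is 600 minutes and MTTR 200 minutes, the true-positive rate is 40%, the escalation rate 60%, and ATT&CK coverage 50%; the per-shift volumes are far below the noisy threshold, as expected for five alerts.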
SOC Use Cases for Indian Businesses
Regulated entities (banking, NBFC, insurance, capital markets): SOC is effectively mandatory. Regulator inspections expect 24x7 monitoring with documented runbooks, named CISO, evidence of detection and response capability.
Customer-facing SaaS: enterprise customers expect SOC capability in security questionnaires. SOC operation is a prerequisite for sustained enterprise sales.
Healthcare: ransomware-prone sector; SOC detection of pre-encryption lateral movement is what separates good outcomes from bad. HIPAA and DPDP both reward documented monitoring.
Manufacturing: OT-aware SOC capability is increasingly expected; IT-only SOC misses OT-side signals. Most Indian manufacturers operate IT SOC with periodic OT engagement and grow OT visibility over time.
Startups (Series B onwards): MDR adoption typical at this stage to satisfy enterprise customer questionnaires; in-house SOC later as scale justifies.
Cost and Questions to Ask an MSSP
In-house 24x7 SOC starts at INR 2 to 4 crore per year at Indian rates (tooling, salaries, infrastructure) and scales with scope. MDR typically prices per endpoint or per user, ranging from USD 5 to 25 per asset per month depending on tier and contract size. For a 500-employee Indian organisation, MDR lands at roughly INR 50 lakh to 1.5 crore per year.
Questions to ask an MSSP before signing: response SLA per severity, named analyst contact or pool model, EDR vendor included or BYO, custom rule support and tuning cadence, integration with your ticketing and case management, monthly reporting cadence and content, escalation path to your IR lead, exit terms and data portability. Bad answers to any of these are warning signs.
Frequently Asked Questions
Do we need a SOC if we have EDR?
EDR is a tool; SOC is the operational discipline that responds to what the tool detects. Without a SOC operating it, EDR is a high-fidelity alert generator that nobody acts on. Most organisations get EDR with managed coverage (MDR) precisely because the tool alone is not enough.
How does MDR differ from traditional MSSP?
Traditional MSSP focused on SIEM log management and baseline alerting. MDR adds active EDR-based detection and response, with the MDR provider taking containment actions on customer endpoints in real time. MDR is the modern standard.
Can we build a credible SOC at small scale?
Self-built 24x7 SOC below 200 to 500 employees rarely makes economic sense. Hybrid (small in-house analyst team plus MDR for 24x7) or fully managed MDR is more typical at that scale. Above 1000 to 2000 employees, in-house SOC becomes more justifiable.
What SIEM should we choose?
Microsoft Sentinel for Microsoft-heavy estates (best integration with Defender stack). Splunk for organisations already invested. Elastic for cost-sensitive teams comfortable with operational overhead. Wazuh for SMBs with deep cost constraints and DIY capacity. Codesecure has implemented all of these for Indian customers; see our SIEM selection blog.
How long to stand up a new SOC?
Pure MDR onboarding: 2 to 6 weeks. Hybrid co-managed SOC: 8 to 16 weeks. In-house SOC from zero: 6 to 12 months including hiring, tooling deployment, runbook design and operational maturity. Codesecure delivers SOC design and implementation engagements with fixed milestones.
Can Codesecure operate our SOC?
Yes. Codesecure offers co-managed and fully managed SOC services for Indian customers, including SIEM tuning, EDR operation, threat hunting, SOAR engineering and 24x7 analyst coverage. Engagements scale to customer environment and risk profile.
Build A SOC That Detects And Responds, Not Just Monitors
Codesecure delivers SOC architecture design, SIEM and EDR rollout, MDR services and SOAR engineering for Indian SaaS, fintech, healthcare and enterprise. ISO/IEC 27001:2022 certified delivery, named consultants, fixed-price proposals, transparent KPIs.