The situation
A mid-tier Indian NBFC (we'll call them "LendCo") came to Bachao.AI in January 2026 with a CERT-In advisory in their inbox: their existing MSSP had taken 11 hours to confirm and contain an attempted intrusion that another vendor's threat intel had flagged within minutes.
LendCo's profile:
- 240 employees, 3 million customers across digital lending
- AWS-only, ~640 production workloads
- Existing MSSP: large global brand, India-shared analyst pool
- Reported MTTR: 6 hours; the post-mortem of the January incident measured 11 hours from detection-available to containment
- RBI IT Master Direction compliance audit in 9 months
- Board was concerned the incident response posture wouldn't survive scrutiny
Discovery (week 0)
A 3-day onsite with LendCo's CISO and security team revealed three structural problems:
Problem 1 — detection signal silos. Cloudflare logs went to one pane, GuardDuty went to another, GitHub audit went to email, Okta went to a third tool. Tier 1 had to log into 4 places to confirm a credential-stuffing event. The 11-hour incident was 7 hours of cross-tool correlation.
Problem 2 — runbooks didn't exist. Tier 1 had a Confluence page from 2024 titled "Incident Response Playbook." It was 3 pages, generic, never updated. For 87% of S2 events, tier 1 had no defined containment authority and had to wait for the on-call engineering manager.
Problem 3 — purple team gap. The existing MSSP had never run a simulated attack against LendCo's environment. Detection coverage was assumed, never measured. (The coverage audit Bachao ran in week 1 showed 41% coverage, not the 80% the previous MSSP claimed.)
What Bachao changed (months 1–4)
Month 1: telemetry consolidation + detection rule library
- Single SIEM with all 4 signal sources unified
- 280 India-market detection rules deployed (from Bachao's library)
- First false-positive tuning sprint: 23% FP rate down to 8.5%
- 14 runbooks authored: credential stuffing, suspicious data access, brute force, phishing, ransomware-style behaviour, insider data export, API abuse, DDoS, cloud privilege escalation, etc.
- Containment authority pre-approved by CISO for tier 1 + tier 2 (revoke API key, force-logout user, isolate host)
- Tabletop walkthrough on each runbook with LendCo team
- Bachao Red Team ran 28 simulated attacks
- 8 attacks detected on first attempt, 12 detected after rule tuning, 8 missed entirely
- Coverage gap closure: detection coverage 41% → 87% by the end of month 3
- Hunt engineer added 47 new rules specific to LendCo's tech stack
- Monthly SLO report showed MTTR of 22 minutes (target: 30 minutes)
- Two S1 events handled during the quarter, both contained inside 18 minutes
- Evidence package for RBI: every detection, every runbook, every tabletop, every purple team result documented and indexed against RBI IT Master Direction sections
The RBI audit (month 9)
The audit team reviewed:
- SOC operational evidence (4 months by audit date)
- Detection coverage scorecard
- Runbook execution evidence (with the 4 actual S1+S2 cases logged in production)
- Purple team exercise results
- BCP/DR documentation (separate work stream)
The CISO sent the audit-clearance memo to the board with a one-line note: "Bachao's MSSP work made this possible."
What it cost
| Line item | Cost (annualised) |
|---|---|
| Previous MSSP | ₹85L/year (estimated) |
| Bachao MSSP (Growth tier) | ₹72L/year (₹6L/month) |
| Onboarding workload (Bachao) | ₹3L flat |
| Tools migration | ₹4L flat |
| Total Year-1 with Bachao | ₹79L |
What LendCo's CISO said
"Our previous MSSP was a brand. Bachao is a team that has my back at 3am. Our incident response posture went from 'we'll figure it out' to 'we have a runbook for this' in 4 months. The RBI audit wasn't a stress event — it was a chance to show what we'd built."
Pattern this engagement followed
LendCo's situation is a common shape for Bachao.AI MSSP customers:
- Existing MSSP that's "good enough on paper" but operationally hollow
- Upcoming regulatory audit (RBI, SEBI, DPB) creating real consequences
- Recent incident that exposed real MTTR
- Decision-maker willing to switch MSSPs if the new one will measurably perform
