The MSSP your CISO actually wants
Most Indian MSSPs sell endpoint count and SIEM licence. The CISO buying it gets a monthly invoice and a quarterly executive summary deck. What they don't get is operational SOC truth: how fast did we detect things, what did we catch that we wouldn't have caught alone, what's the false-positive rate, what's our coverage map.
Bachao.AI's MSSP delivery is built around four operational SLOs and a transparency dashboard your team accesses live. Here's how it works.
The four SLOs
| SLO | Target | Measured by |
|---|---|---|
| Mean Time to Detect (MTTD) | < 4 minutes | Detection-to-page interval, all severities |
| Mean Time to Respond (MTTR) | < 22 minutes | Page-to-containment-action interval, S1+S2 |
| Detection coverage | 90% of MITRE ATT&CK techniques applicable to your stack | Bi-weekly purple team gap analysis |
| Reporting cadence | Weekly digest + monthly board pack | Calendar-locked, not on-demand |
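How the MTTD and MTTR rows of this table can be computed from incident timestamps, as an added example (not Bachao.AI's own code). The record layout and the incidents are constructed for illustration; the targets and severity scope come from the table.

```python
from datetime import datetime
from statistics import mean

# SLO targets from the table above, in minutes.
MTTD_TARGET_MIN = 4
MTTR_TARGET_MIN = 22

# Constructed sample incidents: (id, severity, detected, paged, contained).
# The tuple layout is an assumption of this example.
INCIDENTS = [
    ("INC-1", "S1", "2024-01-08T09:00:00", "2024-01-08T09:02:00", "2024-01-08T09:20:00"),
    ("INC-2", "S2", "2024-01-08T13:10:00", "2024-01-08T13:13:00", "2024-01-08T13:43:00"),
    ("INC-3", "S3", "2024-01-09T02:00:00", "2024-01-09T02:07:00", "2024-01-09T05:00:00"),
    ("INC-4", "S1", "2024-01-09T23:58:00", "2024-01-10T00:02:00", None),  # still open
]


def _minutes(start, end):
    """Interval between two ISO-8601 timestamps, in minutes."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def slo_scorecard(incidents):
    # MTTD: detection-to-page interval, all severities.
    ttd = {i[0]: _minutes(i[2], i[3]) for i in incidents}
    # MTTR: page-to-containment interval, S1 and S2 only.
    scoped = [i for i in incidents if i[1] in ("S1", "S2")]
    ttr = [_minutes(i[3], i[4]) for i in scoped if i[4]]
    mttd = mean(ttd.values()) if ttd else None
    mttr = mean(ttr) if ttr else None
    return {
        "mttd_min": mttd,
        "mttd_met": mttd is not None and mttd < MTTD_TARGET_MIN,
        "mttr_min": mttr,
        "mttr_met": mttr is not None and mttr < MTTR_TARGET_MIN,
        # A mean can hide slow outliers, so list each page that missed the target.
        "ttd_breaches": [k for k, v in ttd.items() if v >= MTTD_TARGET_MIN],
        # Open S1/S2 incidents have no containment time yet and would
        # otherwise drop out of the MTTR average unnoticed.
        "uncontained": [i[0] for i in scoped if not i[4]],
    }


if __name__ == "__main__":
    for key, value in slo_scorecard(INCIDENTS).items():
        print(f"{key}: {value}")
```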
The 24×7 staffing model
Bachao.AI runs a 24×7 SOC out of two India locations + one APAC backup site, with the following rota:
- Tier 1 analyst — 24×7 coverage, triages every detection within 4 minutes. Responsible for: confirm signal, escalate or close, document in ticket.
- Tier 2 analyst — 24×7 coverage, handles S2+ escalations. Responsible for: deeper investigation, lateral movement check, containment recommendation, customer notification draft.
- Tier 3 / incident commander — on-call 24×7, paged for S1 events. Responsible for: incident command, customer call lead, regulatory notification, forensic preservation.
- Hunt engineer — daytime IST. Responsible for: proactive hunting (not just reacting to detections), detection rule tuning, MITRE coverage gap analysis.
- Dedicated lead — your account's named SOC lead, attends monthly reviews and shapes the detection strategy specific to your business.
This is not a "shared analyst across 50 customers" model. Bachao.AI staffs tier 1 + tier 2 at a ratio that allows real human investigation, not just rubber-stamp triage.
Onboarding: weeks 1–6
A new MSSP engagement runs a 6-week onboarding. Most other MSSPs go live faster, but the cost is months of false positives until tuning catches up.
Week 1: discovery and connectors
- Asset inventory (workloads, identities, network segments)
- Telemetry connector setup: CloudTrail, GuardDuty, GitHub, Okta/Workspace, EDR, k8s audit logs
- Initial detection rule deployment from Bachao's India-market library (~280 rules)
- "What's a normal Tuesday at 9am?" workshops
- Critical asset designation (which 5 systems are the company crown jewels?)
- Customer notification preferences (Slack channel, email DL, SMS escalation tree)
- Run all rules in alert-only mode
- False-positive review (every single alert reviewed with you)
- Rule disable / threshold adjustment / context enrichment
- 8–12 runbooks for the most likely incidents in your stack
- Each runbook gets a tabletop walkthrough with your team
- Containment authority pre-approved for specific actions (revoke key, isolate host, disable user)
- Bachao Red Team runs 12 simulated attacks against your environment
- SOC tier 1 must detect them in production
- Gaps logged and detection rules added
- Full production paging enabled
- First weekly digest goes out
- Monthly review cadence locked in calendar
Pricing: per-workload, not per-endpoint
Most MSSPs charge per endpoint or per GB ingested. Both incentivize the wrong behaviour (under-instrumenting to keep cost down).
Bachao.AI charges per workload tier:
| Tier | Workloads covered | Monthly fee |
|---|---|---|
| Startup (1 prod environment) | Up to 50 critical workloads + 200 supporting | ₹3L |
| Growth (multi-env, single product) | Up to 200 critical + 800 supporting | ₹6L |
| Enterprise (multi-product, regulated) | Up to 1,000 critical + 5,000 supporting | ₹12L |
| Custom | Above 1,000 critical workloads | Quote |
There is no per-event surcharge. No "ingestion overage." No surprise invoice in month 4.
What you receive operationally
Real-time:
- Slack/Teams channel with severity-tagged detections (S1 → @here, S2 → no ping, S3+S4 → digest)
- Live SOC dashboard (auth via Okta/Workspace)
- Incident war-room channel auto-spun for S1 events
- Detection digest (PDF) summarising all S2+ events of the week
- New detections added this week
- Tuning changes proposed
- Coverage status against MITRE ATT&CK
- Board-pack security report (8 pages)
- SLO scorecard (MTTD, MTTR, coverage, FP rate)
- Detection roadmap for the next 30 days
- Threat intelligence brief (sector-specific to BFSI, SaaS, healthtech, etc.)
- Purple team exercise (separate from monthly hunts)
- Risk register update with the vCISO if engaged
- Threat landscape brief for the board
When MSSP and vCISO bundle
Most Bachao.AI MSSP customers also retain a vCISO at a lower tier (10–15 hours/month) for governance, compliance, and customer-facing security work. The MSSP is operational; the vCISO is strategic. Bundling them means the SOC understands the regulatory context and the vCISO has direct visibility into operational reality.
How to start
The first step is a 90-minute SOC scoping workshop. We walk through your existing telemetry, current incident history, regulatory obligations, and the right tier. Quote within 5 working days. Onboarding can start within 2 weeks of contract signature.
