What's in the monthly report
This is the actual structure of the monthly board-ready PDF report a Bachao.AI MSSP customer receives. The version below is redacted from a real April 2026 report for a mid-tier Indian fintech (workloads + names anonymised).
Section 1: SLO scorecard (1 page)
| Metric | Target | This month | Last month | YoY |
|---|---|---|---|---|
| Mean Time to Detect | < 4 min | 2.8 min | 3.1 min | -32% |
| Mean Time to Respond (S1) | < 22 min | 17 min | 19 min | -28% |
| Mean Time to Respond (S2) | < 60 min | 41 min | 44 min | -15% |
| Detection coverage (MITRE) | 90% | 91% (+1) | 90% | +6pt |
| False-positive rate | < 8% | 5.2% | 6.1% | -22% |
| S1 events | reference | 2 | 1 | +1 |
| S2 events | reference | 14 | 11 | +27% |
| S3 events | reference | 87 | 91 | -4% |
| S4 events (suppressed) | reference | 1,420 | 1,280 | +11% |
Section 2: S1 incident log (1 page per incident)
For each S1 (potential breach) event:
IR-2026-04-007 — Suspected credential stuffing on customer login
> Detected: 2026-04-12 03:47 IST
> Detection rule: cred-stuffing-velocity-001
> Source: Cloudflare logs + Okta event 0x91
> Initial severity: S2 (auto-escalated to S1 at 03:51 after credential validation succeeded for 4 accounts)
> Timeline:
> - 03:47 — first detection (Tier 1)
> - 03:51 — escalation to S1 (Tier 2 review)
> - 03:54 — incident commander paged
> - 03:58 — affected accounts force-logged-out, MFA forced
> - 04:02 — customer security team Slack channel updated
> - 04:18 — customer CTO call (vCISO joined)
> - 06:30 — affected customer accounts (4) emailed
> - 12:15 — DPB India notification submitted (precautionary; investigation ongoing)
> Outcome: 4 customer accounts compromised via credential reuse from a third-party breach. No customer transaction loss. DPDP Section 8(6) notification filed as a precaution; not legally required as no fiduciary breach.
> Detection improvements: enriched cred-stuffing rule to factor in geo-velocity (3 customer accounts logged in from same IP within 90s); FP rate expected unchanged.
> Total time-to-containment: 11 minutes. Total time-to-customer-notification: 2 hours 43 minutes.
S1 events get this level of detail in the monthly report. The customer's CTO and CFO read it. The board sees the abbreviated summary.
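The detection logic behind IR-2026-04-007, as an added example (not Bachao.AI's rule engine): a sliding-window model of the cred-stuffing-velocity rule, the same-IP multi-account enrichment added after the incident, and the S2 to S1 auto-escalation once validated credentials reach four accounts. The event format, the sample events and the FAIL_VELOCITY threshold are assumptions; the 90 s window, the 3-account and 4-account thresholds come from the report.

```python
# Added example, not Bachao.AI's rule engine. Thresholds other than those
# quoted on the page, and the event format, are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=90)  # page: same-IP logins within 90s
MULTI_ACCOUNT = 3               # page: 3 accounts from one IP in the window
S1_VALIDATED = 4                # page: escalate once 4 accounts are validated
FAIL_VELOCITY = 6               # assumption: failures per window for base rule

def _row(sec, ip, acct, outcome):
    """Constructed event (not a real log line), sec seconds after 03:46 IST."""
    return (datetime(2026, 4, 12, 3, 46) + timedelta(seconds=sec), ip, acct, outcome)

SAMPLE_EVENTS = (
    # 12 accounts tried from one IP in 55s, the last 4 succeed: stuffing that lands
    [_row(5 * i, "203.0.113.7", f"u{1000 + i}", "success" if i >= 8 else "fail")
     for i in range(12)]
    # 3 accounts from one IP in 60s, all fail: too few failures for the base
    # rule, caught only by the multi-account enrichment
    + [_row(100 + 30 * i, "198.51.100.9", f"u{2000 + i}", "fail") for i in range(3)]
    # one user, two typos then success: normal behaviour, no alert
    + [_row(200 + 20 * i, "192.0.2.5", "u3000", "fail" if i < 2 else "success")
       for i in range(3)]
)

def evaluate(events):
    """Sliding-window check per source IP.
    Returns {ip: (severity, reasons, validated_account_count)}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        window, reasons, validated = [], set(), set()
        for ts, _, acct, outcome in evs:
            # drop events older than WINDOW, then add the current one
            window = [w for w in window if ts - w[0] <= WINDOW] + [(ts, acct, outcome)]
            if sum(1 for w in window if w[2] == "fail") >= FAIL_VELOCITY:
                reasons.add("fail-velocity")          # base rule
            if len({w[1] for w in window}) >= MULTI_ACCOUNT:
                reasons.add("multi-account-same-ip")  # April enrichment
            if outcome == "success":
                validated.add(acct)  # credentials validated from this IP
        if reasons:
            sev = "S1" if len(validated) >= S1_VALIDATED else "S2"
            alerts[ip] = (sev, reasons, len(validated))
    return alerts
```

Running `evaluate(SAMPLE_EVENTS)` flags the first IP as S1 with four validated accounts, the second as S2 on the enrichment alone, and leaves the single user unflagged.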
Section 3: S2 incident log (1 page summary)
Single table of all 14 S2 events with: ID, time detected, type (cred stuffing, brute force, anomalous data access, etc.), source, time to triage, outcome.
Examples:
- IR-2026-04-022 (data access anomaly): engineer queried customer table outside normal hours. Confirmed legitimate (BCP testing). Closed in 38 min.
- IR-2026-04-031 (suspicious IAM action): contractor IAM key used from new country. Confirmed legitimate (employee on holiday). Closed in 22 min after geo-confirmation.
- IR-2026-04-039 (suspected phishing on employee): credential-grabber URL clicked but session token not exfiltrated. Force-rotated credentials. Closed in 41 min.
Section 4: Detection coverage map (1 page)
MITRE ATT&CK tactics × detection rule count:
| Tactic | Rules deployed | Coverage % | Gaps to close in May |
|---|---|---|---|
| Initial Access | 23 | 95% | (none) |
| Execution | 19 | 92% | T1059.006 (Python script execution) — adding rule |
| Persistence | 31 | 89% | T1547.014 (AppCert DLLs) — Windows-only, customer is Linux/macOS — N/A |
| Privilege Escalation | 24 | 91% | T1548.005 (UAC bypass) — Windows-only — N/A |
| Defense Evasion | 38 | 87% | T1070.001 (clear Linux logs) — adding rule |
| Credential Access | 27 | 93% | (none) |
| Discovery | 19 | 95% | (none) |
| Lateral Movement | 18 | 89% | T1021.005 (VNC) — service not in use — N/A |
| Collection | 14 | 86% | T1119 (automated collection) — adding rule |
| Exfiltration | 22 | 91% | (none) |
| Impact | 17 | 88% | T1486.002 (DB-level encryption ransomware) — adding rule |
Section 5: Threat intelligence brief (1 page)
Sector-specific intel from the past month, filtered to customer's vertical:
- 3 active credential-stuffing campaigns observed against Indian fintechs this month — lists in confluence://intel/2026-04-fintech-cred-stuffing
- Indian APT group "OperationStarlight" observed targeting digital lending platforms — TTPs included in detection rule update
- New CERT-In advisory CIVN-2026-0312 (Jenkins plugin RCE) — customer environment not affected, action: confirmed at week 1
Section 6: 30-day detection roadmap (1 page)
| Week of | Detection rule | Why added |
|---|---|---|
| W1 May | T1059.006 (Python script execution) | Closing gap identified in April coverage review |
| W1 May | T1070.001 (clear Linux logs) | Same as above |
| W2 May | Customer-specific: API rate-limit abuse | Customer launching new public API; pre-emptive coverage |
| W2 May | T1119 (automated collection) | Same as above |
| W3 May | T1486.002 (DB ransomware) | Same as above |
| W3 May | Insider-threat: data export anomaly (volume) | Quarterly insider-threat sprint |
| W4 May | Purple team exercise scenarios (8) | Scheduled |
| W4 May | Customer rule review: tune cred-stuffing geo-velocity | Based on IR-2026-04-007 lesson |
Section 7: SOC team and customer feedback (half page)
Named SOC lead, hunt engineer, and incident commander assigned to the account. Customer SOC liaison name. Any escalation pattern observations.
Customer-side feedback summary from the past month (collected via post-incident surveys for S1+S2 events).
Section 8: Compliance posture summary (half page)
- DPDP Act 2023: status of obligations covered by SOC operations
- RBI cyber framework: alignment status
- CERT-In Rule 3 (6-hour reporting): 100% compliance this month
- ISO 27001 Annex A controls operationally evidenced this month
This is what a customer's CISO actually uses. Not a slide deck — an operational record.
