Updated: May 25, 2026
For most mid-market organisations in India, buying MDR is more rational than building an in-house SOC. A genuine 24/7 SOC needs ten or more analysts, enterprise tooling, and a starting investment of ₹4 to 7 crore a year. MDR delivers the same monitoring and response as a predictable subscription, live in weeks, with the staffing problem carried by the provider.
The decision is no longer optional. CERT-In requires Indian organisations to report a cyber incident within six hours of noticing it. The DPDP Act adds breach-reporting duties and penalties reaching ₹250 crore. The RBI mandates real-time monitoring for regulated entities. None of that is possible if no one is watching at 3 AM. The question is not whether to run security operations around the clock. It is whether to build that capability or buy it.
A security operations centre, or SOC, is the team, tools and processes that monitor an organisation around the clock, detect threats, investigate them and respond. An in-house SOC means building all of that yourself: hiring analysts, licensing a SIEM and detection tools, running shifts and writing playbooks.
Managed Detection and Response, or MDR, is the same capability delivered as a service. A provider supplies the analysts, the platform and the 24/7 coverage. The question is not what gets done. It is who builds and runs it.
The SIEM licence is the visible cost. It is not the largest one.
A genuine three-shift operation needs ten to fifteen analysts, plus a manager, a threat intelligence analyst and a detection engineer. At Indian rates, a certified SOC analyst costs ₹15 to 25 lakh a year and a SOC lead ₹30 to 50 lakh. Add enterprise SIEM licensing at ₹60 lakh to ₹1.2 crore, plus XDR, threat feeds and SOAR. A credible in-house SOC starts at ₹4 to 7 crore a year.
Money is only half of it. India has over a million unfilled cybersecurity roles. Even funded teams struggle to keep people: 71% of SOC analysts report burnout and 64% expect to leave within a year. And the build takes 12 to 18 months to mature. You pay for all of it while it learns.
MDR removes the three hardest parts of the build.
Staffing becomes the provider's problem. They run the shifts, absorb the attrition, and hold the senior expertise mid-market firms struggle to attract.
Cost becomes predictable. Instead of a multi-crore payroll and capital spend, MDR is a subscription that scales with your estate. Independent comparisons put the saving against an in-house SOC at 50% or more.
Time compresses. MDR reaches full 24/7 coverage in weeks, not the 12 to 18 months a build needs. This is why, by Deloitte's count, more than 65% of Indian mid-sized enterprises already outsource some or all of their security operations.
MDR vs in-house SOC: the trade-offs at a glance
| | In-house SOC | MDR |
|---|---|---|
| Starting cost | ₹4 to 7 crore a year | Predictable subscription, scales with estate |
| Time to operational | 12 to 18 months | Weeks |
| 24/7 coverage | Needs 10+ specialists across shifts | Included |
| Staffing risk | Yours to hire and retain | Carried by the provider |
| Threat visibility | Your environment only | Patterns across many environments |
| Best suited to | Large enterprises with scale and deep context needs | Most mid-market organisations |
The right answer depends on scale, the sensitivity of what you protect, and how much security context you need to keep in-house.
MDR is not a single, standard service. Four questions separate a strong provider from a weak one.
Can they respond, or only alert? A provider that raises a ticket and waits is monitoring, not MDR. Confirm what they are authorised to contain.
Where does your data sit? Under the DPDP Act, the location of log and telemetry data matters. Ask for data residency in India where your obligations require it.
How well will they learn your environment, and what are the exit terms? You should be able to leave with your data, detections and history intact.
For most mid-market organisations, MDR is the rational choice. The scale that justifies a ₹4 to 7 crore in-house SOC, and the talent market to staff it, usually arrive only at large-enterprise size.
That does not mean owning nothing. The strongest model for many firms is hybrid: a small internal team that holds context, ownership and vendor management, with MDR providing 24/7 monitoring, triage and response. You keep the judgement in-house and buy the coverage.
The outcome to avoid is the half-built SOC: the tooling bought, the headcount never filled, the alerts never truly watched.
Build versus buy comes down to one honest question: can you hire and hold a 24/7 team in the tightest talent market in the country? Most mid-market firms cannot, and there is no failure in saying so.
Proactive Data Systems delivers managed detection and response built on Cisco XDR and the Cisco Secure portfolio, and holds Cisco Preferred Partner status under the Cisco 360 Partner Program for Security.
Request an MDR readiness review. We assess your current detection coverage and map the gap to 24/7.