The Security Operations Center: What It Is and Why 24/7 Matters
A Security Operations Center is a team, not a tool. It combines people, processes, and technology to monitor cloud environments continuously, detect threats in real time, and coordinate response. The distinction matters because many organisations buy a SIEM licence and assume they have "a SOC." They don't — they have a log database generating thousands of alerts that nobody is watching at 3 AM.
What a SOC Actually Does
From Opsio's 24/7 SOC/NOC operating across Karlstad (EU) and Bangalore (India), a typical operational day involves:
1. Alert triage: Filtering signal from noise. A mid-sized multi-cloud environment generates thousands of security events daily. The vast majority are informational. The SOC's job is identifying the handful that matter.
2. Correlation: Connecting a failed login in Azure Entra ID to an API call in AWS to a data exfiltration pattern in GCP. No single cloud's native tooling sees this full chain.
3. Threat intelligence enrichment: Matching observed IOCs (indicators of compromise) against threat feeds — known malicious IPs, newly published CVEs, active campaign TTPs mapped to MITRE ATT&CK.
4. Escalation and response: When a real incident is confirmed, the SOC triggers containment — isolating a compromised workload, revoking credentials, blocking a C2 domain — before the attacker completes their objective.
The Multi-Cloud Visibility Problem
Each hyperscaler has strong native security tooling for its own estate. AWS GuardDuty is excellent at detecting credential abuse within AWS. Microsoft Defender for Cloud catches Azure misconfigurations well. GCP's Security Command Center provides good coverage of Google Cloud resources.
The problem is that attackers don't respect cloud boundaries. According to Opsio's operational experience, the most dangerous incidents in multi-cloud environments involve lateral movement that starts in one provider and pivots to another — often through shared credentials, federated identity, or CI/CD pipelines that have deployment access to all three clouds. No single native tool catches this.
This is why organisations running multi-cloud architectures — increasingly common amongst Indian enterprises hosting in ap-south-1 (Mumbai) and Azure Central India simultaneously — need a unified SIEM layer (Microsoft Sentinel, Splunk, or similar) feeding into a SOC that has analyst visibility across all environments simultaneously.
SOC Reporting vs. Security Operations Center: Clearing Up the Acronym
This confusion appears in nearly every client conversation, and it is especially prevalent amongst Indian IT services firms undergoing SOC 2 certification for the first time.
SOC Reporting (System and Organization Controls) is an audit framework developed by the AICPA. There are three types:
| Report | Focus | Audience | Use Case |
|---|---|---|---|
| SOC 1 | Controls relevant to financial reporting (ICFR) | Auditors, finance teams | SaaS providers handling financial data |
| SOC 2 | Security, availability, processing integrity, confidentiality, privacy (Trust Services Criteria) | Customers, prospects, regulators | Any cloud service provider proving security posture |
| SOC 3 | Same criteria as SOC 2, but a general-use public report | General public | Marketing and public trust |
A Security Operations Center is the operational team that detects and responds to threats. You need a functioning SOC (operational) to pass a SOC 2 (audit) — specifically Trust Services Criteria CC7 (System Operations) and CC6 (Logical and Physical Access Controls) require evidence of continuous monitoring.
The relationship is symbiotic: your SOC operations produce the evidence that SOC 2 auditors review.
Managed Detection and Response: When and Why
MDR emerged because the cybersecurity talent shortage made staffing a full internal SOC unrealistic for most organisations. India, despite being a global IT talent hub, faces its own acute shortage of trained SOC analysts — particularly those with multi-cloud expertise across AWS, Azure, and GCP. The result is that even large Indian enterprises struggle to maintain round-the-clock security operations internally.
MDR vs. MSSP vs. Internal SOC
| Capability | Internal SOC | MSSP | MDR |
|---|---|---|---|
| 24/7 monitoring | Yes (if fully staffed) | Yes | Yes |
| Custom detection rules | Full control | Limited | Moderate to high |
| Active threat hunting | Depends on team maturity | Rarely | Core offering |
| Incident containment | Yes | Alert-only (typically) | Yes — active response |
| Time to value | 12-18 months | 4-8 weeks | 2-6 weeks |
| Cost (mid-market) | Highest (₹3-5 crore+ annually) | Moderate | Moderate |
The key differentiator: traditional MSSPs (Managed Security Service Providers) monitor and alert. MDR providers investigate and act. If your MSSP sends you an email saying "we detected suspicious activity on instance i-0abc123" and waits for you to respond, that's an MSSP. If they isolate that instance, capture a memory dump, and have a preliminary root-cause analysis ready when you wake up — that's MDR.
What to Expect from an MDR Engagement
A mature MDR service, like the one Opsio operates from its Bangalore SOC, includes:
- Onboarding: Deploying agents or integrating with existing SIEM/EDR, mapping your environment, understanding business context (which systems are crown jewels, what's a normal deployment window vs. anomalous).
- Continuous monitoring: 24/7 alert triage with SLAs — typically under 15 minutes to initial triage, under 1 hour to confirmed incident escalation.
- Proactive threat hunting: Analysts actively searching for threats that haven't triggered alerts — dormant implants, slow-and-low data exfiltration, legitimate tool abuse (living-off-the-land).
- Response: Containment actions taken directly (with pre-authorised playbooks) or in coordination with your team.
- Reporting: Monthly threat landscape summaries, incident post-mortems, posture improvement recommendations.
Penetration Testing: Purpose, Types, and Frequency
What Penetration Testing Aims to Accomplish
The primary purpose of penetration testing is to validate whether your security controls actually work under adversarial pressure. Vulnerability assessments tell you what's theoretically exploitable. Penetration testing proves it — or disproves it — by simulating how an attacker would chain vulnerabilities together to achieve a real-world objective like data exfiltration, privilege escalation, or service disruption.
Penetration Testing vs. Vulnerability Assessment
| Dimension | Vulnerability Assessment | Penetration Testing |
|---|---|---|
| Approach | Automated scanning | Manual, human-driven exploitation |
| Scope | Broad — entire environment | Targeted — specific systems, scenarios |
| Output | List of CVEs with severity ratings | Narrative attack paths with proof of exploitation |
| Frequency | Weekly to monthly | Quarterly, before major releases, or annually at minimum |
| Skill required | Tool operation | Offensive security expertise |
| False positives | Common | Rare (findings are validated) |
| Depth | Surface-level | Deep — includes chaining, pivoting, social engineering |
Both are necessary. Vulnerability assessments provide continuous hygiene; penetration tests provide periodic validation. Running only assessments gives you a false sense of completeness. Running only pen tests misses the drift between tests.
Types of Penetration Testing for Cloud Environments
External network pen test: Targets internet-facing assets — load balancers, APIs, web applications, DNS. Tests what an unauthenticated attacker sees.
Internal network pen test: Assumes the attacker has a foothold inside the VPC/VNet — tests east-west movement, internal service authentication, segmentation effectiveness.
Web application pen test: Focused on application-layer vulnerabilities — OWASP Top 10, business logic flaws, authentication bypass, injection attacks.
Cloud configuration review: Tests IAM policies, storage bucket permissions, network ACLs, secrets management. This is where cloud-specific expertise matters — an S3 bucket misconfiguration or an overly permissive Azure role assignment won't show up in a traditional network pen test.
Red team engagement: Full-scope adversary simulation including social engineering, physical access attempts, and multi-stage attack chains. Typically annual for mature organisations.
Cloud Provider Rules of Engagement
Each hyperscaler has specific policies around penetration testing:
- AWS: No longer requires prior approval for pen testing against most services you own (EC2, RDS, Lambda, etc.) in ap-south-1 (Mumbai) or ap-south-2 (Hyderabad). DDoS simulation and DNS zone walking still require authorisation.
- Azure: Does not require notification for standard pen testing of your own resources in Central India or South India regions. Fuzzing and stress testing require following Microsoft's rules of engagement.
- GCP: Allows pen testing of your own resources without notification. Testing must not violate the Acceptable Use Policy or impact other tenants.
Always document authorisation in writing before starting. Your pen testing provider should have a clear scoping document, rules of engagement, and communication plan for critical findings discovered mid-test.
Compliance Frameworks That Demand Cloud Security Monitoring for Indian Organisations
Cloud security services aren't optional if you operate under any of these frameworks:
DPDPA 2023 (India)
India's Digital Personal Data Protection Act, 2023 requires "reasonable security safeguards" to protect personal data. While subordinate rules under the Act are still being finalised by MeitY, the framework's intent is clear: organisations must implement continuous monitoring and breach detection capabilities. The Data Protection Board of India will have authority to impose penalties of up to ₹250 crore for significant data breaches. Organisations processing personal data of Indian citizens — whether from Mumbai, Bangalore, or Hyderabad data centres — need cloud security monitoring that satisfies DPDPA requirements.
RBI Cloud Framework (BFSI)
The Reserve Bank of India's framework on adoption of cloud services by BFSI entities carries specific mandates:
- Data localisation: All customer data must reside within India. This means deploying workloads and security monitoring infrastructure in ap-south-1 (Mumbai), ap-south-2 (Hyderabad), Azure Central India, or Azure South India.
- Continuous monitoring: Regulated entities must maintain 24/7 security monitoring of cloud workloads.
- Incident reporting: Banks and NBFCs must report significant cyber incidents to CERT-In and RBI within six hours.
- Vendor risk management: Cloud service providers and managed security providers must be assessed against RBI's outsourcing guidelines.
For any bank, NBFC, insurance company, or payment aggregator operating in India, a SOC with Indian-resident analysts and India-region log storage is not a nice-to-have — it's a regulatory requirement.
SEBI Cloud Guidelines
SEBI's framework for regulated entities (stock exchanges, depositories, mutual funds, brokers) mandates:
- Cloud adoption with appropriate security controls and monitoring
- Data residency within India for market-sensitive data
- Regular vulnerability assessments and penetration testing
- Incident response and reporting mechanisms
CERT-In Directives
CERT-In's April 2022 directive requires organisations to report cybersecurity incidents within six hours of becoming aware of them. This tight window makes 24/7 SOC monitoring essential — you cannot report what you have not detected. The directive also mandates maintaining logs for 180 days within Indian jurisdiction.
SOC 2
Trust Services Criteria CC7.2 requires monitoring system components for anomalies indicative of malicious acts, natural disasters, and errors. CC7.3 requires evaluating security events to determine if they constitute incidents. CC7.4 requires responding to identified incidents. A functioning SOC — internal or managed — directly addresses these criteria. For Indian IT services and SaaS companies serving global clients, SOC 2 certification is increasingly table stakes.
ISO/IEC 27001
Annex A controls A.8.15 (Logging) and A.8.16 (Monitoring activities) require organisations to produce, store, protect, and analyse logs, and to monitor networks, systems, and applications for anomalous behaviour.
NIS2 Directive (EU) and GDPR
Indian organisations serving European clients or operating EU subsidiaries must also account for NIS2's 24-hour incident notification mandate and GDPR Article 32's requirement for appropriate technical measures including monitoring. GDPR Article 33 mandates 72-hour breach notification to supervisory authorities.
Building a Cloud Security Programme: Practical Sequencing
Organisations often ask "where do I start?" The answer depends on maturity, but this sequencing works for most mid-market and enterprise teams in India:
Phase 1 — Foundations (Month 1-2):
- IAM audit: enforce MFA everywhere, eliminate standing admin access, implement just-in-time privilege escalation
- Enable native cloud security tools: AWS Security Hub + GuardDuty in ap-south-1 (Mumbai), Microsoft Defender for Cloud in Central India, GCP Security Command Center
- Encrypt everything at rest and in transit — with keys managed within Indian regions for BFSI and government workloads
- Map data residency requirements: identify which workloads must remain within India per RBI, SEBI, and DPDPA mandates
Phase 2 — Visibility (Month 2-4):
- Deploy SIEM or centralised logging (Microsoft Sentinel if Azure-heavy, AWS Security Lake if AWS-heavy, or a cross-cloud platform like Splunk/Elastic)
- Onboard MDR provider or stand up initial SOC capability — ensure 24/7 coverage aligned with CERT-In's six-hour reporting window
- Implement CSPM scanning for continuous misconfiguration detection
- Ensure log retention of 180 days within Indian jurisdiction per CERT-In directives
Phase 3 — Validation (Month 4-6):
- First penetration test against external attack surface
- Vulnerability assessment programme on a weekly cadence
- Tabletop incident response exercise — include CERT-In notification workflows
Phase 4 — Maturity (Ongoing):
- Threat hunting programme (proactive, hypothesis-driven)
- Red team exercises (annual)
- Compliance certification pursuit (SOC 2, ISO 27001)
- Cloud security posture benchmarking against CIS Benchmarks
- Periodic review against evolving DPDPA subordinate rules and RBI/SEBI updates
Tooling Recommendations by Cloud Provider
| Function | AWS (ap-south-1/2) | Azure (Central India) | GCP | Cross-Cloud |
|---|---|---|---|---|
| CSPM | Security Hub | Defender for Cloud | Security Command Center | Wiz, Orca, Prisma Cloud |
| Threat Detection | GuardDuty | Defender for Cloud (threat protection) | Event Threat Detection | CrowdStrike Falcon, SentinelOne |
| SIEM | Security Lake + OpenSearch | Microsoft Sentinel | Chronicle | Splunk, Elastic Security |
| WAF | AWS WAF | Azure Front Door / App Gateway WAF | Cloud Armor | Cloudflare, Akamai |
| Secrets Management | Secrets Manager, Parameter Store | Key Vault | Secret Manager | HashiCorp Vault |
| EDR/XDR | (partner) | Defender for Endpoint | (partner) | CrowdStrike, SentinelOne, Palo Alto Cortex |
The honest take: no single vendor covers everything well across all three clouds. If you're running multi-cloud — and many Indian enterprises do, hosting in both ap-south-1 (Mumbai) and Azure Central India — expect to use a combination of native and third-party tools, unified through a cross-cloud SIEM and a SOC team that understands all three environments.
What Opsio Sees Across Multi-Cloud Environments
Operating a 24/7 SOC/NOC across Karlstad (EU) and Bangalore (India) gives Opsio direct visibility into recurring patterns — including those specific to Indian cloud deployments:
- Identity is the #1 attack vector. Compromised credentials — especially long-lived access keys and service accounts with excessive permissions — account for the majority of incidents we investigate. Not novel zero-days. Not sophisticated APTs. Stolen or leaked credentials used against overprivileged identities.
- Misconfigurations persist. Publicly accessible S3 buckets in ap-south-1, security groups with 0.0.0.0/0 ingress on management ports, and unencrypted databases continue to appear despite years of industry awareness. Indian BFSI organisations face additional risk here, as any such misconfiguration can trigger RBI compliance violations.
- Alert fatigue kills security programmes. Organisations that deploy tools without tuning them — GuardDuty at default settings, Defender for Cloud with every recommendation enabled — drown in noise and start ignoring alerts. A tuned, curated alert pipeline with fewer, higher-fidelity signals produces better outcomes than maximum coverage with no triage.
- Cross-cloud incidents are increasing. As Indian enterprises adopt multi-cloud architectures across AWS Mumbai/Hyderabad and Azure Central India, attackers exploit the seams. CI/CD pipelines with deployment credentials to multiple clouds are a particularly attractive target.
- Data residency adds complexity. For BFSI and government workloads, ensuring that security logs, SIEM data, and incident response artefacts all remain within Indian borders requires careful architecture — particularly when using global SaaS security tools that may route data through non-Indian regions by default.
Frequently Asked Questions
What are cloud security services?
Cloud security services are the combination of technologies, processes, and human expertise used to protect cloud-hosted workloads, data, and identities. They include identity and access management, network segmentation, encryption, continuous monitoring (SOC/SIEM), managed detection and response (MDR), vulnerability assessments, penetration testing, and compliance auditing across AWS, Azure, GCP, or multi-cloud environments. In India, these services must also account for DPDPA 2023 requirements, RBI cloud circulars for BFSI workloads, and data residency mandates for regulated industries.
What is the difference between penetration testing and vulnerability assessment?
A vulnerability assessment scans systems to catalogue known weaknesses at breadth — it tells you what could be wrong. Penetration testing goes further: a tester actively exploits vulnerabilities to prove real-world impact, chaining multiple weaknesses together the way an attacker would. Assessments are automated and frequent; pen tests are manual, targeted, and typically run quarterly or before major releases.
What is SOC reporting and how does it differ from a Security Operations Center?
SOC reporting refers to System and Organization Controls reports (SOC 1, SOC 2, SOC 3) defined by the AICPA — they are audit attestations about a service organisation's controls. A Security Operations Center is a team and facility that monitors, detects, and responds to threats 24/7. They share an acronym but serve entirely different functions. You need the operations centre to protect your environment; you need the reports to prove that protection to customers and auditors.
Do I need MDR if I already have a SIEM?
A SIEM collects and correlates logs but generates alerts that someone must investigate. MDR provides the human analysts and threat hunters who triage those alerts, investigate incidents, and take containment actions. If your team cannot staff 24/7 alert triage — and most mid-market teams cannot — a SIEM without MDR produces noise, not security. MDR turns your SIEM investment into actual outcomes.
Which Indian compliance frameworks require cloud security monitoring?
India's DPDPA 2023 requires reasonable security safeguards to protect personal data. RBI's cloud framework mandates that BFSI entities maintain continuous monitoring and data localisation within Indian borders. SEBI's cloud guidelines require regulated entities to ensure security monitoring and incident response capabilities. CERT-In directives mandate six-hour incident reporting and 180-day log retention within India. Additionally, SOC 2 Trust Services Criteria CC7 covers system monitoring, and ISO 27001 Annex A controls A.8.15 and A.8.16 address logging and monitoring. For organisations serving global clients, GDPR Article 32 and NIS2 requirements also apply.
