Fortinet SOC-as-a-Service for India's compliance reality — CERT-In, DPDP, RBI and SEBI, 2026

By Pawan Sharma  ·  Published 29 May 2026  ·  Fortinet / Compliance  ·  35 min read

India's compliance landscape moved from "have a security policy" to "prove that you detected, in time". CERT-In's 28 April 2022 Direction created a six-hour reporting clock. The DPDP Act 2023 turned breach response into a Data Protection Board notification with up to ₹250 crore in financial exposure. RBI's Cyber Security Framework and SEBI's CSCRF both require 24×7 monitoring. None of these obligations start at the breach. They start at detection — and the clock is only fair if you were actually watching. Building a 24×7 SOC in-house is a ₹2.5–₹3.5 crore commitment before the first alert is triaged. The realistic alternative is FortiGuard SOC-as-a-Service, billed by Fortinet's own datasheet as "always-on protection with 24/7 threat monitoring and incident response, without operational complexity." Critically — and this is the part most evaluations miss — SOCaaS monitors both Fortinet Security Fabric devices and a wide range of third-party vendors, with FortiSIEM as the multi-vendor analytics backbone and a defined four-priority escalation SLA topping out at 15 minutes for P1.

  • P1 = 15 min: critical escalation SLA. Top of a four-tier ladder: P1 = 15 min, P2 = 45 min, P3 = 90 min, P4 = 6 hr (Data Sheet).
  • 99.99%: service availability. Across 8 Global Response Team SOC sites, spanning AMER, EMEA and APAC including Singapore, Tokyo, Sydney.
  • Unlimited: log capacity. "Unlimited Log Capacity" headlined on the datasheet — no surprise ingest-bill spike on a noisy month.
  • Multi-vendor: not just Fortinet. FortiSIEM as analytics backbone — every connector and data source it supports is in scope.

The misread we keep seeing

"But we have AWS, Microsoft 365, Okta — does SOCaaS cover us?"

Yes. Fortinet ships two monitoring models inside the same service. Fortinet Fabric Monitoring covers FortiGate, FortiClient/FortiEndpoint, FortiSASE and the Security Fabric — onboarded in days via FortiAnalyzer. Multi-Vendor Monitoring, anchored on FortiSIEM, covers "a wide range of assets including applications, network devices such as firewalls, and cloud services from Fortinet and third-party vendors" — onboarded in weeks via collectors and agents. The Multi-Vendor SOCaaS license (FC1-10-SOCAS-1314-02-DD) is the only one that covers Application & SaaS, Cloud & IaaS, and Identity & Access monitoring domains, alongside Network, Endpoint, OT/IoT and Attack Surface. We unpack the matrix below.

The compliance clock starts when you detect — not when you decide to look

The change in Indian regulation over the last four years is not a tightening of penalties — it is a reframing of when the clock starts. CERT-In's 2022 Direction did not change what incidents you have to report. It changed the timer: six hours from becoming aware. The Direction also extended log retention to 180 days, stored within Indian jurisdiction, and added a defined list of incident classes that explicitly include data breaches and ransomware. The combined message is simple: you cannot satisfy a six-hour clock if you take a day to notice.

The DPDP Act reinforces the same theme from a different angle. The Act's reasonable-safeguards obligation runs continuously; the breach notification to the Data Protection Board is triggered the moment the breach is known; and the Schedule penalties — up to ₹250 crore per instance — are calibrated to the failure of safeguards, not just the breach. RBI's Cyber Security Framework and SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) both add sector-specific 24×7 monitoring obligations on the entities they cover.

Detection is now the regulator-visible event. SOC is the function that produces detection. You either have one, you outsource one, or you fail audits.

The four regulators that now require a SOC capability

CERT-In

Direction 20(3)/2022, 28 April 2022

Mandatory reporting of cyber incidents within 6 hours of noticing or being notified, for a defined list of incident types — unauthorised access, data breach / leak, identity theft, ransomware, attacks on critical systems, and more.

  • 180-day rolling ICT-system log retention, within Indian jurisdiction
  • Time synchronisation to NPL or NIC NTP servers
  • Reporting via the prescribed format, channels and contact points

DPDP Act

Digital Personal Data Protection Act, 2023

Continuous "reasonable security safeguards" obligation on every Data Fiduciary (Sec 8). Personal-data breach triggers notification to the Data Protection Board and to each affected Data Principal.

  • Penalty up to ₹250 crore per instance for failing to take reasonable safeguards (Schedule)
  • Penalty up to ₹200 crore per instance for failing to notify a breach
  • Form, manner and timelines per the DPDP Rules

RBI

Cyber Security Framework for Banks, 2 June 2016 (and successor circulars)

Mandates a Cyber Security Operations Centre (C-SOC) with 24×7 monitoring for scheduled commercial banks, including subsequent extensions to UCBs and NBFCs by size category. Baseline controls + Annual SAR.

  • SOC capability with continuous monitoring
  • Log retention and forensic-grade preservation
  • Incident reporting to RBI within prescribed timelines

SEBI

Cybersecurity and Cyber Resilience Framework (CSCRF), 2024

Consolidated cyber framework covering market infrastructure institutions, stock brokers, depositories, mutual funds, AIFs and other regulated entities — with SOC monitoring obligations scaled by category.

  • 24×7 SOC monitoring for qualifying entities
  • Log retention with forensic integrity
  • Incident reporting to SEBI, CERT-In and exchanges where applicable

The IRDAI Information & Cyber Security Guidelines and the various sectoral CERT-Fin advisories layer additional requirements on insurance and financial-services entities. The pattern is consistent across regulators: continuous monitoring, time-bounded reporting, evidence-grade logs. Each of those is an output of a working SOC. None of them is an output of "we have a SIEM".

The math of building this in-house

The 24×7 part is what makes in-house SOC expensive. Three shifts × seven days × leave coverage + tooling + threat intelligence + storage adds up faster than most CFOs expect. The table below is a sober mid-market estimate — your numbers will vary, but the order of magnitude is hard to escape.

| Line item (annual) | Low | High | Notes |
| SOC analysts — 4 × L1 (₹6–8 L CTC each) | ₹24 L | ₹32 L | 3 shifts + leave coverage |
| SOC analysts — 3 × L2 (₹10–14 L CTC each) | ₹30 L | ₹42 L | Triage, escalation, hunting |
| SOC lead — 1 (₹25–35 L CTC) | ₹25 L | ₹35 L | Shift planning, escalations, audits |
| Overheads on payroll (1.4× multiplier) | ₹31 L | ₹44 L | Benefits, taxes, attrition recruiting |
| SIEM platform licensing | ₹40 L | ₹80 L | EPS-based; varies sharply by ingest volume |
| EDR / XDR licensing (per endpoint) | ₹15 L | ₹30 L | 500–2,000 endpoints typical mid-market |
| Threat-intelligence feeds | ₹10 L | ₹20 L | Commercial feeds + sector-specific |
| SOAR / ticketing / case management | ₹5 L | ₹15 L | Playbook automation, case workflows |
| Compute + storage for log retention | ₹20 L | ₹40 L | 180-day rolling retention with hot/warm tiers |
| In-house SOC TCO (year 1) | ₹2.00 Cr | ₹3.38 Cr | Before any incident-response retainer or red-team |

Salary ranges reflect Indian SOC analyst CTC levels at the time of writing. Tooling ranges are partner-quoted bands for mid-market deployments and vary widely by vendor and ingest volume. Treat this as an order-of-magnitude estimate, not a quote.

The real problem

The hardest part isn't the cost — it's the people

India's SOC analyst attrition is double-digit annually at the L1 and L2 layers. Replacing an L2 takes 90+ days in a hot market. A SOC that has been running for three years has almost certainly been through one or two full team turnovers — every one of which costs detection quality, institutional context and audit defensibility. The economics are the polite version of the problem. The operational reality is that the team you trained last year is rarely the team watching the consoles this year.

The two monitoring models — Fortinet Fabric and Multi-Vendor

The single most important thing to understand about FortiGuard SOCaaS before scoping it is that it ships two distinct data-collection and monitoring models, documented on page 4 of the official datasheet. Most evaluations focus on one and miss the other.

Fortinet Fabric Monitoring

  • Analytics platform: FortiAnalyzer (cloud or on-prem)
  • Onboarding pace: "typically takes only a few days" (Data Sheet)
  • In scope: FortiGate, FortiClient / FortiEndpoint, FortiSASE, FortiWeb / FortiAppSec, FortiEDR
  • License shape: add-on or bundled with the underlying Fortinet product
  • Domain coverage: Network, Endpoint, OT & IoT (per product); Attack Surface where applicable

Multi-Vendor Monitoring

  • Analytics platform: FortiSIEM (cloud-hosted by SOCaaS)
  • Onboarding pace: "may take several weeks" depending on data-source type
  • In scope: "applications, network devices such as firewalls, and cloud services from Fortinet and third-party vendors" (Data Sheet, p.4)
  • License shape: standalone subscription — FC1-10-SOCAS-1314-02-DD, 1 GB/day, FortiCare Premium
  • Domain coverage: all seven domains incl. Application & SaaS, Cloud & IaaS, Identity & Access

The mechanical difference: Fabric Monitoring ingests via FortiAnalyzer because the data sources are already speaking the Security Fabric's protocol. Multi-Vendor Monitoring deploys FortiSIEM collectors and agents — on-prem or cloud — that ingest from third-party sources and forward to the SOC. The Ordering Guide is explicit: "FortiSIEM serves as the core security analytics platform used by the Fortinet SOC, supporting a wide range of data sources and connectors for comprehensive monitoring."

Why this matters operationally

You can mix the two — and most customers do

A typical Indian mid-market deployment runs Fabric Monitoring on FortiGate + FortiClient (because they were going to be deployed anyway), and Multi-Vendor Monitoring on top for AWS / Azure native logs, Microsoft 365, Entra ID / Okta, and any non-Fortinet appliances that survived the migration. Both feed the same FortiGuard SOC, the same incident packaging, the same FortiCloud customer portal, the same SLA ladder.

Seven monitoring domains — one license covers all of them

Page 3 of the Ordering Guide carries a coverage matrix that quietly settles the multi-vendor question. There are seven monitoring domains the SOC covers. Across the seven distinct SOCaaS licence shapes (Multi-Vendor + six product-bundled licences), only the Multi-Vendor SOCaaS licence covers all seven. Three domains — Application & SaaS, Cloud & IaaS, Identity & Access — are exclusively covered by the Multi-Vendor licence.

| Monitoring domain | Multi-Vendor SOCaaS | Product-bundled licences (FortiGate, FortiWeb / FortiAppSec, FortiSASE, FortiClient, FortiEDR, FortiEndpoint) |
| Application & SaaS | Yes | No (Multi-Vendor only) |
| Cloud & IaaS | Yes | No (Multi-Vendor only) |
| Identity & Access | Yes | No (Multi-Vendor only) |
| Network | Yes | Per product |
| Endpoint | Yes | Per product |
| OT & IoT | Yes | Per product |
| Attack Surface | Yes | Per product, where applicable |

Per-product coverage within Network, Endpoint, OT & IoT and Attack Surface varies by licence; the Ordering Guide matrix carries the per-column detail.

Source: FortiGuard SOCaaS Ordering Guide, 23 March 2026 (SOCaaS-OG-R3-20260323), p.3 — "Service Offering / SOCaaS License" matrix.

Read it as a buyer: if you have any cloud workload, any SaaS that matters, or any identity provider (Entra ID, Okta, Ping, AD) producing audit logs you need a regulator to see — you need the Multi-Vendor SOCaaS licence in the mix. The product-bundled licences are real, useful and cheaper-per-asset, but they don't reach those three domains.

The four priority escalation SLAs — what Fortinet actually commits to

The most-quoted line from the product page — "as little as 15 minutes" — is the headline number from a defined four-tier ladder. The full SLA structure is on page 6 of the datasheet under Critical Escalation Times.

| Priority | Escalation SLA | What it typically means |
| P1 — Priority 1 | 15 minutes | High-severity confirmed incident — ransomware precursor, active credential abuse, confirmed exfiltration, public-facing compromise. Escalation timer starts at analyst confirmation. |
| P2 — Priority 2 | 45 minutes | Confirmed incident requiring response — significant policy violation, suspicious lateral movement, targeted attack pattern with limited blast radius. |
| P3 — Priority 3 | 90 minutes | Confirmed event of interest — anomaly that warrants review, posture drift, low-confidence detection with corroborating signals. |
| P4 — Priority 4 | 6 hours | Informational or low-risk — reporting items, advisory bulletins, hygiene observations, items for the weekly insights report. |

For an Indian customer mapping to the CERT-In 6-hour clock, this matters: a P1 escalation lands in your customer portal in 15 minutes, which means the regulator-facing decision window — drafting and signing the CERT-In report — has the remaining 5 hours and 45 minutes to play with, not a frantic last-hour scramble.

The MITRE ATT&CK detection catalog

Fortinet publishes the SOCaaS detection catalog as a Q2 / 2026 reference guide (the SOCaaS Threat Detection Reference Guide). Every detection is mapped to a MITRE ATT&CK Tactic and Technique, and each row names the Fabric or third-party source required to fire it. The published catalog covers both IT and OT, structured along the cyber kill chain.

Vulnerabilities

FortiGate / FortiSASE device logging + FortiClient vulnerability scan logs.

Reconnaissance (TA0043)

Active Scanning (T1595) — FortiGate, FortiSASE, FortiWeb traffic + IPS + attack logs.

Initial Access & Delivery (TA0001)

Brute force, external remote services, drive-by, exploit of public app, phishing — FortiGate, FortiSASE, FortiWeb, FortiSandbox.

Execution (TA0002)

Software deployment tools, command/scripting, exploitation for client execution, user execution — FortiAnalyzer + Microsoft 365 audit logs for Office 365 user-execution coverage.

Credential Access (TA0006)

OS credential dumping (LSASS), input capture, brute force, certificate theft — FortiEDR + FortiAnalyzer + Microsoft 365 audit logs.

Lateral Movement (TA0008)

Remote services, software deployment tools, exploitation of remote services, internal spear-phishing — FortiGate, FortiSASE, FortiClient + Windows events, FortiSandbox.

Command & Control (TA0011)

Data obfuscation, fallback channels, encrypted channel, dynamic resolution — FortiGate + FortiSASE IPS, web/DNS filtering, traffic.

Exfiltration & Impact (TA0010, TA0040)

Exfiltration over C2 channel / alternative protocol / web service; ransomware data encryption — FortiGate, FortiSASE, FortiEDR ransomware-prevention policy, FortiClient.

The detection catalog is the most concrete answer to "what does the SOC actually look for?". It's authored, versioned, and mapped to MITRE — not a marketing fly-over. The same guide also covers OT-specific detections (Industrial-protocol exploit, Hardcoded Credentials T0891, Denial of Service T0814) for customers running OT estates under SOCaaS coverage.

What runs inside the customer portal

FortiCloud Built-in Portal

The single window into what the SOC is doing on your behalf

From the datasheet: "Customer Portal provides centralized visibility into SOC operations including monitored assets, alerts, reports, dashboards, service requests, settings and more." Integrates with FortiCloud IAM, IDP, API and Organizations — you control who sees what, and you can wire it into your own ticketing.

What you can do in the portal, day-to-day: review every escalated incident with full timeline + IOCs + affected entities + sample logs; raise tuning requests; request threat hunting and additional investigations; provide false-positive feedback that the SOC uses to tune detection content; pull reports on demand and on schedule.

Incident Triage Report

Per-incident package — covered on every SOCaaS licence type.

Weekly SOC Insights Report

Steady-state rhythm — covered on Multi-Vendor + most product-bundled licences.

Forensics Analysis Report

Available with FortiSASE, FortiClient and FortiEndpoint SOCaaS licences via FortiClient Forensics Service.

Service Delivery Managers (SDMs)

Dedicated SDMs guide your SOCaaS journey; on-demand service reviews per the datasheet.

Risk-Adjusted Alerts

Per-entity risk scores; impact assessment baked into prioritisation.

Feedback & Threat Hunt Requests

Customer-driven tuning, exception requests, threat-hunt asks — all logged in the portal.

Certifications and global footprint

SOC 2 Type II compliant, with eight Global Response Team SOC sites

Per the Solution Brief, the FortiGuard SOC is SOC 2 Type II Compliant; the Data Sheet adds that multi-tenancy "meets ISO and SOC2 compliance requirements." For Indian regulated entities outsourcing a control function under RBI's IT outsourcing rules, that's the third-party attestation an auditor expects.

Global Response Teams operate from eight sites — Burnaby (CA), Plano (US), Nice and Paris (FR), Frankfurt (DE), Madrid (ES), Prague (CZ), Singapore, Tokyo (JP) and Sydney (AU) — so a P1 in India working hours has expert analysts already on shift in APAC.

How a CERT-In 6-hour ticket actually clears

The most useful way to evaluate any SOC is to walk a representative incident from detection to regulator. The timeline below is what a well-run FortiGuard SOC engagement looks like on a textbook ransomware-precursor case — credential theft, lateral movement attempt, attempted exfiltration. Times are illustrative but consistent with the service-level commitments these engagements carry.

1. Detection — FortiEDR fires on credential dumping
   FortiEDR flags an LSASS access pattern from an unsigned binary on a corporate laptop. Alert lands in FortiSIEM, correlated with the user's recent identity events.
   Elapsed: T+0 min

2. Triage — FortiGuard SOC analyst confirms
   L1 analyst pulls process tree, parent-process lineage and recent network from FortiEDR; correlates with FortiAnalyzer firewall log showing outbound connection to a known C2 IP from FortiGuard threat-intel feed.
   Elapsed: T+8 min

3. Tier-1 containment — FortiSOAR playbook
   Playbook auto-isolates the endpoint via FortiEDR, blocks the C2 IP on FortiGate via Fabric Connector, disables the user in identity provider, and snapshots the endpoint for forensics.
   Elapsed: T+12 min

4. Expert-led escalation to your security lead (the 15-min commitment)
   Incident package delivered into the cloud customer portal: timeline, IOCs, scope assessment, containment status, evidence preservation. Your SOC liaison joins a bridge if needed. This is the "15-minute expert-led escalation" Fortinet's product page commits to — measured from the moment of first analyst contact, the regulator clock has hours of buffer left.
   Elapsed: T+15 min from analyst confirmation

5. Forensic confirmation — scope, blast radius, exfiltration check
   Expert analysts walk through endpoint forensics from FortiClient, check FortiAnalyzer for related lateral-movement attempts, query the SOC platform for the user's recent application access (FortiSASE / ZTNA logs make this clean), confirm whether any data left the perimeter.
   Elapsed: T+1 hr 15 min

6. CERT-In report drafted in prescribed format
   The SOC produces a CERT-In-format report — incident type, time of detection, affected systems, indicators of compromise, current containment status, contact details. Your security lead reviews and signs off.
   Elapsed: T+2 hr 30 min

7. Report submitted to CERT-In, well inside 6 hours
   Report submitted via the prescribed channel. If personal data is implicated, the DPDP-required notification to the Data Protection Board and affected Data Principals is drafted in parallel, ready for approval and dispatch in the prescribed form.
   Elapsed: T+3 hr 30 min — 2 hours of buffer remaining

The contrast with the unmanaged case is stark. Without a SOC, the LSASS alert sits on an EDR console nobody is watching. The first sign is the ransom note. The 6-hour clock has long since started, but nobody knows what to put in the report because nobody preserved the forensic state. The fine is the same regardless.
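The SLA ladder and the seven-step timeline above can be checked mechanically rather than by eye. The following Python is an added example, not Fortinet's or Ogma's code: it parses the article's "Elapsed: T+…" markers, measures escalation from analyst confirmation (as the SLA table specifies) and the CERT-In window from the moment of awareness, and scores both the managed timeline and a constructed unmanaged case. The function names, field names and the unmanaged-case timings are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Critical Escalation Times from the datasheet, in minutes, measured from
# analyst confirmation of the incident.
ESCALATION_SLA_MIN = {"P1": 15, "P2": 45, "P3": 90, "P4": 6 * 60}

# CERT-In Direction: report within six hours of noticing or being notified.
CERT_IN_WINDOW_MIN = 6 * 60

_ELAPSED_RE = re.compile(r"T\+\s*(?:(\d+)\s*hr)?\s*(?:(\d+)\s*min)?")


def parse_elapsed(marker: str) -> int:
    """Convert an 'Elapsed: T+1 hr 15 min' style marker into minutes."""
    m = _ELAPSED_RE.search(marker)
    if m is None or (m.group(1) is None and m.group(2) is None):
        raise ValueError(f"not an elapsed-time marker: {marker!r}")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)


@dataclass
class Incident:
    """Timestamps are minutes elapsed since the clock reference point."""
    priority: str                 # P1..P4 per the SLA ladder
    aware_at: int                 # first notice or notification: CERT-In clock starts here
    confirmed_at: Optional[int]   # analyst confirmation: escalation SLA starts here
    escalated_at: Optional[int]   # incident package lands in the customer portal
    reported_at: Optional[int]    # CERT-In report submitted


def evaluate(inc: Incident) -> dict:
    """Score one incident against the escalation SLA and the CERT-In window."""
    sla = ESCALATION_SLA_MIN[inc.priority]
    deadline = inc.aware_at + CERT_IN_WINDOW_MIN
    issues = []

    # Escalation SLA: only evidenceable if both confirmation and escalation were logged.
    escalation_minutes = None
    if inc.confirmed_at is None or inc.escalated_at is None:
        sla_met = False
        issues.append("no analyst confirmation/escalation recorded; SLA cannot be evidenced")
    else:
        escalation_minutes = inc.escalated_at - inc.confirmed_at
        sla_met = escalation_minutes <= sla
        if not sla_met:
            issues.append(f"{inc.priority} escalation took {escalation_minutes} min; SLA is {sla} min")

    # CERT-In clock: six hours from awareness, regardless of when triage happened.
    if inc.reported_at is None:
        cert_in_met, buffer_min = False, None
        issues.append("no CERT-In report recorded")
    else:
        buffer_min = deadline - inc.reported_at
        cert_in_met = buffer_min >= 0
        if not cert_in_met:
            issues.append(f"CERT-In report filed {-buffer_min} min after the 6-hour deadline")

    return {
        "priority": inc.priority,
        "escalation_sla_min": sla,
        "escalation_minutes": escalation_minutes,
        "escalation_sla_met": sla_met,
        "cert_in_deadline_min": deadline,
        "cert_in_met": cert_in_met,
        "buffer_min": buffer_min,
        "issues": issues,
    }


# The article's managed timeline (steps 1 to 7), using its own "Elapsed" markers.
# Step 4 is stated relative to analyst confirmation, so it is added to step 2's time.
MANAGED = Incident(
    priority="P1",
    aware_at=parse_elapsed("T+0 min"),
    confirmed_at=parse_elapsed("T+8 min"),
    escalated_at=parse_elapsed("T+8 min") + parse_elapsed("T+15 min from analyst confirmation"),
    reported_at=parse_elapsed("T+3 hr 30 min"),
)

# Constructed unmanaged case (times are this example's own, not from the article):
# the EDR alert fired on an unwatched console at T+0, nobody confirmed or escalated
# it, and the report went out 36 hours later, after the ransom note.
UNMANAGED = Incident(priority="P1", aware_at=0, confirmed_at=None,
                     escalated_at=None, reported_at=36 * 60)


if __name__ == "__main__":
    for name, inc in (("managed", MANAGED), ("unmanaged", UNMANAGED)):
        print(name, evaluate(inc))
```

For the T+3 hr 30 min filing the function reports a buffer of 150 minutes, i.e. 2 h 30 min before the six-hour deadline; the unmanaged case fails both the SLA check (nothing to evidence) and the CERT-In window.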

What gets logged, what gets retained, where it sits

| Data class | Source | Retention | Location |
| Firewall logs (FortiGate, FortiSASE) | FortiAnalyzer | 180 days hot + archive | India region (cloud) or on-prem appliance |
| Endpoint telemetry | FortiEDR → FortiSIEM | 180 days hot + archive | India region or on-prem |
| Identity / authentication events | Azure AD / Okta → FortiSIEM | 180 days hot + archive | India region |
| Cloud audit logs (AWS / Azure) | CloudTrail / Activity Log → FortiSIEM | 180 days hot + archive | India region |
| ZTNA application-access logs | FortiSASE → FortiAnalyzer | 180 days hot + archive | India region |
| SOC case records, incident packages | FortiSOAR | 5 years (default) or per your policy | India region |
| Time synchronisation | NPL / NIC NTP per CERT-In Direction | n/a | India authoritative source |

180 days is the CERT-In Direction's minimum for ICT-system logs. Most regulated entities — and most audit programmes — require longer for case records and forensic evidence. The defaults above carry that without re-architecting at audit time.

Five use-cases the SOC handles on day one

Ransomware precursor

Credential dumping, suspicious encryption activity, shadow-copy deletion, mass file modification — detected and contained before the ransom note lands.

Identity abuse / BEC

Impossible-travel logins, OAuth abuse, mailbox-rule manipulation, MFA fatigue patterns. Correlated across identity provider and FortiMail data.

Lateral movement after VPN / ZTNA compromise

Unusual cross-application access patterns; service-account misuse; jump-host hopping. ZTNA logs make scope reconstruction clean.

Data exfiltration

Large outbound transfers, anomalous SaaS-to-personal-cloud flows, DNS tunnelling, encoded exfiltration. FortiNDR + FortiAnalyzer behavioural detection.

Insider abuse

Privileged user accessing data outside role, off-hours unusual activity, post-resignation data access. UEBA + ZTNA application-access correlation.

Cloud misconfiguration exploitation

Public S3 buckets, IAM key abuse, control-plane anomalies. CloudTrail and Activity Log feed into the SOC SIEM directly.

What stays your responsibility, what the SOC takes

FortiGuard SOC's scope

  • 24×7×365 threat monitoring with AI-driven alert triage
  • Expert-led incident escalation in as little as 15 minutes
  • Detection content driven by FortiGuard threat intelligence
  • Containment via Managed FortiGate, FortiSASE and FortiClient integrations
  • Incident packaging — timeline, IOCs, scope, evidence — into the customer portal
  • CERT-In format report drafting (signed and submitted by you)
  • Quarterly briefings + hardening tips + customised progress reports

Your team's scope

  • Approval of containment actions that affect business operations
  • Business-context calls — "is this user supposed to be doing X?"
  • Internal stakeholder communication during a confirmed incident
  • External notifications under your name (CERT-In, Board, regulators) — draft from SOC, sign-off from you
  • Forensics and recovery beyond initial containment
  • Policy decisions (acceptable use, identity, data residency)

The boundary is deliberate. The SOC does the work that needs continuous attention and specialist tooling. You keep the decisions that need business context and legal accountability. Every action is logged in the cloud customer portal, both sides — auditable end-to-end.

A 30-day onboarding plan

DAY 1–3

Scoping and data sources

List all log sources — FortiGate, FortiSASE, FortiEDR, identity provider, cloud audit, SaaS, custom apps. Categorise by criticality and event volume (EPS). Validate retention and storage residency requirements.

DAY 4–7

FortiAnalyzer / FortiSIEM tenancy provisioning

Stand up the SOC data plane. Configure NTP to NPL / NIC sources per CERT-In Direction. Set 180-day rolling retention with India-region storage. Onboard first three log sources.

DAY 8–14

Detection content + first playbooks

Apply FortiGuard detection content tuned to your environment. Implement the first 10 FortiSOAR playbooks — IOC block, endpoint isolation, user disable, evidence preservation, escalation routing.

DAY 15–21

Onboard remaining log sources + tune

Identity events, cloud audit, SaaS, FortiEDR, FortiNDR if applicable. Run a tabletop exercise on a credential-theft scenario. Tune detection thresholds against your baseline activity.

DAY 22–25

SOC liaison + runbook agreement

Define escalation paths, business-hours contact, after-hours on-call. Sign off the CERT-In reporting workflow with your security lead. Agree the monthly executive report format.

DAY 26–30

Go-live + first 30-day review

Production monitoring begins. First weekly review confirms detection coverage and tunes false-positive rates. Day-30 review formalises the steady-state service level.

An anonymised India engagement

A real outcome — anonymised

Indian NBFC, ≈ 1,200 staff, RBI-regulated, prior unmanaged SIEM

The incumbent setup was a self-hosted SIEM with a two-analyst team during business hours. Out-of-hours coverage was nominal. The last RBI cyber audit cited inadequate evidence of 24×7 monitoring and partial CERT-In incident-reporting workflow. The audit programme was costing the security team six weeks per cycle to reconstruct evidence.

Post-rollout: FortiAnalyzer + FortiSIEM + FortiSOAR + FortiEDR deployed across 1,200 endpoints and the AWS Mumbai estate. FortiGuard SOC-as-a-Service took over Tier-1. The first three months produced 4 confirmed incidents — two BEC attempts caught at the OAuth-grant stage, one ransomware precursor (LSASS access) contained inside 18 minutes, one cloud-IAM-key abuse caught from CloudTrail. The next RBI audit cycle closed the 24×7 monitoring finding and reduced evidence-reconstruction effort from six weeks to four working days.

FAQ

Does outsourcing the SOC transfer regulatory liability?
No — the regulated entity remains the accountable party under RBI, SEBI, CERT-In and DPDP. The SOC service produces detections, evidence, and CERT-In-format reports, but your security lead signs and submits, and your organisation retains the legal accountability. RBI's IT outsourcing guidelines specifically require this division to be contractual and the regulator-facing decisions to be yours.
Is Ogma CERT-In empanelled?
No. Ogma is an authorised Fortinet partner and delivers Fortinet SOC-as-a-Service as a partner-led engagement. The CERT-In reports produced by the SOC follow the format CERT-In requires; the empanelment of the entity submitting is a question for the customer's compliance team. We do not and will not claim CERT-In empanelment we do not hold.
Does SOCaaS support non-Fortinet products and third-party data sources?
Yes — explicitly. The Data Sheet describes two monitoring models: Fortinet Fabric Monitoring (FortiAnalyzer-anchored, for FortiGate / FortiClient / FortiEndpoint / FortiSASE) and Multi-Vendor Monitoring anchored on FortiSIEM. The Multi-Vendor model covers "applications, network devices such as firewalls, and cloud services from Fortinet and third-party vendors". The published threat-detection catalog names Microsoft 365 / Office 365 and MS Windows as third-party sources alongside Fortinet products; the SKU is FC1-10-SOCAS-1314-02-DD (1 GB/day, FortiCare Premium included). All connectors and data sources FortiSIEM supports are in scope.
How fast does the SOC escalate a real incident?
Per the Data Sheet's Critical Escalation Times: P1 = 15 minutes, P2 = 45 minutes, P3 = 90 minutes, P4 = 6 hours. A confirmed high-severity incident (P1) lands in your customer portal within 15 minutes of analyst confirmation. AI-driven alert triage collapses noise upstream so analyst attention goes to the real ones first.
What are the FortiGuard SOC's own certifications?
The Solution Brief carries a SOC 2 Type II Compliant badge for the FortiGuard SOC; the Data Sheet adds that multi-tenancy "meets ISO and SOC2 compliance requirements." For a regulated Indian entity outsourcing a control function under RBI's IT outsourcing rules, this is the third-party attestation an auditor expects in the contract documentation.
Which monitoring domains does each SOCaaS licence shape cover?
There are seven monitoring domains: Application & SaaS, Cloud & IaaS, Identity & Access, Network, Endpoint, OT & IoT, and Attack Surface. The Multi-Vendor SOCaaS licence covers all seven. Product-bundled licences (FortiGate, FortiWeb/FortiAppSec, FortiSASE, FortiClient, FortiEDR, FortiEndpoint) cover a subset. The three cloud-side domains — Application & SaaS, Cloud & IaaS, Identity & Access — are exclusively covered by the Multi-Vendor licence.
Where do logs sit? Indian residency?
FortiAnalyzer / FortiSIEM tenancies for India-based customers are configured to keep ICT-system logs within Indian jurisdiction as the CERT-In Direction requires. The on-prem appliance option keeps logs entirely on customer premises. Cloud-hosted SOCaaS tenancies use Indian regions for India customers. The FortiGuard SOC's APAC footprint (Singapore, Tokyo, Sydney) keeps response time-zone-appropriate.
What about pre-existing FortiAnalyzer / FortiSIEM deployments?
Fully supported. The Ordering Guide explicitly lists on-prem FortiAnalyzer as supported alongside the cloud option for FortiGate, FortiClient and FortiEndpoint SOCaaS licences. The SOC team plugs into your existing tenancy; existing detection content is supplemented with FortiGuard content, not overwritten.
How is SOCaaS priced and packaged?
SOCaaS is licensed as a subscription in two main shapes: SOCaaS Multi-Vendor Monitoring as a standalone subscription (1 GB/day per licence, FortiCare Premium included) for environments with third-party data sources, and SOCaaS Fabric Monitoring as an add-on or bundle to specific Fortinet products (FortiGate, FortiSASE Advanced/Comprehensive, FortiWeb / FortiAppSec, FortiClient, FortiEDR XDR, FortiEndpoint). FortiFlex Program and FortiPoints are supported for FortiGate. Ogma sizes the right mix against your environment.
What happens if we have a real incident on day 35?
Standard service covers the day-to-day. The FortiGuard Incident Response service is a separate engagement — deep-dive forensics, malware analysis, attacker-eviction, lessons-learnt. Most customers carry it as a retainer; if you don't, it's invoked on activation. The SOCaaS team coordinates the handover and continues to monitor throughout.
How do we know it's actually working?
Monthly executive report covering: alerts processed, true positives, mean-time-to-detect, mean-time-to-respond, top detection categories, false-positive trend, content updates applied, posture changes recommended. Quarterly tabletop exercises validate the response playbooks against fresh threat scenarios. All actions in FortiSOAR — yours and the SOC's — are auditable.
How do we evaluate this before committing?
Ogma offers a free 7-working-day SOC readiness assessment. We review your current detection coverage, log sources, retention posture and incident-reporting workflow against CERT-In, DPDP, and the applicable sector framework (RBI, SEBI, IRDAI). The deliverable is a gap report with prioritised remediation and a Fortinet SOC-as-a-Service quote sized to your environment. No commitment to roll forward.

Free 7-day SOC readiness assessment

See the gap between where you are and what the regulator expects

Ogma reviews your detection coverage, log sources, retention posture and incident-reporting workflow against the CERT-In Direction, the DPDP Act and the applicable sector framework (RBI, SEBI, IRDAI). You get a gap report with prioritised remediation and a Fortinet SOC-as-a-Service quote sized to your environment, in seven working days.
