Fortinet SOCaaS for Indian Enterprises — Architecture, Capabilities, and Deployment Guide
Building an in-house Security Operations Centre demands a minimum of 8–12 analysts working in shifts, a SIEM platform, a SOAR engine, threat intelligence feeds, and continuous training — an annual investment that exceeds ₹3–5 crore for most mid-market Indian organisations before a single alert is triaged. Fortinet's SOC-as-a-Service (SOCaaS) eliminates that burden by extending your security team with Fortinet's own global SOC analysts, AI-driven triage, and FortiGuard threat intelligence — delivered as a subscription tied to your existing Fortinet Security Fabric deployment.
What Is Fortinet SOCaaS?
Fortinet SOCaaS is a cloud-based managed security service that provides continuous visibility into threats across your network. It is delivered by a global team of security analysts working 24×7×365, powered by FortiGuard Threat Intelligence Services. The service covers three core functions:
- Monitor, Detect, and Investigate — Fortinet analysts monitor and investigate FortiGate alerts and notifications around the clock, notifying your team only when something is important and needs attention.
- Respond — When a legitimate threat is detected, Fortinet's security experts notify your team with analysis of what happened, why it happened, and what steps to take to remediate the incident. Critical alerts are escalated within 15 minutes.
- Improve — A cloud-based portal with dashboards, on-demand reports, and regular service reviews allows your team to drill into incidents, improve security posture, and reduce alert noise over time.
Global SOC Infrastructure
Fortinet operates SOC facilities and data centres across multiple regions to provide follow-the-sun coverage:
- Americas — Burnaby (Canada), Plano TX (US)
- EMEA — Nice and Paris (France), Frankfurt (Germany), Madrid (Spain), Prague (Czechia)
- APAC — Singapore, Tokyo (Japan), Sydney (Australia)
For Indian enterprises, the Singapore and Tokyo SOC facilities provide the lowest latency for alert processing and analyst response. The service carries 99.99% availability, unlimited log capacity, and support for Fortinet Security Fabric log data ingestion.
How Threat Detection Works
SOCaaS threat detection operates through two distinct data collection and analytics models, depending on your deployment:
1. Fortinet Fabric Monitoring
When your organisation runs Fortinet Security Fabric devices — FortiGate firewalls, FortiClient endpoints, FortiSASE, FortiWeb, FortiEDR, or FortiEndpoint — these can be onboarded directly to SOCaaS. FortiAnalyzer (cloud or on-premises) serves as the primary analytics platform to collect, process, and forward logs to the SOC for monitoring and analysis. Onboarding typically completes within a few days.
This is the fastest path. If you already have FortiGate deployed at your branches and headquarters, adding SOCaaS as an add-on license (SKU: FC-10-[Model]-464-02-DD) gives you immediate 24×7 monitoring with a complimentary FortiAnalyzer Cloud instance.
2. Multi-Vendor Monitoring
For environments that include applications, network devices, firewalls, and cloud services from non-Fortinet vendors, SOCaaS uses FortiSIEM as the core analytics platform. FortiSIEM collectors and agents are deployed on-premises or in the cloud to securely collect logs and forward them to the SOC. This model supports a wider range of data sources but onboarding takes several weeks depending on the systems being integrated.
The multi-vendor SOCaaS subscription (SKU: FC1-10-SOCAS-1314-02-DD) includes 1 GB/day of log monitoring covering both Fortinet and third-party sources, with FortiCare Premium included.
Key Capabilities
24×7 Monitoring and SOC Expert Access
Your organisation gets continuous access to certified SOC analysts across all time zones. These are not tier-1 ticket-loggers — they are Fortinet-trained security professionals who provide expert-level support for escalated security alerts, with deep knowledge of the Security Fabric products generating those alerts.
AI-Driven Automated Triage
SOAR automation playbooks extract insights from different data sources and enrich alerts. AI-driven alert triage capabilities — trained over years of operational data — enable the SOC team to make fast, accurate decisions. Alerts are automatically enriched by CMDB metadata and historical activities of affected assets, providing more context for triage and reducing false positives.
FortiCloud SOC Portal
The customer portal provides centralised visibility into SOC operations: monitored assets, alerts, reports, dashboards, service requests, and direct communication with SOC analysts. It integrates with FortiCloud Central Management (IAM, IDP, API), allowing your existing identity provider to control access to SOC data.
Incident Response Guidance
Following initial triage, the SOC provides analysis, a verdict, a severity classification, and incident response guidance. You receive the source of detection, indicators of compromise, affected users and entities, triage reports with historical data, and sample logs. A risk score system calculates risk across users, endpoints, indicators, security events, and alerts — enabling automated risk-adjusted alert prioritisation.
Integration with Fortinet Managed Services
SOCaaS coordinates with other subscribed Fortinet Managed Services. SOC alerts shared with Managed FortiGate, FortiClient, or FortiEndpoint services can trigger containment actions directly. SOC data shared with MDR enhances XDR capability. Data shared with FortiGuard Forensics and Incident Response services facilitates investigation, remediation, and recovery — creating a cohesive incident response lifecycle.
Critical Escalation SLAs
Fortinet publishes defined escalation timeframes based on alert priority:
| Priority | Escalation Time | Typical Scenario |
|---|---|---|
| P1 — Critical | 15 minutes | Active ransomware, confirmed data exfiltration, compromised admin credentials |
| P2 — High | 45 minutes | Lateral movement detected, suspicious C2 communication, privilege escalation |
| P3 — Medium | 90 minutes | Policy violations, anomalous user behaviour, failed brute-force attempts |
| P4 — Low | 6 hours | Informational alerts, configuration drift, compliance observations |
These SLAs are contractual — not aspirational targets. For Indian enterprises operating under RBI, SEBI, or CERT-In compliance mandates, this provides documented evidence of a 24×7 monitoring and response capability backed by a globally recognised security vendor.
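An added example (not Fortinet's or Ogma's code) of how a customer's security team could check the escalation windows above against its own alert records during a service review. The CSV export layout, the alert rows and the evaluation time are constructed for illustration; this page does not describe the portal's report format, so treat them as assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Escalation windows exactly as published in the SLA table above.
SLA_WINDOWS = {"P1": timedelta(minutes=15), "P2": timedelta(minutes=45),
               "P3": timedelta(minutes=90), "P4": timedelta(hours=6)}

# Constructed sample export (not a real portal format; this page does not
# document one). Empty escalated_at means the SOC has not escalated yet.
SAMPLE_ALERTS = """\
alert_id,priority,detected_at,escalated_at
A-1001,P1,2026-03-24T09:00:00Z,2026-03-24T09:12:00Z
A-1002,P1,2026-03-24T10:30:00Z,2026-03-24T10:50:00Z
A-1003,P2,2026-03-24T11:00:00Z,2026-03-24T11:40:00Z
A-1004,P2,2026-03-24T11:20:00Z,
A-1005,P3,2026-03-24T12:00:00Z,
A-1006,P4,2026-03-24T06:00:00Z,2026-03-24T13:00:00Z
"""
SAMPLE_NOW = "2026-03-24T12:30:00Z"  # constructed evaluation time for the sample run

def _parse_ts(value):
    """ISO-8601 UTC timestamp with 'Z' suffix -> aware datetime; None if empty."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def parse_alerts(text):
    return [{"alert_id": r["alert_id"], "priority": r["priority"],
             "detected_at": _parse_ts(r["detected_at"]),
             "escalated_at": _parse_ts(r["escalated_at"])}
            for r in csv.DictReader(io.StringIO(text))]

def classify(alert, now):
    """met/breached once escalated; open/overdue while still pending."""
    deadline = alert["detected_at"] + SLA_WINDOWS[alert["priority"]]
    if alert["escalated_at"] is None:
        return "overdue" if now > deadline else "open"
    return "met" if alert["escalated_at"] <= deadline else "breached"

def sla_report(text, now_iso):
    """Outcome counts per priority, evaluated as of now_iso."""
    now = _parse_ts(now_iso)
    report = {p: {"met": 0, "breached": 0, "open": 0, "overdue": 0} for p in SLA_WINDOWS}
    for alert in parse_alerts(text):
        report[alert["priority"]][classify(alert, now)] += 1
    return report

def compliance_pct(bucket):
    """Percent escalated in time; overdue counts as missed, open is excluded."""
    decided = bucket["met"] + bucket["breached"] + bucket["overdue"]
    return 100.0 if decided == 0 else round(100.0 * bucket["met"] / decided, 1)
```

Calling sla_report(SAMPLE_ALERTS, SAMPLE_NOW) gives per-priority counts that feed compliance_pct; an alert still unescalated past its window is counted as a miss rather than silently ignored.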
MITRE ATT&CK Coverage
Fortinet publishes a comprehensive SOCaaS Threat Detection Reference Guide mapping every detection to the MITRE ATT&CK framework. The coverage spans both IT and OT threat detections, organised by Cyber Kill Chain phase:
IT Threat Detections
| Kill Chain Phase | MITRE Tactics Covered | Key Detections |
|---|---|---|
| Reconnaissance | TA0043 | Active Scanning (T1595) via FortiGate/FortiSASE IPS and FortiWeb attack logs |
| Delivery | TA0001 (Initial Access) | External Remote Services (T1133), Drive-by Compromise (T1189), Phishing (T1566) via FortiGate + FortiSandbox |
| Exploitation | TA0002, TA0006 | Software Deployment Tools (T1072), Command and Scripting Interpreter (T1059), Credential Dumping (T1003), Brute Force (T1110) |
| Installation | TA0008, TA0003 | Lateral Movement via Remote Services (T1021), Internal Spearphishing (T1534), Persistence via Account Manipulation (T1098) |
| Command & Control | TA0011 | Data Obfuscation (T1001), Fallback Channels (T1008), Multi-Stage Channels (T1104), Dynamic Resolution (T1568) |
| Actions on Objectives | TA0010, TA0040 | Exfiltration over C2 (T1041), Data Destruction (T1485), Ransomware (T1486), Disk Wipe (T1561) |
OT Threat Detections
For industrial environments, SOCaaS detects OT-specific threats using FortiGate's OT Security license — covering ICS/SCADA protocols, industrial application control, and OT-specific IPS signatures. The OT detections cover Initial Access (T0819, T0866), Discovery (T0846), Lateral Movement (T0866), Persistence (T0891), and Denial of Service (T0814) techniques from the MITRE ATT&CK for ICS framework.
Licensing and SKU Structure
SOCaaS licensing depends on which Fortinet products you deploy. Here is the licensing structure as documented in Fortinet's ordering guide (document SOCaaS-OG-R3-20260323):
FortiGate + SOCaaS
Add-on to any FortiGate HW/VM. SKU: FC-10-[Model]-464-02-DD. Includes FortiAnalyzer Cloud (complimentary instance with limited storage), SOCaaS 24×7 cloud-based monitoring, incident triage, and SOC escalation service. Each FortiGate in an HA pair requires its own license. FortiFlex Program and FortiPoints are supported for purchase and renewal.
FortiSASE + SOCaaS
Bundled with FortiSASE Advanced or Comprehensive Subscription. Logs from FortiSASE Analytics are sent to SOCaaS for monitoring. Onboarding completes on the SOCaaS portal.
FortiWeb / FortiAppSec + SOCaaS
Available as add-on to FortiWeb HW/VM (must have Advanced or Enterprise subscription) or included with FortiAppSec Enterprise subscription. FortiAppSec Cloud Threat Analytics is required for SOC monitoring.
FortiEndpoint + SOCaaS
Bundled with Managed FortiEndpoint and select DIY FortiEndpoint licenses. FortiAnalyzer Cloud is included. Multiple tiers available — from DIY XDR + SOCaaS to Managed XDR + SOCaaS with full FortiEDR and Network detection correlation.
FortiClient + SOCaaS
Bundled with FortiClient Forensics Analysis Service subscriptions. Both EMS Cloud and EMS On-premise are supported.
Multi-Vendor SOCaaS
Standalone subscription for environments with mixed-vendor infrastructure. SKU: FC1-10-SOCAS-1314-02-DD. Includes 1 GB/day of log monitoring covering Fortinet and third-party sources, FortiCare Premium, and full SOC escalation services.
Multi-Tenancy for MSSPs and Partners
SOCaaS is built with multi-tenancy at its core, designed for Managed Security Service Providers (MSSPs) and Fortinet partners who need to manage security operations for multiple clients. Key multi-tenancy features:
- Dedicated Fabric Devices — Each tenant gets a dedicated fabric device assigned during onboarding, monitored exclusively for that tenant
- Shared Fabric Devices — For FortiGate and FortiClient deployments, a single physical device can be shared across tenants using FortiGate VDOMs or FortiClient EMS Sites
- FortiCloud Organizations — MSSPs manage multiple FortiCloud accounts (one per tenant) with centralised portal visibility across all tenants
The multi-tenancy architecture meets ISO and SOC2 compliance requirements with clear data boundaries between tenants.
The In-House vs Outsourced SOC Decision
Fortinet's own published incident response checklist identifies five questions every organisation should answer before deciding to build an in-house incident response function:
- Can you find the right cybersecurity staff? — IR professionals need skills in digital forensics, threat hunting, and incident containment. A global survey found that 67% of incident responders experience daily anxiety in the role — it is a specialised function where recruitment and retention are constant challenges.
- Can you staff 24×7? — Incidents do not wait for business hours. The longer a breach persists, the more an attacker can move laterally and escalate privileges.
- Can you afford the expertise? — NIST recommends dedicating IR staff full-time (not as a secondary responsibility) and separating the role from security administration and operations.
- Can you afford the response-specific costs? — Beyond personnel, you need forensic tools, sandboxing environments, and continuous adversary TTP training.
- Are you concerned about sharing access? — Outsourcing means granting a third party access to sensitive systems. But the alternative — keeping unqualified staff or part-time coverage — often creates more risk.
For most Indian mid-market and enterprise organisations, the honest answers to these questions point strongly toward a hybrid model: retain a small internal security team for policy, compliance, and business context, and extend it with SOCaaS for 24×7 monitoring, triage, and escalation.
What SOCaaS Does Not Replace
It is important to understand the boundaries. SOCaaS provides monitoring, triage, and response guidance — but it does not replace:
- Your internal security policy function — You still define acceptable use, access controls, and compliance requirements
- Active incident containment — SOCaaS provides guidance; your team (or Managed FortiGate service) executes containment. Adding Managed FortiGate Service (SKU: FC-10-[Model]-660-02-DD) enables Fortinet NOC experts to take direct action on your FortiGate.
- Digital forensics — For deep-dive forensic investigation, Fortinet offers FortiGuard Forensics and Incident Response as separate services that integrate with SOCaaS
- Compliance documentation — SOCaaS provides evidence of 24×7 monitoring for auditors, but your GRC team still owns the compliance programme
Deployment Through Ogma
As an authorised Fortinet partner, Ogma helps Indian enterprises plan, license, deploy, and operationalise FortiGuard SOCaaS. Our engagement covers:
- Architecture assessment — We map your existing Fortinet deployment (FortiGate models, FortiAnalyzer, FortiClient/EMS) and recommend the optimal SOCaaS licensing path
- Onboarding — We handle FortiAnalyzer Cloud provisioning, log forwarding configuration, and SOCaaS portal setup
- Complementary services — Ogma runs its own Vulnerability Assessment and Breach & Attack Simulation services that feed findings into your SOCaaS-monitored environment — validating that your FortiGate policies actually block the threats SOCaaS detects
- Ongoing optimisation — Quarterly reviews of SOCaaS reports, alert noise reduction, detection rule tuning, and Security Fabric policy adjustments
Getting Started
If you already run FortiGate, the fastest path to 24×7 SOC monitoring is adding the SOCaaS Fabric Monitoring license to each firewall. For organisations with mixed-vendor environments, the multi-vendor SOCaaS subscription provides comprehensive coverage through FortiSIEM-based log collection.
Contact Ogma for a SOCaaS architecture assessment and licensing quote tailored to your environment.