MITRE ATT&CK v15 CERT-In Compliant

Security Operations Centre
Setup & Build Services in India

Most organisations buy a SIEM, hire two analysts, and call it a SOC. Real security operations require architecture decisions across people, process, and technology — all aligned to your threat profile, regulatory obligations, and budget. Ogma designs and builds your SOC as a structured project with defined deliverables: working technology, documented playbooks, trained analysts, and measurable MITRE ATT&CK coverage on day one.

  • 25+ SOC build projects delivered
  • 8–16 weeks typical project timeline
  • 50 use cases in the ATT&CK baseline delivered
  • 4 frameworks of compliance coverage at go-live

What We Build for You

A SOC build project spans six workstreams — all delivered in a single engagement.

SOC Architecture Design

We design your SOC architecture: on-premises vs. hybrid vs. cloud-hosted SIEM, SOAR platform selection, ticketing system integration, threat intelligence feeds, and data flow diagrams. Architecture decisions are documented with rationale and cost/capability trade-offs.

  • SIEM platform selection (FortiSIEM / Splunk / QRadar)
  • SOAR platform evaluation
  • Data flow and log source architecture
  • Network zone design for SOC infrastructure

Technology Deployment

We deploy and configure the selected SIEM and SOAR platforms, onboard your log sources, and integrate with existing security tools (EDR, NDR, firewall, email gateway). All deployments are production-grade with HA where required.

  • SIEM deployment + log source onboarding
  • SOAR platform deployment + playbook development
  • EDR, NDR, and firewall integrations
  • Threat intelligence platform (TIP) connection

Use Case Library (MITRE ATT&CK)

We map and deploy 50 detection use cases across MITRE ATT&CK v15 tactics, prioritised for your industry's threat profile. Each use case has defined detection logic, severity level, SOAR response playbook, and analyst runbook.

  • 50 use cases across ATT&CK tactics
  • Industry-specific threat prioritisation
  • ATT&CK coverage heat map
  • Use case test cases and validation

Process & Playbook Documentation

A SOC without documented processes is an analyst team making ad-hoc decisions. We develop the L1/L2/L3 escalation model, incident classification matrix, shift handover process, CERT-In reporting procedure, and playbooks for the top 20 incident types.

  • L1/L2/L3 tier model and escalation matrix
  • Incident classification (P1–P4) definitions
  • CERT-In 6-hour reporting procedure
  • 20 analyst runbooks (top incident types)

Compliance Framework Mapping

Your SOC is often the primary evidence source for cyber compliance audits. We map your log sources, use cases, and reports to applicable frameworks — so your SOC delivers compliance evidence as a by-product of normal operations.

  • RBI Cyber Security Framework (CSF)
  • CERT-In Cyber Crisis Management Plan
  • ISO 27001:2022 (Annex A.16 / A.8)
  • SEBI CSCRF / IRDAI cyber guidelines

Analyst Training & Handover

Technology and process are useless without skilled analysts to operate them. We deliver structured training for your L1/L2 team: SIEM navigation, alert triage methodology, use case walkthrough, SOAR playbook operation, and escalation procedures — plus a 30-day post-go-live support period.

  • 4-day analyst training programme
  • SIEM and SOAR platform hands-on labs
  • Tabletop exercise (simulated incident)
  • 30-day post-go-live hypercare support

Why Ogma for SOC Build?

Vendor-Neutral Architecture

We recommend the SIEM and SOAR platform that fits your environment — FortiSIEM, Splunk, IBM QRadar, or Microsoft Sentinel. Our recommendation is based on your EPS volume, budget, existing Fortinet investment, and team's skill level. We don't push one vendor.

India Regulatory Expertise

CERT-In's 6-hour incident reporting, RBI CSF annexures, SEBI CSCRF continuous monitoring requirements, and IRDAI cyber guidelines are built into our SOC design. We've helped regulated entities across BFSI, insurance, and NBFCs pass their first SOC-related audits.

Proven Delivery Model

Our SOC build methodology follows a structured 5-phase project model with defined milestones, acceptance criteria, and sign-off gates. You always know what's been delivered and what's next. No open-ended consulting engagements with no tangible outputs.

Project Delivery Process

5-phase methodology. Fixed milestones. Defined deliverables at each gate.

1
Discovery & Architecture (Weeks 1–2)

We inventory your existing security tools, interview stakeholders (CISO, IT, compliance), and understand your regulatory obligations. Current-state assessment is documented. We produce the target SOC architecture diagram, technology recommendations, staffing model, and project timeline for CISO sign-off before any technology is deployed.

2
Technology Deployment (Weeks 2–6)

SIEM and SOAR platforms are deployed and hardened. Log sources are onboarded in priority order: network (firewall, DNS, proxy first), then endpoint (EDR/AV), then application (critical apps, AD, email gateway). Each log source is validated for parse accuracy and completeness before moving to the next batch.

3
Use Case Development (Weeks 4–8, parallel)

While log sources are being onboarded, use case development begins for confirmed sources. Each use case goes through: define → build → test → tune → document → sign-off. The first 20 use cases are deployed in alert mode, reviewed for false positives, then promoted to detection mode before the remaining 30 are developed.

4
Process & Playbook Documentation (Weeks 6–10)

The SOC operating model is documented: shift schedules, escalation matrix, incident classification, CERT-In reporting procedure, daily/weekly/monthly analyst task checklists, and 20 analyst runbooks covering the most common incident types for your industry.

5
Training, Testing & Handover (Weeks 10–16)

A 4-day analyst training programme covers SIEM operation, alert triage, SOAR playbook execution, and compliance reporting. A tabletop exercise simulates a realistic incident (ransomware or supply chain attack) to validate the SOC's response capability. Final deliverable: SOC Go-Live Report with ATT&CK coverage heat map and 30-day hypercare support period.

Engagement Tiers

Final scope and pricing confirmed after discovery workshop. Tell us your EPS and target use-case count and we'll quote within 2 hours.

Small Enterprise
Competitive · fixed-scope project
500–2,000 EPS · 1 SIEM node · 30 use cases
  • Architecture design
  • SIEM deployment (single-node or cloud)
  • SOAR (basic playbooks, 10)
  • 30 use cases (ATT&CK mapped)
  • Process documentation (15 runbooks)
  • 2-day analyst training
  • 30-day hypercare

Enterprise (Recommended)
Competitive · fixed-scope project
2,000–10,000 EPS · Multi-node · 50 use cases
  • Full architecture design + HA SIEM
  • SOAR with 20 production playbooks
  • 50 use cases (ATT&CK v15 mapped)
  • Compliance mapping (RBI/CERT-In/ISO 27001)
  • Full process documentation (20 runbooks)
  • 4-day analyst training + tabletop exercise
  • ATT&CK coverage heat map
  • 60-day hypercare

Large / BFSI
Competitive · fixed-scope project
10,000+ EPS · HA cluster · Full scope
  • Enterprise architecture with DR site
  • Full SOAR automation (30+ playbooks)
  • 75+ use cases with custom development
  • All India compliance frameworks
  • Dedicated project manager
  • Custom scope — priced on assessment

Pricing does not include SIEM/SOAR platform licences, hardware, or ongoing support contracts. Ogma can assist with technology procurement and sizing.

Frequently Asked Questions

Yes — technology selection is part of the Discovery phase. We evaluate the top candidates (FortiSIEM, Splunk, IBM QRadar, Microsoft Sentinel) against your criteria: EPS volume, existing Fortinet investment, team skill level, compliance requirements, and budget. We present a scored comparison with our recommendation. If you've already decided on a SIEM platform, we deploy it — the selection phase is optional.

For an 8×5 (business hours) SOC, a minimum of 2 L1 analysts and 1 L2 analyst is workable at under 3,000 EPS. For 24×7 coverage, multiply by 3–4 to cover shifts and leave. We document the staffing model as part of the architecture design, including job descriptions and skill requirements for each tier. We don't provide staffing recruitment — we design what you need and train the team you hire.

MITRE ATT&CK is a globally recognised framework of adversary tactics and techniques. A 50-use-case ATT&CK baseline means your SIEM has detection logic for the most common attack techniques used against your industry. The coverage heat map we deliver shows visually which ATT&CK tactics you have coverage for and which remain blind spots — giving you a structured, prioritised roadmap for future use case development.
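The heat map described above reduces to a count of validated use cases per ATT&CK tactic. The following Python is an added illustration, not Ogma's tooling: it uses the 14 Enterprise ATT&CK tactic IDs, a constructed sample use-case library, and counts only use cases already promoted from alert mode to detection mode, so tactics covered solely by untuned rules still show as blind spots.

```python
from collections import Counter
from dataclasses import dataclass

# Enterprise ATT&CK tactic IDs and names (the 14 tactics in ATT&CK v15).
TACTICS = {
    "TA0043": "Reconnaissance", "TA0042": "Resource Development",
    "TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
    "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
    "TA0006": "Credential Access", "TA0007": "Discovery",
    "TA0008": "Lateral Movement", "TA0009": "Collection",
    "TA0011": "Command and Control", "TA0010": "Exfiltration", "TA0040": "Impact",
}

@dataclass(frozen=True)
class UseCase:
    name: str
    technique: str   # ATT&CK technique ID, e.g. "T1110"
    tactics: tuple   # tactic IDs the technique maps to (some map to several)
    mode: str        # "alert" (still under false-positive review) or "detection"

# Constructed sample library for illustration, not a real deployment.
LIBRARY = [
    UseCase("Brute force against VPN portal", "T1110", ("TA0006",), "detection"),
    UseCase("Phishing attachment opened", "T1566", ("TA0001",), "detection"),
    UseCase("Encoded PowerShell command", "T1059", ("TA0002",), "detection"),
    UseCase("New scheduled task created", "T1053", ("TA0002", "TA0003", "TA0004"), "alert"),
    UseCase("Beaconing to rare domain", "T1071", ("TA0011",), "detection"),
    UseCase("Mass file encryption", "T1486", ("TA0040",), "detection"),
]

def coverage(library, promoted_only=True):
    """Return {tactic_id: number of use cases} for every ATT&CK tactic.
    With promoted_only, use cases still in alert mode are excluded, because
    they have not yet been validated as producing actionable detections."""
    counts = Counter({t: 0 for t in TACTICS})
    for uc in library:
        if promoted_only and uc.mode != "detection":
            continue
        for t in uc.tactics:
            counts[t] += 1
    return dict(counts)

def blind_spots(library, promoted_only=True):
    """Tactic IDs with zero coverage: the empty cells of the heat map."""
    return sorted(t for t, n in coverage(library, promoted_only).items() if n == 0)

def roadmap(library):
    """Prioritised roadmap: uncovered tactics first, then the thinnest-covered ones."""
    cov = coverage(library)
    ordered = sorted(cov.items(), key=lambda kv: (kv[1], kv[0]))
    return [f"{TACTICS[t]} ({n})" for t, n in ordered]
```

Comparing `coverage(LIBRARY)` against `coverage(LIBRARY, promoted_only=False)` shows how much of the apparent coverage is still unvalidated content rather than working detection.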

Yes. CERT-In's Information Security Practices and Procedures (Amendment Rules, 2022) requires covered entities to report certain cybersecurity incidents within 6 hours of detection. We design your SOC's incident classification matrix to align with CERT-In's reportable incident categories, develop the reporting procedure and templates, and include CERT-In report generation in relevant SOAR playbooks so the first-draft notification is auto-generated when a reportable incident is detected.

No. We start with an inventory of your existing tools (firewalls, EDR, email security, vulnerability scanners) and integrate them into the SOC as log sources and response integrations. If you have an existing SIEM that's poorly configured, we assess whether to re-tune it or replace it — recommendation depends on the platform, licence status, and gap severity.

For a mid-market enterprise (2,000–5,000 EPS, 50 use cases), the typical timeline is 12–14 weeks from contract signature to go-live. Larger environments with more log sources or complex compliance requirements may take 16 weeks. The timeline is driven primarily by log source access and your team's availability for discovery workshops and training — infrastructure delays are the most common cause of schedule extension.

Yes. Our Managed SOC (SIEM managed service) can take over 24/7 alert triage, content updates, and compliance reporting after the build project completes — transitioning your SOC from a build project to a managed service on a monthly retainer. Many customers choose a 90-day handover period where Ogma manages alongside your team before full transition. Ask about our Managed FortiSIEM or Managed SOC services.

Build a SOC That Detects Real Threats

Tell us your industry, approximate EPS volume, compliance obligations, and whether you have an existing SIEM. We'll scope a SOC build project with a fixed timeline, defined deliverables, and a team that's done this before.