The challenge
Vertex Financial Services, a mid-market NBFC with operations across India and the UAE, was operating without a dedicated security function. Their infrastructure had grown organically — 140+ cloud workloads across AWS and Azure, 800+ endpoints, six third-party SaaS integrations handling customer financial data, and zero centralized visibility.
A failed RBI audit and a near-miss ransomware incident forced the issue. Their board gave the CIO 90 days to stand up a functioning Security Operations Center or risk losing their lending license.
They had three hard constraints:
- No in-house security engineers beyond a single IT manager
- A fixed budget that ruled out traditional MSSP retainers
- Compliance requirements across RBI, DPDP Act, and UAE PDPL
Our approach
Phase 1: Threat modeling and tooling selection (Weeks 1-3)
Before buying a single tool, we mapped their actual risk surface:
- Crown jewel analysis — identified the 14 systems where a breach would be materially damaging
- Threat modeling against MITRE ATT&CK for financial services (initial access, credential abuse, data exfiltration)
- Log source inventory — audited what was already being logged (most of it wasn't)
- Gap assessment against RBI Cyber Security Framework for NBFCs
Based on the risk model, we selected a stack built around open standards instead of vendor lock-in:
- SIEM: Wazuh on a hardened self-hosted cluster (OpenSearch backend)
- EDR: CrowdStrike Falcon on endpoints and servers
- Cloud posture: Prowler for AWS/Azure CSPM, integrated into the SIEM pipeline
- Network telemetry: Zeek + Suricata at the perimeter, with flow logs forwarded from both clouds
- SOAR: Tines for playbook automation — cheaper than Splunk SOAR, easier to iterate on
Phase 2: Log pipeline and detection engineering (Weeks 3-7)
We built a single pane of glass on top of Wazuh:
- Normalized 28 log sources into a common schema (ECS-aligned)
- Authored 142 detection rules mapped to MITRE techniques relevant to financial services
- Tuned out 94% of the initial noise — baseline false positive rate dropped from 600+/day to under 40
- Built UEBA baselines for privileged accounts after two weeks of observation
- Integrated threat intelligence feeds (AlienVault OTX, abuse.ch, and two paid RBI-shared feeds)
Every detection rule had three artifacts: the rule, a runbook, and a test case. Nothing shipped without all three.
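As an added illustration of the rule-plus-test-case discipline described above (example code, not Agix's or Vertex's own), the block below implements one detection over ECS-aligned authentication events: a burst of failed logins from a single source.ip, mapped to its MITRE technique and shipped with its own test case. The sample events, the rule id and the runbook path are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule metadata lives next to the logic; rule id and runbook path are hypothetical.
RULE = {
    "id": "auth-bruteforce-001",
    "mitre": "T1110",                       # Brute Force
    "runbook": "runbooks/auth-bruteforce.md",
    "threshold": 5,                         # failed logins from one source.ip ...
    "window": timedelta(minutes=5),         # ... inside this sliding window
}

def ecs_auth_event(ts, src_ip, user, outcome):
    """Build a minimal ECS-aligned authentication event (constructed sample)."""
    return {"@timestamp": ts, "event": {"category": "authentication", "outcome": outcome},
            "source": {"ip": src_ip}, "user": {"name": user}}

# Constructed data: one noisy source (6 failures in 50 s, then a success) and one
# slow source (4 failures spaced 6 min apart) that must NOT raise an alert.
SAMPLE_EVENTS = (
    [ecs_auth_event(f"2024-01-15T09:00:{s:02d}", "203.0.113.7", "svc_admin", "failure")
     for s in range(0, 60, 10)]
    + [ecs_auth_event("2024-01-15T09:01:00", "203.0.113.7", "svc_admin", "success")]
    + [ecs_auth_event(f"2024-01-15T10:{m:02d}:00", "198.51.100.4", "rkumar", "failure")
       for m in range(0, 24, 6)]
)

def detect_bruteforce(events, rule=RULE):
    """Alert once per source.ip that reaches `threshold` failed logins within `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event"]["category"] == "authentication" and ev["event"]["outcome"] == "failure":
            failures[ev["source"]["ip"]].append(datetime.fromisoformat(ev["@timestamp"]))
    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > rule["window"]:   # slide the window forward
                start += 1
            if end - start + 1 >= rule["threshold"]:
                alerts.append({"rule": rule["id"], "mitre": rule["mitre"], "runbook": rule["runbook"],
                               "source.ip": ip, "count": end - start + 1, "first_seen": times[start].isoformat()})
                break                                  # one alert per source, not per event
    return alerts

def run_test_case():
    """The rule's shipped test: exactly one alert, for the noisy source only."""
    alerts = detect_bruteforce(SAMPLE_EVENTS)
    return len(alerts) == 1 and alerts[0]["source.ip"] == "203.0.113.7" and alerts[0]["count"] == 5
```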
Phase 3: SOC operations model (Weeks 5-10)
We ran a hybrid "follow-the-sun" model instead of a single 24/7 local team:
- Tier 1 (triage): Offshore team running 3 shifts, 365 days — handles alert review and initial containment
- Tier 2 (investigation): Our senior analysts during IST business hours + on-call rotation
- Tier 3 (threat hunting and engineering): Weekly hunts against top-risk scenarios, monthly purple team exercises
We wrote 47 SOAR playbooks that handled the high-volume, low-complexity alerts automatically — phishing triage, brute force containment, suspicious login geo-blocks, malware isolation. Analyst time was reserved for the work that actually needed a human.
Phase 4: Compliance and reporting layer (Weeks 8-12)
The SOC doubled as Vertex's compliance engine:
- Automated daily evidence collection for RBI audit requirements
- Pre-built dashboards mapped to RBI, DPDP, and UAE PDPL control requirements
- Monthly board-ready security posture reports
- Quarterly tabletop exercises documented for audit trail
The results
Within the 90-day deadline, Vertex had a fully operational SOC. Six months in, the numbers were unambiguous:
- Mean time to detect (MTTD): 9 hours → 3 minutes 40 seconds
- Mean time to respond (MTTR): 72 hours → 38 minutes for P1 incidents
- Incidents contained before data exposure: 100% (including two real ransomware attempts via phishing, both stopped at the endpoint)
- Alert volume: reduced from ~3,200 raw events/day to 18 high-fidelity alerts analysts actually review
- Cost vs. the MSSP quote they had received: 52% lower annualized, with full data sovereignty retained
- RBI follow-up audit: passed with zero critical findings
Independent penetration testing six months post-launch rated the environment as "significantly above peer benchmark" for NBFCs of comparable size.
Key insight
Most SOC deployments fail because teams buy tools before they understand their own risk. We spent the first three weeks doing nothing but mapping what actually mattered to Vertex's business. Every technology choice after that was forced to justify itself against that risk model. The result was a SOC that is smaller, cheaper, and more effective than the traditional "buy the Gartner leader and hope" approach.
Client feedback
"Agix delivered what three larger firms told us was impossible in the timeline. More importantly, they built us a function — not a dependency. Our team now runs the SOC day-to-day with Agix as partners, not operators." — CIO, Vertex Financial Services