The Indian managed-security market has matured fast — a CISO can now choose from a dozen credible MDR and MSSP vendors locally, plus global names with India delivery. But the labels 'MDR' and 'MSSP' get used interchangeably in RFPs, and the difference shows up only when something breaks at 2am. Here is the 2026 buyer guide for India and the UAE: what each is, who plays where, real pricing bands, and a procurement checklist.
MSSP
- Core: Manages security tools you bought (SIEM, FW, EDR, email gateway)
- Outcome: Tool uptime + alert triage + ticket dispatch
- Pricing: Per device / per log volume / per seat
- Telemetry: You provide; vendor consumes
- Detection content: Mostly vendor library, light tuning
- Response: Hands-off-keyboard — advisory only, customer remediates
- India price band: ₹15L – ₹2 Cr/yr
MDR
- Core: Brings tooling + detection engineering + active response
- Outcome: Detect + investigate + contain (host isolation / account disable)
- Pricing: Per asset / per seat with response SLA
- Telemetry: Vendor's EDR/NDR/cloud sensors usually included
- Detection content: Custom + threat-led + continuously updated
- Response: Hands-on-keyboard — vendor takes action on agreed assets
- India price band: ₹40L – ₹4 Cr/yr
Why the distinction matters in 2026
Five years ago an MSSP was good enough for most Indian mid-sized banks — the threat profile was opportunistic, ransomware groups were noisy, and a 30-minute triage window was acceptable. In 2026 the profile is different: targeted ransomware operators, financially motivated initial-access brokers selling India-specific access, and supply-chain compromises that ride trusted vendor channels. The 30-minute window is now the difference between an alerted incident and a billion-rupee impact. MDR exists to close that window — by combining sensor telemetry, threat-led detection content, and live response authority into one contract.
The Indian managed-security landscape (2026)
| Vendor | Primary positioning | Strength | Typical fit |
|---|---|---|---|
| Tata Communications (MDR) | MDR + MSSP hybrid | Telco-scale infra, BFSI footprint, India SOC | Large BFSI, regulated enterprises, govt |
| Sequretek | MDR + XDR product + MSSP | Own XDR stack (Percept), Indian IP | Mid-large BFSI, manufacturing, retail |
| NII Consulting (now Sucuri) | MSSP + advisory | Audit + ops combination | Mid-sized regulated firms |
| Lucideus / SAFE Security | Cyber risk quantification + MDR-adjacent | Risk-based reporting to boards | Enterprise with mature risk function |
| Wipro / TCS / Infosys MS | Large MSSP / IT services SOC | Global delivery scale | Large IT services portfolios, captive SOCs |
| Paladion (Atos) | MDR pioneer in India | Long-running platform (AI-Saac) | Mid-large enterprise, established BFSI |
| Inspira / Network Intelligence | MSSP + VAPT + GRC | Sectoral depth | BFSI, healthcare, manufacturing |
| Macksofy | Boutique MDR + training pipeline | Hand-picked SOC analysts, India-trained, OffSec/EC-Council bench | Mid-sized BFSI, fintech, regulated SaaS |
| Arctic Wolf / Sophos MDR / CrowdStrike Falcon Complete | Global MDR with India delivery | Mature detection content, global threat intel | Indian arms of global firms |
Representative India-relevant vendors and where they sit
Pricing reality in India
Indian managed-security pricing varies more by what is bundled than by vendor list price. A useful rule of thumb for 2026: MSSP starts at ~₹15 lakh/year for a small SCB with 50-100 assets and basic SIEM monitoring; mid-sized BFSI at ~₹40-90 lakh/year for comprehensive MSSP; full MDR with EDR/NDR/cloud sensors and response authority sits at ₹60 lakh - ₹2 crore/year for mid-sized, and ₹2-4 crore/year for large BFSI with multi-site coverage.
| Buyer profile | Endpoints / users | MSSP | MDR |
|---|---|---|---|
| Small fintech / NBFC | <200 endpoints | ₹15-30L/yr | ₹40-70L/yr |
| Mid-sized SCB / Coop bank | 200-1000 endpoints | ₹40-90L/yr | ₹70L-1.6 Cr/yr |
| Large BFSI / multi-site bank | 1000-5000 endpoints | ₹80L-2 Cr/yr | ₹1.6 Cr-3.5 Cr/yr |
| Indian SaaS / fintech with cloud-only | Cloud + 200 users | ₹20-50L/yr | ₹50L-1.2 Cr/yr |
| Manufacturing with OT | 1000+ endpoints + OT | ₹50L-1.5 Cr/yr | ₹1.2-3 Cr/yr (OT add-on) |
Indian price bands by buyer profile (2026, indicative)
What MDR actually does that MSSP does not
- Owns the EDR/NDR sensor — visibility is not contingent on your tool decisions
- Maintains custom detection content tuned to your environment (Sigma / Sentinel KQL / Splunk SPL)
- Has hands-on-keyboard authority — can isolate a host, disable an account, kill a process across your fleet
- Provides threat-led hunting cycles (typically monthly), not just alert-driven triage
- Couples response with case management — you get an incident narrative, not a stack of tickets
- Includes a named senior analyst / customer-facing lead, not just a rotating Tier 1
When MSSP is the right answer
MSSP is the right call when you already have a strong internal IR capability and need extension-of-hours coverage rather than active response, or when your tooling investment is recent and you need stability around it. Large Indian PSU banks, mature manufacturing groups with internal CSIRTs, and Indian IT services firms running captive SOCs typically buy MSSP as a layer — not as a replacement.
When MDR is the right answer
MDR is the right call when you do not have a credible 24x7 internal response capability, when EDR/NDR investment has been chronic, when you need to satisfy regulatory 24x7 monitoring requirements without standing up an internal SOC, or when your threat model has shifted toward targeted intrusion. Most mid-sized Indian fintechs, NBFCs, and regulated SaaS firms fit this profile in 2026.
The procurement questionnaire
- What sensors do you provide vs require us to license? — name the vendors and licence model
- Who writes detection content? Show us 5 custom detections written for a comparable Indian BFSI customer
- What is your MTTD and MTTR for the last 12 months on Indian BFSI accounts?
- What is the response SLA — minutes-to-acknowledge, minutes-to-investigate, hours-to-contain?
- Will the vendor take containment action without our explicit authorisation? Under what runbook?
- What is your CERT-In incident reporting integration? Walk us through a sample filing.
- How is the threat intelligence sourced? Names of feeds, plus internal research output volume.
- What is the named-analyst model — single point of contact or rotating queue?
- Show us a sample monthly report — narrative, metrics, hunting findings, recommendations
- What is your exit / data portability commitment if we terminate? Where do logs go?
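The MTTD/MTTR and response-SLA questions above are easier to score when the vendor supplies raw case timestamps instead of averages. The following is an added example, not part of the original guide or any vendor's tooling, that recomputes the metrics from a case export. The field names, the SLA thresholds, the choice to measure every stage from the alert time, and the sample cases are all assumptions constructed for illustration.

```python
from datetime import datetime
from statistics import mean

# Assumed contract thresholds, in minutes measured from the alert timestamp.
SLA_MINUTES = {"acknowledged": 15, "investigated": 60, "contained": 240}

# Constructed sample export; a real vendor's case schema will differ.
CASES = [
    {"id": "C-1", "occurred": "2026-01-10T01:50", "alerted": "2026-01-10T02:00",
     "acknowledged": "2026-01-10T02:08", "investigated": "2026-01-10T02:40",
     "contained": "2026-01-10T04:30"},
    {"id": "C-2", "occurred": "2026-02-03T22:00", "alerted": "2026-02-03T23:30",
     "acknowledged": "2026-02-03T23:55", "investigated": "2026-02-04T00:20",
     "contained": "2026-02-04T05:30"},
    {"id": "C-3", "occurred": "2026-03-15T09:00", "alerted": "2026-03-15T09:20",
     "acknowledged": "2026-03-15T09:30", "investigated": "2026-03-15T10:10",
     "contained": None},  # never contained: must not silently vanish from the stats
]

def minutes(start, end):
    """Elapsed minutes between two ISO timestamps, or None if either is missing."""
    if not start or not end:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60

def sla_report(cases, sla=SLA_MINUTES):
    """Recompute MTTD, MTTR and per-case SLA breaches from raw timestamps.

    Assumed definitions: MTTD = mean(occurred -> alerted),
    MTTR = mean(alerted -> contained) over cases that were contained.
    """
    detect, respond, breaches = [], [], {}
    for case in cases:
        lag = minutes(case.get("occurred"), case.get("alerted"))
        if lag is not None:
            detect.append(lag)
        failed = []
        for stage, limit in sla.items():
            took = minutes(case.get("alerted"), case.get(stage))
            if stage == "contained" and took is not None:
                respond.append(took)
            if took is None or took > limit:  # a missing stage counts as a breach
                failed.append(stage)
        if failed:
            breaches[case["id"]] = failed
    uncontained = [c["id"] for c in cases if not c.get("contained")]
    return {"mttd_min": mean(detect), "mttr_min": mean(respond),
            "uncontained": uncontained, "breaches": breaches}
```

An MTTR average leaves out cases that were never contained, so the report lists them separately; ask the vendor which timestamps and exclusions sit behind their published figures.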
UAE buyer note
In the UAE the buyer market splits between DESC-aligned MSSPs serving Dubai government and regulated entities, and global MDR brands (CrowdStrike, Sophos, Arctic Wolf) selling into commercial enterprises. India-headquartered firms with UAE presence (Tata, Sequretek, Macksofy) are increasingly visible on DIFC and ADGM fintech accounts because of the price-quality position. For dual-presence Indian groups, contracting one provider across both geographies typically saves 15-25% versus separate contracts.
Macksofy's MDR for Indian BFSI and fintech is one of several hands-on tracks Macksofy delivers across India and the UAE. CERT-In empanelled, OffSec/EC-Council authorized, with weekend cohorts and corporate batches.
