
● Case Study

How We Helped a Mid-Size Indian SaaS Stay Ransomware-Free for 24 Months

A real engagement story: layered controls, monthly hunting, quarterly pentests, and one near-miss that proved the program worked. Names and identifying details changed; outcomes are real.

Published 8 March 2026 · 11 min read · Codesecure Security Team · Case Study

Key Takeaways

  • 24 months ransomware-free for a 600-person Indian SaaS company through layered controls and continuous monitoring.
  • One near-miss incident (compromised RDP via leaked credential) was detected and contained in 87 minutes, before encryption or exfiltration occurred.
  • The program cost roughly 0.8% of annual revenue, far below the industry average breach cost of 4-7% of revenue.
  • What worked: defense in depth. EDR + MFA everywhere + segmentation + monthly hunting + quarterly pentest + ISO-aligned governance.
  • What does not work: any single control. The near-miss bypassed three of seven layers; the fourth caught it.

The Client: A 600-Person Indian B2B SaaS

The client (we'll call them Acme SaaS; all identifying details have been changed) is a mid-sized Indian B2B SaaS provider serving roughly 2,000 enterprise customers across India, the Middle East, and Southeast Asia. Around 600 employees, 60% engineering, primary office in Bengaluru with a secondary office in Chennai. Hybrid workforce post-COVID. Infrastructure on AWS with extensive use of Office 365, Slack, GitHub Enterprise, and CrowdStrike for endpoint protection.

When we started the engagement in early 2024, Acme had a competent internal IT team but no dedicated security function. Endpoint protection was deployed but minimally tuned. Office 365 had MFA enabled for admins only. AWS had IAM users with long-lived keys. Logging existed but was not centralized. A previous penetration test, 18 months earlier, had surfaced 11 high findings, 7 of which remained open.

Their wake-up call: a peer SaaS company in the same vertical was hit with ransomware in late 2023, paid INR 4.2 crore, and lost three enterprise customers. Acme's CEO decided the company needed real security, fast.

The First 90 Days: Stabilize the Foundation

Phase 1 of the engagement focused on closing the high-leverage gaps. We did not start with anything sophisticated; we started with hygiene. MFA enforced on every Office 365 account, including all admins and all service accounts. Long-lived AWS IAM keys eliminated; SSO plus role-based access deployed across the AWS organization. CrowdStrike EDR moved from monitor mode to active prevention with carefully tuned exclusions. The previously open penetration test findings were remediated and re-tested.

We also onboarded the environment to our managed SOC. Microsoft Sentinel deployed in Acme's tenant, logs flowing from Office 365, AWS CloudTrail, CrowdStrike, AD/Entra, and the production application. 15 initial detection use cases live. Tier 1 monitoring 24x7 by our SOC team in Chennai.

By day 90, the foundation was solid. None of this was glamorous; all of it was necessary.


The Layered Defense: Seven Layers, Each Doing Real Work

Over the next 6 months, we built out seven distinct layers of defense. Each layer addresses a different stage of the attacker kill chain. Each one alone is bypassable; together they create the depth that makes ransomware-grade attacks expensive and detectable.

  • Layer 1: Identity. Universal MFA, conditional access, leaked-credential detection via Entra ID Protection, monthly review of risky users
  • Layer 2: Endpoint. CrowdStrike Falcon with full prevention, isolation capability, monthly tuning review
  • Layer 3: Email. Microsoft Defender for Office 365, banner warnings on external emails, advanced phishing protection, quarterly phishing simulation
  • Layer 4: Network. AWS Network Firewall for egress filtering, security groups reviewed quarterly, no public RDP/SSH
  • Layer 5: Detection. Microsoft Sentinel with 40 tuned use cases, 24x7 monitoring by our SOC, MTTD under 30 min for high severity
  • Layer 6: Hunting. Monthly proactive threat hunting against MITRE ATT&CK techniques relevant to SaaS targeting
  • Layer 7: Validation. Quarterly web application pentest, annual internal network pentest, annual red team exercise

The Near-Miss: A Real Test of the Program

In month 14 of the engagement, on a Saturday at 2:47 AM IST, our SOC received a high-severity Sentinel alert: an Acme employee's account had logged in from a foreign IP that had never been seen for that user, immediately followed by an RDP attempt to an internal jump host. The user was a senior engineer with broad access; the jump host provided access to AWS production console.

The alert was an anomalous-sign-in detection (Layer 1) combined with an internal RDP anomaly detection (Layer 4 and Layer 5 working together). Our tier 1 analyst reached the on-call senior within 4 minutes. Within 22 minutes the analyst had: pulled the user's session history, confirmed the engineer had not traveled, contacted the engineer via Acme's secondary channel (their personal mobile, on file for emergencies), confirmed compromise, and triggered our incident response playbook.

By minute 87 the account was disabled, the RDP session forcibly terminated, the endpoint isolated via CrowdStrike, all the user's SSO sessions revoked, and a forensic capture of the attacker's activity preserved. No encryption occurred. No data exfiltration occurred. Forensic analysis later confirmed the initial vector: the engineer had reused a password on a third-party site that had been breached 4 months earlier, and the attacker had purchased the leaked credentials on a criminal marketplace.
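The detection that fired here is a correlation of two signals: a sign-in from a country never before seen for that user, followed within minutes by an RDP connection to a jump host. The script below is an added example that reproduces that logic over constructed sign-in and network events; it is not the Sentinel analytics rule from the engagement. The user names, host names, IP addresses, the "XX" country code, the 30-day baseline and the 15-minute follow-on window are all assumptions.

```python
"""Correlate a never-seen-country sign-in with a follow-on RDP attempt to a jump host.

Added example, not the engagement's Sentinel rule. All events, names and
addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, user, country, source_ip)
SIGNINS = [
    ("2025-04-12T20:10:00", "r.iyer", "IN", "203.0.113.10"),
    ("2025-04-15T09:05:00", "r.iyer", "IN", "203.0.113.10"),
    ("2025-04-19T21:17:00", "r.iyer", "IN", "203.0.113.10"),
    ("2025-04-26T21:17:00", "r.iyer", "XX", "198.51.100.77"),  # XX: constructed never-seen country
    ("2025-04-26T21:20:00", "m.nair", "IN", "203.0.113.22"),   # first sign-in ever for this user
]

# Constructed internal network events: (timestamp, user, dst_host, dst_port)
NET_EVENTS = [
    ("2025-04-26T21:18:30", "r.iyer", "jump01.corp.example", 3389),
    ("2025-04-26T21:25:00", "m.nair", "wiki.corp.example", 443),
]

JUMP_HOSTS = {"jump01.corp.example"}   # assumed asset inventory tag
BASELINE_DAYS = 30                      # assumed baseline window
FOLLOW_ON_WINDOW = timedelta(minutes=15)  # assumed correlation window
RDP_PORT = 3389


def _t(ts):
    return datetime.fromisoformat(ts)


def new_country_signins(signins=SIGNINS, baseline_days=BASELINE_DAYS):
    """Return sign-ins whose country has no precedent for that user in the baseline.

    A user with no prior history is not flagged: that is onboarding, not an
    anomaly, and flagging it is where most of the false positives would come from.
    """
    history = defaultdict(list)  # user -> [(time, country)] seen so far
    flagged = []
    for ts, user, country, ip in sorted(signins, key=lambda e: e[0]):
        t = _t(ts)
        recent = {c for pt, c in history[user] if t - pt <= timedelta(days=baseline_days)}
        if recent and country not in recent:
            flagged.append({"time": t, "user": user, "country": country, "ip": ip})
        history[user].append((t, country))
    return flagged


def correlate(signins=SIGNINS, net_events=NET_EVENTS, window=FOLLOW_ON_WINDOW,
              jump_hosts=JUMP_HOSTS):
    """Join each anomalous sign-in to RDP attempts by the same user against a jump host."""
    alerts = []
    for s in new_country_signins(signins):
        for ts, user, dst_host, dst_port in net_events:
            t = _t(ts)
            if (user == s["user"] and dst_port == RDP_PORT and dst_host in jump_hosts
                    and s["time"] <= t <= s["time"] + window):
                alerts.append({
                    **s,
                    "rdp_time": t,
                    "dst_host": dst_host,
                    "severity": "high",
                    "reason": "new-country sign-in followed by RDP to jump host",
                })
    return alerts


if __name__ == "__main__":
    for a in correlate():
        print(f"[{a['severity']}] {a['user']} from {a['country']}/{a['ip']} at {a['time']} "
              f"-> RDP {a['dst_host']} at {a['rdp_time']}: {a['reason']}")
```

Either signal alone is noisy (travel, VPN exits, routine admin RDP); the join is what raises the severity, which is why the identity layer and the network/detection layers are described above as working together.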

What Continuous Improvement Looks Like

Security is not a project; it is a program. Every month our team and Acme's IT leadership conduct a 60-minute review: incidents from the past month, threat intel relevant to Acme's industry, control gaps surfaced by hunting or pentest, planned changes for the next month. Once per quarter we run a tabletop exercise with Acme's leadership, different scenarios each time (ransomware, data exfiltration, BEC, supply chain compromise).

We track measurable outcomes: MTTD, MTTR, alert volume per analyst, false positive rate, control coverage of MITRE ATT&CK, pentest finding count over time, time-to-remediate by severity. These trend graphs go to Acme's board quarterly. Security is measured, not assumed.

Acme is now ISO/IEC 27001:2022 certified, which they use as a competitive differentiator in their enterprise sales process. The certification was a natural extension of the program: most of the controls were already in place, and the remaining work was formalizing them into ISMS documentation.


The Cost: Why It Was Justified

Total program cost for Acme over the 24-month engagement: roughly INR 1.8 crore. Breakdown: managed SOC (~50%), quarterly pentest and annual red team (~20%), platform licenses (~15%), ISO 27001 implementation (~10%), incident response retainer and forensics (~5%).

Against this: Acme's annual revenue at the start was roughly INR 70 crore. Total security spend at 0.8% of revenue is below the industry benchmark of 1-1.5% for SaaS at this scale. Industry-average breach cost is 4-7% of annual revenue. The program effectively bought INR 3-5 crore of expected-value risk reduction at a cost of INR 90 lakh/year.

The peer ransomware incident that originally drove Acme to act ended up costing that company INR 6-8 crore total once business disruption, customer churn, legal fees, and remediation were tallied. Avoiding one such incident pays for the program more than three times over.


Frequently Asked Questions

How long does it take to reach a mature security posture for a mid-size SaaS?

Foundational hygiene (MFA everywhere, EDR tuned, basic SIEM, top pentest findings closed) within 90-120 days. Layered defense across all 7 layers described above: 9-12 months. Full ISO 27001 certified ISMS with measurable continuous improvement: 18-24 months. The pace depends on internal IT bandwidth and leadership commitment more than budget.

Could the near-miss have been prevented entirely?

Possibly. Passwordless or phishing-resistant MFA (FIDO2 / Windows Hello for Business) on the affected engineer's account might have stopped it; as it was, the attacker did successfully bypass first-factor authentication. We have since rolled out FIDO2 keys to all Acme privileged users. Detection caught it; prevention would have been better.

What is the most overlooked control in mid-size SaaS security?

Egress filtering at the network layer. Most SaaS companies invest heavily in endpoint and identity but leave network egress wide open. When an attacker does establish a foothold, egress filtering disrupts command-and-control and data exfiltration. It is unglamorous and very effective.

How do you measure if a security program is actually working?

Three categories of metrics: detection metrics (MTTD, MTTR, alert quality), exposure metrics (open pentest findings by severity and age, MITRE ATT&CK coverage, vulnerability SLA compliance), and outcome metrics (incidents detected, incidents prevented, near-misses contained). Report all three monthly to leadership. A program with no measurable outputs is not a program; it is a hope.
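The three metric categories above, and the MTTD/MTTR/false-positive/time-to-remediate figures the monthly review tracks earlier in the article, can be produced from two plain record sets: incidents and pentest findings. The script below is an added example, not the reporting pipeline used for Acme; the records, the SLA days per severity and the fixed reporting date are constructed. It defines MTTD as the mean of (detected minus first attacker activity) and MTTR as the mean of (contained minus detected), both over true positives only.

```python
"""Detection, exposure and outcome metrics from incident and finding records.

Added example, not the engagement's reporting. All records are constructed.
"""
from datetime import date, datetime
from statistics import mean

# Assumed remediation SLAs in days, by finding severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TODAY = date(2025, 4, 5)  # fixed reporting date for reproducibility

# Constructed incidents:
# (id, severity, first_activity, detected, contained, outcome, true_positive)
INCIDENTS = [
    ("INC-1", "high", "2025-02-10T02:30", "2025-02-10T02:47", "2025-02-10T04:14", "near_miss", True),
    ("INC-2", "medium", "2025-02-18T10:00", "2025-02-18T10:40", "2025-02-18T12:10", "contained", True),
    ("INC-3", "high", "2025-03-02T14:00", "2025-03-02T14:21", "2025-03-02T15:30", "prevented", True),
    ("INC-4", "low", "2025-03-05T09:00", "2025-03-05T09:05", "2025-03-05T09:20", "false_positive", False),
]

# Constructed pentest findings: (id, severity, opened, closed or None if still open)
FINDINGS = [
    ("F-1", "critical", "2025-01-10", "2025-01-15"),
    ("F-2", "high", "2025-01-20", None),
    ("F-3", "high", "2025-02-01", "2025-02-20"),
    ("F-4", "medium", "2025-03-01", None),
]


def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def detection_metrics(incidents=INCIDENTS):
    """MTTD and MTTR in minutes per severity (true positives), plus false-positive rate."""
    by_sev = {}
    for _id, sev, first, detected, contained, _outcome, true_pos in incidents:
        if not true_pos:
            continue  # a false positive has no real time-to-detect
        entry = by_sev.setdefault(sev, {"ttd": [], "ttr": []})
        entry["ttd"].append(_minutes(first, detected))
        entry["ttr"].append(_minutes(detected, contained))
    summary = {
        sev: {"mttd_min": mean(v["ttd"]), "mttr_min": mean(v["ttr"]), "count": len(v["ttd"])}
        for sev, v in by_sev.items()
    }
    false_positives = sum(1 for i in incidents if not i[6])
    return {"by_severity": summary, "false_positive_rate": false_positives / len(incidents)}


def exposure_metrics(findings=FINDINGS, today=TODAY):
    """Open findings by severity, age of the oldest open one, and SLA compliance.

    A finding is SLA-compliant if it was closed within its SLA, or is still open
    but younger than its SLA. An open finding past its SLA is a breach today,
    not when it eventually closes.
    """
    open_by_sev, oldest_open, compliant = {}, 0, 0
    for _id, sev, opened, closed in findings:
        end = date.fromisoformat(closed) if closed else today
        age = (end - date.fromisoformat(opened)).days
        if closed is None:
            open_by_sev[sev] = open_by_sev.get(sev, 0) + 1
            oldest_open = max(oldest_open, age)
        if age <= SLA_DAYS[sev]:
            compliant += 1
    return {"open_by_severity": open_by_sev, "oldest_open_days": oldest_open,
            "sla_compliance": compliant / len(findings)}


def outcome_metrics(incidents=INCIDENTS):
    """Counts of real incidents by outcome (prevented, contained, near-miss)."""
    counts = {}
    for *_, outcome, true_pos in incidents:
        if true_pos:
            counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    print(detection_metrics())
    print(exposure_metrics())
    print(outcome_metrics())
```

Feeding real ticket exports into `INCIDENTS` and `FINDINGS` month after month is what turns these numbers into the trend graphs the article describes; the one design choice worth keeping is that false positives count toward alert quality but never toward MTTD or MTTR.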

Is this kind of program affordable for a 100-person company?

Yes, scaled appropriately. A 100-person Indian SaaS can run a comparable program for INR 40-70 lakh/year: same layered model, smaller scale, more reliance on managed services and less on in-house tools. The percentage-of-revenue ratio holds: 0.8-1.2% of revenue for a competent security program is achievable at any scale.

Did your client ever consider building an in-house SOC instead?

Yes, at month 18 we modeled it. An in-house 24x7 SOC for Acme's scale would require 8-10 analysts plus management, fully loaded at INR 2.5-3.5 crore/year, compared to our managed service at INR 60-80 lakh/year. The economics did not work, and they retained the managed model with a dedicated internal security lead who serves as the technical owner.

How important is ISO 27001 certification for SaaS sales?

Increasingly important and approaching mandatory for enterprise B2B SaaS. Approximately 80% of enterprise procurement questionnaires in 2026 require ISO 27001 evidence at some level. Certification typically pays for itself within 12 months through accelerated enterprise deal cycles and increased win rates.


Codesecure Security Team

ISO/IEC 27001:2022 Certified Cybersecurity Practitioners

Codesecure Solutions is an ISO/IEC 27001:2022 certified cybersecurity firm headquartered in Chennai, India. Our consultants hold OSCP, OSEP, OSWE, CRTP, CEH, CISA, CISM, CISSP and ISO 27001 Lead Auditor credentials. We deliver VAPT, SOC, GRC and compliance engagements across India, UAE, Saudi Arabia, Australia, Singapore and Maldives.


Get the Same Program for Your Business

Codesecure is ISO/IEC 27001:2022 certified and operates layered security programs for Indian SaaS, fintech and enterprise clients. Named consultants, fixed-price engagements, executive-ready outcomes. Free initial consultation.