Canary Wharf CISO: 24×7 SOC from Mohali on Splunk + CrowdStrike, £6,800/seat
A 250-seat Canary Wharf fintech (FCA-regulated payments processor, Cabot Square address, Series C raised in 2024) was paying £14,200 per seat per month for Big-4 MDR across 2 dedicated SOC seats. £340,800 a year. 24×7 coverage on paper. MTTD on P1 alerts averaging 47 minutes — well outside the 15-minute internal SLA the CISO had committed to the board. Same SIEM (Splunk Cloud), same EDR (CrowdStrike Falcon Enterprise), same compliance posture (FCA + ISO 27001). The fix is on the labour-cost side, not the tooling side.
This post is the worked example of what the AB7 Mohali SOC pod actually costs, how the 6-week MDR-exit window runs, and what the steady-state P1 MTTD looks like after week 6.
What the deployment actually looks like
A 2×L2 + 1×L3 fractional bundle out of AB7 Mohali SOC HQ. Two L2 analysts — Splunk-certified, CrowdStrike Falcon Pro-trained, ITIL-aware — split the 24-hour coverage between the 06:00-14:00 GMT and 14:00-22:00 GMT shifts. The third shift (22:00-06:00 GMT, which is 03:30-11:30 IST in Mohali) is covered by a rotating L2 on the Mohali night bench, with the named L3 lead on PagerDuty for any P1 the L2 cannot close within 30 minutes.
Cost: £6,800 per seat per month for the 2×L2 + 1×L3 bundle. UK pricing. US-equivalent is $8,400/seat. The £177,600/year delta from the £14,200 Big-4 baseline is real run-rate, not a one-time saving.
What is in scope per seat per month:
- L2 alert triage on the buyer's Splunk Cloud — 240-rule baseline tuned in week 2, drift-tuned every 14 days thereafter
- L3 escalation lead on 30-minute SLA for any P1 ticket the L2 cannot close
- Weekly false-positive review with the buyer's internal security lead (Friday 14:00 GMT call, standing)
- Monthly P1/P2 incident retrospective with root-cause analysis written to a shared Confluence space
- Quarterly purple-team exercise (the AB7 pen-test pod runs the red side; the SOC pod plays defender)
What is out of scope and the buyer keeps in-house: SIEM licensing (Splunk Cloud), EDR licensing (CrowdStrike Falcon), policy approvals, and any direct-to-FCA regulatory communication.
The 6-week MDR-exit window
Week 1. AB7 signs the BAA + the data-processing addendum (Cabot Square fintech needed both, given the FCA reporting overlay). VPN access provisioned to the Splunk Cloud workspace. The two named L2 analysts and the L3 lead are introduced on a Friday call — full names, photos, LinkedIn URLs, certifications. No incident work yet.
Week 2. The 240-rule SIEM baseline tune. An AB7 senior detection engineer in Mohali (CISSP + GIAC GCIA) walks the buyer-side security lead through the rule-by-rule deltas. 38 rules ship with new thresholds. 12 rules are deprecated as legacy noise. 7 net-new rules ship for the buyer-specific FCA-regulated workflow patterns.
Week 3-4. Shadow-mode triage. The AB7 L2s handle the live Splunk queue alongside the Big-4 MDR vendor (whose contract runs until the end of week 6). Every ticket gets two parallel responses; the buyer-side CISO compares AB7's ticket quality to the incumbent's, ticket by ticket. Week 4 close: AB7 ticket close-out time is 22% faster on average.
Week 5-6. Live cutover. The Big-4 MDR contract terminates at the end of week 6 with the 30-day notice the vendor required. AB7 owns the queue 24×7 from the week-5 Monday onwards. MTTD on the week-5 P1 alerts: 16 minutes (already inside the buyer's 15-minute board-committed target with a 1-minute buffer).
Week 7-12. Steady-state. By the end of week 12, MTTD on P1 is 9 minutes. False-positive rate on weekly volume is 4.1% (Big-4 baseline was 11.8%). The CISO presents the £177,600 run-rate saving to the board at the Q3 2026 review and gets sign-off to extend the AB7 pod from 2 to 3 seats for the SOC 2 Type II audit prep work landing in Q4.
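As an added illustration (not AB7's tooling; the ticket data is constructed), this Python snippet applies the pod's stated rules to a small batch of P1 tickets: which GMT shift owns each alert, whether the ticket stayed open past the 30-minute L2 window so the named L3 lead is paged, and whether the average MTTD sits inside the 15-minute board target.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Optional

UTC = timezone.utc
# Shift boundaries exactly as the pod model states them, in GMT (UTC here).
L2_SHIFTS = [("L2 day (06:00-14:00 GMT)", 6, 14), ("L2 evening (14:00-22:00 GMT)", 14, 22)]
NIGHT_BENCH = "L2 night bench (22:00-06:00 GMT)"
P1_MTTD_SLA = timedelta(minutes=15)        # board-committed P1 detection target
L3_ESCALATION_SLA = timedelta(minutes=30)  # L2 closes it or the named L3 takes it

@dataclass
class P1Ticket:
    ticket_id: str
    fired: datetime             # alert fired in the SIEM
    acknowledged: datetime      # L2 picked it up; MTTD = acknowledged - fired
    closed: Optional[datetime]  # None while the ticket is still open

def owning_shift(t: datetime) -> str:
    """Which shift owns an alert that fired at time t (night bench if neither L2 shift)."""
    hour = t.astimezone(UTC).hour
    for name, start, end in L2_SHIFTS:
        if start <= hour < end:
            return name
    return NIGHT_BENCH

def needs_l3(ticket: P1Ticket, now: datetime) -> bool:
    """True if the ticket stayed open past the 30-minute L2 window, so L3 is paged."""
    return (ticket.closed or now) - ticket.fired > L3_ESCALATION_SLA

def sla_report(tickets, now: datetime) -> dict:
    """Average P1 MTTD in minutes, SLA verdict, L3 escalations and shift ownership."""
    avg = mean((t.acknowledged - t.fired).total_seconds() for t in tickets) / 60
    return {
        "avg_mttd_minutes": round(avg, 1),
        "within_sla": avg <= P1_MTTD_SLA.total_seconds() / 60,
        "l3_escalations": [t.ticket_id for t in tickets if needs_l3(t, now)],
        "shift_by_ticket": {t.ticket_id: owning_shift(t.fired) for t in tickets},
    }

# Constructed sample tickets (not real data): one per shift, the night one still open.
def ts(h, m): return datetime(2026, 3, 2, h, m, tzinfo=UTC)
NOW = ts(23, 50)
SAMPLE = [
    P1Ticket("P1-001", ts(7, 10), ts(7, 18), ts(7, 40)),   # day shift, 8 min MTTD
    P1Ticket("P1-002", ts(23, 5), ts(23, 17), None),       # night bench, 12 min, open 45 min
    P1Ticket("P1-003", ts(15, 0), ts(15, 7), ts(15, 20)),  # evening shift, 7 min
]
```

Calling `sla_report(SAMPLE, NOW)` on the constructed batch gives an average MTTD of 9.0 minutes (inside the 15-minute target) and flags only the still-open night-bench ticket for L3.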
What this is not
This is not an MSSP. AB7 doesn’t pool L2 analysts across 30 clients and ration their attention. The 2 L2s on the Canary Wharf fintech are named individuals, on the named buyer account, with the named L3 lead on escalation. If one of the L2s goes on PTO, the named L3 covers the shift directly — no anonymous fill-in from a shared bench.
This is not Splunk-only or CrowdStrike-only. The pod also deploys on Microsoft Sentinel, Sumo Logic, IBM QRadar and Elastic Security (SIEM), and on SentinelOne Singularity, Defender for Endpoint, Sophos Intercept X and Palo Alto Cortex XDR (EDR). 26 vendor partnerships total. The Canary Wharf pod just happens to run Splunk + CrowdStrike because that is the buyer's existing stack.
This is not for buyers below 150 seats. Under that headcount, the Big-4 MDR licence cost dominates labour cost; the AB7 saving narrows to under £40,000/year and doesn’t justify the 6-week cutover effort. AB7 will say so on the scoping call, not in month 3.
The objection the Canary Wharf CISO usually raises
“Mohali is 4.5 hours ahead of London. Won’t I lose the same-day-resolution feel I had with Big-4 in Reading?” The honest answer: same-day resolution is unrelated to the SOC team's geography. P1 incidents get worked the moment they fire — whether the L2 is in Reading or in Phase 8B, Mohali. What changes is the live-chat synchronicity for the non-P1 work (policy reviews, runbook updates, weekly false-positive walks). The Mohali 06:00-14:00 GMT shift covers 09:30-17:30 IST — which is exactly when London is at desk, 09:30-17:30 GMT. The overlap is 4.5 hours of full bilateral availability. For the Canary Wharf fintech, that overlap is enough to handle every non-P1 sync the CISO needs.
The work that benefits from the time offset rather than suffering from it: overnight queue clean-up (the Mohali night shift runs while London sleeps), batch tuning sprints (Mohali starts at 09:30 IST = 05:00 GMT and has the queue stabilised before the London CISO walks in), and timezone-distributed purple-team exercises.
What happens in the first 60-minute call
Ashok Benial (founder of AB7, Calendly link below) takes the call. Three things on a 60-minute scoping call:
1. The actual cost baseline. The Canary Wharf CISO brings the Big-4 MDR contract (or the equivalent MSSP / staffed-SOC contract), the current per-seat all-in cost, and the past 90 days of P1 MTTD numbers. AB7 brings the AB7 equivalent build at £6,800/seat.
2. The 240-rule baseline diff preview. AB7 sends a sample of 20 of the rules the Mohali detection engineer would tune in week 2. The CISO reads them on the call and flags any that conflict with the buyer's internal policy.
3. The 6-week deployment plan. Named L2 analysts, named L3 lead, BAA timeline, VPN access, the cutover Monday. The CISO leaves the call with a written plan, two LinkedIn URLs of the assigned L2s, and a Tuesday start date.
Related reading
- AB7 cybersecurity pillar — full service overview, 24×7 SOC, MSSP-alternative model, 26 vendor partners: /services/cybersecurity
- The 24×7 SOC deployment case study: /case-studies/cybersecurity-soc-deployment
- Why AB7 vs traditional MSSPs: /compare/ab7-vs-mssp-alternatives
- AB7 full pricing page: /pricing
Written by
AB7 Solutions Editorial Team
Content & Research Division
The AB7 Solutions editorial team combines expertise across healthcare operations, IT staffing, cybersecurity, and workforce management to deliver actionable insights for business leaders.