Loading...
Managed Security Hardware-as-a-Service
Enterprise cybersecurity hardware, fully managed.
Firewalls, EDR, HSMs, WAFs, backup vaults, NAC, SOC sensors, OT sensors, PAM appliances — leased on 36-month terms with monitoring, refresh, and a single monthly bill. From RM800/month.
Finance & Procurement
From capital expenditure to predictable operating expenditure
Enterprise cybersecurity hardware — a next-generation firewall, an HSM cluster, a PAM appliance, an OT sensor — carries a combined list price that can easily exceed RM 500,000 for a mid-sized regulated organisation. That capital expenditure requires board approval, a procurement committee, a vendor evaluation process, and a lead time of months before any security benefit is realised. For the CFO, it is a balance-sheet commitment. For the CISO, it is a delay that leaves risk unmitigated while finance reviews the business case.
Managed security leasing converts that single large capital outlay into a fixed monthly operating expense. The 36-month contract covers the hardware appliance, all vendor licences, nCrypt 24/7 management, quarterly reviews, and a hardware refresh at month 30 — when most appliances would ordinarily be approaching end-of-support. There are no surprise refresh costs, no renewal negotiation, and no unmanaged equipment ageing into a security liability.
The 36-month refresh cycle is deliberate. Security hardware vendors typically release a generational product update every three to four years. By including a refresh at month 30, the bundle ensures you are never more than one generation behind the threat curve. The old appliance is returned to the vendor under RMA. You receive the replacement, pre-configured and tested, with zero disruption to production.
Support tiers are included in every bundle, not bolted on as options. nCrypt manages firmware patching, signature updates, policy tuning, and vendor SLA escalation. Your internal IT team retains co-managed read access and an emergency-override credential, but the operational burden sits with nCrypt.
Malaysian organisations should note that under MFRS 16 (Malaysia Financial Reporting Standard 16, aligned with IFRS 16), leases longer than 12 months are generally recognised on the balance sheet as a right-of-use asset with a corresponding lease liability. This means the lease is not a pure opex treatment in the accounting sense — finance teams should model the balance-sheet impact before contract execution. We recommend engaging your auditor to confirm the correct classification for your specific arrangement. Where a lease is structured as a service contract rather than an asset lease, the accounting treatment may differ; this is a matter between the customer and their auditor.
End-of-term paths are always defined upfront. The three options are: renew with a fresh hardware refresh at a re-negotiated monthly rate (the most common outcome), return all hardware and exit cleanly, or execute a buyout at fair market value if the organisation wishes to own the asset outright. There is no ambiguity at month 36.
Who this is for
Four buyer profiles — one leasing model
🏢
SME (50–200 employees)
Challenge: Enterprise-grade security hardware is out of reach at capex pricing. Procurement cycles are slow and IT teams are lean.
Why leasing fits: A single monthly bill covering hardware, management, and refresh removes the barrier entirely. No procurement team needed. No capex committee.
🏦
Regulated Enterprise (RMiT-bound)
Challenge: BNM RMiT mandates specific controls — firewalls, HSMs, PAM, EDR, SOC sensors — with documented audit evidence. Buying and operating each independently is expensive and complex.
Why leasing fits: Every leased category ships with an RMiT-aligned audit pack. nCrypt attends BNM audit sessions as the technical operator, reducing your internal audit preparation burden significantly.
⚙️
OT / Industrial Operator
Challenge: Operational technology environments have long equipment lifecycles and cannot tolerate interruption. Traditional IT security procurement does not understand OT protocols or plant operations.
Why leasing fits: OT-Security-as-a-Service is passive — it installs via SPAN port with zero injection into the plant network. The 36-month lease aligns with plant turnaround cycles. IEC 62443 and NACSA documentation is included.
🏪
Multi-Branch Retail & Hospitality
Challenge: Each branch needs a managed firewall, NAC, and EDR. Buying hardware per site is expensive; maintaining it with a small central IT team is unsustainable.
Why leasing fits: Bundled per-site pricing covers HQ and all branches under one contract. Centralised policy management means your IT team sees one dashboard, not 20 separate appliance UIs.
One bundle, four guarantees.
Hardware appliance
Sized and pre-staged by nCrypt. Vendor-warrantied. Refreshed at month 30.
All licences included
IPS, sandboxing, threat intel, EDR — sized to your environment.
24/7 management
nCrypt SOC monitors, tunes, and responds. Quarterly policy reviews.
Single monthly bill
Hardware + licences + management + refresh, one line item, predictable budget.
Nine categories. One contract.
Mix and match the hardware your environment actually needs.
Flagship
Firewall-as-a-Service
Sophos XGS · Fortinet FortiGate
Modern next-gen firewall hardware on a 36-month bundle. Zero capex. Includes SSL inspection, IPS, sandboxing, web filtering, and SD-WAN where supported.
Learn more →Flagship
Endpoint-as-a-Service
Sophos Intercept X · Kaspersky EDR Expert
Full EDR/XDR coverage on every laptop, desktop, and server, with a hardened on-prem management appliance and 24/7 SOC eyes. Per-endpoint billing scales naturally with headcount.
Learn more →Flagship
HSM-as-a-Service
Thales Luna Network HSM · Entrust nShield Connect
Tamper-resistant hardware for cryptographic key management, leased on 36-month terms. Required by BNM RMiT for licensed FIs and PCI DSS for any organisation issuing or processing payment cards.
Learn more →Flagship
WAF-as-a-Service
F5 Advanced WAF · Imperva SecureSphere · Barracuda WAF
On-prem or virtual WAF hardware leased on 36-month terms with managed signatures, custom rule development, and PCI DSS Req 6.6 attestation support.
Learn more →Flagship
Backup-as-a-Service (Cyber-Recovery)
Veeam Hardened Repository · Rubrik · Cohesity
Backup hardware that ransomware cannot encrypt or delete. Leased on 36-month terms with quarterly restore drills and documented cyber-recovery runbooks.
Learn more →Service hook
NAC-as-a-Service
InfoExpress CGX · Cisco ISE
NAC appliances that authenticate, profile, and segment every device on your network — corporate laptops, BYOD phones, IoT sensors, guests. Leased and managed on 36-month terms.
Learn more →Service hook
SOC-Sensor-as-a-Service
Custom-built sensor · Corelight · ExtraHop
On-premises sensor hardware capturing network metadata, plus nCrypt SOC 24/7 monitoring. Solves the "we can't send our logs to a US-hosted SaaS" data-sovereignty problem common in regulated Malaysian sectors.
Learn more →Service hook
OT-Security-as-a-Service
Claroty xDome · Nozomi Guardian · Dragos Platform
Passive OT/ICS sensor appliance leased on 36-month terms, monitoring industrial control systems without injecting any traffic. Built for Malaysian manufacturing, oil & gas, utilities, and critical national infrastructure.
Learn more →Service hook
PAM-as-a-Service
CyberArk Privileged Access Security · BeyondTrust Password Safe
PAM appliance leased on 36-month terms with managed onboarding, session-recording review, and integration with your existing IAM. Required by BNM RMiT for FIs managing privileged accounts.
Learn more →Procurement Comparison
Buy outright vs lease vs MSSP-managed — what is actually different
The three procurement paths for enterprise security hardware each carry different financial profiles, operational commitments, and risk-transfer models. The comparison below covers the most common decision criteria.
| Criterion | Buy outright | Lease (nCrypt) | MSSP-managed (cloud SaaS) |
|---|---|---|---|
| Upfront cost | RM 100K–500K+ per category | Zero — monthly only | Zero — monthly SaaS fee |
| Refresh cadence | Manual (5–7 yr budget cycle) | Included at month 30 | Vendor-managed (no hardware) |
| Patching responsibility | Internal IT (often delayed) | nCrypt (SLA-bound) | MSSP (SLA-bound) |
| 24/7 monitoring | In-house SOC (expensive) | Included in bundle | Included in SaaS tier |
| SOC integration | Manual integration required | nCrypt SOC or feed to yours | MSSP SOC (foreign cloud) |
| Data sovereignty | On-prem (full control) | On-prem + Malaysian DC only | Cloud (may be offshore) |
| Total 5-yr TCO (indicative) | 150% (capex + ops + refresh) | 115–130% (all-in monthly) | 120–140% (SaaS + integration) |
| Best fit | Large enterprises with full IT ops | SME to enterprise, regulated sectors | Cloud-native, no on-prem requirement |
TCO bands are indicative. Actual total cost depends on organisation size, site count, service tier, and credit assessment. Request a scoping call for a precise quote.
Pricing tiers — built for your size.
SMB
RM 800 – 1,500 / month
< 100 employees · 1 site · 1-2 hardware categories
- ✓Single appliance
- ✓Business-hours support
- ✓Quarterly reviews
- ✓Refresh at month 30
Mid-Market
RM 1,500 – 4,000 / month
100-500 employees · 2-5 sites · 3-5 categories
- ✓HA pairs
- ✓24/7 support
- ✓Monthly tuning
- ✓Refresh at month 30
- ✓Co-managed access
Enterprise
RM 4,000 – 15,000+ / month
500+ employees · multi-DC · 5+ categories
- ✓Multi-region HA
- ✓15-min SLA
- ✓Weekly tuning
- ✓Dedicated analyst
- ✓Custom integrations
Responsibility
Risk and responsibility matrix — who does what
One of the most common questions from procurement and legal teams is: when something goes wrong, who is responsible? The RACI below documents the responsibility split across all material operational activities. R = Responsible, A = Accountable, C = Consulted, I = Informed.
| Activity | nCrypt | Customer | Vendor |
|---|---|---|---|
| Hardware sourcing and procurement | R | C | I |
| Firmware and OS patching | R | I | C |
| Security policy configuration | R | C | I |
| Rule and signature tuning | R | C | I |
| Alert triage (24/7) | R | I | I |
| Incident containment decision | C | R | I |
| Incident response execution | R | A | I |
| Regulatory audit preparation | R | A | I |
| End-of-life hardware disposal | R | I | C |
| Business-continuity decision | I | R | I |
Authorised partner of
SophosKasperskyInfoExpress+ vendors via our financing partners
Nine Security Categories
Every security hardware category, available as a managed lease
Each category below is available as a standalone 36-month bundle or as part of a multi-category stack. Combining three or more categories qualifies for multi-bundle pricing. See the bundle calculator for a precise monthly quote.
Firewall-as-a-Service
NGFW appliance + 24/7 management. From RM 1,200/month.
Endpoint-as-a-Service (EDR)
EDR for every endpoint + SOC monitoring. From RM 30/endpoint/month.
SOC-Sensor-as-a-Service
On-prem network sensor + nCrypt SOC. From RM 4,500/month.
PAM-as-a-Service
Privileged access vault + session recording. From RM 3,500/month.
HSM-as-a-Service
FIPS 140-3 hardware key management. From RM 4,000/month.
Backup-as-a-Service
Immutable ransomware-resistant backup. From RM 3,000/month.
OT-Security-as-a-Service
Passive ICS/SCADA visibility. From RM 6,000/month.
WAF-as-a-Service
Hardware WAF + continuous tuning. From RM 2,500/month.
NAC-as-a-Service
Device authentication + BYOD segmentation. From RM 1,800/month.
Looking for consulting services rather than managed hardware? See our SOC-as-a-Service consulting, BNM RMiT compliance advisory, and contact us for a scoping discussion.
Frequently asked questions
How does managed security leasing work under MFRS 16?
Under MFRS 16, which aligns with IFRS 16, a lessee must recognise a right-of-use asset and a corresponding lease liability on the balance sheet for leases longer than 12 months. For most Malaysian organisations the managed security lease will qualify as a finance lease. This treatment means the monthly fee is split into principal and interest components, and the asset is depreciated over the lease term. In practical terms this differs from a pure opex treatment — finance teams should model both the balance-sheet impact and the P&L split before signing. nCrypt does not provide accounting advice; we recommend engaging your auditor to confirm the classification for your specific contract structure before execution.
Can we upgrade hardware mid-term if our environment grows?
Yes. Mid-term hardware upgrades are structured as a contract amendment with the financing partner. The most common trigger is a significant site expansion (new branch offices, a merger, or a doubling of endpoint count). We price the upgrade as a delta on the existing contract, adjusting the remaining monthly payments. We do not charge a penalty for upgrading; we do charge a nominal amendment fee to cover the procurement and configuration work.
What are the exit clauses if we need to terminate early?
Early termination requires a buyout of the remaining lease obligation, calculated by the financing partner as the net present value of outstanding payments. In most cases this is 60–80% of the remaining monthly total. We design contracts with a break clause at month 24 for Enterprise customers on multi-year frames. We always recommend reading the termination schedule in the master service agreement before signing.
Who owns customer data and logs at end of term?
All logs, configurations, and data generated by your environment belong to you. At end of term nCrypt returns all configuration exports, log archives, and credential sets within 30 days. Hardware is returned to the financing partner. We retain no right to your operational data beyond the term.
If nCrypt custom-tunes rules or policies, who owns that intellectual property?
Custom rules, detection signatures, and policy configurations developed specifically for your environment are licensed to you for perpetual use. Generic rule sets developed for all customers remain nCrypt intellectual property but you retain a perpetual right to use them during and after the contract. This is documented in the IP schedule of the master service agreement.
What if nCrypt loses its relationship with a hardware vendor?
The hardware you are operating is yours for the lease term regardless of any change in our vendor partnership. We maintain a vendor-neutral substitution clause — if a hardware refresh falls due at a point when we no longer carry the original vendor, we substitute an equivalent or superior appliance at no additional cost and provide full configuration migration. Our core vendor relationships (Sophos, Fortinet, Thales, CyberArk, Claroty) are multi-year contracted, not spot.
Can the managed leasing bundle integrate with our existing SOC?
Yes. All hardware categories produce standard log formats (syslog, CEF, STIX/TAXII for threat intel). We integrate with your existing SIEM — Splunk, Microsoft Sentinel, QRadar, or Elastic — and can supply raw log feeds to your SOC team. If you do not have a SOC, nCrypt SOC monitoring is included in the bundle. Co-managed and SOC-only configurations are both available.
Additional questions
Talk to a CREST member-firm consultant
Share your scope. We'll respond within 24 hours.
Get a Free Quote
Share your scope. We'll respond within 24 hours.
Get your bundle priced in three minutes.
Tell us how many people, how many sites, and which hardware you want. We'll email a precise quote within 24 hours.