On-premises network sensor hardware combined with nCrypt 24/7 SOC monitoring — leased on a 36-month bundle. All data stays in Malaysia. 15-minute MTTA on high-severity alerts.

The default architecture recommended by most global MSSP vendors is to ship all endpoint and network logs to a cloud-hosted SIEM — typically hosted in the United States, Europe, or Singapore. For a Malaysian bank, a healthcare provider, or a government agency operating under BNM RMiT or the Cyber Security Act 2024, this creates a data-sovereignty problem that is difficult to resolve without restructuring the entire monitoring architecture.
BNM RMiT requires financial institutions to manage data, including security telemetry, in a manner consistent with national sovereignty obligations. Sending it to a foreign-hosted SIEM is not simply a privacy question; it is a regulatory question that RMiT compliance teams must resolve explicitly. Healthcare organisations under the PDPA 2010 (as amended in 2024) face similar considerations around where patient-linked operational data is processed.
The SOC Sensor model solves this structurally. The sensor appliance lives on your network, captures metadata locally, and sends enriched alert data to nCrypt's SOC — which operates from a Malaysian data centre. No raw traffic, no log data, and no sensitive metadata leaves the country. For organisations under NACSA's NCII designation, this architecture maps to the monitoring obligation without the data-export question. See our SOC service overview and the broader managed security leasing overview.
Endpoint detection tools have a structural blind spot: attacker activity that occurs entirely at the network layer, between devices, or in encrypted tunnels that never touch a monitored endpoint. Three scenarios the SOC Sensor detects that EDR misses:
(1) Lateral movement between servers: SMB share enumeration and PsExec-style service creation appear in Zeek's conn.log, smb_mapping.log and dce_rpc.log as one host fanning out to many internal hosts on 445/tcp, even when neither host runs an EDR agent.
(2) DNS tunnelling: command-and-control encoded in DNS queries bypasses HTTP/HTTPS inspection entirely, but stands out in dns.log as repeated long, high-entropy query names under a single domain, which is what entropy analysis over Zeek's DNS metadata is tuned to catch.
(3) Data exfiltration: large uploads to cloud storage services, unusual TLS certificate chains, and sustained outbound volume to rarely seen autonomous systems are visible in conn.log byte counts and ssl.log/x509.log metadata.
Our SOC analysts review these signals 24/7 against a baseline established in the first deployment month. Pairing this with Endpoint-as-a-Service delivers full-spectrum visibility. For organisations with OT environments, the sensor integrates with OT-Security-as-a-Service to extend coverage to industrial control systems.
BNM RMiT Section 10.4 addresses cyber security operations and requires financial institutions to implement monitoring that covers network traffic and to retain logs in a manner consistent with data-sovereignty obligations. Sending raw network metadata to a foreign-hosted cloud SIEM may conflict with this requirement, depending on the data classification of the captured traffic. The SOC Sensor model keeps captured metadata on the sensor appliance inside your environment and sends only enriched alert data to nCrypt's Malaysian data centre, so nothing leaves the country. This maps directly to the RMiT data-sovereignty expectation for security telemetry.
The sensor captures network metadata as Zeek logs: connection records (conn.log), DNS queries (dns.log), TLS certificate details (ssl.log, x509.log), HTTP transaction headers (http.log), file-transfer summaries (files.log), and protocol anomalies (weird.log, notice.log). It does not capture application-layer payload content by default. This metadata-only approach means the sensor sees enough to detect lateral movement, command-and-control beaconing, and data-exfiltration patterns, without capturing sensitive payload data that would create additional privacy obligations. Full packet capture is available but is an explicit opt-in for incident-response purposes, and the captures are stored locally on the appliance.
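As an added illustration of the three detection scenarios and of the Zeek metadata they rely on, the following Python script runs toy versions of the SMB fan-out, DNS-tunnelling and exfiltration checks over constructed Zeek JSON log lines. It is example code written for this page, not nCrypt's detection logic; the internal address ranges, the sample log lines and every threshold (5 SMB targets, 3.5 bits/char, 40-character queries, 50 MB) are assumptions chosen to make the sample trip each rule.

```python
"""Toy detections over Zeek JSON logs (conn.log, dns.log). Added example, not
nCrypt's code; sample lines and thresholds are constructed assumptions."""
import ipaddress
import json
import math
from collections import Counter, defaultdict

# Assumed internal address plan (RFC 1918). Python's is_private also treats the
# 198.51.100.0/24 and 203.0.113.0/24 documentation ranges used below as private,
# so membership is checked explicitly against the organisation's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def conn_line(i, orig, resp, port, orig_bytes):
    """One Zeek conn.log line as JSON. Zeek's JSON writer flattens the id record
    into dotted keys (id.orig_h, id.resp_p, ...), hence the key names."""
    return json.dumps({"ts": 1.7e9 + i, "uid": f"C{i}", "id.orig_h": orig, "id.orig_p": 49000 + i,
                       "id.resp_h": resp, "id.resp_p": port, "proto": "tcp",
                       "orig_bytes": orig_bytes, "resp_bytes": 800, "conn_state": "SF"})


def dns_line(i, orig, query, qtype="A"):
    """One Zeek dns.log line as JSON."""
    return json.dumps({"ts": 1.7e9 + i, "uid": f"D{i}", "id.orig_h": orig, "id.orig_p": 53000 + i,
                       "id.resp_h": "10.0.0.2", "id.resp_p": 53, "proto": "udp",
                       "query": query, "qtype_name": qtype, "rcode_name": "NOERROR"})


# Constructed conn.log: 10.0.1.20 opens SMB to seven internal hosts (sweep / PsExec-style
# movement) and pushes ~55 MB to one external host; 10.0.1.50 is ordinary traffic.
CONN_LOG = "\n".join(
    [conn_line(i, "10.0.1.20", f"10.0.1.{30 + i}", 445, 1200) for i in range(7)]
    + [conn_line(7, "10.0.1.50", "10.0.1.10", 445, 5_000),
       conn_line(8, "10.0.1.20", "203.0.113.45", 443, 40_000_000),
       conn_line(9, "10.0.1.20", "203.0.113.45", 443, 15_000_000),
       conn_line(10, "10.0.1.50", "198.51.100.7", 443, 2_000)])

# Constructed dns.log: four TXT queries whose leftmost label is 32 distinct characters
# (5.0 bits/char) under one domain, plus three ordinary lookups from another host.
TUNNEL_LABELS = ["q7x2m9ka4tjv0bd1hzpfl8wrsyn3cg6e", "e6gc3nysrw8lfpzh1db0vjt4ak9m2x7q",
                 "x7q2m9ka4tjv0bd1hzpfl8wrsyn3cg6e", "m9ka4tjv0bd1hzpfl8wrsyn3cg6eq7x2"]
DNS_LOG = "\n".join(
    [dns_line(i, "10.0.1.20", f"{lbl}.c2.example.net", "TXT") for i, lbl in enumerate(TUNNEL_LABELS)]
    + [dns_line(10 + i, "10.0.1.50", q)
       for i, q in enumerate(["www.example.com", "mail.example.com", "api.example.com"])])


def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def shannon_entropy(s):
    """Bits per character; random-looking tunnel labels score far above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def detect_smb_fanout(conn, min_targets=5):
    """Lateral movement: one internal host opening 445/tcp to many distinct internal hosts."""
    targets = defaultdict(set)
    for r in conn:
        if r.get("id.resp_p") == 445 and is_internal(r["id.orig_h"]) and is_internal(r["id.resp_h"]):
            targets[r["id.orig_h"]].add(r["id.resp_h"])
    return {host: sorted(t) for host, t in targets.items() if len(t) >= min_targets}


def detect_dns_tunnel(dns, min_queries=3, min_entropy=3.5, min_len=40):
    """DNS tunnelling: repeated long, high-entropy leftmost labels under one domain.
    'Registered domain' is approximated by the last two labels, which is wrong for
    suffixes such as .com.my; production code should use the Public Suffix List."""
    per_domain = defaultdict(list)
    for r in dns:
        query = r.get("query")  # absent on some dns.log rows, e.g. malformed packets
        if not query:
            continue
        labels = query.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        per_domain[".".join(labels[-2:])].append((shannon_entropy(labels[0]), len(query)))
    hits = {}
    for domain, rows in per_domain.items():
        if len(rows) < min_queries:
            continue
        avg_entropy = sum(e for e, _ in rows) / len(rows)
        avg_len = sum(n for _, n in rows) / len(rows)
        if avg_entropy >= min_entropy and avg_len >= min_len:
            hits[domain] = {"queries": len(rows), "avg_entropy": round(avg_entropy, 2),
                            "avg_len": round(avg_len, 1)}
    return hits


def detect_exfil(conn, min_bytes=50_000_000):
    """Exfiltration: total bytes sent from one internal host to one external host."""
    volume = defaultdict(int)
    for r in conn:
        if is_internal(r["id.orig_h"]) and not is_internal(r["id.resp_h"]):
            volume[(r["id.orig_h"], r["id.resp_h"])] += r.get("orig_bytes") or 0
    return {pair: total for pair, total in volume.items() if total >= min_bytes}


def run_detections(conn_log=CONN_LOG, dns_log=DNS_LOG):
    conn, dns = parse(conn_log), parse(dns_log)
    return {"smb_fanout": detect_smb_fanout(conn),
            "dns_tunnel": detect_dns_tunnel(dns),
            "exfil": detect_exfil(conn)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

Two caveats carry over to a real deployment: the exfiltration rule sums bytes over whatever window the caller feeds it, so it must be run per time bucket against the baseline the SOC establishes in the first month, and the DNS rule needs a proper registered-domain split, otherwise every `.com.my` customer collapses into one bucket.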
Endpoint Detection and Response (EDR) covers what happens on individual devices: process execution, file modifications, and memory injection. The SOC Sensor covers what happens on the network: lateral movement between devices, communication with external C2 infrastructure, DNS tunnelling, and data-exfiltration patterns. The two telemetry sources are complementary. Our leasing bundles can combine the SOC Sensor with Endpoint-as-a-Service for full-coverage visibility.
MTTA is 15 minutes for high-severity alerts (potential active compromise, lateral movement, data exfiltration) and 1 hour for medium-severity alerts (policy violations, suspicious patterns, anomalous volume). These SLAs are documented in the master service agreement and reported monthly. Quarterly reports include the MTTA actually achieved against the SLA targets.
Yes. All sensor output is available as syslog (CEF or JSON) for integration with your existing SIEM — Splunk, Microsoft Sentinel, IBM QRadar, or Elastic. We can also supply STIX/TAXII threat-intel feeds. If you do not have an existing SIEM, nCrypt SOC handles all triage internally and provides read-only portal access to alerts, dashboards, and reports.
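For teams wiring the syslog feed into their own SIEM, the added example below (written for this page, not nCrypt's actual output format or code) shows what a well-formed CEF line looks like, including the escaping the CEF specification requires for `|` and `\` in header fields and for `=`, `\` and newlines in extension values, and parses it back the way a SIEM would so you can confirm nothing is lost. The vendor/product strings, signature ID and the alert itself are placeholders.

```python
"""CEF round-trip for a sensor alert. Added example, not nCrypt's output
format; vendor/product/signature values are placeholders."""
import re

_KEY_RE = re.compile(r"[A-Za-z0-9_.]+")


def _esc_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """CEF extension values: backslash and '=' are escaped; newlines become \\n / \\r."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, signature_id, name, severity, **extension):
    """Build one CEF:0 line. Severity is an integer 0-10 (10 most severe)."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be 0-10")
    for key in extension:
        if not _KEY_RE.fullmatch(key):
            raise ValueError(f"bad extension key {key!r}")
    header = "|".join(_esc_header(v) for v in (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def _unescape(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_key(token):
    """(key, raw_value) if the token starts a new key=value pair, else None.
    An escaped '\\=' inside a value never starts a pair."""
    i = 0
    while i < len(token):
        if token[i] == "\\":
            i += 2
        elif token[i] == "=":
            return (token[:i], token[i + 1:]) if _KEY_RE.fullmatch(token[:i]) else None
        else:
            i += 1
    return None


def parse_cef(line):
    """Parse a CEF line the way a SIEM would, honouring the escapes above."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, cur, i = [], [], 4
    while len(fields) < 7 and i < len(line):      # version + six header fields
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    ext, key = {}, None
    for token in line[i:].split(" "):
        kv = _split_key(token)
        if kv:
            key, ext[key] = kv[0], kv[1]
        elif key is not None:                     # value containing spaces continues
            ext[key] += " " + token
    names = ("version", "vendor", "product", "product_version", "signature_id", "name", "severity")
    result = dict(zip(names, fields))
    result["extension"] = {k: _unescape(v) for k, v in ext.items()}
    return result


def demo_alert():
    """Encode a placeholder lateral-movement alert whose name contains a pipe and
    whose message contains '=' and a newline, then parse it back."""
    line = to_cef("nCrypt", "SOC Sensor", "1.0", "LATERAL-SMB-FANOUT",
                  "SMB fan-out | possible PsExec", 8,
                  rt="1700000000000", src="10.0.1.20", dpt=445, cnt=7,
                  msg="targets=10.0.1.30..10.0.1.36\nsee runbook section 4")
    return line, parse_cef(line)


if __name__ == "__main__":
    line, parsed = demo_alert()
    print(line)
    print(parsed)
```

The point of the round trip is the acceptance check: feed one alert with a pipe in its name and an `=` in its message through the real syslog path and confirm the SIEM shows the same values `parse_cef` returns here; if it does not, the parser on the SIEM side is splitting on unescaped delimiters and will mangle exactly the alerts that matter.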
The Cyber Security Act 2024 permits NACSA to designate organisations as National Critical Information Infrastructure, imposing periodic risk assessments, biennial audits, and incident reporting obligations. NCII-designated organisations need continuous monitoring capability as part of their cyber resilience posture. The SOC Sensor provides the network telemetry and documented monitoring evidence that maps to the monitoring obligation. nCrypt supplies NACSA-aligned documentation with the bundle. This service helps organisations prepare for NCII compliance but does not constitute legal advice on regulatory obligations.
Hardware-as-a-Service · 36-month bundle
Network sensor capturing your traffic, feeding nCrypt SOC analysts for 24/7 monitoring, detection, and response — without sending your logs to a foreign cloud.
Sensor appliance (Zeek-based or Corelight)
TAP / SPAN port integration
24/7 SOC monitoring (SLA: 15-min MTTA for high-severity)
Monthly threat reports + quarterly threat hunts
Incident-response runbook tailored to your environment
Hardware refresh at month 30
SMB: RM 4,500 – 7,000 / month. Single sensor, 1 Gbps capture, SMB SOC tier.
MidMarket: RM 7,000 – 14,000 / month. HA sensors at 2–3 sites, 10 Gbps, Mid-Market SOC tier.
Enterprise: RM 14,000 – 35,000+ / month. Multi-DC capture, 40+ Gbps, custom threat hunts, dedicated analyst.
Need a one-off engagement instead of a leased bundle? See our consulting service.
Share your user count, locations, and current stack. We'll respond within 24 hours.
Three minutes in the calculator. A precise quote emailed within 24 hours.
Financing available via our partner financial institutions. Indicative monthly figures based on standard 36-month terms; final pricing subject to credit assessment and signed master service agreement.