[Image: Mumbai security lead pointing at an EDR alert console on a ThinkPad, security consultant looking on, conference room in Lower Parel]

Morphisec India: a Mumbai SaaS security lead runs the 30-day proof after an EDR near-miss

It is 09:42 on a Thursday in Lower Parel. Rohan slides his ThinkPad across my side of the conference table and points at one line.

“This one. Forty-one minutes. The EDR caught it. Eventually.”

Rohan is the security head at a 260-person Mumbai SaaS company selling lending-decision software to small banks. He is 33, second-time security lead, came from the consulting side. The incident he is pointing at happened on Tuesday at 02:17 AM, was caught by their EDR at 02:58 AM, and triaged by an analyst named Saif at 04:11 AM. Forty-one minutes between the loader landing and the alert firing. Two more hours before a human looked at it.

Nothing left the endpoint. The loader was a PowerShell stub pulling a second-stage payload from a Cloudflare worker domain since taken down. The second stage tried to read Chrome’s Login Data SQLite file. The EDR blocked the read because of a file-access rule, not because anything detected the loader as malicious. Lucky timing on an unrelated control. Luck is not a control.

He called me on Wednesday. He had read about Morphisec, the Israeli moving-target-defense vendor that has been running quietly on banks and hospitals in the US for six years. He wanted to know if it works in India, if it works alongside an EDR, and if the licensing makes sense for 260 seats. I drove to Lower Parel with three slides and a 30-day proof-of-value pitch.

What Morphisec actually does that the EDR does not

The first thing to clear up. Morphisec is not an EDR. It does not look for known-bad behaviour. It does not need a SOC analyst to triage alerts.

What it does is randomise the layout of system DLLs and process memory at load time. Every process start moves the addresses where critical functions live. The exploit code that landed on the endpoint was written against the addresses Windows ships by default. The exploit calls the address. The address is no longer there. The exploit fails. No alert needed. There is nothing to triage.

This is the part Indian SOC teams are slow to warm to. Indian SOC budgets are wired for detection. Tools that prevent without alerting feel like they are doing nothing, until you read the prevented-attack log and realise the EDR was never going to see seven of them. We have seen this hit a CISO during the first Morphisec console walkthrough. The first reaction is always: where are the alerts? The answer: there are none because there is no incident.

Rohan got this in ten minutes. He had spent the previous Tuesday reading the EDR triage log for a 41-minute window he could not get back. He did not need a tool that would catch the loader 38 minutes earlier. He needed a tool that would make the loader fail the moment it tried to call into memory.

The 30-day proof: 80 endpoints, two analysts, one decision deadline

We scoped the proof on Wednesday afternoon. The shape:

  • Coverage: 80 of 260 endpoints. The engineering team that touches the lending-decision model code, plus the four-person finance team that touches AP and payroll. The two groups Rohan loses sleep over.
  • Coexistence: Morphisec runs alongside the existing EDR. No uninstall, no rip-replace, no licensing renegotiation with the EDR vendor mid-cycle. Morphisec sits at a different layer in the kill chain, so the two coexist without conflict. We confirmed this with the Morphisec team on a call before scoping.
  • Console: Cloud-hosted, India region. Login on Day 1, first dashboard read on Day 2 once the agents had reported back.
  • Success criteria, agreed in writing: three numbers. (1) Count of in-memory attacks prevented and not flagged by EDR. (2) Per-analyst SOC triage minutes per week, measured Tuesday and Thursday. (3) End-user performance complaints, captured via the existing IT helpdesk ticket queue, baseline week vs. proof week 4.

That's it. Nothing fancy. Three numbers, 30 days, 80 endpoints, one boardroom-ready decision at the end.

Days 1 to 7: agents land, console populates, first prevented attack

Day 1 was deployment. The Morphisec Windows agent is around 18 MB installed and hooks into the process loader. We pushed it via Intune to the 80 scoped endpoints between 14:00 and 18:00 IST. By 19:00 the console showed 78 of 80 reporting healthy. The other two were a Bangalore developer laptop that was offline and a finance laptop whose user had not logged in that day.

Day 3 logged the first prevented attack. A finance analyst opened a payroll-vendor Word document carrying an old CVE-2017-11882 exploit in the equation editor. The exploit returns to an address that on a default Windows 11 build sits at a known location. On the Morphisec-protected endpoint that address had been moved by 7 MB. The exploit returned into memory that held nothing executable, Word crashed, Morphisec logged a prevented in-memory attack, and the analyst restarted Word and got on with her day. The EDR logged nothing. The CVE is from 2017. Block lists assume nobody is still trying it. Attackers know that.
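The mechanism described above (a payload built against the default module layout calls an absolute address, and after load-time relocation that address holds nothing it expects) is easy to see in a small model. The following is an added example written for this page, not Morphisec code and not a description of how its agent is implemented. Every module name, base address, size and export offset is constructed for the illustration; the only real thing borrowed is the idea that a control transfer landing on an address that is valid only in the default layout is itself a high-confidence prevented-attack signal, which is what the console record in the post amounts to.

```python
"""Toy model of moving-target defense: a baked-in absolute address stops
resolving once the module that held it is loaded somewhere else.
All names, bases, sizes and offsets below are constructed for illustration;
they are not real Windows layout values."""
import random
from typing import Dict, Optional, Tuple

PAGE = 0x1000
MIB = 0x100000

# Constructed "default" layout: module -> (base, size, {export: offset}).
# Modules sit 4 GiB apart so a shifted image never overlaps a neighbour.
DEFAULT_LAYOUT: Dict[str, Tuple[int, int, Dict[str, int]]] = {
    "kernel32.dll": (0x7FF8_0000_0000, 2 * MIB,
                     {"LoadLibraryA": 0x1A2F0, "VirtualProtect": 0x23C40}),
    "ntdll.dll":    (0x7FF9_0000_0000, 3 * MIB,
                     {"NtAllocateVirtualMemory": 0x9D2A0}),
}


def randomise_layout(layout, rng: random.Random):
    """Give every module a fresh page-aligned base, shifted by 4..64 MiB
    (a stand-in for per-process relocation at load time)."""
    moved = {}
    for name, (base, size, exports) in layout.items():
        delta = rng.randrange(4 * MIB, 64 * MIB, PAGE)
        moved[name] = (base + delta, size, exports)
    return moved


def export_address(layout, module: str, export: str) -> int:
    """Absolute address of an export under a given layout.  An exploit does
    this once, at build time, against the default layout; legitimate code
    does it at run time against whatever layout the live process has."""
    base, _, exports = layout[module]
    return base + exports[export]


def resolve(addr: int, layout) -> Optional[Tuple[str, str]]:
    """What does a control transfer to `addr` land on under `layout`?
    (module, export) if it is an entry point; None if it hits nothing
    executable, which is where the article's Word process crashed."""
    for name, (base, size, exports) in layout.items():
        if base <= addr < base + size:
            for fn, off in exports.items():
                if addr == base + off:
                    return (name, fn)
    return None


def prevented_attack_record(addr: int, live_layout) -> Optional[dict]:
    """Defender-side telemetry: a fault on an address that resolves only in
    the DEFAULT layout means something targeted that layout on purpose.
    Returns a log record for the console, or None if it is an ordinary fault."""
    if resolve(addr, live_layout) is not None:
        return None  # the transfer was valid; nothing to record
    default_hit = resolve(addr, DEFAULT_LAYOUT)
    if default_hit is None:
        return None  # a fault, but not aimed at a default-layout function
    module, fn = default_hit
    return {"event": "prevented in-memory attack",
            "target": f"{module}!{fn}", "address": hex(addr)}


def simulate(seed: int = 7) -> dict:
    """One protected process: the baked-in exploit address fails while a
    by-name lookup in the same process keeps working."""
    live = randomise_layout(DEFAULT_LAYOUT, random.Random(seed))
    baked = export_address(DEFAULT_LAYOUT, "kernel32.dll", "VirtualProtect")
    by_name = export_address(live, "kernel32.dll", "VirtualProtect")
    shift = live["kernel32.dll"][0] - DEFAULT_LAYOUT["kernel32.dll"][0]
    return {
        "exploit_lands_on": resolve(baked, live),          # None: nothing there
        "exploit_on_default": resolve(baked, DEFAULT_LAYOUT),
        "legit_lands_on": resolve(by_name, live),
        "shift_mib": shift // MIB,
        "console_record": prevented_attack_record(baked, live),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The two calls to `export_address` are deliberately the same function: the only difference between the exploit and legitimate code is which layout the lookup is made against and when. Run with different seeds and the exploit outcome never changes, because the shift is always larger than the module, while the by-name lookup always succeeds.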

Days 8 to 21: where the EDR and Morphisec started to disagree

This is the stretch that won Rohan the budget conversation he needed to have with his CFO. Over the middle two weeks the Morphisec console logged six more prevented attacks. The EDR console logged two of them, both late, both blocked at a downstream layer (network egress, file write). Four were never flagged by the EDR at all. The breakdown:

Date | What Morphisec saw | What the EDR saw
Day 10 | Mimikatz-lineage credential dump attempt on an engineering laptop after a Chrome tab visited a typosquat domain. | Nothing. Loader was novel.
Day 12 | Adobe Reader exploit attempt on a finance laptop, PDF attachment from a vendor address. | Alert at 22:14, two hours after the exploit attempt and 9 minutes after Reader crashed.
Day 15 | Cobalt Strike beacon load attempt (red-team test by Saif). | Alert 38 minutes after attempted load. Saif noted the gap.
Day 17 | Second Mimikatz-lineage attempt, different obfuscation. | Nothing.
Day 19 | Third Mimikatz-lineage attempt, packaged inside a fake Teams installer. | Nothing.
Day 20 | Second Cobalt Strike test (Saif, different loader). | Alert 26 minutes after load.
Day 21 | Old PowerShell Empire variant from a phishing link clicked by a junior engineer. | Network egress blocked at 04:31, 19 minutes after attempted connect.

The Mimikatz hits are the ones that kept Rohan awake. Mimikatz is a 12-year-old tool. Every EDR vendor claims they catch it. They catch the known variants. The three on the Morphisec log were re-compiled with different packers and different obfuscation, the kind of variation a half-decent commodity actor can ship in an afternoon. Morphisec did not need to recognise them as Mimikatz. It just made the calls fail.

₹17 crore. Average cost of a credential-led breach at an Indian financial-services firm in 2025. The Mumbai loader on Tuesday at 02:17 was the start of that arithmetic. Morphisec stopped seven of its cousins over the next 30 days.

Days 22 to 30: the analyst-time number that closed the deal

[Image: SOC analysts at a Mumbai SaaS office with calm dashboards after Morphisec moving-target-defense reduced triage volume]

Rohan has two SOC analysts on the team, Saif and Priya. Both work four-day overlapping shifts, both spend the bulk of their time triaging EDR alerts, and they have been on the team for eight and 14 months respectively. He picked Tuesday and Thursday as measurement days because those two carry the bulk of the alert volume (Monday spillover and mid-week phishing waves). The baseline week before Morphisec went in:

  • Saif: 9.4 hours of EDR triage across Tuesday + Thursday.
  • Priya: 9.1 hours across Tuesday + Thursday.
  • Combined: 18.5 hours per week. Almost two and a half working days lost to alert noise that ended in “false positive, close ticket”.

Week 4 of the proof, on the 80-endpoint scope:

  • Saif: 4.2 hours.
  • Priya: 4.0 hours.
  • Combined: 8.2 hours per week.
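The three success criteria agreed on Day 0, the Days 8 to 21 table and the triage-hour figures above are all a matter of joining two logs and two week-of-hours counts. The script below is an added example of how a security lead could produce that readout reproducibly rather than by hand; it is not a Sirius Star or Morphisec tool and reads no real console export. All hosts, timestamps, ticket rows and the matching window (an EDR alert on the same host within four hours after the prevented event counts as "the EDR saw it") are constructed to mirror the post's table and hour counts.

```python
"""Proof-of-value readout for the three Day-0 criteria: (1) prevented attacks
the EDR never flagged, (2) analyst triage hours, (3) performance tickets.
Added example; every event, host, timestamp and ticket below is constructed
to mirror the post's table, not exported from any product."""
from datetime import datetime, timedelta
from statistics import median

DAY0 = datetime(2025, 1, 6)  # constructed proof start date


def at(day: int, hh: int, mm: int) -> datetime:
    return DAY0 + timedelta(days=day, hours=hh, minutes=mm)


# Criterion 1 input A: what the prevention agent logged (mirrors the table).
PREVENTED = [
    {"id": "P1", "when": at(10, 11, 5),  "host": "eng-07", "what": "Mimikatz-lineage credential dump"},
    {"id": "P2", "when": at(12, 20, 14), "host": "fin-02", "what": "Adobe Reader exploit attempt"},
    {"id": "P3", "when": at(15, 15, 0),  "host": "eng-03", "what": "Cobalt Strike beacon load (red-team test)"},
    {"id": "P4", "when": at(17, 9, 40),  "host": "eng-11", "what": "Mimikatz-lineage, different obfuscation"},
    {"id": "P5", "when": at(19, 13, 22), "host": "eng-05", "what": "Mimikatz-lineage in fake Teams installer"},
    {"id": "P6", "when": at(20, 16, 30), "host": "eng-03", "what": "Cobalt Strike beacon load, second loader"},
    {"id": "P7", "when": at(21, 4, 12),  "host": "eng-14", "what": "PowerShell Empire variant via phishing link"},
]
# Criterion 1 input B: EDR alerts. Four follow a prevented event on the same
# host minutes later; two are noise that must NOT be counted as a match.
EDR_ALERTS = [
    {"when": at(12, 22, 14), "host": "fin-02", "what": "Suspicious child process of AcroRd32.exe"},
    {"when": at(15, 15, 38), "host": "eng-03", "what": "Beacon-like outbound traffic"},
    {"when": at(20, 16, 56), "host": "eng-03", "what": "Beacon-like outbound traffic"},
    {"when": at(21, 4, 31),  "host": "eng-14", "what": "Egress to newly registered domain blocked"},
    {"when": at(10, 9, 0),   "host": "eng-07", "what": "PUA: browser extension"},         # before P1: no match
    {"when": at(17, 9, 45),  "host": "fin-01", "what": "Macro-enabled document opened"},  # other host: no match
]


def match_edr(prevented, alerts, window=timedelta(hours=4)):
    """For each prevented event, find the earliest EDR alert on the same host
    in [0, window] after it.  Returns (ids never flagged, {id: latency_min})."""
    unflagged, latencies = [], {}
    for p in prevented:
        gaps = [a["when"] - p["when"] for a in alerts
                if a["host"] == p["host"] and timedelta(0) <= a["when"] - p["when"] <= window]
        if gaps:
            latencies[p["id"]] = int(min(gaps).total_seconds() // 60)
        else:
            unflagged.append(p["id"])
    return unflagged, latencies


# Criterion 2 input: Tuesday + Thursday triage hours per analyst (from the post).
TRIAGE_HOURS = {
    "baseline": {"Saif": 9.4, "Priya": 9.1},
    "week4":    {"Saif": 4.2, "Priya": 4.0},
}


def triage_delta(hours=TRIAGE_HOURS) -> dict:
    base = round(sum(hours["baseline"].values()), 1)
    after = round(sum(hours["week4"].values()), 1)
    return {"baseline": base, "week4": after, "recovered": round(base - after, 1)}


# Criterion 3 input: constructed helpdesk queue rows tagged by measurement week.
HELPDESK = [
    {"week": "baseline", "category": "performance", "host": "fin-03"},
    {"week": "baseline", "category": "password-reset", "host": "eng-02"},
    {"week": "week4", "category": "vpn", "host": "eng-09"},
    {"week": "week4", "category": "password-reset", "host": "fin-04"},
]


def performance_tickets(tickets=HELPDESK) -> dict:
    return {w: sum(1 for t in tickets if t["week"] == w and t["category"] == "performance")
            for w in ("baseline", "week4")}


def readout() -> dict:
    """The three numbers that go into the Day-30 decision."""
    unflagged, lat = match_edr(PREVENTED, EDR_ALERTS)
    return {
        "prevented_total": len(PREVENTED),
        "prevented_not_flagged_by_edr": len(unflagged),
        "unflagged_ids": unflagged,
        "edr_median_latency_min": median(lat.values()) if lat else None,
        "triage": triage_delta(),
        "performance_tickets": performance_tickets(),
    }


if __name__ == "__main__":
    for k, v in readout().items():
        print(f"{k}: {v}")
```

The window and the same-host rule are the two knobs worth agreeing in writing on Day 0, because they decide what "the EDR saw it" means: without the lower bound of zero, the Day-10 browser-extension alert that fired two hours before the credential-dump attempt would be counted as a catch it never was.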

Ten hours of analyst time per week, back. Saif used the first reclaimed Saturday to fix a vulnerability-management runbook he had been promising the auditors for three months. Priya used hers to sleep. Rohan used the number to walk into the CFO’s office on Day 28 and ask for a 260-seat Morphisec annual licence, against the EDR renewal that was due in October. The CFO did not ask for a slide deck. He asked how many seats and how soon.

What did not work, and the two things the proof exposed

I should write this honestly because no proof is clean and a story without scars reads like a brochure. Two things did not work on the first try.

First was the Adobe Reader build on the finance laptops. Morphisec’s protection on Reader needs a current build to map its memory transforms correctly. The finance team was on a 2023 Reader build that the helpdesk had pinned for a known compatibility bug with the accounting export plugin. Morphisec flagged five of six finance laptops as “protected with reduced coverage on Adobe Reader”. The fix was a 90-minute helpdesk job to test the export plugin on a newer Reader (it worked) and push the upgrade. Properly annoying for the team. The kind of cleanup an honest pilot surfaces.

Second was the Cobalt Strike test on Day 15. Saif loaded a beacon variant Morphisec did not block on the first attempt. The agent blocked the second loader, the third, and the fourth. The first was a known evasion technique exploiting a Windows API the agent’s transform did not cover at that version. Morphisec engineering shipped a coverage update inside seven working days. The conversation with the local Morphisec team about that miss was what won me over personally. They did not soften it. They named the technique, said the next agent version covered it, and pointed at the changelog. That is how I want a vendor to handle a coverage gap.

What this means if you are sitting on an EDR renewal

This is not an argument to throw the EDR out. The EDR caught the Adobe attempt on Day 12 (late, but caught), blocked the egress on Day 21, and stays the system of record for endpoint forensics. None of that goes away.

The argument is narrower. If your SOC analysts spend more than six hours each per week triaging alerts that close as false positive, and your EDR vendor wants more money at renewal to “upgrade to behavioural”, layer a moving-target-defense agent underneath instead. The cost is a fraction of the EDR upsell. The analyst time you get back pays for the licence inside the first quarter. The seven Mimikatz/Cobalt/PowerShell attempts the EDR did not see stop being hypothetical.

The DPDP context matters too. The DPDP Rules 2025 were notified on 13 November 2025. Personal-data-fiduciary obligations land in waves through 2026 and 2027. A credential-led breach that exfiltrates Aadhaar, PAN, or borrower KYC is a notification event with penalties scaling to ₹250 crore. The Mumbai loader on Tuesday at 02:17 was reaching for the Chrome credential store. Anything that prevents the loader from running lowers the notification surface. The CFO conversation in Lower Parel was not about cybersecurity. It was about DPDP exposure and analyst payroll. Same line item.

Where Sirius Star fits

Sirius Star runs Morphisec proofs across India on the same pattern we ran in Lower Parel. 30 days, a scoped fleet that maps to the customer’s highest-risk endpoint groups, coexistence with the incumbent EDR, three measured numbers agreed on Day 0. Joint review with Morphisec engineering at Day 15 and Day 30. Final readout the security lead walks into a CFO meeting with, no translation needed.

If you want the full Morphisec India context, our Morphisec India page has the deployment guide, licence bands, and the support pattern in the India region. For the broader endpoint-security stack we work with in India, the Trend Micro Cloud One workload-security pilot and the Acronis Cyber Protect 60-day bake-off are two recent companions. The Okta SSO rollout in Pune and the ARCON PAM at a Chennai BPO cover the identity-side controls that any endpoint conversation eventually circles back to.

For the DPDP side, the Secure Data Guard DPDP compliance package is where Morphisec sits inside the broader fiduciary-readiness stack. The MeitY notification on the DPDP Rules 2025 sits at meity.gov.in. The Morphisec public CVE coverage matrix sits at morphisec.com. The CERT-In advisory on credential-led incidents at Indian financial-services firms sits at cert-in.org.in.

Key takeaways

  • Morphisec prevents in-memory attacks by randomising process memory at load. The exploit calls an address that is no longer there. No signature, no alert, no triage.
  • It coexists with an existing EDR. The two sit at different kill-chain layers. No rip-replace.
  • On a 30-day, 80-endpoint Mumbai SaaS proof: 7 prevented attacks the EDR did not flag, including three Mimikatz-lineage credential dumps.
  • SOC analyst triage time fell from 18.5 hours/week combined to 8.2 hours/week. Ten hours of analyst payroll, back.
  • The buying argument that closes is analyst time recovered + DPDP exposure lowered. Not “we add another security layer”.

FAQ

Does Morphisec replace our EDR? No. It runs underneath. The EDR still owns detection, forensics, and the SOC workflow. Morphisec prevents the attacks the EDR is not built to see.

How heavy is the agent on a Windows laptop? The Windows agent is around 18 MB installed and uses single-digit MB of RAM. On the Mumbai proof the helpdesk recorded zero performance tickets through 30 days.

What does the licence look like for 260 seats in India? Per-endpoint annual, billed in INR through the India region. For a 260-seat fleet the licence comes in well under the typical EDR-upsell delta. We share the band on a discovery call once we have your fleet shape.

Does Morphisec work on Linux and macOS? Yes, with server-side coverage on Linux for Windows server workloads and a macOS agent for engineering teams. The Mumbai proof was Windows-only because that was the in-scope fleet. We have run macOS coverage on a Bengaluru engineering team separately.

How long does a proof take? 30 days is the recommended shape. We have shipped 14-day proofs for smaller fleets when there is renewal-clock pressure. The 30-day window gives you a clean week-4 measurement against a baseline week 0.

Reach us: Talk to the Sirius Star team via the popup on this page during 10-7 IST. WhatsApp number on the contact page is +91 91375 93228 for plain-text reference; the popup form is the fastest route to a callback inside 24 working hours.

P.S. Sudeep here. The first reaction every CISO has on the Morphisec console is the same: “where are the alerts?” The answer is that there are none, because there is nothing to triage. That mental flip is the single thing that decides whether the tool stays after the proof. Rohan flipped on Day 3 when the Mimikatz hit landed in the prevented-attack log and the EDR console was silent. The CFO flipped on Day 28 when the analyst-time number landed in the slide. Same flip, different incentives. Both real.

Trust line: 200+ Indian businesses. 30+ in BFSI. Response within 24 working hours, 10-7 IST.


