Hiring IAM & Cybersecurity Engineers from India in 2026: The Enterprise Buyer’s Guide

Mayank Pratap Singh
Co-founder & CEO of Supersourcing

The $3.2M Breach That Started This Guide

A $3.2M IAM transformation failure is not an outlier; it is a recurring pattern in enterprise security programs where platform complexity is underestimated. In 2026, implementing identity stacks like SailPoint, CyberArk, and Okta requires deep, hands-on architecture expertise, not just certifications or surface-level experience.

Hiring IAM & Cybersecurity Engineers from India has become a strategic priority for global enterprises looking to scale security engineering while managing costs. India offers a large talent pool, but the gap between tool familiarity and real-world implementation capability is where most programs break, leading to audit risks, delays, and expensive remediation.

The urgency is backed by global threat data. According to Cybersecurity Ventures, global cybercrime damages are expected to reach $10.5 trillion annually by 2026, making cybersecurity one of the highest-priority investment areas for enterprises (see the Cybersecurity Ventures Cybercrime Damages Report).

As enterprises accelerate identity modernization, the real challenge is not finding engineers but identifying those who can design secure, compliant architectures across IGA, PAM, and IdP systems from day one.

TL;DR: 8 Answers Before You Read Further

Question | Answer
What does a Senior IAM Engineer cost from India? | $48–72/hr fully loaded. A Zero Trust Architect runs $130–175/hr. Section 5 has platform-by-platform rates.
Which IAM platform has the deepest India talent pool? | Okta: largest certified pool. SailPoint IdentityNow is second. CyberArk PAM is thin at architect level. Ping and ForgeRock are genuinely scarce.
The fastest I can close 10 IAM engineers? | 35–50 days with a pre-vetted bench for Okta/SailPoint. 60–90 days for CyberArk architects. ForgeRock: 90+ days.
What certification actually matters? | Platform-specific and product-specific. SailPoint IdentityNow Certified Engineer. CyberArk Defender + Sentry for operational, Guardian for architecture. Okta Certified Architect. Section 5 covers every platform.
What's the most commonly misrepresented credential? | SailPoint IdentityIQ experience presented as IdentityNow. They are different products on different architectures. Most India SailPoint experience is IdentityIQ legacy.
Zero Trust: how many Indian engineers actually know it in production? | Fewer than 300 engineers in India have designed and delivered a production Zero Trust Network Access architecture. ZTNA is widely claimed on CVs. Production delivery is rare.
What's typical attrition for IAM specialists? | 11–15% annually. Lower than the IT average because IAM is a specialist track; lateral moves are limited and the community is tight.
What's the single biggest hiring mistake for security programs? | Treating IAM as a single skill. SailPoint, CyberArk, Okta, Ping, and ForgeRock are different platforms requiring different architects. A "broad IAM background" almost always means shallow on all of them.

Are You Actually Ready for This?

Security programs fail for buyer-readiness reasons at a higher rate than almost any other enterprise stack. The consequences (audit failures, compliance gaps, breach exposure) are more severe than a delayed ERP go-live. Score yourself before you engage a single vendor.

Score each: 0 (not in place), 2 (partially), 4 (done).

# | Criterion | Score
1 | Named security program owner. One person with CISO authority. Not a committee. | 0/2/4
2 | IAM platform decisions made: SailPoint vs Saviynt for IGA, CyberArk vs BeyondTrust for PAM, Okta vs Ping for IdP | 0/2/4
3 | Zero Trust strategy defined: ZTNA platform chosen (Zscaler, Prisma, Cloudflare) or explicitly deferred | 0/2/4
4 | Joiner-mover-leaver process documented for the offshore vendor engineers themselves | 0/2/4
5 | Source system inventory complete: which HR, AD, and application systems feed the IGA | 0/2/4
6 | Privileged account inventory complete: which service accounts, admin accounts, and shared credentials are in scope for PAM | 0/2/4
7 | Compliance framework confirmed: SOC2, HIPAA, PCI-DSS, ISO 27001, or a combination | 0/2/4
8 | Interview panel with hands-on platform experience available within 5 business days | 0/2/4
9 | Legal SLA under 15 days for MSA review | 0/2/4
10 | CISO signed off on offshore engineers accessing identity infrastructure | 0/2/4
11 | Background check requirements for offshore security engineers defined | 0/2/4
12 | KPIs defined: provisioning SLA, orphan account rate, access certification completion rate | 0/2/4
13 | Escalation path defined: vendor PM → your IAM Program Lead → your CISO | 0/2/4
14 | IP ownership for custom connectors, workflows, and policy configurations in the MSA | 0/2/4
15 | Finance can process USD-denominated invoices within 30 days | 0/2/4

What your score means:

Score | Tier | Reality Check
48–60 | Scaler | You're ready. This guide is a checklist.
34–46 | Builder | 3–4 gaps. In security, they cost more than 60 days. Fix before signing.
20–32 | Explorer | Significant internal work needed. A premature security engagement creates more exposure than it closes.
0–18 | Pre-Stage | 90 days of internal security architecture work before an offshore engagement makes sense.

From the deal floor: A US-based financial IT services company (4,000 employees, SOC2 Type II in scope) scored 20 on this checklist. Their VP Engineering signed a 6-person SailPoint SOW anyway. The source system inventory (criterion 5) had never been completed. The India team spent the first 11 weeks discovering which HR systems, AD domains, and applications needed connectors, work that should have been done before the SOW was signed. Eleven weeks at $58/hr blended across 6 engineers: $152K spent on discovery that was the buyer's homework, not the vendor's delivery.

The IAM & Cybersecurity Talent Market in India 2026

India’s cybersecurity talent pool is large in absolute terms and dangerously thin at the platform-specific architect level. The gap between “cybersecurity experience” and “CyberArk PAM architect who has designed a Safe model for a 50,000-seat enterprise” is enormous. Most vendor rate cards don’t reflect it.

The overall pool:

India produces approximately 35,000 cybersecurity professionals annually from engineering colleges and certification programs. The certified IAM and security specialist pool is significantly smaller:

Platform / Specialisation | Estimated India Certified Pool | Architect-Level Practitioners
Okta (any certification) | ~8,200 | ~420
SailPoint IdentityNow | ~3,400 | ~280
SailPoint IdentityIQ (legacy) | ~4,800 | ~340
CyberArk (any certification) | ~4,100 | ~190
Microsoft Entra ID / Azure AD | ~12,000 | ~800
Ping Identity | ~1,200 | ~95
ForgeRock / OpenAM | ~800 | ~60
Saviynt | ~1,600 | ~120
BeyondTrust | ~900 | ~75
Zscaler (ZTNA) | ~2,800 | ~160
Palo Alto Prisma Access | ~2,200 | ~130
SentinelOne / CrowdStrike EDR | ~3,600 | ~210
Splunk (SIEM) | ~5,400 | ~320
Microsoft Sentinel | ~4,200 | ~280

The critical observation: the numbers that matter for enterprise programs are in the architect column, not the certified pool column. A Fortune 500 hiring a SailPoint IdentityNow architect is drawing from 280 active practitioners in India, not 3,400.

The IdentityIQ vs IdentityNow problem:

This is the single most important distinction in India IAM hiring and the one most commonly exploited by vendors.

SailPoint IdentityIQ is the legacy on-premise IGA product. It has been deployed at thousands of enterprises since 2007. India has approximately 4,800 IdentityIQ-certified professionals, the largest SailPoint pool in the country.

SailPoint IdentityNow is SailPoint's SaaS IGA platform: cloud-native, with a different connector framework, a different workflow engine, a different UI, and a different integration model. It has approximately 3,400 certified professionals in India.

A vendor who says “we have 15 SailPoint engineers on bench” almost certainly has IdentityIQ engineers. When your program requires IdentityNow, you are drawing from a different and smaller pool. An IdentityIQ engineer needs 3–4 months of retraining to become productive on IdentityNow. Most vendors will not tell you this unprompted.

(Figure: India IAM certified talent pool 2026)

Where the talent lives:

City | Dominant IAM/Security Specialisations | Why
Bangalore | Okta, SailPoint IdentityNow, Zero Trust (Zscaler/Prisma), Microsoft Entra ID, CrowdStrike | Highest density of cloud-native security engineers. Global tech company security teams concentrated here.
Pune | SailPoint IdentityIQ (legacy), CyberArk PAM, Saviynt, BeyondTrust | Large SI delivery centers (Cognizant, Wipro, Infosys) with established IAM practices. Strong on legacy IGA.
Hyderabad | Microsoft Entra ID, Azure AD, Microsoft Sentinel, Ping Identity | Microsoft India HQ effect. Deep Microsoft security ecosystem.
Gurgaon | CyberArk PAM, Splunk SIEM, BFSI security programs, Palo Alto | BFSI GCC concentration. Capital markets security programs.
Chennai | Legacy IAM, RSA SecurID, IBM Security products | TCS/Cognizant legacy security delivery. Strong in older platforms and support programs.
Mumbai | BFSI compliance security, regulatory audit programs, ForgeRock | Proximity to India's financial regulator ecosystem. RBI compliance-driven security programs.

Supersourcing Index: Across 112 IAM and cybersecurity placements in the Supersourcing GCC Benchmark 2026, median time-to-fill for a Senior SailPoint IdentityNow Engineer in Bangalore was 24 calendar days. For a CyberArk PAM Architect with Safe model design experience: 41 days. For a Zero Trust architect with Zscaler production deployment and multi-cloud ZTNA design: 58 days. For a ForgeRock architect: 72 days.

The Zero Trust CV inflation problem:

“Zero Trust” became a board-level buzzword in 2021. By 2022, every security engineer in India had added it to their LinkedIn profile. The term appears on approximately 40% of security CVs submitted to Supersourcing.

Production Zero Trust architecture (designing device posture assessment policies, configuring identity-based microsegmentation, implementing ZTNA for a hybrid workforce across managed and BYOD devices, integrating with PAM for privileged access) has been delivered by fewer than 300 engineers in India. The gap between claiming Zero Trust and having built it is wider in this domain than in any other security specialisation.

Red flag: Any vendor claiming “Zero Trust architects on bench” without being able to name the specific ZTNA platform (Zscaler, Palo Alto Prisma Access, Cloudflare Access, Microsoft Entra Private Access), the number of users in scope, and the device management framework used is presenting engineers who have read about Zero Trust, not built it.

Platform-by-Platform: Rates, Depth, and What the Credential Actually Means

SailPoint

Rate Table:

Level | Experience | India Rate ($/hr) | US Equivalent ($/hr) | Annual Saving ($)
SailPoint Engineer | 3–6 yr | $30–48 | $90–125 | $125K–$161K
Senior Engineer | 6–9 yr | $48–72 | $125–165 | $161K–$192K
Lead / Architect | 8–12 yr | $70–105 | $160–220 | $187K–$239K
Principal Architect | 12+ yr | $100–138 | $210–290 | $228K–$318K

What the credential actually means:

SailPoint has two distinct certification tracks, one for IdentityIQ (legacy) and one for IdentityNow (SaaS). The certifications look similar on a CV. They are not interchangeable.

  • SailPoint IdentityNow Certified Engineer: The current SaaS platform certification. Tests connector configuration, role mining, access certification campaigns, and workflow design in IdentityNow. This is what modern programs require.
  • SailPoint IdentityIQ Professional: The legacy on-premise certification. Deep platform knowledge but on a product that is in maintenance mode. Only relevant for IdentityIQ support or migration-from-IdentityIQ programs.

Verify at: SailPoint's partner and certification portal. Ask for the specific product (IdentityNow vs IdentityIQ) and the certification level. SailPoint also maintains a partner directory; vendors who are SailPoint partners have some certification verification built in.

The connector gap: SailPoint’s value in an IGA program is entirely dependent on connector quality. A senior SailPoint engineer who has never built a custom connector for a non-standard HR system or a legacy application is a campaign administrator, not an IGA engineer. Ask specifically: which connectors have they built from scratch, for which source systems, and what aggregation pattern did they use.

CyberArk

Rate Table:

Level | Experience | India Rate ($/hr) | US Equivalent ($/hr) | Annual Saving ($)
CyberArk Engineer | 3–6 yr | $32–50 | $95–130 | $135K–$166K
Senior Engineer | 6–9 yr | $50–75 | $130–175 | $166K–$208K
PAM Architect | 8–12 yr | $75–110 | $165–230 | $187K–$250K
Principal Architect | 12+ yr | $105–145 | $215–295 | $228K–$312K

What the credential actually means:

CyberArk has a tiered certification program:

  • CyberArk Trustee: Entry-level. Tests basic vault navigation and password retrieval. Not a practitioner credential.
  • CyberArk Defender: Operational certification. Tests vault administration, Safe management, and session monitoring. This is the minimum for a working CyberArk engineer.
  • CyberArk Sentry: Advanced operational certification. Tests CPM (Central Policy Manager) configuration, PSM (Privileged Session Manager) setup, and PVWA customisation. Required for senior engineers.
  • CyberArk Guardian: Architecture-level certification. Tests enterprise PAM design, disaster recovery, high availability configuration, and cloud PAM architecture. Fewer than 190 active Guardians in India. This is the credential required for architect roles.

Verify at: cyberark.com/certification. Each certification level appears separately. A Defender presenting as a Guardian is verifiable in 60 seconds.

The administration vs architecture gap: CyberArk administration (adding accounts to vaults, rotating passwords, monitoring sessions) is a different skill from CyberArk architecture (designing the Safe model, configuring CPM policies for different account types, designing the PSM topology for a hybrid cloud environment). India has approximately 4,100 CyberArk-certified professionals. Most are at Defender level. The 190 Guardians are the architects. Everyone else is an administrator.

Okta

Rate Table:

Level | Experience | India Rate ($/hr) | US Equivalent ($/hr) | Annual Saving ($)
Okta Engineer | 2–5 yr | $28–45 | $85–115 | $119K–$145K
Senior Engineer | 5–8 yr | $45–68 | $115–155 | $145K–$182K
Okta Architect | 7–11 yr | $68–100 | $155–215 | $182K–$239K
Principal Architect | 11+ yr | $98–135 | $210–290 | $228K–$322K

What the credential actually means:

Okta’s certification hierarchy:

  • Okta Certified Professional: Entry-level. Tests basic tenant configuration and app integration. The most widely held Okta cert in India.
  • Okta Certified Consultant: Mid-level. Tests advanced SSO configuration, MFA policies, lifecycle management, and API Access Management. The minimum for a working senior Okta engineer.
  • Okta Certified Architect: The architect-level credential. Tests enterprise identity architecture, multi-tenant design, complex org-to-org federation, and Okta Identity Governance. Approximately 420 holders in India. This is the credential required for architect roles.

Verify at: okta.com/learning, searching by candidate name. The three levels appear distinctly. An Okta Professional presenting as an Okta Architect is a verifiable misrepresentation.

The Okta Identity Governance gap: Okta acquired Spera Security in 2023 and launched Okta Identity Governance (OIG) as its IGA layer. Most Okta architects in India have no OIG experience; it’s too new. If your program requires Okta IGA rather than just Okta as an IdP, the practitioner pool drops significantly. Ask specifically for OIG experience, not just Okta experience.

Ping Identity

Rate Table:

Level | Experience | India Rate ($/hr) | US Equivalent ($/hr) | Annual Saving ($)
Ping Engineer | 4–7 yr | $35–55 | $100–140 | $135K–$176K
Senior Engineer | 7–10 yr | $55–80 | $140–185 | $176K–$218K
Ping Architect | 9–13 yr | $78–115 | $175–245 | $202K–$270K
Principal Architect | 13+ yr | $110–148 | $220–310 | $228K–$337K

What the credential actually means:

Ping Identity has a formal certification program: Ping Certified Professional and Ping Certified Architect. The program is less widely known than Okta's or SailPoint's, which means fewer candidates have pursued it. With approximately 1,200 Ping-certified professionals in India, the pool is thin and concentrated in Bangalore and Hyderabad.

Ping Identity's product suite (PingFederate, PingAccess, PingDirectory, PingOne) requires product-specific experience. A PingFederate specialist is not automatically a PingAccess architect. Ask for product-specific project history.

Verify at: Ping Identity’s certification portal. The pool is small enough that a vendor claiming 5+ Ping architects on bench should be able to produce cert IDs for all of them immediately.

Zero Trust / ZTNA Platforms

Rate Table:

Level | Experience | India Rate ($/hr) | US Equivalent ($/hr) | Annual Saving ($)
ZTNA Engineer | 4–7 yr | $38–58 | $105–145 | $140K–$181K
Senior ZTNA Engineer | 6–9 yr | $58–85 | $145–195 | $181K–$228K
Zero Trust Architect | 8–12 yr | $85–130 | $190–265 | $218K–$281K
CISO Advisory / Principal | 14+ yr | $130–175 | $270–370 | $291K–$405K

What the credential actually means:

Zero Trust does not have a single certification standard. Platform-specific certifications exist:

  • Zscaler: ZCCA-IA (Internet Access), ZCCA-PA (Private Access), and ZCCP (Certified Professional). The ZCCP is the senior practitioner credential.
  • Palo Alto Prisma: PCNSA (Network Security Administrator) and PCNSE (Network Security Engineer). PCNSE is the practitioner standard for Prisma Access.
  • Cloudflare: Cloudflare Certified (general), with Zero Trust-specific tracks.
  • Microsoft Entra Private Access: No standalone cert; verified through Microsoft SC-series security certifications.

Verify the platform-specific cert before anything else. “Zero Trust architect” without a named platform and verifiable certification is a CV inflation claim, not a credential.

(Figure: IAM engineer India vs US rates)

SIEM: Splunk and Microsoft Sentinel

Rate Table:

Level | Experience | India Rate ($/hr) | US Equivalent ($/hr) | Annual Saving ($)
SIEM Engineer | 3–6 yr | $28–45 | $85–115 | $119K–$145K
Senior SIEM Engineer | 5–8 yr | $45–68 | $115–155 | $145K–$182K
SOC / Detection Architect | 7–11 yr | $65–98 | $150–210 | $176K–$234K
Security Architect / Principal | 10+ yr | $92–130 | $200–275 | $228K–$301K

What the credential actually means:

Splunk: Splunk Core Certified User → Splunk Core Certified Power User → Splunk Enterprise Certified Admin → Splunk Enterprise Security Certified Admin. The Enterprise Security cert is the one that matters for SOC programs; it tests Splunk ES configuration, correlation searches, notable event management, and risk-based alerting. Verify at: splunk.com/en_us/training/certification-track.

Microsoft Sentinel: No standalone Sentinel certification; verified through SC-200 (Microsoft Security Operations Analyst). The SC-200 tests Sentinel workspace configuration, analytic rule creation, KQL query writing, and incident management. Verify at: learn.microsoft.com/certifications.

The SPL vs KQL gap: Splunk uses SPL (Search Processing Language) and Microsoft Sentinel uses KQL (Kusto Query Language). They are different query languages. A Splunk engineer cannot write effective Sentinel detection rules without learning KQL, and vice versa. Candidates who claim both Splunk and Sentinel expertise at depth are either genuinely rare or overstating one of them. Ask for a live query writing demonstration for the specific platform your SOC runs.

The JD That Attracts the Right Candidates

JD 1: Senior SailPoint IdentityNow Engineer (5–8 years, Staff Augmentation)

Senior SailPoint IdentityNow Engineer, Remote from India
Engagement: Staff Augmentation | Duration: 12 months, renewable
Rate: ₹28–42 LPA CTC equivalent | Billing: $48–72/hr (vendor-facing)

What you'll own: Build and maintain identity governance workflows in SailPoint IdentityNow. You'll configure source connectors for HR and application systems, build role models, manage access certification campaigns, and develop lifecycle management workflows. This is a delivery role: you'll be measured on provisioning SLA adherence, orphan account reduction, and access certification completion rates.

What we require:

  • SailPoint IdentityNow Certified Engineer (active; will be verified at SailPoint's certification portal before interview)
  • 5–8 years in IAM, minimum 2 years in production IdentityNow environments (not IdentityIQ)
  • Connector experience: built or extended at least 3 source connectors for non-standard applications
  • Role mining and role model design: can describe their approach to entitlement aggregation and role construction
  • Access certification campaign design: recertification frequency, reviewer routing, escalation logic
  • API integration experience: SailPoint REST APIs for custom integrations

What disqualifies you:

  • IdentityIQ-only experience with no IdentityNow production exposure
  • “SailPoint experience” that is entirely campaign administration without connector or workflow development
  • No custom connector development experience for a senior role
  • Identity governance knowledge limited to out-of-box IdentityNow configuration

Interview process: Technical screen (30 min) → Live IdentityNow connector configuration task (90 min) → Access model design discussion with IAM Program Lead (45 min)

JD 2: CyberArk PAM Architect (10+ years, GCC or BOT)

CyberArk PAM Architect, India GCC or BOT Engagement
Engagement: GCC Build or BOT | Duration: 24+ months
CTC: ₹75–105 LPA | Billing: $95–135/hr (vendor-facing)

What you’ll own: End-to-end CyberArk PAM architecture for an enterprise program. You will own the Safe model design, CPM policy framework, PSM topology for hybrid cloud, PVWA customisation, and integration architecture with our IGA (SailPoint) and IdP (Okta). You will be the technical authority for a team of 6–12 CyberArk engineers.

What we require:

  • CyberArk Guardian certification (active; will be verified at cyberark.com/certification before interview)
  • 10+ years in privileged access management, minimum 3 years at architect level
  • Designed and delivered at least 2 enterprise PAM programs from scratch; can describe Safe model topology, CPM policy design, and DR architecture in detail
  • Cloud PAM experience: CyberArk for AWS, Azure, or GCP privileged accounts, including dynamic secrets and cloud-native account onboarding
  • Integration architecture: CyberArk + SailPoint provisioning workflow, CyberArk + SIEM event forwarding, CyberArk + ITSM ticketing
  • Compliance mapping: can describe how CyberArk controls map to SOC2, PCI-DSS, or HIPAA requirements

Interview process: Architecture whiteboard (60 min) → Live Safe model design scenario (45 min) → Compliance control mapping discussion (30 min) → Reference call with prior CISO or IAM Program Director

What most enterprise JDs get wrong for IAM roles:

They ask for "IAM experience" without specifying the platform, which returns generalists who know Active Directory group policies and call it IAM. They list multiple platforms at architect level as a requirement: SailPoint AND CyberArk AND Okta at architect depth on one person is extremely rare, and a JD that requires it either gets ignored by real architects or attracts people who overstate all three. Pick your primary platform and require depth on it.

They don't specify the product version: "SailPoint experience" without specifying IdentityNow vs IdentityIQ floods the pipeline with legacy engineers. And they don't specify the compliance context.

A healthcare IAM engineer with HIPAA experience is a different profile from a financial services IAM engineer with PCI-DSS experience. The compliance context determines which source systems, which data sensitivity, and which audit requirements shape the implementation.

How to Verify Experience, Not Just Credentials

The 3 verification steps before any security interview:

Step 1: Platform-specific certification verification

Every major IAM platform has a certification registry. Verify before scheduling:

  • SailPoint: SailPoint certification portal; confirm IdentityNow vs IdentityIQ and active status
  • CyberArk: cyberark.com/certification; confirm Defender vs Sentry vs Guardian level
  • Okta: okta.com/learning; confirm Professional vs Consultant vs Architect level
  • Zscaler: mylearn.zscaler.com; confirm certification level and active status
  • Splunk: splunk.com/en_us/training/certification-track; confirm core vs enterprise security level

This takes 90 seconds per platform. Do it before the first interview is scheduled. In security hiring, a misrepresented credential is not just a sourcing failure; it is a program risk.

Step 2: Compliance context verification

Ask for the specific compliance framework on each project listed. A candidate who claims "enterprise PAM implementation" should be able to name the compliance driver (SOC2 Type II, PCI-DSS, HIPAA, ISO 27001) and describe how the CyberArk controls are mapped to specific control requirements. Candidates with real compliance-driven implementations answer this immediately. Candidates from internal IT programs without compliance drivers cannot.

Step 3: Source system specificity

For IGA (SailPoint, Saviynt) roles: ask for the specific source systems they’ve built connectors for. SAP HR as an authoritative source is different from Workday HR, which is different from a custom HRMS with no standard connector. The connector challenge is where IGA programs succeed or fail. Real engineers name specific systems and describe specific connector challenges. Generic answers describe the aggregation framework without naming source systems.

(Figure: IAM hiring time to fill, India)

The 5 interview questions that expose fake seniority:

Q1: SailPoint IdentityNow - Joiner-Mover-Leaver Design

"Walk me through your lifecycle event design for a joiner workflow in IdentityNow, from HR system trigger through to application provisioning, with your specific approach to provisioning policy and approval routing."

Real answer: describes the source connector aggregation trigger, the identity profile mapping from HR attributes to IdentityNow identity attributes, the role assignment logic at join, the provisioning policy structure (who gets what automatically vs what requires approval), and the approval workflow routing. They name specific IdentityNow workflow components: transforms, provisioning policies, lifecycle states.

Tutorial candidate describes the joiner-mover-leaver concept correctly but cannot describe IdentityNow-specific implementation. Says “the system provisions access based on the role assignment” without describing the provisioning policy or approval routing.

Q2: CyberArk - Safe Model Design

“Describe your Safe model design for an enterprise with 800 Windows servers, 200 Unix servers, and 150 database servers across on-premise and AWS. How do you structure Safes, CPM policies, and account types?”

Real answer: describes Safe segregation by platform type and environment (Windows Prod, Windows Dev, Unix Prod, AWS dynamic accounts), CPM policy design per platform (rotation frequency, verification method, reconciliation account), the difference between individual and shared account handling, and how AWS dynamic secrets are handled differently from on-premise static accounts. They have opinions about Safe granularity tradeoffs.

Tutorial candidate describes the Safe model conceptually. Says “we create Safes based on the account type and environment.” Cannot describe CPM policy specifics or explain how AWS accounts are handled differently.

Q3: Zero Trust - Device Posture Policy Design

“Walk me through how you’ve designed device posture assessment in a Zero Trust implementation for an organisation with 60% managed devices and 40% BYOD. What policies differ between device types and how do you enforce them?”

Real answer: describes the posture assessment framework: managed devices via an MDM compliance check (Intune/Jamf), BYOD via browser isolation or a limited-access policy, the specific conditions checked (OS version, patch level, disk encryption, EDR agent presence), and how the ZTNA platform (Zscaler/Prisma) enforces different access policies based on posture score. They describe the BYOD risk model and how they've handled the employee privacy vs corporate security tension.

Tutorial candidate describes Zero Trust principles correctly. Cannot describe specific posture assessment conditions or explain how managed and BYOD policies differ in the ZTNA platform configuration.

Q4: Splunk - Detection Engineering

“Describe your approach to building a detection rule for lateral movement in Splunk ES: what data sources, what SPL logic, and how you tune to reduce false positives without missing real events.”

Real answer: describes the relevant data sources (Windows Security Event Logs 4624/4625, Sysmon, network flow data), the SPL logic for detecting anomalous authentication patterns (unusual source/destination pairs, off-hours authentications, pass-the-hash indicators), how they use Splunk ES’s Risk-Based Alerting framework to accumulate risk scores rather than firing individual alerts, and their tuning approach (baseline normal behaviour, whitelist known service accounts, use stats commands to identify statistical outliers). They describe a specific lateral movement pattern they’ve built detection for.

Tutorial candidate describes lateral movement conceptually. Cannot write SPL or describe the Risk-Based Alerting framework. Says “we look for unusual login patterns.”
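As an added illustration of the risk-accumulation approach the Q4 real answer describes (this is example code written for this guide, not Splunk's RBA framework or any candidate's work), the Python below scores constructed Windows 4624 logon events against a constructed baseline of known user/source/destination pairs, adds risk for off-hours and NTLM network logons, tunes out allow-listed service accounts, and raises a notable only when a user's accumulated risk crosses a threshold rather than alerting on each event. Every event, hostname, account and weight here is made up for the demonstration.

```python
"""Risk-based lateral-movement scoring over constructed Windows 4624 events.

Added example, not from the original guide. It mirrors the idea behind Splunk ES
Risk-Based Alerting: several weak signals add risk to a risk object (here, the
user) and a notable fires only when the accumulated score crosses a threshold.
All input data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline of (user, source host, destination host) triples observed
# during a learning window. In Splunk this would come from a lookup or summary index.
BASELINE_PAIRS = {
    ("alice", "WS-ALICE", "FS01"),
    ("alice", "WS-ALICE", "MAIL01"),
    ("svc_backup", "BK01", "FS01"),
}

# Constructed allow-list: known service accounts run at night by design, so the
# off-hours rule is tuned out for them (the "whitelist known service accounts" step).
SERVICE_ACCOUNTS = {"svc_backup"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time

# Risk weights, analogous to the risk score each RBA risk rule contributes.
RISK_NEW_PAIR = 30       # never-seen source/destination pair for this user
RISK_OFF_HOURS = 10      # authentication outside business hours
RISK_NTLM_NETWORK = 15   # logon type 3 (network) over NTLM, weak on its own
ALERT_THRESHOLD = 50     # accumulated risk at which a notable is raised

# Constructed 4624 events as a Windows TA would extract them. logon_type 3 = network.
EVENTS = [
    {"time": "2026-03-02T09:10:00", "user": "alice", "src": "WS-ALICE", "dst": "FS01",
     "logon_type": 3, "auth": "Kerberos"},
    {"time": "2026-03-02T22:15:00", "user": "alice", "src": "WS-BOB", "dst": "DB01",
     "logon_type": 3, "auth": "NTLM"},
    {"time": "2026-03-02T22:17:00", "user": "alice", "src": "WS-BOB", "dst": "DC01",
     "logon_type": 3, "auth": "NTLM"},
    {"time": "2026-03-02T02:00:00", "user": "svc_backup", "src": "BK01", "dst": "FS01",
     "logon_type": 3, "auth": "Kerberos"},
]


def score_event(ev):
    """Return (risk, reasons) for one event; reasons lists the rules that fired."""
    risk, reasons = 0, []
    if (ev["user"], ev["src"], ev["dst"]) not in BASELINE_PAIRS:
        risk += RISK_NEW_PAIR
        reasons.append("new_src_dst_pair")
    hour = datetime.fromisoformat(ev["time"]).hour
    if hour not in BUSINESS_HOURS and ev["user"] not in SERVICE_ACCOUNTS:
        risk += RISK_OFF_HOURS
        reasons.append("off_hours")
    if ev["logon_type"] == 3 and ev["auth"] == "NTLM":
        risk += RISK_NTLM_NETWORK
        reasons.append("ntlm_network_logon")
    return risk, reasons


def accumulate_risk(events):
    """Sum risk per user, the way an RBA risk index accumulates per risk object."""
    totals = defaultdict(int)
    details = defaultdict(list)
    for ev in events:
        risk, reasons = score_event(ev)
        if risk:
            totals[ev["user"]] += risk
            details[ev["user"]].append((ev["time"], ev["dst"], reasons))
    return dict(totals), dict(details)


def notable_users(events, threshold=ALERT_THRESHOLD):
    """Return users whose accumulated risk meets the threshold, with the contributing events."""
    totals, details = accumulate_risk(events)
    return {u: {"risk": r, "events": details[u]} for u, r in totals.items() if r >= threshold}


if __name__ == "__main__":
    for user, info in notable_users(EVENTS).items():
        print(f"NOTABLE {user}: risk={info['risk']}")
        for when, dst, why in info["events"]:
            print(f"  {when} -> {dst}: {', '.join(why)}")
```

In the constructed data, alice's two night-time NTLM logons from a workstation she has never used before accumulate to 110 and raise a single notable, while the backup service account's scheduled 02:00 job contributes nothing.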

Q5: IAM Architecture - Compliance Mapping

“For a PCI-DSS in-scope environment, walk me through how you’d map CyberArk controls to PCI-DSS Requirement 7 (restrict access to system components) and Requirement 10 (log and monitor all access). What specific CyberArk configurations address each requirement?”

Real answer: maps CyberArk Safe-level access control to PCI Requirement 7.1 (limit access to system components to only those individuals whose job requires such access), CPM credential rotation to 7.2 (establish an access control system), PSM session recording to Requirement 10.2 (implement audit trails for user access), and PVWA access logging to 10.3 (record at least the specified audit trail entries). They can describe specific CyberArk configuration items that produce the audit evidence a QSA would require.

Tutorial candidate describes PCI-DSS requirements correctly. Cannot map specific CyberArk configurations to specific PCI requirements. Says “CyberArk helps with PCI compliance by controlling privileged access.”

8 CV red flags, exact language to watch for:

  1. "Zero Trust architect" without naming the specific ZTNA platform: Zscaler, Prisma, Cloudflare, or Entra Private Access
  2. "SailPoint architect" without specifying IdentityNow vs IdentityIQ; the products are architecturally different
  3. "CyberArk architect" with Defender-level certification; Defender is operational, not architecture
  4. "IAM architect" with only Active Directory and LDAP experience; AD administration is not IAM architecture
  5. "SIEM engineer" without naming the specific platform and the query language they use
  6. "Identity governance experience" that is entirely recertification campaign management; campaigns are analyst work, not engineering
  7. "Cloud security architect" without naming the specific cloud and the specific security services; AWS Security Hub is different from Azure Defender, which is different from GCP Security Command Center
  8. Multiple IAM platforms at architect level with under 10 years total experience; genuine architect depth on SailPoint AND CyberArk AND Okta simultaneously in under a decade is extremely rare

How to Source: What's Working, What Isn't

What’s working in 2026:

Platform partner networks.

SailPoint, CyberArk, Okta, and Zscaler all maintain partner directories of certified implementation partners in India. Partners keep bench rosters and have direct relationships with the practitioner community. A direct inquiry to 3–4 platform partners yields a curated shortlist faster than any job board, and partners have a reputation incentive not to misrepresent certification level.

ISACA and ISC2 chapter networks in India. 

ISACA (CISM, CISA, CRISC) and ISC2 (CISSP, CCSP) have active India chapters in Bangalore, Mumbai, and Pune. The senior security practitioners who hold these certifications alongside platform-specific credentials are the profiles enterprise programs need for architect and advisory roles. Chapter events and LinkedIn groups are direct access to this community.

3 ready-to-use LinkedIn boolean search strings (use straight quotes; curly quotes are not parsed as phrase delimiters):

  • String 1 (SailPoint IdentityNow Architect): "SailPoint" AND "IdentityNow" AND ("Architect" OR "Lead") AND ("Bangalore" OR "Pune") AND "India"
  • String 2 (CyberArk Guardian / PAM Architect): "CyberArk" AND ("Guardian" OR "PAM Architect") AND "India"
  • String 3 (Zero Trust with platform specificity): "Zero Trust" AND ("Zscaler" OR "Prisma Access" OR "Cloudflare") AND ("Architect" OR "Engineer") AND "India"

CISM/CISSP + platform cert combination search. 

The most valuable security hires in India hold both a governance-level certification (CISM or CISSP) and a platform-specific certification. This combination (CISSP + SailPoint IdentityNow Certified Engineer, or CISM + CyberArk Guardian) signals practitioners who understand both the architectural principles and the platform implementation. Search specifically for this combination when hiring for senior architect or CISO advisory roles.

Supersourcing pre-vetted bench. For Senior SailPoint IdentityNow Engineers, Supersourcing’s median fill time from JD sign-off to accepted offer is 24 calendar days. Certification verified at platform-specific registries before any CV is submitted.

What isn’t working:

Generic “cybersecurity” job postings on Naukri. 

Returns penetration testers, SOC analysts, and compliance assessors for IAM architect roles. The platform specificity of enterprise IAM is completely lost on generic job boards. Every applicant looks like a security professional. Almost none have the specific platform depth enterprise programs require.

Asking vendors for “IAM experience” without platform specificity. 

The single most common sourcing failure in security hiring. Without naming SailPoint IdentityNow, CyberArk Guardian, or Okta Certified Architect in the vendor brief, you receive a pool of AD administrators and generic identity management professionals at specialist rates.

Treating IAM and cybersecurity as one hiring pool. 

IAM engineers (SailPoint, CyberArk, Okta) and cybersecurity engineers (Splunk, CrowdStrike, Zscaler) come from different communities, hold different certifications, and concentrate in different cities. A vendor who claims a “strong cybersecurity bench” without specifying which platforms almost certainly has depth on one platform and shallow coverage on the rest.

Interviews without live platform tasks. 

Security interview coaching has reached the point where verbal descriptions of CyberArk Safe models or SailPoint provisioning workflows are not reliable filters. The only reliable filter for platform-specific depth is a live task: configure a connector in a SailPoint sandbox, design a Safe structure in a CyberArk test vault, or write a detection rule in a Splunk development instance. Candidates who can’t do it live haven’t done it in production.

Supersourcing Index: Pipeline-to-offer conversion rate for IAM and cybersecurity roles in the Supersourcing GCC Benchmark 2026: 8%. Of every 100 CVs submitted by vendors for senior IAM roles, 8 result in hires that pass the technical bar described in Section 7. Primary reasons for rejection: IdentityIQ experience presented as IdentityNow (31% of rejections), CyberArk Defender presented as architect-level (24%), Zero Trust claimed without platform specificity (22%), compliance mapping depth insufficient (23%).

The Contract Stack for Security Engagements

Security engagements require a higher standard of contractual protection than most enterprise IT programs. The stakes (audit failures, breach exposure, regulatory liability) make standard MSA IP clauses insufficient.

Clause 1: Individual Resource Approval with Platform Cert ID and Level 

Every engineer who touches your identity infrastructure must be individually approved in writing before starting. The SOW schedule must list: engineer name, platform certification name and level (not just “certified”), cert ID, and approved system access scope. A CyberArk Defender listed in the SOW schedule for an architect role is a contractual misrepresentation. Require cert level specificity in every resource approval.

Clause 2: Background Check Requirement 

For any engineer accessing identity infrastructure, privileged account vaults, or SIEM data, require a background check equivalent to your internal security employee standard. Specify: criminal record check, identity verification, and employment history verification minimum. For engineers accessing PAM systems with production privileged accounts, consider enhanced background check requirements. This needs to be a contractual prerequisite to system access, not a best-efforts process.

Clause 3: Substitution Notice with Security Clearance Equivalence 

14 days written notice and client approval for any personnel change. The replacement must hold equivalent platform certification at the same level: a CyberArk Guardian cannot be replaced by a CyberArk Sentry. Security clearance or background check equivalence must be confirmed before the replacement accesses any system.

Clause 4: IP Assignment Deed Covering Security Configuration as IP

Executed within 5 business days of each engineer’s start date. Must explicitly cover: SailPoint connector configurations and provisioning policy definitions, CyberArk Safe model topology and CPM policy configurations, Okta policy framework and application integration configurations, SIEM detection rules and correlation searches (these are proprietary threat detection IP), Zero Trust policy definitions and microsegmentation rules. Standard software IP clauses do not clearly cover these configuration artifacts. Name them specifically.

Clause 5: Access Revocation in 4 Hours, Not 24

Security engineers have access to privileged infrastructure. Standard 24-hour access termination clauses are insufficient. Require: privileged account access revocation within 4 hours of engagement end notification, PAM vault access removal within 4 hours, SIEM platform access removal within 4 hours, IdP admin access removal within 4 hours. Name each system specifically. The 24-hour window standard for general IT engagements is a security gap for IAM programs.

Clause 6: Non-Disclosure with Security-Specific Scope

Standard NDA clauses cover confidential business information. For security programs, explicitly extend NDA scope to cover: identity architecture diagrams, PAM Safe model topology, SIEM detection rule logic, vulnerability assessment findings, and access control policy structures. Security architecture knowledge is more sensitive than most standard NDA definitions capture.

[Figure: Senior IAM CV rejection reasons]

Running a Security Team at Scale

Governance model for a 10–20 engineer IAM program:

Privileged access for the offshore team itself. 

Every offshore engineer on your IAM program is a privileged user; they have access to identity infrastructure that controls access to everything else. Their own accounts must be managed under your PAM program. Service accounts used by the offshore team should be vaulted in CyberArk. Their access should be scoped to the minimum required for their specific workstream. This is not a courtesy, it is a control requirement for any SOC2 or ISO 27001 program.

Separation of duties in the offshore team. 

Engineers who configure provisioning policies should not be the same engineers who approve access for production systems. Engineers who write SIEM detection rules should not be the same engineers who can disable alerts. Separation of duties requirements that apply to your internal security team apply equally to your offshore team.

Change control for security configurations. 

Every change to a SailPoint provisioning policy, CyberArk CPM policy, Okta application integration, or SIEM detection rule must go through your change control process, not a vendor-internal review. Security configuration changes that bypass your change control process create audit gaps that appear in SOC2 and ISO 27001 assessments.

Knowledge transfer as a delivery requirement. 

Security configuration knowledge (how the SailPoint role model was built, why specific CyberArk CPM policies were configured a certain way, and what the SIEM detection rules are designed to catch) must be documented and transferred to your internal team throughout the engagement, not at the end. Security knowledge trapped in a vendor team is a program risk that compounds over time.

Early warning signals that a security engineer is disengaging:

  • Declining ticket resolution quality: shallower analysis, slower response to security events
  • Missing change advisory board submissions: changes going through without proper documentation
  • Reduced participation in threat intelligence sharing sessions
  • LinkedIn activity spike: security certifications updated, new connections from competing firms
  • Increase in unresolved access certification exceptions: a disengaged IGA engineer lets exceptions accumulate

Retention levers specific to security engineers in India:

Certification sponsorship has an outsized impact in security. CISSP costs approximately $699. CISM costs approximately $575. Platform-specific certifications (CyberArk Guardian exam: ~$300) are direct investments in the engineer’s career value. Engineers in active certification pursuit do not leave mid-cycle. The retention signal is stronger in security than most stacks because the security certification community in India is small enough that being known as a certified practitioner has real career value.

Threat landscape exposure keeps security engineers engaged. Engineers who work on active threat hunting, red team exercises, or incident response alongside their platform implementation work stay longer than those doing pure configuration work. If your program has security operations components, include the IAM engineers in threat hunting sessions; the cross-functional exposure is a retention mechanism.

Compliance program ownership. IAM engineers who own a control framework (“this engineer owns the CyberArk control evidence for our SOC2 Type II audit”) have a program identity that is difficult to walk away from mid-audit cycle. Assign compliance ownership deliberately and early.

When Things Go Wrong

Pattern 1: The IdentityIQ-to-IdentityNow Confusion

Described in Section 1. The pattern repeats across programs. A US healthcare network, a UK financial services company, and a US retail enterprise all experienced the same failure in 2025: SailPoint IdentityIQ engineers presented as IdentityNow-ready, connector frameworks built on the wrong product architecture, remediation required.

The root cause in every case: the vendor had a deep IdentityIQ bench because that’s where India’s SailPoint experience concentrates historically. The buyer didn’t verify the product version. The interview didn’t test IdentityNow-specific knowledge.

The 90-second fix: ask “IdentityNow or IdentityIQ?” before scheduling the first interview. The answer tells you immediately whether the candidate is relevant.

Pattern 2: The CyberArk Safe Model Rebuild

A global manufacturing company (45,000 employees, 12 countries) hired a 6-person CyberArk team through an Indian staffing vendor. The lead was presented as a CyberArk architect. His certification: CyberArk Sentry (operational level, not Guardian).

The Safe model he designed was a single Safe per environment (Windows Prod, Windows Dev, Unix Prod) holding all accounts regardless of sensitivity level. Eighteen months into the program, the compliance team flagged the model in a PCI-DSS audit. PCI Requirement 7 requires access restriction based on business need. Because CyberArk grants retrieve and use permissions per Safe rather than per account, a flat Safe model with every Windows production account in one Safe gives every member of that Safe every account in it, and so cannot demonstrate least-privilege access control.

The rebuild: 14 weeks, a contracted CyberArk Guardian architect at $195/hr, and a manual review of 2,800 vaulted accounts against the new Safe structure. Total cost: $310K. The Guardian certification check would have prevented this in 60 seconds.
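To make the Pattern 2 finding concrete, the following is an added Python example, not code from this page, from the vendor, or from CyberArk. It models Safe membership as plain data and applies the one rule that matters here (a Safe permission reaches every account vaulted in that Safe), then counts the least-privilege violations produced by a flat Safe-per-environment design against a tiered Safe-per-sensitivity design. The account inventory, team names and need-to-know matrix are all constructed for the example; the script never calls the CyberArk API.

```python
"""Added example (illustrative, not CyberArk code): why a flat Safe model
fails a least-privilege check.

CyberArk grants retrieve/use permissions per Safe, not per account, so every
member of a Safe can reach every account vaulted in it.  We model that rule on
a constructed inventory and compare two Safe designs.
"""
from collections import defaultdict

# Constructed inventory: account -> (environment, platform, sensitivity tier, owning team)
ACCOUNTS = {
    "win-prod-da-01":    ("prod", "windows", "domain-admin", "wintel-admins"),
    "win-prod-sql-01":   ("prod", "windows", "db-admin",     "dba"),
    "win-prod-svc-iis":  ("prod", "windows", "service",      "app-ops"),
    "unix-prod-root-01": ("prod", "unix",    "root",         "unix-admins"),
    "unix-prod-ora-01":  ("prod", "unix",    "db-admin",     "dba"),
    "win-dev-la-01":     ("dev",  "windows", "local-admin",  "wintel-admins"),
}

# Constructed need-to-know matrix: the sensitivity tiers each team's job requires
# (the "business need" PCI DSS Requirement 7 asks you to demonstrate).
NEED_TO_KNOW = {
    "wintel-admins": {"domain-admin", "local-admin"},
    "unix-admins":   {"root"},
    "dba":           {"db-admin"},
    "app-ops":       {"service"},
}


def flat_safe_model(accounts):
    """The failed design: one Safe per platform+environment, all tiers mixed."""
    safes = defaultdict(set)
    for name, (env, platform, _tier, _team) in accounts.items():
        safes[f"{platform}-{env}"].add(name)
    return dict(safes)


def tiered_safe_model(accounts):
    """The rebuild: one Safe per platform+environment+sensitivity tier."""
    safes = defaultdict(set)
    for name, (env, platform, tier, _team) in accounts.items():
        safes[f"{platform}-{env}-{tier}"].add(name)
    return dict(safes)


def minimal_membership(safes, accounts):
    """Grant each team membership of every Safe that holds an account it owns.

    This is the least an administrator can grant and still let each team do
    its job, so any violation found below is caused by the Safe design itself.
    """
    members = defaultdict(set)
    for safe, names in safes.items():
        for name in names:
            members[safe].add(accounts[name][3])
    return dict(members)


def effective_access(safes, members):
    """team -> accounts reachable, applying the per-Safe permission rule."""
    access = defaultdict(set)
    for safe, teams in members.items():
        for team in teams:
            access[team] |= safes[safe]
    return dict(access)


def least_privilege_violations(access, accounts, need_to_know):
    """(team, account) pairs where a team can reach a tier its job does not require."""
    return sorted(
        (team, name)
        for team, names in access.items()
        for name in names
        if accounts[name][2] not in need_to_know[team]
    )


def audit(model_fn, accounts=ACCOUNTS, need_to_know=NEED_TO_KNOW):
    """Run one Safe design end to end and return its violations (the audit finding list)."""
    safes = model_fn(accounts)
    members = minimal_membership(safes, accounts)
    return least_privilege_violations(effective_access(safes, members), accounts, need_to_know)


if __name__ == "__main__":
    for label, model in (("flat", flat_safe_model), ("tiered", tiered_safe_model)):
        findings = audit(model)
        print(f"{label} model: {len(findings)} least-privilege violations")
        for team, account in findings:
            print(f"  {team} can retrieve {account} ({ACCOUNTS[account][2]})")
```

Run stand-alone, the script lists the eight cross-team retrievals the flat model permits on this small inventory (a DBA reaching a Unix root account, application operations reaching a domain admin account) and none for the tiered model. The same check, fed from a real Safe-membership export instead of the constructed inventory, is the kind of evidence a QSA expects to see against Requirement 7.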

Pattern 3: The Zero Trust Paper Architecture

A US-based technology company hired a “Zero Trust architect” at $115/hr through an Indian vendor. The CV listed Zscaler, Prisma Access, and Cloudflare experience. Three platforms at architect level.

At the architecture review in month two, the architect presented a Zero Trust design that was conceptually correct but operationally unimplementable: device posture policies with no reference to the MDM platform the client used, microsegmentation rules that didn’t account for the client’s hybrid cloud topology, and a BYOD policy that assumed all devices could be enrolled in Intune (60% of the workforce used personal Macs that had never been enrolled in any MDM).

The architect knew Zero Trust theory. He had not designed a production ZTNA implementation. The three platforms on his CV were from lab environments and one proof-of-concept engagement.

The fix: an onsite Zero Trust architect engagement at $250/hr for 8 weeks to redesign the architecture. Cost: $80K. The verification step that would have surfaced the lab-environment limitation before the SOW was signed: ask for the named client, number of users, device management platform, and go-live date for each claimed ZTNA implementation.

When India Is the Wrong Call

Three scenarios where India-based security hiring creates more risk than it resolves.

Scenario 1: Classified or highly sensitive government programs. 

US federal, UK MOD, or any program requiring security clearances above commercial standard. India-based engineers cannot hold US security clearances. For programs where the identity infrastructure scope includes classified systems, cleared personnel requirements, or FedRAMP-authorized environments, offshore security engineering is not viable for the core program team. India-based engineers can support non-classified integration layers with appropriate access scoping, but the privileged infrastructure work requires cleared resources.

Scenario 2: Active incident response programs. 

If your security program is running in parallel with an active breach investigation or incident response, offshore security engineering adds risk rather than reducing it. Incident response requires real-time collaboration, often in restricted communication channels, with time-sensitive decisions on access revocation and system isolation. The timezone gap (IST is UTC+5:30, 9.5 to 13.5 hours ahead of US time zones) creates a 10–12 hour response window that is unacceptable during active incidents. Contain the incident first. Bring in offshore engineering for the post-incident remediation and hardening program.

Scenario 3: Programs with no internal security architecture ownership. 

Offshore security engineers execute architecture. They do not create it without strong internal security leadership. If your CISO role is vacant, your security architecture is undocumented, and your compliance posture is unclear, hiring offshore IAM engineers before you have an internal security architecture owner will produce a security infrastructure that nobody on your team understands or can audit. The failure patterns in Section 11 all have a common root: no strong internal security owner validating the offshore team’s architectural decisions. Hire your internal security lead first.

[Figure: India city IAM specialisation guide]

The Supersourcing Vendor Scorecard™: IAM & Cybersecurity Edition

Score your vendor before you sign. Maximum 100 points. Minimum threshold to proceed: 65. Security engagements warrant a higher threshold than general IT programs.

Category 1: Bench Depth and Certification Accuracy (0–20 pts)

| Criterion | 0 pts | 10 pts | 20 pts |
|---|---|---|---|
| Can produce platform-specific cert IDs within 24 hours for all claimed bench | Cannot | Some | All claimed bench, all platforms |
| Certification level accuracy (Guardian not Defender, Architect not Professional) | Wrong levels | Some accurate | All levels verified accurately |
| IdentityNow vs IdentityIQ distinction acknowledged proactively | Conflates them | Distinguishes when asked | Proactively distinguishes |

Category 2: Security-Specific Vetting Process (0–20 pts)

| Criterion | 0 pts | 10 pts | 20 pts |
|---|---|---|---|
| Background check process for security engineers | None | Ad hoc | Standardised, equivalent to client standard |
| Live platform assessment (not verbal) for senior roles | No | Optional | Mandatory for senior+ |
| Compliance context verification in technical screen | None | Generic security questions | Compliance-specific scenario questions |

Category 3: Contract Readiness, Security Specific (0–20 pts)

| Criterion | 0 pts | 10 pts | 20 pts |
|---|---|---|---|
| IP Assignment Deed covering security configuration artifacts | Not available | Available on request | Standard, lists config types specifically |
| Access revocation SLA of 4 hours for privileged access | Not present | 24 hours | 4 hours, named systems |
| Background check as contractual prerequisite to access | Not present | Best effort | Contractual prerequisite |

Category 4: Security Delivery Track Record (0–20 pts)

| Criterion | 0 pts | 10 pts | 20 pts |
|---|---|---|---|
| Named security clients with compliance context (SOC2, HIPAA, PCI) | None | Logo only | Named contact + compliance framework confirmed |
| Completed IGA or PAM programs with audit evidence | None claimed | Claimed, unverified | Verified with audit outcome |
| Attrition on security programs | Unknown / >20% | 15–20% | <15% |

Category 5: Commercial and Governance Structure (0–20 pts)

| Criterion | 0 pts | 10 pts | 20 pts |
|---|---|---|---|
| Rate card transparency by platform and cert level | Refused | Blended rate only | Platform and level specific |
| Substitution clause with certification level equivalence | Not present | Available | Standard, cert level equivalence specified |
| SLA on replacement including background check completion | None | Best effort | Contractual SLA of ≤21 days including background check |

Score interpretation:

  • 85–100: Shortlist. Proceed to SOW negotiation.
  • 65–84: Proceed with conditions. Close Category 2 and 3 gaps before signing.
  • 45–64: Red flag. A security vendor scoring below 65 represents program risk beyond the delivery risk.
  • Below 45: Walk. The risk of a security engagement with a vendor at this score level exceeds the cost of the right vendor.

15 Questions Buyers Actually Ask

Q: What’s the difference between IGA and PAM? 

IGA (Identity Governance and Administration) manages who has access to what across an organisation  joiner/mover/leaver processes, role models, access certifications, and segregation of duties. SailPoint, Saviynt, and Okta Identity Governance are IGA platforms. PAM (Privileged Access Management) specifically controls privileged accounts, administrator accounts, service accounts, and shared credentials that have elevated access to systems. CyberArk and BeyondTrust are PAM platforms. Most enterprise security programs need both: IGA governs the full access lifecycle, PAM secures the highest-risk accounts within that lifecycle. They are complementary, not interchangeable.

Q: Can one vendor handle SailPoint and CyberArk on the same program? 

Yes, but require separate cert verification and separate technical screens for each platform. A vendor strong on SailPoint may not have equivalent CyberArk depth. Bundling the rate card incentivises staffing the weaker platform with lighter talent to protect margin on the stronger one. The SailPoint/CyberArk integration, where IGA governs PAM account onboarding, is a specific integration challenge that requires depth on both sides. Ask for a named reference where the vendor has delivered both on the same program.

Q: Should I require CISSP for senior security roles? 

CISSP (Certified Information Systems Security Professional) is a governance and architecture credential that validates broad security knowledge across 8 domains. It is not a platform implementation credential. Requiring CISSP for a SailPoint IdentityNow engineer role filters out the implementation specialists you need in favour of generalists. For architect and security program leadership roles, CISSP or CISM in addition to platform-specific certification signals both implementation depth and security governance understanding. For senior engineer and lead roles, platform-specific certification at the appropriate level (CyberArk Guardian, SailPoint IdentityNow Certified Engineer) is more relevant than CISSP.

Q: What’s the realistic timeline to build a 15-person India IAM team? 

For a mixed platform team (SailPoint, CyberArk, Okta), expect 45–60 days from JD sign-off to a full 15-person team accepted and onboarded, assuming pre-vetted bench. The timeline extends if you require specific compliance context (HIPAA-experienced SailPoint engineers take longer than general enterprise experience), if you need Guardian-level CyberArk architects (41-day median fill), or if you’re building for a niche platform combination (ForgeRock + SailPoint: 60–80 days). Background check completion adds 7–14 days to the onboarding timeline over general IT programs.

Q: Is Zero Trust a job role or a framework? 

Both, and the distinction matters for hiring. Zero Trust as a framework applies to every security engineering role: it’s the principle of never trust, always verify, applied across identity, device, network, and application access. Zero Trust as a job role (a “Zero Trust Architect”) specifically designs and implements ZTNA (Zero Trust Network Access) platforms: Zscaler Internet Access, Zscaler Private Access, Palo Alto Prisma Access, Cloudflare Access. When hiring, specify which you need: a security engineer who applies Zero Trust principles across their work, or an architect who designs and deploys a ZTNA platform. They require different skills and come from different talent pools.

Q: How do I evaluate a vendor’s claimed SOC team depth? 

Ask for the specific SIEM platform their SOC engineers use (Splunk vs Microsoft Sentinel vs IBM QRadar vs Google Chronicle), the certification level on that platform, and a named client reference with compliance framework context (SOC2 Type II SOC, HIPAA-covered SOC, PCI-DSS in-scope SOC). A SOC team is only as good as its detection engineering, so ask specifically about detection rule development, threat hunting methodology, and mean time to detect on the last three incidents at a named client.

Q: Can I use offshore security engineers for an active SOC function? 

Yes, with structured shift coverage. India Standard Time (UTC+5:30) provides morning coverage for the US East Coast that works for scheduled operations. For 24/7 SOC coverage, India-based teams typically cover the US night shift (India day shift). The challenge is the 2–3 hour overlap window for handoff and escalation. For active security operations (real-time incident response, breach containment), ensure your escalation path has a US or EMEA-based security lead who can make real-time decisions without waiting for India morning hours.

Q: What background check standard should I require for India-based security engineers? 

Minimum: criminal record check through an accredited Indian background check agency (AuthBridge, First Advantage India, or equivalent), identity verification against government ID, and employment history verification for the last 5 years. For engineers accessing PAM systems with production privileged accounts: add education verification and address verification. For programs with US federal or financial services compliance scope: consider enhanced background check including global sanctions screening. Specify the standard in the MSA as a prerequisite to system access, not a post-onboarding process.

Q: What’s the most underhired security role from India in 2026? 

IAM Integration Architect: specifically, engineers who can design and build the integration between IGA (SailPoint/Saviynt), PAM (CyberArk/BeyondTrust), IdP (Okta/Ping), and SIEM (Splunk/Sentinel) as a unified identity security architecture. Most programs hire platform specialists separately and discover the integration gaps at go-live. An engineer who understands all four platform layers and can design the data flows between them (how SailPoint feeds CyberArk account onboarding, how Okta feeds SailPoint correlated identities, how CyberArk session recordings feed Splunk) is among the most valuable security profiles in enterprise programs and among the hardest to source.

Q: How do I structure an offshore security team for a Zero Trust transformation program? 

Three tiers: a Zero Trust Architect (ZTNA platform owner, network segmentation design, policy framework), Identity Security Engineers (IGA + PAM implementation, identity-based access policy), and Security Operations Engineers (SIEM detection, monitoring, incident response integration). The Zero Trust Architect is the onshore or near-shore role: architectural decisions on a Zero Trust transformation need to be made by someone physically accessible for stakeholder alignment. The Identity Security Engineers and Security Operations Engineers are your offshore India team. This model works well when the architect role is filled correctly.

Q: Is Saviynt a viable alternative to SailPoint for India-sourced IGA programs? 

Yes, and the Saviynt pool in India is growing faster than SailPoint IdentityNow. Saviynt has approximately 1,600 certified professionals in India with approximately 120 at architect level. For cloud-native IGA programs (Saviynt is cloud-first by design), Saviynt-experienced engineers are often more current on SaaS IGA architecture patterns than SailPoint IdentityIQ engineers being retrained for IdentityNow. If your IGA platform decision is still open, the India talent pool depth is comparable between SailPoint IdentityNow and Saviynt at the architect level. SailPoint has the larger overall pool; Saviynt has a more consistently cloud-native practitioner base.

Q: What’s the hardest security profile to hire from India in 2026? 

A ForgeRock architect with CIAM (Customer Identity and Access Management) production experience. ForgeRock has approximately 800 certified professionals in India with approximately 60 at architect level. CIAM programs (identity for millions of external customers rather than thousands of employees) require different architecture patterns from enterprise IAM. ForgeRock CIAM architects who have designed high-availability, high-throughput customer identity platforms for consumer-facing programs in India number under 40 active practitioners. Median fill time: 72 days. Expect top-of-range rates and competition from global financial services and telecom programs.

Q: Is Supersourcing the right partner for a 3-engineer security program? 

Not our ideal engagement. Our model is built for 8+ engineer programs with enterprise governance requirements and SOW-level accountability. For 3 security engineers on a defined scope, a security-specialist staffing firm or a platform-certified boutique is a better fit. We’d rather tell you that than win a deal we’ll underserve.

Q: How does India’s DPDP Act affect offshore IAM programs? 

The Digital Personal Data Protection Act 2023 (DPDP) defines a vendor that processes personal data on a client’s behalf as a Data Processor (Section 2) and requires the Data Fiduciary to engage it only under a valid contract (Section 8). For IAM programs, this means the vendor’s engineers handling identity data (names, email addresses, HR attributes, and biometric data used in MFA) are processing personal data. Require a DPDP-compliant Data Processing Agreement addendum in your MSA. If your IAM program processes personal data of EU residents, it also requires a GDPR Art. 28(3) DPA. Both can typically be negotiated as standard addenda without significant delay.

[Figure: Enterprise IAM buyer readiness scorecard]

Closing

IAM and cybersecurity hiring from India works. The platform-certified talent is real, the BFSI and enterprise delivery track record is deep, and the savings versus US hiring are substantial: $125K to $405K per engineer per year depending on platform and level.

The failure mode is not India. The failure mode is hiring “cybersecurity experience” when you need a CyberArk Guardian. It is not verifying IdentityNow vs IdentityIQ before the first interview. It is signing an MSA without a 4-hour access revocation clause for privileged infrastructure. None of these checks are complicated. All of them matter more in security than any other enterprise stack  because the consequences of getting it wrong are not delayed go-lives. They are audit failures and breach exposure.

The verification process in this guide is how you find the 8% of submitted security CVs that actually pass the bar. It takes less time than a single bad hire costs to remediate.

If you want Supersourcing to verify a specific security role, bring us the platform, the certification level required, and the compliance context. We’ll tell you what the talent pool looks like, what the realistic rate is, and how long it will take to source someone who passes every layer.

Book a 30-minute Security Talent Discovery Call. No deck, just the numbers and the bench.

Author

  • Mayank Pratap Singh - Co-founder & CEO of Supersourcing

    With over 11 years of experience, he has played a pivotal role in helping 70+ startups get into Y Combinator, guiding them through their scaling journey with strategic hiring and technology solutions. His expertise spans engineering, product development, marketing, and talent acquisition, making him a trusted advisor for fast-growing startups. Driven by innovation and a deep understanding of the startup ecosystem, Mayank continues to connect visionary companies and world-class tech talent.
