Radar-driven XDR visibility and automated response flows for a fintech platform with 1M active users.
Problem
The client processed around 6-10 TB/day of security and platform telemetry from CloudTrail, EDR, WAF, IAM, and API gateway streams. Detection latency and alert noise were increasing operational pressure on the SOC.
Solution
We implemented a Kafka-based ingestion layer, tiered storage with ClickHouse and S3, Sigma-driven detection rules, and threat intelligence enrichment. SOAR playbooks were integrated with PagerDuty, Jira, and Slack to automate response orchestration.
Architecture Notes
- A radar-style monitoring surface mapped threat flow progression in near real time.
- Rule tuning and enrichment quality controls reduced noisy detections.
- High-confidence cases triggered controlled actions such as token revocation, IP blocking, and host isolation.
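As an added illustration of how the pieces above fit together (this is example code, not the platform's own implementation): a Sigma rule expressed as a dict is matched against CloudTrail-style events, a filter tunes out a noisy service account, a threat-intel lookup enriches the hit, and only high-confidence cases are routed to an automated action. The events, the bad-IP feed and the action names are constructed for the example.

```python
def ct_event(name: str, ip: str, user: str) -> dict:
    """Constructed CloudTrail-like IAM event; all values are made up."""
    return {"eventSource": "iam.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userName": user}
EVENTS = [ct_event("CreateAccessKey", "203.0.113.7", "alice"),
          ct_event("CreateAccessKey", "10.0.4.12", "svc-deploy"),
          ct_event("CreateAccessKey", "10.0.4.12", "bob"),
          ct_event("GetUser", "10.0.4.12", "bob")]
# Hypothetical threat-intel feed of known-bad IPs (203.0.113.0/24 is a documentation range).
BAD_IPS = {"203.0.113.7"}

# A Sigma rule's detection section as a dict (it maps 1:1 onto the rule's YAML).
# "filter" tunes out the deploy service account that legitimately rotates keys.
RULE = {
    "title": "IAM access key created", "level": "medium",
    "detection": {
        "selection": {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"},
        "filter": {"userName|startswith": "svc-"},
        "condition": "selection and not filter",
    },
}

def field_matches(event: dict, key: str, expected) -> bool:
    """Sigma field match supporting the startswith/endswith/contains modifiers."""
    name, _, mod = key.partition("|")
    value = str(event.get(name, ""))
    wanted = expected if isinstance(expected, list) else [expected]
    ops = {"": str.__eq__, "startswith": str.startswith,
           "endswith": str.endswith, "contains": str.__contains__}
    return any(ops[mod](value, str(w)) for w in wanted)

def evaluate(rule: dict, event: dict) -> bool:
    """Evaluate a Sigma condition of the form 'A and [not] B [and ...]'."""
    det, result = rule["detection"], True
    for term in det["condition"].split(" and "):
        neg = term.startswith("not ")
        sel = det[term[4:] if neg else term]
        hit = all(field_matches(event, k, v) for k, v in sel.items())
        result = result and (hit != neg)
    return result

def triage(rule: dict, event: dict) -> dict:
    """Enrich a match with TI and gate the automated response on confidence."""
    ti_hit = event["sourceIPAddress"] in BAD_IPS
    confidence = "high" if rule["level"] == "high" or ti_hit else rule["level"]
    # Only high-confidence cases trigger a controlled action; the rest open a ticket.
    action = "revoke_token" if confidence == "high" else "open_ticket"
    return {"user": event["userName"], "ti_hit": ti_hit,
            "confidence": confidence, "action": action}

def run(events=EVENTS, rule=RULE) -> list:
    return [triage(rule, e) for e in events if evaluate(rule, e)]
```

The medium-level rule alone never triggers an automated action; it is the enrichment hit that raises confidence, which is the gating pattern the architecture notes describe.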
Outcome
In the initial phase, MTTD dropped from 3.5 hours to 24 minutes. False positive rate decreased from 34% to 18%. Average MTTR improved by 39%.
Architecture
Kafka | ClickHouse | S3 | Sigma Rules | Threat Intelligence | SOAR
Results
MTTD: 3.5 hours to 24 minutes
False positive rate: 34% to 18%
MTTR: 39% improvement