Customer Background
The customer is a large private educational institution based in Macau, with over 12,000 students across multiple campuses. Its Information Technology Office comprises more than 20 IT staff, including three (3) members responsible for day-to-day IT security operations. The organization operates a diverse digital infrastructure supporting academic systems, administrative networks, and multi-campus operations, all of which require continuous protection against modern cyber risks.
As an operator subject to a national cybersecurity regulatory framework requiring continuous monitoring, incident reporting, and timely response, the institution must demonstrate strong internal cybersecurity measures to avoid non-compliance penalties and ensure uninterrupted services for faculty, students, and administrative departments.
We spoke to the Head of the Information Technology Department to understand the key factors behind the decision to onboard Sangfor Athena MDR and the improvements observed thus far.
Cybersecurity Challenges Prior to Athena MDR
Despite having multiple security products in place, including firewall, traditional antivirus, NDR, and user gateway, the institution continued to face significant operational gaps. The internal team recognized that tools alone were insufficient to provide the visibility, response capability, and operational maturity needed to meet regulatory expectations and defend against increasingly sophisticated attacks.
1. Limited Endpoint Visibility & Missed Alerts
The organization lacked a centralized SOC platform to correlate endpoint and network logs. Endpoint visibility was especially problematic; if an end-user closed an antivirus alert window, IT staff had no way of knowing the event occurred. This visibility gap delayed the detection of active threats.
2. High Alert Volume With Limited Capacity to Respond
Existing security tools generated over 100 alerts per day for each device. With only three (3) staff members spending around 50% of their time on security-related tasks, the team could only review a fraction of daily alerts. The lead analyst, in particular, spent nearly all of their working time on alert triage and incident review.
Approximately 20% of alerts were escalated to the IT head, while medium and low-severity alerts were often deprioritized. This increased the risk of meaningful indicators of compromise being overlooked.
3. Limited Expertise Caused Slow Threat Investigation
The internal team lacked expertise in handling complex attacks, including performing deep investigations, analyzing coordinated activity across multiple devices, and clearing backdoors or hidden intrusion points. As a result, the team spent around three (3) hours on average analyzing and responding to each security event. More complex investigations often required email ticket creation, vendor support, and remote sessions, extending resolution time to two days or more.
In the customer’s last major incident prior to Athena MDR, full investigation and cleanup required several days, creating concern over the team’s ability to consistently meet regulatory expectations requiring high-risk threats to be remediated within 24 hours.
4. Previous SOC Vendor Lacked Depth, Visibility, and Responsiveness
The customer had previously engaged a SOC provider, but the service only provided monitoring for internet-facing traffic. Incident response support was also restricted to one (1) IR case per year, while additional cases were treated as chargeable add-ons. Response times could take up to half a day, and the reports provided were basic with limited actionable insight.
5. Inefficient Reporting Preparation
The previous SOC service delivered quarterly reports with minimal actionable insight. As a result, internal staff often needed up to one (1) week to prepare management summaries based on the SOC reports. This added further pressure to the internal IT security team.
6. Strengthening SecOps Internally Required Significant Time and Capital
The customer’s Head of IT estimated that implementing equivalent tooling and infrastructure internally, excluding labor costs, would require approximately USD 63,000 to USD 75,000 per year. Even with this level of investment, achieving MDR-level visibility, analytics, and 24/7 operational capability was expected to take three (3) or more years.
Sangfor Security Solution
To address evolving cyber threats while maintaining smooth day-to-day operations, the institution strengthened its existing security foundation by adopting Sangfor Athena MDR. Rather than replacing its deployed controls, Athena MDR unified visibility across endpoint, network, and perimeter layers, while adding continuous expert monitoring, AI-assisted analytics, and expert-guided response capabilities. This operational uplift enabled the security team to move beyond reactive alert handling toward faster validation, coordinated containment, and measurable improvements in security resilience.
Athena MDR operates 24/7 through Sangfor’s ISO/IEC 27001-certified SOC in Malaysia, supported by more than 400 cybersecurity experts globally. The service combines AI-driven analytics through Sangfor Security GPT with human analyst expertise, enabling real-time threat validation before response actions are taken to avoid unnecessary operational disruption.
The following highlights outline the most significant operational and security improvements achieved after Athena MDR deployment.
Solution Benefits and Outcomes
Security Posture Summary Before and After Sangfor Athena MDR:
| Area | Before Athena MDR | After Athena MDR |
|---|---|---|
| Visibility Coverage | Limited endpoint visibility; missed alerts could occur if users closed antivirus notifications. No centralized endpoint and network log correlation. | Unified visibility across endpoint, network, authentication, firewall, and internal traffic telemetry, enabling earlier threat detection. |
| Alert Management & Workload | 100+ alerts per device daily; only 3 staff spending around 50% of their time on security tasks. Lead analyst spent nearly all of their time on triage and review. | Validated and prioritized alerts reduced noise by 97.36%, lowering team security workload from 50% to 20–30% and lead analyst involvement to around 50%. |
| Threat Investigation & Response | Complex investigations could take 1–2 days or longer; last major incident required several days for full investigation and cleanup. | Expert-led investigation reduced average detection and response time to under one hour, a more than 95% improvement. Similar-complexity incidents were handled within 24 hours. |
| SOC Coverage & Incident Support | Previous SOC monitored mainly internet-facing traffic, had response times of up to half a day, and included only one IR case per year. | Broader SOC coverage, faster support, and unlimited IR investigation under the MDR subscription. |
| Reporting & Executive Communication | Basic quarterly SOC reports required internal staff to spend up to one week preparing management summaries. | Structured reports and proactive updates reduced report preparation time by 75% on average. |
| SecOps Maturity | Internal build-out required USD 63,000–75,000 annually, excluding labor, and three or more years to mature. | Mature MDR capability delivered without major internal build-out, enabling enterprise-level resilience 35x faster. |
Detailed Breakdown of Outcomes & Benefits
1. Improved Visibility Through Correlated Network & Endpoint Telemetry
Athena MDR provided centralized visibility across endpoint events, network telemetry including internal east-west traffic, and authentication behavior. This enhanced visibility enabled earlier detection of exploitation activity, lateral movement, and multi-stage attacks that previously went undetected.
2. Reduced Alert Noise and Lower Operational Workload
Athena MDR validates and prioritizes actionable security alerts before notifying the customer, allowing the internal team to focus on genuine threats instead of manually reviewing large volumes of duplicate and low-value alerts. This also helped ensure that true security findings across high, medium, and low severity levels were not overlooked due to limited internal review capacity.
Based on observed service data, Athena MDR achieved an average 97.36% reduction in alert noise, measured from ingested logs to true positive alerts generated. This reduction was supported by Athena MDR’s AI-assisted threat analysis and human-validated detection process, ensuring that only meaningful security events were escalated to the customer.
As a result, the security team reduced its time spent on security operations from around 50% to 20–30%, while the lead analyst’s involvement decreased from nearly full-time to around 50%. This freed the team to refocus on core IT operations, IT risk strategy, and management.
3. Faster Investigation and Response Through Expert-Led Analysis
Athena MDR provided expert-led investigation, correlated endpoint and network telemetry, and structured remediation guidance. This helped the customer identify intrusion paths, analyze attacker behavior across multiple devices, and respond more confidently to complex incidents.
Average detection and response time improved to under one (1) hour, compared with previous complex investigations that could take one to two days or longer. This represents a more than 95% improvement and supports regulatory expectations requiring high-risk threats to be remediated within 24 hours.
For example, prior to Athena MDR, the customer’s last major security incident required several days for full investigation and cleanup. With Athena MDR and Sangfor IR support, a later incident of similar complexity was handled within 24 hours, including investigation, malicious artifact removal, and backdoor validation.
4. More Comprehensive and Responsive SOC Coverage
Athena MDR delivered broader monitoring coverage than the previous SOC service by including internal traffic, endpoint activity, authentication behavior, and correlated telemetry, instead of focusing mainly on internet-facing traffic.
The service also provided deeper investigation, more responsive support, and unlimited IR investigation under the MDR subscription. By including IR support as part of the subscription rather than treating additional cases as chargeable add-ons, Athena MDR gave the customer greater assurance that complex incidents could be handled quickly, thoroughly, and with better cost predictability.
5. Faster Reporting Preparation and Clearer Executive Communication
Athena MDR introduced structured weekly and monthly reports, proactive CSM updates, and clearer explanations of ongoing security events. These reports made it easier for the IT team to brief senior management with timely and actionable information.
The customer reduced the time required to prepare internal security reports and management updates by an average of 75%, allowing staff to spend less time rewriting SOC reports and more time on security improvement and risk management.
6. Faster and More Cost-Effective Path to Mature Security Operations
Athena MDR gave the customer immediate access to mature SOC and MDR capabilities from day one, without needing to build equivalent tooling, infrastructure, staffing, and processes internally. This helped avoid the estimated USD 63,000 to USD 75,000 annual tooling and infrastructure cost, excluding manpower.
Instead of spending three or more years building MDR-level visibility, analytics, and 24/7 operational capability, the customer was able to upgrade its security operations capability 35 times faster through Athena MDR’s fixed subscription model.
Key Takeaway
This case demonstrates how a large educational institution significantly improved its cybersecurity maturity through Sangfor Athena MDR. With enhanced visibility, faster response, reduced operational workload, and expert guidance, the customer now operates with greater confidence and stronger compliance readiness.
Athena MDR delivered:
- Sub-one-hour average detection and response
- Reduction of complex incident investigation time from multiple days to within one day
- Significant workload relief for internal IT security staff
- Comprehensive endpoint and network threat visibility
- Continuous 24/7 protection with real-time communication
- Significant cost avoidance compared with building an in-house SOC
The institution concluded that relying solely on internal staff to build a mature SOC would take at least three years, while MDR provides immediate, expert-driven protection and long-term peace of mind.