Executive Summary
Customer: A regulated utility company operating vital services across multiple Malaysian regions.
Industry: Utility (National Critical Information Infrastructure, NCII)
Challenges:
- Reactive & Delayed Response
- Alert Fatigue
- Limited Headcount & Expertise
- Navigating Compliance Requirements of the Cybersecurity Act
- End-User Behavior Risks
Sangfor Solution: Sangfor Athena MDR (Managed Detection and Response) Service
Customer Background
Our customer is a regulated utility company operating vital services across multiple Malaysian regions.
As a National Critical Information Infrastructure (NCII) organization, the company is directly governed by the Malaysia Cybersecurity Act 2024 and must comply with stringent cybersecurity and reporting obligations under the Act, NACSA directives, and its IT risk management requirements.
With a lean IT team of four, the Head of IT oversees both general IT infrastructure operations and cybersecurity responsibilities, while juggling day-to-day administrative, technical, and compliance functions. This limited capacity made 24/7 security monitoring, incident response, and compliance reporting highly challenging.
Our IT department is supported by only four dedicated professionals. They are responsible for both operational technology and cybersecurity functions. As our digital environment expands, the complexity and risks have grown rapidly. This increasing demand makes it challenging for such a small team to manage everything internally.
Head of IT
Cybersecurity Challenges
Despite using multiple cybersecurity tools, the company faced recurring challenges that limited its overall cyber readiness and compliance posture.
| Pain Points | Details |
|---|---|
| 1. Reactive & Delayed Response | Existing security controls were mostly reactive, with alerts only attended to after anomalies were reported by staff or incidents were observed the next business day. This often resulted in delays of up to 12 hours before any investigation could even begin, followed by up to an additional 4 hours of manual investigation work per incident, which commonly impacted daily IT operation workflows. |
| 2. Alert Fatigue | The team faced massive log volumes but lacked tools or time to analyze them effectively. Only high or critical-severity alerts were attended to, leaving medium- and low-severity incidents unreviewed. |
| 3. Limited Headcount & Expertise | With only 4 IT staff, including one part-time security handler, the company could not justify hiring additional cybersecurity personnel due to cost (estimated USD 71,500 – 95,300 per year for full SOC staffing, excluding technology toolsets required for SOC operations). |
| 4. Navigating Compliance Requirements of the Cybersecurity Act | As an NCII entity, the organization is subject to mandatory cybersecurity audits and reporting requirements under Malaysia’s Cybersecurity Act 2024. Without continuous monitoring and reporting capabilities, the company faced the risk of regulatory non-compliance and legal repercussions. |
| 5. End-User Behavior Risks | Users may unintentionally expose the environment to threats through unsafe practices, such as clicking phishing links, downloading unverified applications, reusing weak passwords, or connecting unsecured devices to the network. Even routine daily activities can trigger security alerts, including accidental access to restricted systems or generating suspicious network traffic such as ARP scans. |
Sangfor Security Solution
Recognizing the cost, resource, and compliance challenges, the company deployed Sangfor Athena MDR — a fully managed detection and response service offering 24/7 protection, real-time alert validation, and human-led response.
Operating from an ISO/IEC 27001–certified Global SOC, Athena MDR integrates Sangfor’s most advanced platform, EPP protection, and AI-driven Security GPT to provide unified visibility across endpoints, networks, and cloud workloads.
Through SLA-based service operations, the Sangfor MDR team ensures:
- Real-time detection and triage of alerts, verified by human analysts.
- Immediate containment actions using endpoint and network integrations.
- Weekly and monthly reports and reviews supporting audit and regulatory readiness.
Following deployment, Sangfor MDR now protects over 50% of the company’s core servers and endpoints, with a plan to achieve full coverage by 2026.
Solution Benefits and Outcomes
Security Posture Summary Before and After Athena MDR Deployment
| Pain Points | Before the Deployment | After the Deployment | Benefits |
|---|---|---|---|
| 1. Reactive & Delayed Response | Alerts were often checked and investigated only on the next working day, and later still over weekends and holidays, with investigations taking 30 minutes to 4 hours. The previous endpoint security vendor’s confirmation on suspicious files could take 2–3 days. | Response time improved by up to 96% with Athena MDR’s 24/7 monitoring and triage, with responses starting in as little as 30 minutes. | Proactive Security Operations Transformation |
| 2. Alert Fatigue | Hundreds of thousands of logs were generated, with only critical alerts reviewed manually. | 99.4% average noise reduction, cutting analysis time by approximately 500 staff hours per month. | Noise Reduction with Actionable Threat Intelligence |
| 3. Limited Headcount & Expertise | Only 4 IT staff handled all IT and security functions. An in-house SOC would require 4–5 additional personnel, costing USD 71,500–95,300/year, to operate effectively. | More than 83% savings in SecOps costs per year, across both CAPEX and OPEX, compared to building and maintaining an in-house SOC and hiring additional staff — while still ensuring expert coverage. | Optimized Security TCO & ROI |
| 4. Compliance Readiness | Required to comply with regulatory requirements but lacked proper processes, SLAs, and reporting structure. | Fast-tracked compliance, with MDR providing defense capabilities, audit-ready reporting, and SLA-backed incident response. | Regulatory & Governance Readiness |
| 5. End-User Behavior Risks | Users may unintentionally expose the environment to threats through unsafe practices, such as clicking phishing links, downloading unverified applications, reusing weak passwords, or connecting unsecured devices to the network. Lack of visibility into user actions made it difficult to detect early signs of compromised accounts or insider threats. High dependency on manual monitoring increased the chance of unnoticed risky behavior. | Network traffic generated by user activity is monitored and correlated across devices, applications, and networks. Suspicious behaviors such as unusual login patterns, lateral movement, or abnormal traffic are flagged immediately, enabling faster identification of compromised accounts or insider incidents by the 24/7 security team. | Improved Visibility and Faster Detection of Risky User Behaviors |
1. Proactive Security Operations Transformation
With Sangfor Athena MDR, the organization achieved a full transformation from a reactive, tool-based approach to proactive, outcome-driven security operations.
- Faster Threat Validation and Response:
Before Athena MDR, the IT team could only review alerts during working hours, often resulting in delays of up to 12 hours between detection and response. With 24/7 monitoring and triage from Sangfor’s Global SOC, alert investigations are now completed within 30 minutes to 4 hours, depending on severity — up to 96% faster mean-time-to-notify (MTTN).
- Round-the-Clock Monitoring:
Although visibility was maintained at all times, the reactive monitoring model of the lean IT team resulted in slower incident handling outside normal working hours, on weekends, and on public holidays. Today, Sangfor Athena MDR provides continuous monitoring and SLA-bound escalation for all alert severities, ensuring no gaps in coverage and immediate human-led verification, including in the middle of the night (for example, 1:00 AM), when attacks most often occur.
- AI-driven Data Correlation and Alert Filtering:
Athena MDR processes a monthly average of 360 million logs from endpoint and network telemetry. Using advanced correlation and AI-powered noise reduction with the proprietary Security GPT, the platform filters false positives, removes duplicate data, and reduces alert noise by over 90%, saving approximately 500+ staff hours per month that were previously spent on manual log reviews.
- Focus on Real, Verified Threats:
Each alert is immediately validated by Sangfor’s analysts and communicated to the customer through instant messaging. This has eliminated time lost to manual email tracking, which took 2-3 days per communication update with the previous vendor, plus up to 10 minutes to attend to each alert notification received via email.
2. Noise Reduction with Actionable Threat Intelligence
Only validated, high-confidence threats are escalated to the customer’s IT team, allowing them to focus on real security threats rather than raw data triage. Across more than 20 months of MDR operation, the MDR service has maintained a 99.4% average false-positive filtering rate, meaning only 0.6% of alerts required real action. Our data also shows that our MDR platform consistently narrowed millions of signals into a few verified incidents per month — achieving an estimated 90–95% reduction in alert workload compared to the prior unmanaged environment.
3. Optimized Security TCO & ROI
By outsourcing to Sangfor Athena MDR, the customer avoided the cost and complexity of establishing its own 24/7 SOC.
- Significant Cost Savings:
Building an in-house SOC would have required four to five additional hires, costing approximately USD 71,500 – 95,300 per year, excluding infrastructure and tools. Through MDR, the company achieved over 83% OPEX savings annually, benefiting from enterprise-grade protection at a fraction of the cost.
- High ROI and Breach Cost Avoidance:
These savings are further amplified when compared to potential business losses from a single week-long ransomware disruption, which could easily exceed hundreds of thousands in downtime and recovery costs. According to the IBM 2025 Cost of a Data Breach report, utility companies face, on average, USD 3.72 million in total damages from cyberattacks. Based on this figure, Sangfor’s MDR TCO model estimates an ROI exceeding 83% compared to an in-house SOC per year.
Source: MDR TCO Calculator
4. Regulatory Compliance & Governance Readiness
As a National Critical Information Infrastructure (NCII) entity regulated by NACSA, compliance with the National Cyber Security Act is a mandatory requirement.
- Audit-Ready Operations:
With Sangfor MDR, the organization can now demonstrate 24/7 monitoring, evidence-based alert tracking, and SLA compliance — all of which are key audit requirements under the regulatory framework and ISO 27001 standards.
- Simplified Governance and Reporting:
MDR’s monthly incident reports and activity summaries provide traceable incident histories, root cause analyses, and improvement recommendations, enabling easier audit submission and board-level visibility – as highlighted by the Head of IT.
- Faster Compliance Readiness:
The organization achieved full operational readiness in just one month — 94% faster than the estimated 18 months needed to build and operate its own SOC.
5. Improved Visibility and Faster Detection of Risky User Behaviors
Previously, the IT team had limited visibility beyond its endpoints, leaving gaps in network telemetry, especially lateral (east-west) traffic. Sangfor MDR’s unified monitoring across endpoint, network, and cloud layers now provides a 360° view of all activities, enabling early containment of potential intrusions.
- End-User Behavior Risk Mitigation:
Thanks to Sangfor’s comprehensive technology stack, which obtains network telemetry with minimal per-host agent deployment, the MDR service has detected and contained multiple ARP (Address Resolution Protocol) scan anomalies from personal devices within the corporate network — potentially malicious events that previously went undetected when relying solely on endpoint security.
While an ARP scan is generally used for network discovery and asset identification, it can also help attackers map LAN setups and find weak points — and when combined with ARP spoofing, it can lead to man-in-the-middle (MITM) attacks, credential theft, lateral movement, and denial-of-service (DoS) attacks.
- Endpoint and Network Correlation:
Sangfor’s MDR platform correlates endpoint events with network traffic, improving detection accuracy for lateral movement and insider threats, especially malware on insecure BYOD devices connected to the same network as core IT applications.
The Athena STA network sensor allows fast detection of network threats, especially traffic originating from hosts that have no endpoint security installed or are not covered by the company’s security policies.
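To show what the ARP scan anomaly described above looks like when detected from network telemetry alone, here is an added example (not Sangfor’s code and not the Athena platform’s detection logic) that runs a sliding-window heuristic over constructed ARP request records; the record format, the managed-endpoint inventory, and the thresholds are all assumptions.

```python
"""Sliding-window ARP sweep detector over constructed ARP request telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical asset inventory: MACs of hosts that carry the endpoint agent.
MANAGED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
WINDOW = timedelta(seconds=60)  # look-back window per sender (assumed tuning)
MIN_TARGETS = 30                # distinct target IPs in one window that count as a sweep


def parse_arp_line(line):
    """Parse one constructed record: '<ISO timestamp> <sender MAC> <sender IP> <target IP>'."""
    ts, mac, sender_ip, target_ip = line.split()
    return datetime.fromisoformat(ts), mac.lower(), sender_ip, target_ip


def detect_arp_sweeps(lines, window=WINDOW, min_targets=MIN_TARGETS):
    """Return one finding per sender MAC that asked for >= min_targets distinct IPs in a window.

    A normal host resolves its gateway and a handful of peers; dozens of "who has"
    requests in a minute look like discovery, and a sender missing from the endpoint
    inventory is exactly the agentless device only the network sensor can see.
    """
    recent = defaultdict(deque)  # sender MAC -> (timestamp, target IP) pairs inside the window
    findings = {}
    for line in lines:
        ts, mac, sender_ip, target_ip = parse_arp_line(line)
        q = recent[mac]
        q.append((ts, target_ip))
        while ts - q[0][0] > window:  # age out entries older than the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= min_targets and mac not in findings:
            findings[mac] = {
                "sender_mac": mac,
                "sender_ip": sender_ip,
                "distinct_targets": len(targets),
                "first_seen": q[0][0].isoformat(),
                "managed": mac in MANAGED_MACS,  # False => no endpoint agent on this host
            }
    return list(findings.values())


def sample_lines():
    """Constructed telemetry: two managed hosts behaving normally, one unmanaged host sweeping a /24."""
    base = datetime(2025, 3, 10, 1, 0, 0)
    lines = []
    for i in range(5):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} aa:bb:cc:00:00:01 10.0.5.11 10.0.5.1")
        lines.append(f"{t} aa:bb:cc:00:00:02 10.0.5.12 10.0.5.{11 + i % 3}")
    for i in range(1, 61):  # 60 ARP requests in 30 seconds from a personal device
        t = (base + timedelta(seconds=0.5 * i)).isoformat()
        lines.append(f"{t} de:ad:be:ef:00:99 10.0.5.250 10.0.5.{i}")
    return sorted(lines, key=lambda l: parse_arp_line(l)[0])
```

Running `detect_arp_sweeps(sample_lines())` yields a single finding for the unmanaged sender, which is the kind of event an analyst would triage before deciding whether the device is a misconfigured personal laptop or something worth containing.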
6. Business Continuity Assurance and Positive Service Experience
The IT team now operates with greater confidence, supported by experts who provide around-the-clock coverage and clear, concise communication via instant messaging.
Since adopting Sangfor Athena MDR, the organization has recorded zero successful attacks. Continuous monitoring, immediate containment, and incident response have enabled the company to maintain uninterrupted service operations — a key priority for a national infrastructure provider.
The IT Head highlighted Sangfor MDR as “a reliable front-line partner” that not only detects and analyzes threats but also provides peace of mind by taking first action during incidents. The customer also praised instant messaging communication as a major improvement over traditional ticketing or email-based SOCs, enabling faster collaboration.
With MDR in place, we have a team to complement our internal first line of defense that monitors, analyzes, and advises us on what to do next, enabling us to work alongside the team knowing the environment is always being watched.
Head of IT
Positive Service Experience
The customer highlighted Sangfor’s human touch and communication efficiency as one of the top differentiators compared to previous vendors. The previous endpoint security vendor, for example, took up to 2-3 days to verify whether a suspicious file was legitimate or malicious. Moreover, email communication and alert notifications from the security vendor cost the IT team up to 10 minutes to open a computer, log in, and read the content, especially when they were away from their PC during meetings, lunchtime, or after office hours.
Sangfor Athena MDR supports instant messaging updates instead of email-only communication. Incidents are acknowledged faster, and responses are more personalized. The company also benefits from a dedicated Customer Success Manager (CSM) who understands their environment, ensuring consistent communication and smoother coordination during incidents.
Key Decision Factors Behind MDR Adoption
The customer’s decision to adopt Sangfor Athena MDR was driven by a combination of visibility, compliance, and operational efficiency that addressed their most pressing cybersecurity challenges.
One of the most compelling factors was visibility — Athena MDR provides correlated telemetry from both endpoint and network layers, delivering a unified view of potential threats that other providers could not offer. This holistic insight gave the customer confidence that even stealthy lateral movements within their environment would not go unnoticed.
Equally important was data sovereignty. With all data stored and processed within Malaysia, Athena MDR ensured compliance with the country’s latest National Cloud Computing Policy (NCCP) and internal governance standards as required for external services. This local data residency capability not only reduced regulatory risk but also reassured the customer of greater control over their sensitive information.
Finally, the customer valued Athena MDR’s proactive monitoring and precise alerting. The 24/7 expert-led operations center continuously validates every alert to distinguish true positives from noise (i.e., false positives, non-relevant alerts, repeated alerts, etc.), allowing the customer’s IT team to focus on real threats instead of routine false alarms. This operational precision significantly improved response efficiency and optimized resource allocation, turning what was once an overwhelming alert load into actionable intelligence.
After moving to MDR, we finally have clearer, reliable, and much wider visibility of threats and responses than just relying on endpoint security. Previously, we had to check many different portals, but now everything comes from one accurate source — the cybersecurity experts in the Athena MDR team. The information (referring to alert notifications from the MDR team) we receive now is usable, trustworthy, and helps us take the right action.
Head of IT
Conclusion
This case study demonstrates how a national utility organization improved its cybersecurity maturity and compliance readiness with Sangfor Athena MDR.
By transforming from reactive controls to 24/7 human-led monitoring, the customer achieved:
- 95% faster response time for critical alerts.
- More than 83% annual OPEX savings compared to building an in-house SOC.
- Compliance readiness that complements NACSA’s cybersecurity audit framework.
- Continuous visibility across on-prem and cloud environments.
With Sangfor MDR, the customer can now operate with confidence, knowing their network, data, and systems are continuously monitored and safeguarded by Sangfor’s cybersecurity experts.