Case Study
Transforming Security Operations & Compliance at
Europe’s 4th-Largest Bank with Lantez Managed SOC
01
Client Context & Challenges
The Client: A pan-European, systemically important bank (Top-4 by assets) operating across retail, corporate, investment, and payments businesses. The bank’s SOC supported dozens of BUs, hybrid infrastructure (mainframe + on-prem + multi-cloud), and stringent internal risk policies.
Pain Points Before Lantez:
- Fragmented telemetry & tooling: Multiple point products, inconsistent schemas, and siloed teams led to slow investigations and missed correlations.
- Alert fatigue: Analysts faced thousands of daily alerts; high false-positive rates created “noise blindness,” delaying response to real threats.
- Audit burden: Evidence gathering for UK/EU regulators (FCA/PRA; EU supervisory authorities) was manual, non-repeatable, and time-intensive.
- Operational resilience pressure: Growing expectations to demonstrate disruption tolerance, threat-led testing readiness (e.g., CBEST/TIBER-EU), and robust incident playbooks.
- Centralize visibility across all environments (incl. mainframe and middleware).
- Automate triage and response to compress MTTR without growing headcount.
- Move to continuous compliance—be “audit-ready” all the time.
02
Lantez SOC Platform: Architecture & Approach
Design Principles:
- Cloud-native, API-first, Kubernetes-based (deployed on AWS EKS) for elastic scale and HA.
- Multi-tenant & access-segmented by region/BU for data sovereignty and least privilege.
- Open integration fabric to snap into enterprise identity, middleware, ITSM, and alerting systems.
- Lantez Ingestion & Normalization: Real-time and batch collectors for applications, servers, containers, databases, network devices, cloud services, WSO2, and mainframe (via bank’s existing log collectors/HALCYON feed or equivalent). Normalizes heterogeneous formats (text/JSON/XML/proprietary) into the Lantez schema for consistent correlation.
- Lantez Correlation & Analytics Engine: Rule-based correlation + AI anomaly detection with MITRE ATT&CK mappings. Cross-domain patterning (mainframe ↔ cloud ↔ network) in milliseconds; risk scoring prioritizes analyst focus.
- Lantez SOAR: Pre-built and customizable playbooks automate >75% of incident workflows: isolate endpoints, kill processes, block IPs/domains, rotate credentials, disable compromised accounts, update firewalls/WAFs, notify business owners. Integrates with ITSM to open/resolve incidents with full context; OpenText used for SMS/email alerts to on-call teams.
- Lantez Dashboards: Role-based, real-time views for SOC analysts, CISO, compliance, and board. Threat heatmaps, kill-chain timelines, and KPI tracking (MTTD/MTTR, incident volumes, dwell time, control health).
- Lantez Compliance & Evidence Engine: Continuous control monitoring mapped to UK/EU frameworks (e.g., FCA/PRA operational resilience, DORA, NIS2, GDPR), plus PCI DSS and ISO/IEC 27001. One-click regulator-ready reports with traceable evidence (control → test → artifact → log trail). Control exceptions trigger remediation workflows with owners and due dates.
- Identity & Governance: Okta SSO & RBAC, fine-grained data-domain authorizations, full audit trails on console actions. Encryption in transit and at rest; immutable log options for forensic integrity.
- Identity: Okta (SSO/RBAC)
- Middleware: WSO2 Integrator (business transaction/error monitoring)
- Alerts & Messaging: OpenText (SMS/email)
- ITSM: Bank’s ticketing platform (auto case creation, status sync)
- Cloud: AWS (EKS, object storage for tiered retention)
- ≥ 12 months online retention for rapid investigations, with tiered archival to meet internal policy and regulatory requirements.
03
Implementation Timeline
Lantez implementation timeline:
- Week 0–1: Scope & discovery; integration plan; connectivity & IAM scaffolding
- Week 2: Log source onboarding (pilot sets across on-prem, cloud, WSO2, mainframe feed); baseline dashboards
- Week 3: Correlation rules & AI models tuned; SOAR playbooks adapted to bank SOPs; ITSM/OpenText wired
- Week 4: Go-live in production; hypercare; KPI baselines locked; handover to Lantez Managed SOC team
- Total time to value: < 4 weeks from kickoff to production insights
04
Measured Outcomes (First 90–120 Days)
Outcome Area | Baseline (Pre-Lantez) | Post-Lantez (Measured) | Impact |
---|---|---|---|
MTTR (P1 incidents) | 45–70 min | 4–7 min | ~10× faster containment |
False-positive rate | High (analyst fatigue) | ~50% reduction | Focus regained; fewer missed true positives |
Analyst hours | Heavy manual triage | Thousands saved/year | Reallocated to threat hunting & purple teaming |
Audit prep effort | Weeks per cycle | ≥50% faster | “Always audit-ready”; fewer findings |
Exec/Board visibility | Fragmented | Single pane, risk KPIs | Faster risk decisions; governance uplift |
Operational resilience | Reactive | Scaled BAU peaks, HA by design | Stable during surges/incidents |
- Phishing wave: Auto-quarantine + domain block + ticketing + SMS notification executed in seconds via SOAR; no customer impact.
- Lateral movement attempt: Cross-domain correlation (VPN + EDR + service account anomalies) triggered rapid isolation; dwell time reduced dramatically.
- Compliance evidence: PCI DSS and ISO/IEC 27001 control attestations produced with linked log artifacts; latest UK/EU audit cycle completed with zero material findings.
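The lateral-movement scenario above rests on the correlation engine joining signals from several domains on one entity and scoring them before a playbook fires. The following is an added illustration of that pattern, not Lantez code; the event schema, signal names, weights, window and threshold are all assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events already normalized into one schema (hypothetical
# field names, not Lantez's real schema). Every event carries the same entity
# keys (user, host) so signals from different domains can be joined.
EVENTS = [
    {"ts": "2025-03-01T09:00:10Z", "source": "vpn", "user": "svc_batch", "host": "wks-0421",
     "signal": "login_new_geo"},
    {"ts": "2025-03-01T09:03:45Z", "source": "edr", "user": "svc_batch", "host": "wks-0421",
     "signal": "credential_dump_tool"},
    {"ts": "2025-03-01T09:06:02Z", "source": "iam", "user": "svc_batch", "host": "wks-0421",
     "signal": "service_account_interactive_logon"},
    {"ts": "2025-03-01T11:30:00Z", "source": "vpn", "user": "alice", "host": "lap-1180",
     "signal": "login_new_geo"},
]

# Assumed weights per (source, signal). One low-weight signal stays below the
# threshold; distinct domains on the same entity inside the window cross it.
WEIGHTS = {
    ("vpn", "login_new_geo"): 30,
    ("edr", "credential_dump_tool"): 50,
    ("iam", "service_account_interactive_logon"): 40,
}
WINDOW = timedelta(minutes=10)
ISOLATE_THRESHOLD = 100


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=WINDOW, threshold=ISOLATE_THRESHOLD):
    """Group events by (user, host), slide a time window over each group and
    score the distinct source domains seen. Returns, per entity, the best risk
    score, the contributing sources and the playbook action (None if below
    threshold)."""
    by_entity = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_entity.setdefault((ev["user"], ev["host"]), []).append(ev)
    findings = {}
    for entity, evs in by_entity.items():
        best = {"score": 0, "sources": []}
        for i, start in enumerate(evs):
            t0 = parse_ts(start["ts"])
            seen = {}  # one weight per source domain, so repeated EDR alerts alone cannot inflate the score
            for ev in evs[i:]:
                if parse_ts(ev["ts"]) - t0 > window:
                    break
                w = WEIGHTS.get((ev["source"], ev["signal"]), 0)
                seen[ev["source"]] = max(seen.get(ev["source"], 0), w)
            score = sum(seen.values())
            if score > best["score"]:
                best = {"score": score, "sources": sorted(seen)}
        best["action"] = "isolate_host" if best["score"] >= threshold else None
        findings[entity] = best
    return findings
```

Only the service-account entity reaches the threshold and receives the isolation action; the lone VPN anomaly for the second user stays as a low-score finding for analyst review rather than an automated response.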
05
Regulatory & Framework Alignment (UK/EU)
- UK FCA/PRA Operational Resilience: Mapping of important business services (IBS) telemetry to resilience KPIs; evidence of incident handling, impact tolerances, and communications.
- EU DORA (in force 2025): Logging/monitoring coverage across ICT assets; incident classification/notification support; playbooked response and vendor/third-party observability.
- EU NIS2: Enhanced incident detection/response capabilities; governance reporting; risk and control monitoring across essential services.
- GDPR (EU) / UK GDPR: Data minimization in telemetry, role-based access, audit trails; breach detection/notification support and evidence capture.
- PCI DSS & ISO/IEC 27001: Control monitoring and one-click evidence for logging, monitoring, and incident response domains.
- Threat-Led Testing Readiness: Artefact capture and replay to support CBEST/TIBER-EU engagements.
- Outcome: Compliance teams now demonstrate continuous adherence with defensible, time-stamped evidence mapped to each control, reducing both audit effort and regulatory risk.
06
Financial Impact & ROI
- Risk Avoidance: Faster detection and containment materially reduces the probability and impact of high-severity incidents.
- Efficiency Gains: Automation replaces repetitive analyst tasks; capacity scales without proportional headcount.
- Time to Value: Production insights in <4 weeks; payback <12 months driven by reduced incident impact and audit efficiencies.
07
Why Lantez Won
- Purpose-built for BFSI: Native modules for high-throughput ingestion, real-time correlation, and continuous compliance against UK/EU regimes.
- Automation-first: SOAR playbooks aligned to bank runbooks; >75% of workflows automated.
- Enterprise-grade integrations: Identity (Okta), middleware (WSO2), ITSM, OpenText alerting—no disruption to established processes.
- Operational resilience by design: EKS-based elasticity, multi-tenant isolation, immutable evidence options, strong crypto, full auditability.
08
Lessons Learned & Recommendations
- Start with fidelity, not volume: Normalize and enrich the most critical telemetry first; quality > quantity accelerates wins.
- Automate the obvious early: Codify “run-book” responses into SOAR within week 2—this is where MTTR collapses.
- Tune with the SMEs: Joint tuning sessions (SOC + IT ops + app owners) sharpen signal/noise and trim false positives fast.
- Make compliance continuous: Treat controls as living objects with owners, tests, and expiry; let the platform surface exceptions automatically.
09
Next Steps for the Bank
- Expand playbooks to additional business lines and third-party integrations.
- Adopt continuous purple-team drills to keep models and playbooks sharp against evolving TTPs.
- Deepen operational resilience metrics and board-level risk reporting tied to IBS.
- Data lifecycle reviews per region to align retention and minimization with evolving guidance.
Appendix A - Example KPIs Now Tracked
- Detection: MTTD, % high-fidelity alerts, anomaly hit-rate
- Response: MTTR by severity, auto-containment rate, playbook success rate
- Quality: False-positive %, correlation coverage (% assets/log sources)
- Compliance: Control pass/fail trends, evidence freshness, audit SLA adherence
- Resilience: Incident-to-recovery times by IBS, peak-load stability, failover test results