Darwin Cayetano Vásquez

Preemptive Cybersecurity within Security Operations Centres (SOCs) represents a fundamental shift in digital defence. It focuses on anticipating and neutralising threats before they can be executed, enhancing organisational protection and resilience. _____ Today's cyber threats demand more than detection and response. Organisations now require a defence model that acts in advance, neutralising threats before they can be executed. Preemptive Cybersecurity applied within a Security Operations Centre (SOC) enables the early identification, anticipation and blocking of attacks, shifting the defensive posture from reactive to truly proactive. ■ Gartner identifies preemptive Cybersecurity as the future of the discipline, moving beyond conventional detection-and-response models. In this article, we use the term preemptive Cybersecurity to describe a defence model capable of neutralising threats before they are activated. Preemptive Cyber Security in the SOC Preemptive Cyber Security services integrated into the SOC combine advanced threat intelligence, predictive analytics and AI-driven automation. These services recognise risk patterns, anticipate malicious behaviour and stop attacks before they reach critical systems. Key applications Continuous monitoring and predictive telemetry analysis to anticipate intrusion attempts. Correlation of Cyber Threat Intelligence (CTI) with campaign prediction models. Preemptive blocking of malicious infrastructures (domains, IP addresses, suspicious files). Execution of containment playbooks before an attack can materialise. Advantages over traditional approaches Reduced incidents by stopping threats in their early stages. Greater operational resilience by minimising business disruptions. Improved SOC team efficiency by reducing alert overload and false positives. Enhanced customer trust and regulatory compliance. Challenges in implementing preemptive Cyber Security Balancing automation with human oversight helps avoid unnecessary interruptions by validating critical alerts and fine-tuning automated responses, ensuring continuity of essential services. Adapting the SOC strategy to a more proactive and preemptive model requires a prevention-driven culture and the ability to act quickly on early warning signs. To avoid the risk of overload from inaccurate predictions, it is necessary to optimise algorithms and apply effective filtering to maintain operational efficiency and prevent analyst fatigue. Having specialised analysts in CTI and predictive models is key to interpreting data, refining models, and making informed decisions on potential threats. Use case: preemptive SOC in a telecommunications company A regional SOC specialised in telecommunications implemented a preemptive Cyber Security service powered by artificial intelligence and global threat intelligence. The service consisted of three key components: A predictive engine fuelled by data from active campaigns and machine learning models. An automated blocking system for malicious infrastructures, integrated directly with next-generation firewalls (NGFWs) and email services. A team of intelligence specialists who validated predictions and adjusted the model parameters. The SOC detected early patterns of targeted phishing, correlating metadata from suspicious emails with campaigns found on underground forums. As a result, more than 10 domains were blocked before reaching user inboxes. In addition, by analysing vulnerabilities in routers and exposed ISP systems, the team anticipated zero-day exploitation attempts. The platform generated preemptive indicators and executed isolation playbooks in under two minutes. The process was backed by weekly intelligence reports for management, highlighting emerging threat trends and preventive actions taken. Results achieved 72% reduction in phishing incidents over six months. Two critical vulnerability exploit attempts were prevented before official patches were released. 40% decrease in incidents requiring manual escalation to level 2 teams. Recommendations Adopt a SOC service model that includes early prediction and neutralisation capabilities. Define clear prevention metrics, such as attack attempts blocked before execution. Invest in analyst training focused on predictive and preemptive threat intelligence. Integrate preemptive Cyber Security into your business continuity strategy to maximise its value. ■ What is Future of SOC? At Telefónica Tech, we transform traditional SOCs into intelligent, automated, and predictive Cyber Security centers, capable of anticipating threats. View infographic → Conclusion Preemptive Cyber Security marks a paradigm shift in how SOCs address modern threats. It’s not about reacting—it’s about staying ahead of the adversary. These preemptive services, powered by AI and advanced threat intelligence, position the SOC as a strategic and proactive force, capable of protecting organisations from attacks before they even occur. This approach not only enhances resilience, but redefines the very nature of modern cyber defence. Cyber Security The strategic role of the SOC in enterprise Cyber Security management August 20, 2025

Attack surface management (ASM) represents a key capability in protecting today’s digital environments. Organizations are facing exponential growth in their digital footprint —cloud assets, exposed services, unauthorized technologies, and third-party relationships— which increases their exposure to cyber threats. The ASM service, enhanced with Artificial Intelligence (AI) and delivered as a managed solution integrated into Security Operations Center (SOC) operations, enables continuous external visibility, contextual risk analysis, and automated responses to detected vulnerabilities. The AI-powered ASM service provides continuous visibility, contextualizes risks, and automates responses to vulnerabilities. ASM as a managed service with advanced AI capabilities This service combines continuous discovery, cognitive risk analysis, and orchestrated automation, without requiring clients to acquire specific technology platforms. AI embedded in the service helps identify digital exposure patterns, correlate emerging threats, anticipate attack scenarios, and prioritize mitigation actions with greater accuracy and agility. Key applications Autonomous discovery of exposed digital assets (cloud, domains, APIs, IoT, shadow IT). Contextual risk assessment using intelligent scoring engines. Exposure correlation with threat intelligence (CTI) and predictive models. Activation of automated responses (alerts, containment, isolation or blocking) based on client policies. Advantages over traditional approaches Elimination of blind spots through uninterrupted external monitoring. Enriched analysis with machine learning models and behavior-based detection. Proactive reduction of attack vectors without constant manual intervention. Delivered as a managed service with specialized analysts who validate findings and support decision-making. Challenges in delivering intelligent ASM services Filtering findings to distinguish between technical exposures and actual operational risks. Seamless integration with the client’s internal SOC processes. Change management in highly dynamic cloud environments. Training client personnel to fully leverage the intelligence generated by the service. Use case: intelligent ASM service in a banking institution A banking institution implemented a managed ASM service powered by AI to gain control over its external attack surface. The service combined continuous discovery with AI-driven analysis, prioritization by criticality, and automated actions aligned with its defense plan. Critical exposures were reported and validated by expert analysts, and containment measures were carried out in coordination with the bank’s SOC team. Results achieved Detection of over 800 unregistered assets within the first 60 days. 38% reduction in critical exposed surface within a quarter. Activation of automated actions (DNS blocking, targeted alerts, remediation alerts) in over 70% of critical findings without manual intervention. Recommendations Adopt AI-powered managed ASM services as a core element of your SOC strategy. Establish collaborative processes between the service provider and internal analysts. Incorporate ASM intelligence into risk assessment models and cyber security architecture decisions. Measure the value of the service not only by the volume of findings, but by its impact on reducing exposed surface and preventing incidents. Conclusion The AI-powered managed ASM service transforms external digital visibility into a strategic advantage. Through continuous discovery, contextual analysis and intelligent automation, organizations can stay ahead of attackers, close gaps in real time, and strengthen their security posture without adding operational complexity. The AI-powered managed ASM service transforms external digital visibility into a strategic advantage. ASM as a service is not just about external monitoring, but a proactive, precise, and agile capability within the modern cyber defense ecosystem.

Automation has become a cornerstone of Cyber Security Operations Centers (CyberSOCs). SOAR (Security Orchestration, Automation and Response) platforms have evolved from simple playbook execution tools into intelligent systems. In their new generation, SOAR platforms integrate Large Language Models (LLMs), enabling more contextual, autonomous orchestration with continuous learning capabilities. This transformation is redefining how cyber analysts engage with threats, data, and systems. ■ SOAR (Security Orchestration, Automation and Response) streamlines Cyber Security by integrating data and tools into a unified system that accelerates incident response and enhances collaboration across SOCs. This allows organizations to defend against cyber threats more quickly and effectively, consolidating multiple data sources and tools into a cohesive environment. Next-generation SOAR: conversational AI for contextual automation LLM-powered SOAR platforms allow analysts to interact with systems using natural language, generate and modify playbooks, interpret alerts, draft reports, and even propose responses to complex threats. Key applications Automated playbook generation based on natural language descriptions. Incident summarization and automatic creation of technical reports. Threat prioritization based on operational and critical context. Adaptive response suggestions grounded in frameworks like MITRE ATT&CK and detected TTPs. SOAR has evolved from a mere execution tool into an intelligent system capable of learning and adapting. Advantages over traditional SOAR Reduced reliance on manual coding. Improved interpretability of events and decision-making. Continuous learning through human feedback. Challenges in integrating LLMs into SOAR Validation of automated actions: Prevent LLMs from making unsupervised, undesirable decisions. Hallucinated findings: Risk of inaccurate interpretations or fabricated responses. Prompt privacy and security: Sensitive query data must be rigorously protected. Cultural adaptation and training: Analysts must develop new skills to interact effectively with generative AI. LLM language models offer more contextual and autonomous orchestration, redefining operations in CyberSOCs. Use case: Implementing LLM-powered SOAR in an MSSP A Managed Security Services Provider (MSSP) integrated a next-gen SOAR platform with LLMs to automate incident handling and client communications. Analysts could query the system using natural language to get threat summaries, validate automated steps, and adjust playbooks in real time. Outcomes achieved 48% reduction in Mean Time to Investigate (MTTI) Improved quality and speed of incident reports. 60% increase in automated resolution of low-severity incidents. Recommendations Set up validation controls for actions suggested by LLMs. Incorporate algorithmic governance frameworks and decision auditing. Foster co-creation between analysts and AI through effective prompt design. Ensure data privacy and security in interactions with LLMs. Conversational AI integration enables the drafting of reports, interpretation of alerts, and proposal of responses to complex threats. Conclusion The integration of LLMs into SOAR platforms marks a new era in Cyber Security automation—more intelligent, contextual, and collaborative. This technology not only boosts efficiency but empowers analysts with conversational capabilities that transform their operational approach. The goal is not to replace humans, but to build a powerful synergy between expert knowledge and generative artificial intelligence.

Cyber Threat Intelligence (CTI) is one of the cornerstones of proactive defense against digital attacks. At the tactical level, CTI focuses on equipping security teams with insights into malicious actors' tactics, techniques, and procedures (TTPs)-enabling faster, more accurate detection and real-time response. AI is reshaping the way we analyze massive data sets in this space, boosting both threat pattern identification speed and precision. Tactical yhreat intelligence and Its impact Tactical intelligence delivers actionable insights into recent attacks' tools, tactics, and techniques. Its goal is to optimize detection rules on SIEM, EDR, and XDR platforms, enabling a more effective response and strengthening real-time defense strategies. Key use cases Real-time correlation of Indicators of Compromise (IoCs). Development of SIEM/XDR detection rules based on attack patterns. Automated containment across next-generation firewalls (NGFWs) and cloud, network, and endpoint protection systems AI in threat identification and mitigation AI has significantly improved tactical CTI efficiency by automating the analysis of large data volumes, identifying emerging threats, and reducing false positives. Some of the most impactful applications include: 1. Machine learning for pattern recognition Supervised and unsupervised machine learning models analyze network traffic and security events to detect anomalous behavior patterns. 2. Natural language processing (NLP) for threat analysis NLP extracts key insights from threat intelligence reports, dark web forums, and threat feeds, automatically generating reports on new attack techniques. 3. Automated incident response AI-powered Security Orchestration, Automation, and Response (SOAR) platforms execute predefined playbooks to mitigate threats within seconds. Challenges to applying AI to CTI Despite its many advantages, using AI in tactical threat intelligence also presents significant challenges: False positives and alert fatigue: Some models generate large volumes of alerts, many of which are benign—leading to analyst fatigue and reduced effectiveness. Advanced evasion techniques: Attackers are developing methods to bypass AI-based detection, such as adversarial machine learning. AI is in attackers' hands: Generative AI is already used to craft polymorphic malware and highly personalized, realistic phishing campaigns. Resource and expertise requirements: Implementing and maintaining AI solutions requires robust infrastructure, intensive processing capabilities, and specialized teams skilled in both data science and Cyber Security. Use case: early ransomware detection with AI in a regional SOC A regional SOC implemented a hybrid model combining supervised machine learning and behavioral analysis within its XDR platform to detect ransomware-related activity. During the testing phase, the system analyzed 25 million daily events across endpoints and servers. The model was trained using both real-world and simulated attack data. It successfully identified early-stage ransomware behavior—such as unusual mass file access and suspicious processes like vssadmin.exe—with a 97.4% detection rate and a 42% reduction in false positives compared to traditional methods. Thanks to automated SOAR playbooks, containment was triggered in under 60 seconds after detection, effectively halting ransomware spread and minimizing operational impact. Recommendations To fully harness AI potential in CTI, we recommend: Adopting explainable AI models to enhance threat detection transparency. Explainable AI helps Cyber Security analysts understand how and why specific decisions are made—critical for assessing alert reliability and fine-tuning models. Integrating threat intelligence with the MITRE ATT&CK framework to improve event correlation. This standardized framework categorizes attacker TTPs, helping analysts detect suspicious behaviors and prioritize responses more effectively. By correlating these events with a standardized framework such as MITRE ATT&CK, a clearer picture of threats can be obtained and responses prioritized more effectively. Leveraging SOAR platforms to automate security responses and reduce the operational burden on SOC teams. These tools execute predefined playbooks containing incidents in seconds, allowing analysts to focus on data interpretation and the continuous improvement of detection systems. AI should be viewed as an enhancement—not a replacement—for human expertise. Conclusion AI integration into tactical threat intelligence has transformed the way organizations detect and mitigate cyberattacks. The ability to automatically identify, analyze, and respond to emerging threats enhances security postures and dramatically shortens incident response times. However, AI is not a silver bullet. The role of a Cyber Security analyst remains irreplaceable. Human experience, intuition, and critical thinking are essential to interpret alerts in context, make strategic decisions, and continually refine detection models. AI should be seen as a powerful ally—not a substitute—for human judgment. Cyber Security Cyber Security automation with AI to anticipate and neutralize threats March 17, 2025