Case Study

Infosys delivers security at scale with automation from Cortex XSOAR

Infosys, a global leader in next-generation digital services and consulting, rises to the challenge of 1 million events per second by turning to Cortex® XSOAR to automate and orchestrate its Cyber Defense Center operations worldwide.

In brief



Featured Product

Cortex XSOAR


IT Services

Organization Size

250,000+ employees


Global, with locations in over 50 countries


Infosys sought to eliminate as many manual processes as possible in its Cyber Defense Center operations to keep up with the growing volume of events.

    • Eliminate manual activities for Level 1 security incidents
    • Automate security response to reduce time to remediate
    • Consolidate dashboards for better visibility
    • Simplify scaling for a globally distributed team

Cortex XSOAR enabled Infosys to accelerate response and more effectively manage its own security and that of its customers.


Fulfilling a global need for protection

Being a leading digital services and consulting provider with more than 250,000 staff spread across 100 locations in over 50 countries worldwide means that Infosys has plenty to protect—even before taking into consideration its growing managed IT services practice for cybersecurity.

Most organizations are not well-positioned to handle the complex cybersecurity needs of today’s landscape. CISO and Head of Cyber Practice Vishal Salvi explained that today’s enterprises have started to distinguish between what is core and non-core to their skill sets, and for the vast majority, security is not a core competency.

Enterprises seek out Infosys to manage their cybersecurity because it’s more efficient and cost-effective to outsource this function to experts. With the landscape of sophisticated threats evolving daily, most organizations simply don’t have the resources to keep pace on their own.

Infosys has embraced this opportunity with its renowned Cyber Defense Center operations—a network of security operations centers (SOCs) in locations from Bangalore, Hyderabad, Pune, and Chennai to Bucharest and Indianapolis. These centers protect Infosys’ own vast business, covering virtually every industry sector.

Lakshmi Narayanan Kaliyaperumal, Vice President and Head of Cyber Security Technology & Operations at Infosys, leads the team responsible for the enterprise security architecture and is also accountable for developing security standards and guidelines for the entire infrastructure’s projected tools. Altogether, Lakshmi oversees a large team of cybersecurity technology and operations experts, all of them dedicated to protecting Infosys and its customers from a world of threats.

Infosys collects logs from more than 50 different types of log sources, reporting on upwards of 50,000 devices located in both on-premises data centers and the cloud. These logs generate an almost unimaginable inbound alert volume of one million events per second. This is a significant challenge, even for a large and expert global team.


Managing high alert volumes with manual work

Across its users, time to remediation ranged from four hours to as many as 48 hours in some cases. It was imperative to reduce that time.

Also, with a globally distributed organization, incidents were coming in from different systems. Analysts had to use multiple consoles to really understand what was going on. It was a complex way to manage risks, and one that could lead to human error.

“We used to collect all these logs, but there are certain tools even if we collect the logs, that is not enough,” Lakshmi notes. “We had to log into the console. So, the first challenge was for the security analyst, whether it is a Level 1, Level 2, or Level 3, to log in to multiple consoles to get their view for their incident.” That was a significant obstacle to achieving the agility and effectiveness Lakshmi and the team sought.

Layer on top of that the human factor. Trying to stem the huge, continual wave of alerts had become an overwhelming task for the analysts, who were spending their time doing repetitive Level 1 work. Morale in the centers was low, and turnover was high. This made everything even less efficient due to long ramp-up times for new SOC employees. Enabling his team of security professionals to focus on the higher value incidents, rather than just the manual and repetitive Level 1 tasks, became one of the leader’s primary objectives.

Vishal and Lakshmi knew that to secure their own business and build a leading managed service practice, they needed to eliminate as much manual work as they could, leveraging automation to support the security needs of both Infosys and its security customers. They also needed a source of truth that would enable them to handle all incidents from a single platform. “We look for automation, orchestration, and integration in a very purposeful manner,” Vishal says.


Increase SOC efficiency

Infosys had to fulfill a number of primary requirements to help increase efficiency in its Cyber Defense Center operations, including:

  • Automate all Level 1 activities that are high-volume, manual, and repetitive in nature.
  • Automate more than half of Level 2 and Level 3 activities to reduce response times on more critical and complex events.
  • Provide deep role-based access control (RBAC) to enable partnerships with internal teams like HR and IT.
  • Automate data collection from disparate security systems.
  • Consolidate information in a single console so teams do not need to bounce between sources.
  • Ultimately, find a reliable partner. With its own global network to support and a constantly evolving threat landscape, Infosys needed a cybersecurity partner that could work closely with them to enable reliability and trust.

Having automated whatever they could internally, the Infosys team now needed new ways to manage all the repeatable manual tasks with a high degree of automation. This would allow the company to grow the team’s bandwidth for the deeper cognitive work vital in cybersecurity operations.


With Cortex XSOAR, Infosys achieves end-to-end security automation

With Cortex® XSOAR, Infosys has been able to improve the operational efficiency of its Cyber Defense Centers with automation that orchestrates security activities with configurable playbooks.


“We found that Cortex XSOAR was the best fit solution for automating and getting us to the next level of hyperautomation that we were looking for.”

Vishal Salvi, CISO and Head of Cyber Security Practice, Infosys

Before deploying Cortex XSOAR, Infosys had already been using a next-generation security information and event management (SIEM) platform and generating alerts from it. Infosys also had user and entity behavior analytics (UEBA) as well as cloud-based monitoring services already integrated into the SOC.

What wasn’t integrated was automated orchestration. As a result, when the SIEM generated an incident, it was manually assigned to an analyst who then had to figure out additional context and determine if the incident merited further investigation. Infosys had manual playbooks that directed security analysts’ actions, but they needed to digitize and automate those playbooks. That is what Cortex XSOAR enables.

Cortex XSOAR integrated with the existing Infosys security stack, making it easier to deploy. On top of that, Infosys had previously been manually calculating the mean time to detection and response (MTTD and MTTR)—a difficult and time-consuming task. With Cortex XSOAR, that calculation is automatic. Both leaders note the value and simplicity Cortex XSOAR provides.

“We found that Cortex XSOAR was the best fit solution for automating and getting us to the next level of hyperautomation that we were looking for,” Vishal says. “Given the success of that deployment and the amount of automation that we’ve been able to do, we’ve now extended that to all our managed security services. So now, all our Cyber Defense Centers across the globe use that layer of Cortex XSOAR to automate all their use cases.”


Automatically handles 100% of Level 1 incidents

Infosys can achieve its automation goals with Cortex XSOAR, having now automated 100% of Level 1 incidents. As an added benefit, over 70% of more intensive and complex Level 2 incidents are now automated as well. “One of the most important metrics for us is what percentage of our Level 1 and Level 2 work is getting automated, and we’ve done quite well now with Cortex XSOAR,” Vishal says.

Improves response times by an order of magnitude

Before implementing Cortex XSOAR, MTTR was between four and 24 hours, even for a Level 1 incident. Lakshmi says that now, with Cortex XSOAR and automated playbooks, MTTR numbers have gone down dramatically—all the way to real-time response.


“Now, for most of the incidents which we have automated with Cortex XSOAR playbooks, the mean time to detection and mean time to response is zero. That’s the power of automation.”

Lakshmi Narayanan Kaliyaperumal, VP, Head of Cyber Security Technology & Operations, Infosys

Speeds up training of new staff

In the past, onboarding new SOC staff was time-consuming. It typically took three to six months to train new analysts on security operations, and it could be much longer before they delivered the value of a more seasoned analyst. With Cortex XSOAR, training time is down to just four to six weeks. Additionally, automated playbooks from Cortex XSOAR ensure consistency, so those new analysts can act to the same standards as Infosys SOC experts.

Increases employee satisfaction

By eliminating manual tasks with Cortex XSOAR, Infosys has reduced employee turnover. Lakshmi observes that his analysts aren’t getting burned out anymore by repetitive, monotonous tasks. Now, those lower-level tasks are being automated, which has led to improved employee retention.

Thanks to the increased automation from Cortex XSOAR, employees are focusing on higher-level, more interesting tasks, Lakshmi explains.

Infosys has gained a solid, reliable partner

With Palo Alto Networks, Infosys isn’t just getting Cortex XSOAR. The company is getting a trusted partner who listens to and works with the Infosys team to continuously improve.

One aspect of this partnership involves Infosys participating in Palo Alto Networks customer advisory forums. The leaders are able to provide feedback that helps to further improve the overall security solution. Vishal notes that it’s always good to get more features and that Palo Alto Networks is always very responsive.

Cortex XSOAR automates security success

With Cortex XSOAR as part of the security operations stack, Infosys has been able to achieve its objective of focusing humans on higher level tasks while automation handles the scalability challenges of an increasing volume of data. No longer are incidents slowed down by manual processes and disparate systems. With digitized playbooks and orchestrated responses enabled by Cortex XSOAR, Infosys can offer the highest levels of assurance and service-level agreements to its cybersecurity customers.

“With Cortex XSOAR, you can automate so that the team only needs to focus on the incidents which are complex in nature,” Lakshmi points out. “This is how we are providing assurance to management, and to our customers. They know all the incidents are handled in a proper way. And we are not missing any incidents in a day. That’s very important.”

“We believe truly that the combination of Infosys and Palo Alto Networks can really be very potent in the industry,” Vishal adds, “to drive innovation and assure customers that we have their back.”

Visit us online to find out more about how Palo Alto Networks Cortex XSOAR can help automate opportunities for your organization.