
How a Global Tier-1 Bank Eliminated Three Outsourced SOC Providers

From $8.7M/year in MSSP contracts to a fully autonomous internal SOC in under six months

  • 95% Alert Triage Automated (up from 0%)
  • 9 min MTTR (down from 6.2 h)
  • $5.4M Annual Savings vs. MSSP cost
  • 3 MSSP Contracts Eliminated (100% removed)

Industry: Financial Services
Company Size: 45,000 employees
Location: North America & EMEA
Security Team: 4 internal analysts (post-deployment)
Published: Q1 2026


The Challenge

With three MSSP providers, $8.7M in annual spend, and an MTTR still measured in hours, the bank's outsourced security model was failing to keep pace with the threat environment.

The Solution

Alaris replaced all three MSSP contracts with a single AI-native platform that autonomously triages, investigates, and responds to security incidents, 24/7, with no tier-1 headcount.

Some organizations come to Alaris because they want to improve their security posture. This client came because its security model had fundamentally broken. It was one of the largest financial institutions in North America, with 45,000 employees, operations across 32 countries and 62,000 managed endpoints, and it was spending $8.7 million a year on three separate outsourced SOC providers. Despite this investment, its mean time to respond was 6.2 hours. It had experienced three significant security incidents in 18 months that its MSSP providers had either missed or responded to too slowly. The CISO came to us with a simple mandate: fix this, or explain why it can't be fixed.

The Challenge: When Outsourcing Fails at Scale

The bank's security model had evolved organically over a decade. As the organization grew and acquired new entities, it onboarded separate security providers for different regions and business units. What started as a pragmatic solution to a resourcing problem became a structural liability.

The Three-Provider Problem

Three MSSP providers meant three separate data silos, three different alert formats, three escalation processes, and three different response SLAs, none of which coordinated with each other. When an attack spanned multiple regions or business units, the handoffs between providers created critical gaps. In one of the three significant incidents, an attacker had a dwell time of 11 days across two regions before the bank's internal team, not the MSSPs, detected the lateral movement.

  • Provider A: responsible for North American corporate infrastructure, 28,000 endpoints
  • Provider B: responsible for EMEA operations, 21,000 endpoints, different SIEM and alert taxonomy
  • Provider C: responsible for cloud environments (AWS, Azure, GCP), no shared visibility with providers A or B
  • Internal team: 8 analysts spending 70% of time on escalation management and cross-provider coordination

In a tabletop exercise conducted before the Alaris deployment, the bank's security team simulated a cross-region ransomware attack. Under the three-provider model, it took 4 hours and 47 minutes from initial detection to begin containment. The exercise was conducted against a simulated attack that moved at 1/10th the speed of a real-world ransomware deployment.

The Cost Reality

The $8.7M annual spend wasn't the full picture. Each provider contract required dedicated integration and management overhead from the bank's internal team. The bank estimated that when internal coordination costs, tool licensing fees, and lost analyst time were included, the true cost of the three-provider model was closer to $12.3M per year, and it wasn't delivering results.

The Deployment: Six Months to Full Autonomy

Month 1: Discovery & Integration Architecture

Mapped all telemetry sources, completed SIEM and tool integrations, deployed Alaris agents across all managed endpoints. Established behavioral baselines across all 62,000 endpoints.

Month 2: Shadow Mode & Trust Building

Alaris ran in shadow mode alongside the three MSSP providers. Every AI disposition was validated against MSSP analyst decisions. AI accuracy in triage: 97.3%. MSSP accuracy: 91.2%.

Month 3: MSSP Provider C Retired

Cloud environment coverage transitioned fully to Alaris. Provider C contract terminated. First month of autonomous cloud security operations with zero incidents.

Month 4: Providers A & B Transition

North American and EMEA coverage transitioned to Alaris. Both provider contracts terminated simultaneously. Internal team reduced from 8 to 4 analysts.

Month 5–6: Response Integration & Optimization

Full response automation deployed. Containment and remediation workflows integrated. MTTR reached single-digit minutes. Internal team redeployed to threat hunting.

The most technically complex part of the deployment wasn't the AI configuration; it was building a unified data model from three separate telemetry streams that had never been designed to work together. The bank's environments across the three providers used different SIEM implementations, different alert taxonomies, and different asset inventory systems.

Alaris's data normalization layer ingested all three streams and built a single unified knowledge graph of the bank's environment. For the first time in the bank's history, every endpoint, user, and network flow was visible in a single system with consistent context. This unified visibility delivered value immediately, even before the AI reasoning layer was fully operational.

We expected the AI to be the hard part. The hard part was actually convincing three MSSP providers to share data in a format we could use. Once we had unified visibility, everything else followed naturally.

Director of Security Architecture, Anonymized Bank Client

The Results: Twelve Months Later

  • Alert Triage Automated: 95% (previously 0% automated)
  • Mean Time to Respond: 9 min (previously 6.2 hours)
  • Mean Time to Contain: 17 min (previously 4.7 hours)
  • False Positive Rate: 2.1% (previously 34%)
  • Annual Platform Cost: $3.3M (vs. $8.7M MSSP spend)
  • Critical Security Incidents: 0 (vs. 3 in the previous 18 months)

The financial outcome was significant but not the most important result. The bank's security posture fundamentally changed. In the 12 months since full deployment, there have been zero critical security incidents. This isn't because fewer attacks are being attempted; external threat intelligence shows that attack volumes targeting the bank have actually increased, consistent with industry trends. It's because the attacks that previously would have succeeded are being detected and contained in minutes rather than hours.

The Analyst Team Transformation

The bank's internal security team went from 8 analysts spending 70% of their time on provider coordination to 4 analysts spending their time almost entirely on threat hunting and security engineering. The four analysts who left the team did so voluntarily, taking senior positions at other organizations, a reflection of the increased capabilities they developed during the transition.

The remaining four analysts built and launched a formal threat hunting program that, in its first year, proactively identified and contained two advanced persistent threat (APT) campaigns that had not yet generated any detection alerts. Both campaigns were determined to be nation-state actors; neither campaign caused any data exfiltration.

We went from reacting to threats that were already inside our environment to finding and stopping threats before they became incidents. That shift, from reactive to proactive, is something I've been trying to achieve for fifteen years. It took removing the tier-1 bottleneck to make it possible.

CISO, Anonymized Bank Client

Technical Architecture: How It Works

For security architects considering a similar deployment, here's how the Alaris platform integrates with a complex multi-environment financial services infrastructure.

Data Ingestion and Normalization

Alaris ingested telemetry from 14 distinct data sources: endpoint EDR telemetry, three SIEM environments, cloud security posture management tools, identity and access management, network flow data, email security, web proxy logs, and multiple threat intelligence feeds. All data was normalized into a unified entity graph that maps relationships between users, devices, processes, and network flows.
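The normalization problem described here and in the deployment section above (three providers, three alert formats, three severity scales, no shared identity for a user) is easier to see in code. The following is an added illustration, not Alaris or bank code: the three sample alerts, their field names and their severity scales are constructed, and the entity graph is reduced to the one relationship (principal to region/host) needed to show why a cross-region handoff gap disappears once the feeds share a schema.

```python
import json
import re
from collections import defaultdict

# Constructed sample alerts, one per provider, each in its own format and severity scale.
PROVIDER_A = '{"event_id": 101, "hostname": "nyc-ws-0042", "user": "jdoe", "sev": "high", "desc": "Credential access attempt"}'
PROVIDER_B = 'ts=2026-01-14T09:12:03Z host=lon-srv-07 account=CORP\\jdoe severity=2 msg="Remote service creation"'
PROVIDER_C = '{"resource": "i-0abc123", "principal": "jdoe@corp.example", "level": "MEDIUM", "finding": "IAM policy change"}'

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # shared scale, 1 = low .. 4 = critical

def norm_user(raw):
    """Collapse CORP\\jdoe and jdoe@corp.example onto the same principal id 'jdoe'."""
    return raw.split("\\")[-1].split("@")[0].lower()

def parse_a(line, region="NA"):
    a = json.loads(line)
    return {"source": "A", "region": region, "host": a["hostname"],
            "user": norm_user(a["user"]), "severity": SEVERITY[a["sev"]], "title": a["desc"]}

def parse_b(line, region="EMEA"):
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    # Provider B counts severity 1 = critical .. 4 = low, so invert it onto the shared scale.
    return {"source": "B", "region": region, "host": kv["host"],
            "user": norm_user(kv["account"]), "severity": 5 - int(kv["severity"]),
            "title": kv["msg"].strip('"')}

def parse_c(line, region="CLOUD"):
    c = json.loads(line)
    return {"source": "C", "region": region, "host": c["resource"],
            "user": norm_user(c["principal"]), "severity": SEVERITY[c["level"].lower()],
            "title": c["finding"]}

def normalize_all():
    return [parse_a(PROVIDER_A), parse_b(PROVIDER_B), parse_c(PROVIDER_C)]

def build_graph(alerts):
    """Entity graph: principal -> set of (region, host) nodes seen across every provider."""
    graph = defaultdict(set)
    for alert in alerts:
        graph[alert["user"]].add((alert["region"], alert["host"]))
    return graph

def cross_region_users(graph):
    """Principals active in more than one region: the handoff gap no single silo could see."""
    return sorted(u for u, nodes in graph.items() if len({r for r, _ in nodes}) > 1)

if __name__ == "__main__":
    alerts = normalize_all()
    print("cross-region principals:", cross_region_users(build_graph(alerts)))
```

Each provider on its own sees one medium-to-high alert for a local user; only the merged graph shows the same principal active in NA, EMEA and the cloud at once.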

Behavioral Baseline Construction

For each of the 62,000 endpoints and approximately 48,000 user accounts, Alaris built individualized behavioral baselines across 90+ behavioral dimensions. Baseline construction completed within 72 hours for 90% of entities; the remaining 10% (including high-value targets with unusual access patterns) required manual review and augmentation.

Response Integration

Response actions are executed through the Alaris Unified Actions Framework, integrated with CrowdStrike for endpoint containment, Okta for identity actions (account suspension, MFA revocation), Palo Alto Networks for network-level blocking, and ServiceNow for incident management. All response actions require cryptographically signed audit trail entries.

  • Host isolation: average execution time 4.2 seconds from alert to containment
  • User account suspension: average execution time 3.8 seconds including MFA revocation
  • Network-level blocking: average execution time 6.1 seconds across all regional perimeter devices
  • Incident ticket creation: automatic, with full investigation context attached, average 0 analyst-minutes required
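The requirement above that every automated response action carry a cryptographically signed audit trail entry can be met with a hash-chained, HMAC-signed log. The following is an added example, not the Alaris Unified Actions Framework: the key, the action names and the timestamps are constructed, and it uses a symmetric HMAC where a production system would more likely use an asymmetric signature so that verifiers cannot also forge entries.

```python
import hashlib
import hmac
import json

# Constructed placeholder key for the demo; a real deployment would use a managed, rotated secret.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

def _sign(prev_sig, entry):
    """HMAC over the canonical JSON of the entry plus the previous signature (hash chain)."""
    payload = json.dumps(entry, sort_keys=True).encode() + prev_sig.encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

def append_action(trail, action, target, actor="automated-response", ts="2026-01-14T09:12:10Z"):
    """Record one response action; its signature covers the entry and the chain so far."""
    entry = {"seq": len(trail), "ts": ts, "actor": actor, "action": action, "target": target}
    prev = trail[-1]["sig"] if trail else "genesis"
    trail.append({**entry, "sig": _sign(prev, entry)})
    return trail

def verify_trail(trail):
    """Walk the chain; return (True, None) or (False, index of the first entry that fails)."""
    prev = "genesis"
    for i, rec in enumerate(trail):
        entry = {k: v for k, v in rec.items() if k != "sig"}
        if entry["seq"] != i or not hmac.compare_digest(_sign(prev, entry), rec["sig"]):
            return False, i
        prev = rec["sig"]
    return True, None

def demo():
    """Build a three-action trail, then edit one entry in place and re-verify."""
    trail = []
    append_action(trail, "isolate_host", "nyc-ws-0042")
    append_action(trail, "suspend_account", "jdoe")
    append_action(trail, "block_ip", "203.0.113.7")  # RFC 5737 documentation address
    before = verify_trail(trail)
    trail[1]["target"] = "someone-else"  # simulated tampering with a stored record
    return before, verify_trail(trail)

if __name__ == "__main__":
    print(demo())
```

Because each signature also covers the previous one and the sequence number, deleting or reordering entries is detected as well as editing them.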