11.06.2026

Why do companies often overestimate their IT readiness?

There are 8 billion people in the world, but 18 billion connected IoT devices. Each of them can be a potential door for an attacker.

In many companies, IT readiness is judged by gut feeling: email works, the internet is available, systems mostly run, and users somehow manage. From the outside, this may look good enough. But in Datakom’s daily work, we see a different picture. The SOC services currently offered in the market also show, again and again, that the understanding of what a SOC is varies widely.

A typical situation in Baltic companies in 2025 looks like this:

  • Only XDR is used. Data collection is limited, and visibility stops at endpoints. What happens in the network, cloud, or identity layer remains invisible.
  • There is no SIEM and no event correlation. Each alert is reviewed separately. An attack that appears as ten “normal” events across different systems is not recognized as one coordinated threat.
  • Detection is weak. Without the MITRE ATT&CK framework, UEBA analysis, and AI support, many modern attack methods remain unnoticed because they do not match the “classic” alert model.
  • There is no automation. When an alert appears, every step is handled by a person. At night, on weekends, and during holidays, response time stays the same.
  • The SOC is only partial, not 24/7. Attackers know this. Many ransomware attacks are activated on Friday evenings and before holidays for this exact reason.
  • There is no NIS2 compliance, SLA, or KPI. This means the company cannot prove to regulators, management, or clients that security is being actively managed.

This is not just theory. It is what we see in practice, and it reflects the approach of many players in the Baltic market, with some exceptions. It means one thing: the systems “work”, but the company is not protected.

IBM’s 2025 study, which covers more than 600 organizations, confirms this with numbers: on average, a company detects a security breach after 158 days. In almost five months, an attacker can move freely through systems, collect data, and prepare the next step, while the IT team believes everything is fine.

Worry-free IT maintenance: the security foundation that is often forgotten

When people talk about cybersecurity, attention usually goes straight to technology: EDR, SIEM, XDR, firewalls. But there is a basic principle that is often ignored: a properly maintained and configured IT environment is less vulnerable.

This is where ITSM, or IT service management, comes in. It is not just a bureaucratic process. It is the first line of defense for security.

In practice, this means systems are kept patched and up to date, access rights are correctly configured, and the infrastructure is documented. Such an environment has a smaller attack surface from the start.

Attackers look for the easiest paths: unpatched vulnerabilities, forgotten user accounts with too many permissions, and systems that the IT team has “forgotten” about.

The ENISA 2025 European threat landscape report confirms this. Attackers start actively exploiting new vulnerabilities within days of public disclosure, often before the vendor has prepared a fix. In an organization where software updates are not a structured process, this window stays open for weeks.

Within the worry-free service, the most important security components are:

  • Change management
    Every infrastructure change is documented, assessed, and approved. Unauthorized changes are one of the earliest indicators of an attack.
  • Asset management
    You cannot protect what you do not know you own. Unlisted devices and systems are blind spots.
  • Access management
    Accounts left active after employees leave, excessive administrator rights, and shared passwords are not only technical issues. They are process issues.
  • Incident management
    A structured process ensures that incidents are recorded, analyzed, and used to improve protection instead of being forgotten after the immediate problem is solved.

SOC and ITSM are not competing solutions. They depend on each other.

SOC shows what is happening in real time. Worry-free IT maintenance ensures that the environment being monitored by the SOC is properly managed and documented. Without this connection, a SOC analyst cannot quickly understand whether a specific system change is authorized or a sign of an attack.
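As an added example (not Datakom’s tooling or any product’s code) of the two points above, the cross-layer correlation the SIEM section describes and the authorized-change check that ITSM makes possible: per-host events from identity, endpoint and network telemetry are grouped into one session, and a configuration change is treated as benign only when an approved change ticket covers it. All events, hostnames and the ticket id are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
ts = datetime.fromisoformat
# Constructed sample events (not real data): three layers each see one "normal" event.
EVENTS = [
    {"ts": "2025-11-07T21:02:10", "src": "identity", "host": "srv-fin01", "action": "login_success"},
    {"ts": "2025-11-07T21:05:31", "src": "endpoint", "host": "srv-fin01", "action": "new_service"},
    {"ts": "2025-11-07T21:09:12", "src": "network", "host": "srv-fin01", "action": "outbound_transfer"},
    {"ts": "2025-11-07T10:00:00", "src": "endpoint", "host": "srv-web02", "action": "new_service"},
]
# Constructed change-management records from the ITSM side (hypothetical ticket id).
APPROVED_CHANGES = [
    {"ticket": "CHG-0001", "host": "srv-web02", "action": "new_service",
     "start": "2025-11-07T09:00:00", "end": "2025-11-07T12:00:00"},
]
CHANGE_ACTIONS = {"new_service"}  # event types that represent a configuration change

def authorized_change(event, changes=APPROVED_CHANGES):
    """Return the ticket of an approved change window covering this event, else None."""
    for c in changes:
        if (c["host"] == event["host"] and c["action"] == event["action"]
                and ts(c["start"]) <= ts(event["ts"]) <= ts(c["end"])):
            return c["ticket"]
    return None

def assess(host, session):
    """A session is an incident if it spans 2+ layers or holds an unticketed change."""
    layers = {e["src"] for e in session}
    unauthorized = [e for e in session if e["action"] in CHANGE_ACTIONS and not authorized_change(e)]
    if len(layers) >= 2 or unauthorized:
        return [{"host": host, "layers": sorted(layers), "events": len(session),
                 "unauthorized_changes": len(unauthorized)}]
    return []

def correlate(events=EVENTS, window=timedelta(minutes=30)):
    """Group events per host into sessions (gap between consecutive events <= window)."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        session = []
        for e in evs:
            if session and ts(e["ts"]) - ts(session[-1]["ts"]) > window:
                incidents += assess(host, session)
                session = []
            session.append(e)
        incidents += assess(host, session)
    return incidents
```

Run on its own, `correlate()` reports one incident on srv-fin01 spanning all three layers with one unticketed change, while the ticketed change on srv-web02 produces nothing.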

SOC is not a product. It is a process and a set of technologies!

A simplified understanding dominates the market: “we will install SIEM” or “we will buy EDR/XDR”, and then SOC is ready. This may be the most dangerous misconception we see among potential clients.

SIEM and XDR provide visibility. They are not SOC.

SIEM collects and correlates events. XDR protects endpoints and detects threats. They are necessary, but they are not enough.

By itself, SIEM is only a log system with search functions. XDR without context generates alerts that no one processes.

A real SOC is a combination of processes, people, and technologies working together. It answers the question: do we understand what is happening in our environment right now, and can we respond tonight, at this exact moment?

Modern attacks test exactly that.

More than 80% of phishing campaigns in Europe now use AI-generated content. These attacks are more accurate, more personalized, and harder to recognize than ever before.

Supply chain attacks remain unnoticed for an average of 267 days.

Ransomware operators intentionally activate attacks at night and before holidays because they know most organizations do not have active monitoring during those times.

Against these cyber threats, it is not enough to have technology that was installed two years ago and has not been touched or improved since. An active process is needed.

Datakom SOC is built around eight functional pillars. Together, they cover the full attack lifecycle, from Initial Access to Exfiltration, based on the MITRE ATT&CK framework. If one pillar is missing, it creates a blind spot that attackers can use.

  1. EDR / XDR — endpoint and extended detection
    This is the foundation. Palo Alto Cortex XDR combines endpoint, network, and identity telemetry in one analysis platform.
    This is Datakom’s existing operational base. The role of the other seven pillars is to expand and strengthen it.
  2. SIEM — unified data collection and correlation
    Microsoft Sentinel or Elastic SIEM collects events from all sources: endpoints, cloud, identity, network, and OT.
    Correlation helps detect attack patterns that separate systems would not see on their own. Without SIEM, XDR sees only part of the picture.
  3. SOAR — automated response
    Playbook-based automation ensures that critical actions, such as isolating a device, blocking an account, or escalating an incident, happen in seconds, not minutes or hours.
    SOAR is the difference between “we noticed it” and “we contained it”.
  4. IAM — identity and access management
    Most attacks use compromised identities, not technical vulnerabilities.
    The IAM pillar ensures that SOC can see every authentication attempt, privilege escalation, and unusual access pattern, and can respond before damage is done.
  5. DLP — data loss prevention
    The final stage of an attack is data exfiltration.
    DLP monitors the movement of sensitive data to external locations, cloud services, and removable storage devices.
    Without DLP, SOC may detect an attack but not understand what the attacker has already taken.
  6. WAF — web application protection
    Public applications are one of the most common initial access vectors.
    The WAF pillar protects web applications and APIs in real time, blocks OWASP Top 10 attacks, and provides visibility into who is accessing public services.
  7. Vulnerability management — proactive risk reduction
    SOC responds to what has happened. Vulnerability management helps prevent it from happening.
    Regular scanning, CVSS-based prioritization, and patch management recommendations reduce the attack surface before attackers find it.
    Remember: ENISA data shows that vulnerabilities are exploited within days after public disclosure.
  8. Threat Intelligence — context that makes everything else more effective
    Threat intelligence from sources such as Unit 42, MISP, and CERT.LV helps SOC understand what is happening in the Baltics and globally.
    It shows which attackers are active, what methods they use, and which industries are being targeted.
    Without context, an alert is only noise. With context, it becomes a signal for action.

Together, these eight pillars form what Datakom calls a complete SOC. It is not a technology installation. It is a live defense process that operates continuously and develops together with the threat landscape.


We need to ask ourselves:

  • Do we know which systems are critical, and are they up to date?
  • Do we have a documented IT environment and change history?
  • Do we know who has access to which systems today, at this moment?
  • How many days pass before we notice unusual activity in our networks?
  • If a data leak happened today, would we discover it ourselves, or would we hear about it from a third party?
  • Do we have a plan for what to do in the first 72 hours after an incident?
  • Does our security management meet NIS2 requirements?

The answers to these questions show not only the company’s current IT readiness, but also how seriously it treats its risks and its responsibility toward clients, partners, and regulators.

IT readiness is not a fixed state. It is a process, just like SOC and ITSM.

That process either happens consciously, with structure and clear goals, or it does not happen at all.

Author:
Artūrs Filatovs
Security Solutions Product Manager
