CASE STUDY

From 3-Day Breach Discovery to 10-Minute Detection on a 24/7 Betting Platform

Background

Our customer is a licensed iGaming operator running a production casino environment that accepts bets 24 hours a day, every day of the year. When the partnership with UnderDefense began in 2019, security monitoring covered only the production environment, and only during business hours of 8 hours a day, 5 days a week. The corporate segment sat outside SOC coverage entirely, with one internal engineer responsible for it alongside other duties.

For a regulated operator processing live wagers around the clock, this model left two structural gaps in coverage. Every night, the SOC was offline, and every weekend it was offline for two full days. The corporate segment had no continuous monitoring at any time, regardless of the SOC schedule.

In December 2020, the consequences of those gaps became concrete. Over the holiday period, the corporate segment was compromised. With monitoring inactive on that segment and staffing reduced for the break, the intrusion remained undetected for three days before anyone noticed the signal. By that point, an attacker had been operating inside the corporate network for the entire weekend without a single alert reaching a human analyst.

The Challenge

The iGaming company needed to close three operational problems at once, and it needed to do so without adding internal headcount.

First, the SOC had to move from 8×5 to 24×7 coverage so that production alerts on a live betting platform were triaged every hour of every day, including holidays.

Second, the corporate segment had to be pulled under the same monitoring umbrella as production, eliminating the single-engineer dependency that had failed in December 2020.

Third, as the company invested in new detection tooling over the following years, every new platform had to be onboarded into the SOC quickly and feed into one operational view, instead of fragmenting analyst attention across five separate consoles.

A licensed iGaming operator carries regulatory exposure on top of standard business risk. A multi-day undetected intrusion on production would translate directly into license, payout, and reputational consequences. The detection window had to drop from days to minutes, and it had to stay there during weekends and public holidays when attacker activity typically peaks.

Challenges, Key Results, and Outcomes of the Security Upgrade for a Leading iGaming Company

About the client

Industry: iGaming

Technologies and Tools: UnderDefense MAXI Platform, 5 integrated security platforms across production and corporate environments

Key Results

  • 10-minute detection on a live production attack, replacing the 3-day discovery window that exposed the corporate segment in 2020
  • 24×7 SOC coverage extended to both production casino and corporate IT in a single contract change, with zero internal hiring required
  • 5 security platforms unified into one operational view inside MAXI, with one ownership model and one set of SLAs
  • 4,500+ alerts processed per month, with 94.5% triaged or filtered upstream before reaching the customer’s team
  • 250+ confirmed incidents per month moved into response and picked up against defined SLAs
  • Predictable triage windows tied to priority: 15 minutes for P1, 30 minutes for P2, 2 hours for P3, 4 hours for P4
  • Holiday and weekend coverage gap eliminated from the operating model

The Solution

After the December 2020 incident, the iGaming company shifted to 24×7 SOC coverage with UnderDefense and consolidated the corporate segment under the same monitoring umbrella as production. Both changes happened inside a single contract update, with no new internal headcount required on the customer side.

Over the following years, as the customer expanded its detection stack, UnderDefense onboarded each new platform into the SOC within weeks of acquisition. From 2024 onward, all connectors were unified inside the MAXI platform. MAXI became the single operational view across the full estate, showing alerts, incidents, ownership status, and SLA adherence in one place for both the customer’s team and UnderDefense analysts.

Recent production incident timeline

A recent attack on the production environment shows how the operating model performs today:
  • 03:01 – Attack activity begins in the production casino environment
  • 03:11 – First alert raised in MAXI (10 minutes from first attacker move)
  • 03:36 – Initial triage complete (25 minutes from first alert)

Compared to the 3-day discovery window of the 2020 corporate incident, attackers on the production estate are now detected approximately 1,000 times faster. The same response posture applies to the corporate environment, which previously had no continuous coverage at all.

Signal-to-noise model

The MAXI platform processes more than 4,500 alerts per month across the five integrated security platforms. Analyst review combined with MAXI automation filters 94.5% of those alerts upstream, before they ever reach the customer’s incident queue. The remaining 5.5% (approximately 250 incidents per month) are confirmed events that move into response and are picked up against severity-based SLAs.

Response SLAs
  • P1 · Critical: ≤ 15 min
  • P2 · High: ≤ 30 min
  • P3 · Medium: ≤ 2 hrs
  • P4 · Low: ≤ 4 hrs

Reporting cadence

Weekly review meetings cover incident volume, filtering ratios, SLA adherence, and tuning recommendations. Monthly reporting gives the customer’s security leadership a documented view of platform health, incident throughput, and coverage across all monitored sources.

Outcomes

Working with the iGaming company across six years of partnership, UnderDefense delivered four operational shifts that the customer’s CISO can point to directly:
  1. Coverage without hiring.
    Adding 24×7 monitoring on the corporate segment, on top of production, required zero new internal headcount at the iGaming company. The operating model absorbed the additional scope through the existing UnderDefense engagement.
  2. One queue across all sources.
    The detection signal from five security platforms feeds into MAXI as a single stream. The customer’s team works against one ownership model, one set of SLAs, and one weekly review cycle, regardless of which underlying tool generated the alert.
  3. Predictable response times.
    Every incident has a defined triage window tied to its severity. Monthly reporting shows SLA adherence alongside alert volume filtered and incidents handled, giving leadership a measurable view of SOC performance.
  4. Holiday and weekend coverage, solved.
    The 2020 gap that allowed a 3-day undetected intrusion no longer exists in the operating model. Production casino and corporate IT are both covered every hour of every day of the year.

How UnderDefense MAXI Builds Ultimate Security for iGaming Operators

A 24/7 betting platform cannot afford detection windows measured in days. Licensed iGaming operators carry regulatory exposure that compounds with every hour an intrusion stays undetected, and attacker activity does not pause for holidays or weekends.

UnderDefense MAXI consolidates detection signals from across the security stack into a single operational view, with analyst-led triage and automated filtering keeping the incident queue actionable. For our iGaming customer, this translated into a 10-minute detection window on live production attacks and a unified queue across five integrated platforms, delivered without expanding the internal team.

When your platform never closes, your monitoring shouldn't either.