Case Study

Turkcell Cyber Defence Center SOARs with Palo Alto Networks

The leading Turkish telecommunications provider, Turkcell, has standardised on the Palo Alto Networks Cortex XSOAR platform, enabling agile and efficient incident management within its multitenancy managed services security provider (MSSP) service. This innovative security orchestration, automation, and response (SOAR) solution streamlines end-to-end incident lifecycle for more than 100 managed security customers, using playbooks and unified visibility to increase productivity and drive business growth.

In brief




Telecommunications and technology services


Istanbul, Turkey



Organisation Size

More than 39 million customers


Turkcell was experiencing up to 300 alerts per day across its MSSP service. Each incident was managed manually, with a commensurate delay in the incident closure process. This was impacting customer incident notification service level agreements (SLAs).

    • Respond even faster to incidents, take action, and stay protected.
    • ­Free CDC team from workflow complexity to focus on other strategic tasks.
    • ­Scale CDC to support a fastgrowing number of clients and endpoints.
    • ­Monitor efficiency with detailed metrics and dashboards.

Palo Alto Networks Cortex XSOAR

Download PDF Share


Connecting Turkey, together

Turkcell is a converged telecommunication and technology services provider headquartered in Turkey. It serves more than 39 million customers with voice, data, TV, and value-added consumer and enterprise services on mobile and fixed networks.

In response to advanced cybersecurity threats and data privacy regulations such as the Turkish KVKK personal data law, Turkcell launched the Cyber Defence Center (CDC). Established seven years ago, the CDC comprises a team of 28 people tasked with planning, analysis, and incident response. Besides securing Turkcell’s internal operations, the CDC supports more than 100 enterprise customers on a fully managed or co-managed MSSP basis.

With more than 550 data sources, the CDC processes eight billion data logs every day. These are filtered down to three billion and then aggregated into 1.8 billion logs. These eight billion logs are filtered, aggregated, and correlated down to 400 million logs, which can result in up to 300 daily alerts requiring action.


Until recently, we sent incident notifications to CDC customers by email using manually created email templates. This process dramatically delayed our incident closure process. This, in turn, impacted our customer incident notification SLAs.

–Dr. Emin Islam Tatli, Director of Turkcell Cyber Security


Respond even faster to incidents

Faced with a growing number of MSSP clients and endpoints to manage, the Turkcell CDC needed to automate monitoring. The specific requirements were to:

  • Respond even faster to incidents, take action, and keep customers protected.
  • Free CDC team from workflow complexity to focus on strategic tasks.
  • Scale CDC to support a growing number of customers and endpoints.
  • Monitor efficiency with metrics and dashboards.


Our SOC analysts needed the flexibility to segment multitenant client data quickly and easily. Palo Alto Cortex XSOAR is scalable, flexible, and offers unified security automation. In my mind, it represents the ‘gold standard’ for security operations. It provides a vast number of pre-built integrations to get us started quickly. And we can add new tenants, hosts, and customers to Cortex XSOAR quickly and easily.

–Dr. Emin Islam Tatli, Director of Turkcell Cyber Security


Modern, agile security orchestration and automation

Turkcell deployed Palo Alto Networks Cortex XSOAR in the CDC to deliver modern, agile security orchestration, automation, and response. The platform unifies alerts and incidents from almost any customer source on a single system for lightning-quick search, query, and investigation.

The initial deployment of Cortex XSOAR took approximately one week.

“The speed of the system is remarkable,” says Cihan Yuceer, Cyber Defence Center Associate Director, Turkcell. “We can automate multiple incident tasks in just a few clicks, such as blocking URLs on a proxy or blocking IPs on a firewall. Using the Cortex XSOAR search tool, our analysts can notify customers immediately and accelerate the investigation process.”

The multitenancy support is also vital in this MSSP scenario. “Customer data is separated into individual hosts and tenants, although we have a single view of every tenant. We can manage alerts whatever the source, take action on threat intelligence, and automate response for any type of customer situation,” says Yuceer. Security information and event management (SIEM) data from MSSP customers is integrated directly into Cortex XSOAR. Yuceer continues, “XSOAR complements SIEM for incident response. Connecting the two supports the selection of the best workflow to respond to the incident. XSOAR automates the execution of the workflows that respond to the incident, significantly reducing our response time.”

Playbook automation is also helping to standardise processes and reduce the mean time to repair (MTTR). “For all incidents, we use one custom playbook,” says Yuceer. “It orchestrates the most critical tasks such as formatting incidents or customer email notifications. We have XSOAR incident reminders and incident closure playbooks as part of the security operations service. Using these playbooks, we are closing the incident handling process without any analyst intervention.”


The speed of the system is remarkable. We can automate multiple incident tasks in just a few clicks, such as blocking URLs on a proxy or blocking IPs on a firewall. Using the Cortex XSOAR search tool, our analysts can notify customers immediately and accelerate the investigation process.

–Cihan Yuceer, Cyber Defence Center Associate Director, Turkcell

For the managed service customers, this security automation is transparent. They can opt to receive periodic reports via Cortex XSOAR, but need not use it to view incidents, receiving notification via email instead. Comanaged customers have the option to monitor their dashboards and reports - and even watch their incidents in real time - via Cortex XSOAR. “It’s all about letting them focus on what matters, while the CDC takes care of their security,” says Yuceer. To support Turkcell’s resilient cybersecurity vision, Turkcell team has also developed the BOZOK Cyber Threat Intelligence (CTI) platform, which includes data leakage, brand protection, and vulnerability modules.


Automating responses to 47% of incidents

Cortex XSOAR is transforming the way the Turkcell MSSP service manages customer security. The benefits include:

  • Reduced MTTR: Pre-built and customer playbooks enable the team to standardise actions and reduce MTTR, enforcing processes across use cases and between teams with ease.
  • Valuable MSSP selling proposition: The platform is a valuable differentiator during MSSP sales negotiations. Tatli explains, “The multitenancy, data separation, and ready-to-use integration features are real differentiators for the MSSP service. Bundling our bespoke ‘Dbot’ threat intelligence service with Cortex XSOAR creates a real advantage against our competitors.”
  • Complete automation: A broad range of Cortex XSOR integrations and content packs across different security use cases make it easier for Turkcell to orchestrate and automate incident response workflows and processes across the MSSP environment.
  • Scalable security automation: The Turkcell MSSP service currently supports 100+ customers and is growing fast. Cortex XSOAR enables the team to create playbooks and enforce policy at both the controller and tenant levels, allowing the CDC to quickly onboard new customers, offer different levels of service, and expand into additional management options. Moreover, threat intelligence can be tied to incidents in real time and distribution automated to enforcement points at scale.


We are automating 47% of incident responses using Cortex XSOAR. By connecting case management, the CDC manages alerts across all sources, standardises processes with playbooks, and responds automatically - increasing analyst productivity and freeing time for more strategic tasks. All security incidents are managed from one location.

–Ozan Karaduman, Technical Team Lead, Cyber Defence Center, Turkcell

Visit us online to discover how Palo Alto Networks Cortex XSOAR can help automate opportunities for your organisation.