True Security Company

🧾Abbreviations and Terminology Explanations Table

| Abbreviation | Full English term | Explanation |
|---|---|---|
| SOC | Security Operations Center | A security operations center responsible for 24/7 monitoring, detecting, and responding to cybersecurity incidents. |
| AI | Artificial Intelligence | Technology that enables computers to simulate human thinking and learning, and to automate security processes. |
| XDR | Extended Detection and Response | A unified solution that collects and correlates data from multiple sources (endpoint, network, email, cloud) for broader threat detection and response. |
| SOAR | Security Orchestration, Automation and Response | A platform that automates incident response, reducing manual workload for SOC teams. |
| SIEM | Security Information and Event Management | A system that collects, analyzes, and alerts on security logs and events. |
| MTTD | Mean Time to Detect | The average time taken to detect a security threat. |
| MTTR | Mean Time to Respond / Resolve | The average time taken to respond to or fully resolve a security incident. |
| IAM | Identity and Access Management | Manages user identities and access rights within an organization. |
| SSO | Single Sign-On | A login mechanism allowing access to multiple applications with a single set of credentials. |
| CTEM | Continuous Threat and Exposure Management | Continuous risk-based management helping SOCs prioritize real threats and exposures. |
| UEBA | User and Entity Behavior Analytics | Analyzes user and entity behavior to detect anomalies and insider threats. |
| LLM | Large Language Model | A type of AI capable of understanding and generating natural language (e.g., GPT-5). |
| AGI | Artificial General Intelligence | A general form of AI capable of understanding and learning like humans. |
| ROI | Return on Investment | A measure of investment efficiency or profitability for SOC or security technologies. |
| DORA | Digital Operational Resilience Act | An EU regulation requiring financial institutions to ensure resilience and report incidents within 24–72 hours. |
| NIS2 | Network and Information Security Directive 2 | An EU cybersecurity directive applying to critical sectors, requiring incident reporting within 24 hours. |
| SEC | Securities and Exchange Commission | The U.S. agency requiring disclosure of significant cybersecurity incidents within four days. |
| SLA | Service Level Agreement | A service contract defining performance commitments such as response and recovery times. |
| PDPL | Personal Data Protection Law | Vietnam’s 2023 data protection law requiring organizations to report data breaches. |
| GRC | Governance, Risk and Compliance | An integrated management framework ensuring alignment of security, risk, and compliance efforts. |
| MSSP | Managed Security Service Provider | A company providing outsourced security operations and SOC services for other organizations. |
| APT | Advanced Persistent Threat | A sophisticated and persistent attack, often conducted by organized threat groups. |
| VPN | Virtual Private Network | A secure connection over the Internet that can also be exploited if vulnerabilities exist. |
| OT | Operational Technology | Control systems used in industrial environments (factories, SCADA, PLCs, etc.). |
| IT | Information Technology | Computer systems, networks, and data infrastructure within an organization. |
| SCADA | Supervisory Control and Data Acquisition | An industrial system for monitoring and collecting operational data. |
| PLC | Programmable Logic Controller | A programmable device used to control machinery in industrial environments. |
| DDoS | Distributed Denial of Service | A distributed attack that disrupts systems or services by overwhelming them with traffic. |
| MFA | Multi-Factor Authentication | An authentication method adding multiple verification layers to enhance login security. |
| CISO | Chief Information Security Officer | The executive responsible for cybersecurity strategy and operations. |
| CMDB | Configuration Management Database | A database storing configuration and asset information of IT systems. |
| S3 / Blob | Simple Storage Service / Binary Large Object Storage | Cloud storage services (e.g., AWS, Azure) commonly used in cloud-based systems. |
| API | Application Programming Interface | A set of definitions and protocols that allow different software systems to communicate. |
| Zero Trust | Zero Trust Security Model | A “never trust, always verify” security model requiring continuous authentication and access validation. |

Introduction

The Security Operations Center (SOC) plays a central role in an enterprise’s cybersecurity defense. In Vietnam, major organizations in the banking, telecommunications, manufacturing, and retail sectors are gradually establishing SOCs to enable 24/7 monitoring and timely incident response. In 2023, Vietnam recorded an average of 1,160 cyberattacks per month against organizations — a 9.5% increase compared to 2022 [1]. The primary targets included government agencies, banking systems, financial institutions, industrial systems, and critical infrastructure [1]. Notably, more than 95% of phishing attacks targeted banks and financial organizations amid their rapid digital transformation [2]. These figures highlight the urgent need for an effective SOC capable of early detection and swift response to cyber threats.

However, the implementation of SOCs in Vietnamese enterprises faces several internal challenges. Common difficulties include a shortage of skilled personnel and budget constraints, a lack of supporting tools and technologies, complex cross-departmental coordination, and the need to ensure regulatory compliance [3]. Nevertheless, new opportunities are emerging as next-generation SOC technologies—such as artificial intelligence, automation, and XDR—promise to reduce alert fatigue, shorten response times, and enhance compliance. This report provides a detailed analysis of the key SOC trends observed over the past three years (2023–2025), including: the roadmap toward an “automated SOC” integrated with exposure management; SOC optimization for cloud and identity environments; measurement of SOC ROI through MTTD/MTTR before and after adopting unified platforms (XSIAM/Open-XDR) and automation; and the design of multi-standard compliance reporting processes (SEC, DORA, NIS2) integrated into SIEM/XDR systems. Each topic is analyzed within the broader context and linked to four critical sectors: banking, telecommunications, manufacturing, and retail.

“Autonomous SOC” Maturity Roadmap and Exposure Management

The Autonomous SOC represents a vision of a security operations center capable of detecting, investigating, and responding to threats almost automatically, minimizing human intervention. According to the Autonomous SOC Maturity Model proposed by SentinelOne (2024), the evolution process consists of five levels, ranging from Manual to High Autonomy [4].

  • Level 0 – Manual Operations: Most security operation processes are performed manually. For example, a firewall alert requires analysts to manually collect logs from multiple sources and perform isolation or blocking actions themselves [4]. This model is slow and prone to missing complex attacks.
  • Level 1 – Rules-Based Operations: Correlation rules are introduced to aggregate alerts from multiple sources for higher accuracy. SOAR tools are also implemented to partially automate investigation and response, reducing manual workload [4]. However, human analysts must continuously fine-tune these rules to adapt to emerging threats.
  • Level 2 – AI-Assisted Operations: Artificial Intelligence (AI) and Machine Learning are integrated into the SOC to overcome the limitations of static rules. The system uses AI to automatically adjust detection thresholds based on feedback, reducing false alarms [4]. AI-powered virtual assistants can support natural language queries and threat hunting, helping analysts save time (for example, asking “Are there any unusual login attempts?” and the AI automatically finding the answer) [4].
  • Level 3 – Partial Automation: This stage moves closer to full automation. AI systems leveraging Large Language Models (LLMs) can predict new attack patterns and automatically generate corresponding detection rules [4]. AI can also autonomously execute low-risk responses (such as creating tickets or forcing user re-authentication) without waiting for human intervention [4]. Human analysts primarily act as supervisors, handling high-risk decisions or complex scenarios.
  • Level 4 – High Autonomy: This represents the anticipated future stage, where the SOC operates almost entirely autonomously. Advanced AI systems—potentially approaching Artificial General Intelligence (AGI)—can automatically detect, analyze, and respond to all threats continuously, 24/7 [4]. The human role is primarily strategic direction and periodic oversight. In this hypothetical state, AI can independently handle incidents – from detecting infections to isolating compromised machines, revoking leaked credentials, and updating firewall rules—all without immediate expert intervention [4].

Currently, most enterprises remain at Levels 0–2, while achieving Levels 3–4 remains a long-term goal. However, the roadmap suggests a “step-by-step” approach: start by automating small tasks, adopt AI-assisted analysis, and gradually move toward greater automation as technologies mature [4]. In Vietnam, major banks and telecommunications corporations are likely operating at Levels 1–2, already utilizing SIEM, SOAR, and some machine learning for anomaly detection. The next goal is to further integrate AI (such as security virtual assistants) to accelerate incident handling and reduce reliance on scarce cybersecurity experts – an effective way to address the shortage of skilled personnel.

Exposure Management is a crucial complementary element in modern SOCs, integrating asset risk context into the incident response process. Instead of merely “firefighting” each alert, a SOC should understand the system’s level of exposure to threats: which assets are vulnerable, how valuable they are, and which attack paths are most likely. Integrating this data into playbooks allows prioritization of truly critical alerts while automatically ignoring low-risk ones, thereby reducing workload and focusing resources more effectively. Gartner emphasizes that incorporating exposure data into SOC workflows enables security teams to identify “what truly matters,” fine-tune detection rules based on business risk, and significantly reduce false positives and alert fatigue [5]. Specifically, Gartner’s 2025 report recommends developing a detection lifecycle based on real exposure data rather than isolated use cases, enabling SOCs to “prioritize by actual risk, reduce alert fatigue, and minimize unnecessary log collection” [5].

In practice, many organizations are “drowning” in alerts but do not know which ones deserve attention. Under the Continuous Threat and Exposure Management (CTEM) approach, SOCs not only look at events that have occurred but also assess why an event is dangerous—linking it to system weaknesses and business impact [6]. The CTEM approach shifts SOCs from reactive to proactive: instead of handling individual, isolated alerts, SOCs continuously map potential attack paths to critical assets, evaluate the effectiveness of controls, and remediate vulnerabilities before they are exploited [6]. The result is a significant reduction in irrelevant alerts and increased alert accuracy, as each alert is tied to validated risk context [6]. For example, integrating vulnerability data and asset value into the SIEM allows the SOC to immediately determine whether an intrusion alert affects a critical server, enabling proper prioritization. Gartner provides an example: knowing that an endpoint generating an alert lacks endpoint protection or belongs to a critical system helps prioritize its handling more quickly—thereby significantly reducing MTTD and MTTR while improving SLA compliance [5].

Integrating exposure management into the playbook also paves the way for safer automated responses. When the SOC has enough context (Is the asset critical? Are there existing vulnerabilities? Are accounts exposed?), the AI system can act with greater confidence. For example, if malware is detected on a sensitive data server with an unpatched vulnerability, the XDR system can automatically isolate the server or revoke access without waiting for an analyst, as the context indicates high risk and the need for urgent action. Conversely, if an alert comes from a less critical workstation that has been fully patched, the system can automatically close the alert after a supplemental scan, avoiding unnecessary human intervention. A Rapid7 report on integrating Exposure Management emphasizes the need for two-way interaction between threat detection and vulnerability management: exposure data helps SOCs prioritize and detect more effectively, while information from the SIEM (such as lateral movement alerts) should also feed back into risk management systems to reassess vulnerability priorities [5]. This feedback loop, combined with automated playbooks, helps accelerate response and minimize risk: for instance, when a critical vulnerability is found on a server under lateral attack, the automated workflow can immediately escalate the alert level or trigger a response without waiting for manual verification [5].
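The two playbook branches just described (auto-isolate a critical, vulnerable server; auto-rescan and close on a patched, low-value workstation) and the feedback loop back into vulnerability management can be expressed as a small triage routine. The following is an added illustration, not code from the original report or from any vendor platform it cites; the asset inventory, the alerts, the scoring weights and the `CVE-PLACEHOLDER-0001` identifier are all constructed assumptions.

```python
"""Exposure-aware alert triage: an added illustration that is not code from the
original report or from any vendor platform it cites. The asset inventory, the
alerts and the scoring weights below are constructed assumptions."""
from dataclasses import dataclass

# Constructed asset context, as a CMDB / exposure-management feed would provide it.
ASSETS = {
    "db-prod-01":    {"criticality": "high",   "edr_installed": True,
                      "unpatched_critical_cves": ["CVE-PLACEHOLDER-0001"]},
    "ws-finance-17": {"criticality": "low",    "edr_installed": True,
                      "unpatched_critical_cves": []},
    "jump-ops-03":   {"criticality": "medium", "edr_installed": False,
                      "unpatched_critical_cves": []},
}
CRITICALITY_SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    host: str
    kind: str           # e.g. "malware", "lateral_movement", "port_scan"
    base_severity: int  # 1..3 as emitted by the detection tool


def exposure_score(alert, assets=ASSETS):
    """Detection severity plus asset-exposure context (weights are assumptions)."""
    asset = assets.get(alert.host)
    if asset is None:
        # No context at all: treat as elevated so an analyst looks at it.
        return alert.base_severity + 2
    score = alert.base_severity + CRITICALITY_SCORE[asset["criticality"]]
    if asset["unpatched_critical_cves"]:
        score += 2          # known, unpatched critical weakness on the host
    if not asset["edr_installed"]:
        score += 1          # no endpoint protection: less visibility, less containment
    if alert.kind == "lateral_movement":
        score += 1          # the attacker is already moving, so time matters
    return score


def decide(alert, assets=ASSETS):
    """Map the score to the playbook branch described in the text."""
    if alert.host not in assets:
        return "escalate_to_analyst"          # never automate on an unknown asset
    score = exposure_score(alert, assets)
    if score >= 7:
        return "auto_isolate_and_escalate"    # high-value host with a real weakness: contain now
    if score >= 5:
        return "escalate_to_analyst"
    return "auto_rescan_then_close"           # patched, low-value host: no human needed


def feedback_to_vuln_mgmt(alert, assets=ASSETS):
    """Reverse direction of the loop: detection context re-prioritises vulnerabilities."""
    asset = assets.get(alert.host)
    if asset is None or alert.kind != "lateral_movement":
        return []
    return [(cve, "raise_priority") for cve in asset["unpatched_critical_cves"]]


if __name__ == "__main__":
    for a in (Alert("db-prod-01", "malware", 3),
              Alert("ws-finance-17", "malware", 2),
              Alert("jump-ops-03", "lateral_movement", 2),
              Alert("unknown-host", "malware", 3)):
        print(a.host, a.kind, exposure_score(a), decide(a), feedback_to_vuln_mgmt(a))
```

The thresholds are deliberately conservative in one direction: an alert on a host the CMDB does not know is never auto-closed, because the whole point of the approach is that automation is only safe when the context is present.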

In summary, the trend toward an “automated SOC” requires organizations to gradually modernize their SOCs through progressive maturity levels while closely integrating continuous exposure management. In Vietnam, major banks and large enterprises have begun deploying SOAR, XDR, and similar systems—forming the foundation for a future automated SOC. The benefits are evident: reducing alert fatigue by up to 95% (according to several AI-powered SOC platforms) [7], eliminating repetitive tasks, and allowing scarce security personnel to focus on critical incidents. Experts also recommend that Vietnamese organizations implement 24/7 cybersecurity monitoring systems, collect comprehensive system logs (retained for at least six months), and maintain dedicated personnel (or outsource managed services) to ensure timely detection and response to incidents [1]. These are the essential first steps toward building a modern, automated, and proactive SOC capable of preventing and mitigating cyberattacks.

Optimizing SOC for Cloud and Identity: Detecting SSO Abuse, Credential Stuffing, and Data Anomalies

Along with digital transformation, cloud computing and SaaS services are increasingly adopted by Vietnamese enterprises. Consequently, Identity and Access Management (IAM) has become a critical line of defense, as user accounts can serve as a “master key” for attackers if compromised. The 2024–2025 threat landscape highlights a sharp rise in identity-based attacks: according to Mandiant’s M-Trends 2025 report, “stolen credentials have become the second most common initial intrusion vector,” following only exploits, in attacks recorded during 2024 [8]. Particularly in cloud environments, data shows that 35% of cloud breaches begin with the use of stolen credentials, nearly matching phishing at 39% [8]. This surge is fueled by the proliferation of information-stealing malware (infostealers) and leaked account data on underground markets, which provide ample material for credential stuffing attacks [8].

A typical attack example highlighted in M-Trends 2025 is the UNC3944 group. This group specializes in taking over user accounts through social engineering (calling under the guise of IT support to reset passwords and bypass MFA) and then exploiting Single Sign-On (SSO) functionality to expand their intrusion [8]. Specifically, once they obtain an account, UNC3944 links it to all applications integrated with SSO, allowing access to a wide range of cloud and SaaS services used by the organization [8]. The group also leverages SSO privileges to create new virtual machines on the cloud infrastructure (for subsequent operations) and adds their accounts to privileged groups, gaining access to multiple other SaaS applications [8]. With just a single SSO account compromise, attackers effectively gain a key to nearly the entire system—Mandiant describes this as a “windfall” for hackers, because centralized IAM platforms can grant wide-ranging privileges that previously would have required laborious lateral movement from one machine to another [8]. The emerging trend is that attackers are “skipping” traditional on-premises intrusion methods (e.g., compromising individual servers to reach domain admin) and instead targeting centralized management systems such as SSO or identity access gateways to take shortcuts [8].

In response to this situation, modern SOCs must prioritize close monitoring of login activity, access privileges, and data behavior across cloud environments. Key measures to optimize SOC for cloud and identity include:

  • Monitoring Login and SSO Anomalies: Behaviors such as repeated failed login attempts (a sign of credential stuffing), logins from unusual time zones or countries, or a single account suddenly being granted access to multiple applications should be detected and alerted early by SIEM/XDR systems. M-Trends recommends enhanced monitoring of “centralized authorities” such as SSO gateways, as once compromised, they allow attackers to rapidly scale their intrusions [8]. In fact, many recent ransomware incidents have shown attackers using exposed SSO credentials to access virtual infrastructure management portals, create virtual machines, steal data, and deploy malware [8]. Therefore, SOCs should establish dedicated use cases for SSO activities—for example, triggering alerts when an account logs into multiple services within a short time frame, or when sensitive SSO configurations change (such as adding a trusted domain or creating a new application).
  • Detecting Credential Stuffing: Credential stuffing (the use of leaked login credentials to attempt logins on other services) poses a significant threat to industries such as retail and online services that manage large numbers of customer accounts. SOCs should leverage threat intelligence data (e.g., leaked account databases) combined with login monitoring to enable early detection. For instance, if hundreds of failed login attempts are observed from a single IP address within a short time frame, an automated playbook should be triggered to block that IP and enforce password resets for affected accounts. Mandiant also highlights the danger of infostealers – malware designed to steal large volumes of credentials from infected machines – which serve as fuel for large-scale credential stuffing campaigns [8]. Additionally, sharing information about exposed accounts between security and business units (such as e-commerce teams) is critical to promptly alert affected users.
  • Monitoring Data Anomalies: In cloud environments, data typically resides in service-based storage systems such as S3, Blob Storage, or SaaS databases. SOCs need tools capable of detecting anomalous data behaviors — such as unusual large-scale downloads, data synchronization from internal systems to external locations, or access to sensitive data during irregular hours. For example, in the UNC3944 incident, attackers exploited cloud synchronization tools to transfer data from the victim’s environment to their own cloud buckets, effectively hiding exfiltration traffic within legitimate noise [8]. This camouflage technique makes detection difficult without proper monitoring. Therefore, SOCs should collect logs from cloud services (such as object storage access logs and API call logs) and apply behavioral analytics. Mandiant recommends enabling comprehensive logging across cloud and SaaS platforms — for instance, virtual machine creation logs or file access logs — to improve detection of potential data theft activities [8]. Such log sources are also essential for incident investigations and compliance purposes, as frameworks like NIS2 require event information retention to support incident reporting within 24 hours [9].
  • Protecting Identities and Cloud Applications in the Incident Response Process: When an incident is detected, the response playbook must include steps to verify the related accounts. For example, if malware is detected on a server, the SOC should automatically check whether that server uses any cloud service accounts or contains any API keys — as attackers can exploit such information. Mandiant has encountered situations where hackers discovered plaintext cloud access keys stored on compromised on-premise machines, then used those keys to directly access cloud storage and steal data [8]. The key lesson learned is that the SOC must coordinate monitoring across both on-premise and cloud infrastructures and handle incidents in an integrated manner. In such cases, if the SOC had an automated playbook that immediately revoked or disabled any associated cloud credentials when an on-premise server was compromised, it could have prevented the subsequent stages of the attack.
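The first two use cases in the list above (a burst of failed logins from one IP across many accounts, and one account fanning out to many SSO-integrated applications in a short window, plus alerting on sensitive SSO configuration changes) can be written as detection logic over authentication logs. The code below is an added example, not from the original report, Mandiant, or any SIEM product; the log line format, the thresholds, the window sizes and the sample log (built in `build_sample_log`) are constructed assumptions, and the playbook actions are only the low-risk steps the text itself names.

```python
"""Identity-anomaly detection over constructed SSO/authentication log lines.
Added example, not from the original report; the log format, thresholds and
playbook actions are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class AuthEvent:
    ts: datetime
    event: str    # LOGIN_OK | LOGIN_FAIL | SSO_APP_ACCESS | SSO_CONFIG_CHANGE
    user: str
    src_ip: str
    target: str   # application name, or the changed object for SSO_CONFIG_CHANGE


def parse_line(line):
    """Assumed log format: '<ts> <event> <user> <src_ip> <target>'."""
    ts, event, user, ip, target = line.split()
    return AuthEvent(datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc),
                     event, user, ip, target)


def build_sample_log():
    """Constructed sample data: one stuffing burst, one SSO fan-out, one config change."""
    base = datetime(2025, 3, 1, 8, 0, 0, tzinfo=timezone.utc)
    stamp = lambda delta: (base + delta).strftime(TS_FMT)
    lines = []
    # 40 failed logins against 40 different customer accounts from one IP in two minutes
    for i in range(40):
        lines.append(f"{stamp(timedelta(seconds=3 * i))} LOGIN_FAIL cust{i:03d} 203.0.113.5 shop-portal")
    # a normal user mistyping a password a few times over the morning (must not fire)
    for i in range(3):
        lines.append(f"{stamp(timedelta(minutes=20 * i))} LOGIN_FAIL dana 198.51.100.7 shop-portal")
    # one account reaching six SSO-integrated applications within four minutes
    for i, app in enumerate(["mail", "crm", "hr", "vm-console", "storage", "ticketing"]):
        lines.append(f"{stamp(timedelta(hours=1, seconds=40 * i))} SSO_APP_ACCESS admin-eve 203.0.113.9 {app}")
    # a sensitive SSO configuration change by the same account
    lines.append(f"{stamp(timedelta(hours=1, minutes=5))} SSO_CONFIG_CHANGE admin-eve 203.0.113.9 trusted-domain-added")
    return lines


def detect_credential_stuffing(events, threshold=20, window=timedelta(minutes=5), min_users=10):
    """IPs producing >= threshold LOGIN_FAIL events against >= min_users distinct
    accounts inside a sliding window. Returns {ip: sorted list of targeted users}."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.event == "LOGIN_FAIL":
            by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        win = deque()
        for e in evs:
            win.append(e)
            while e.ts - win[0].ts > window:      # drop events that fell out of the window
                win.popleft()
            if len(win) >= threshold and len({w.user for w in win}) >= min_users:
                flagged[ip] = sorted({w.user for w in evs})
                break
    return flagged


def detect_sso_fanout(events, threshold=5, window=timedelta(minutes=10)):
    """Users reaching >= threshold distinct applications via SSO within a window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.event == "SSO_APP_ACCESS":
            by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            apps = {x.target for x in evs[i:] if x.ts - start.ts <= window}
            if len(apps) >= threshold:
                flagged[user] = sorted(apps)
                break
    return flagged


def detect_sso_config_changes(events):
    """Every SSO configuration change is worth an alert on its own."""
    return [(e.user, e.target) for e in events if e.event == "SSO_CONFIG_CHANGE"]


def playbook_actions(events):
    """Turn findings into the automated, low-risk response steps named in the text."""
    actions = []
    for ip, users in detect_credential_stuffing(events).items():
        actions.append(f"block_ip {ip}")
        actions.extend(f"force_password_reset {u}" for u in users)
    for user, apps in detect_sso_fanout(events).items():
        actions.append(f"force_reauth {user}")
        actions.append(f"escalate sso_fanout {user} apps={len(apps)}")
    for user, change in detect_sso_config_changes(events):
        actions.append(f"escalate sso_config_change {user} {change}")
    return actions


if __name__ == "__main__":
    for action in playbook_actions([parse_line(l) for l in build_sample_log()]):
        print(action)
```

The stuffing rule keys on two signals at once (volume and the number of distinct accounts), which is what separates a stuffing run from one user repeatedly mistyping a password; the fan-out rule looks at distinct applications rather than raw event count, so a user refreshing one app many times does not trigger it.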

In addition to technical detection, it is also important to pay attention to the human factor in cloud and identity security. Hackers are increasingly targeting users with elevated privileges (such as cloud administrators or SaaS administrators) through sophisticated phishing schemes. Mandiant has observed a rise in social engineering attacks aimed at privileged cloud users, for instance, sending multiple fake MFA requests to trick them into approving one, or deceiving them into revealing their OTP codes [8]. Once these users are compromised, attackers can immediately escalate access to cloud resources without having to breach on-premise infrastructure — effectively bypassing many traditional defense layers [8]. Therefore, awareness training and attack simulations (such as phishing or MFA fatigue exercises) should be integral components of SOC planning, especially in industries like banking and telecommunications where employees have broad access privileges.

In summary, optimizing the SOC for a multi-cloud environment and unified identity requires a combination of multiple measures: from monitoring logins and SSO, detecting credential stuffing, to tracking data traffic and integrating cloud logs. Trends reported in M-Trends 2025 clearly indicate that attackers are aggressively exploiting identity and cloud vulnerabilities, as these provide significant advantages — enabling access to multiple systems simultaneously [8]. Vietnamese enterprises in the banking and financial sectors have already felt the impact, as they have become prime targets of phishing campaigns and information-stealing malware [2]. Therefore, banks are often the first to invest in Zero Trust solutions and advanced IAM systems, integrating them tightly into their SOC operations. Similarly, the telecommunications sector must protect centralized login systems (such as customer service portals) from credential stuffing attacks. In manufacturing, the rise of IoT and the migration of factory data to the cloud have introduced new risks — notably, in late 2023, several critical industrial facilities in Vietnam were hit by ransomware through VPN vulnerabilities, resulting in encrypted data [1]. Factories now need to consider monitoring both OT and cloud environments (for example, SCADA systems sending data to cloud-based analytics services). For the retail sector, the boom in e-commerce brings massive amounts of customer and transaction data stored in the cloud. SOCs in this field must be highly responsive to detect data leaks (such as when hackers sell millions of customer records on forums) and safeguard the online user experience by preventing account takeovers and fraudulent transactions.

Overall, cloud and identity have become the new “frontiers” that SOCs must manage. The key to success lies in tightly integrating cloud logs and controls into the SOC platform, leveraging AI and UEBA applications to detect user anomalies, and strengthening identity security discipline across the organization (including mandatory MFA and the principle of least privilege). These measures enable enterprises to stay ahead of emerging threats before they escalate into serious incidents.

Measuring SOC ROI: Comparing MTTD/MTTR Before and After XSIAM/Open-XDR and Automation

The effectiveness of a SOC is often measured through two key metrics: MTTD (Mean Time to Detect) – the average time to identify a threat, and MTTR (Mean Time to Respond/Resolve) – the average time to react to and fully resolve an incident. Reducing MTTD and MTTR directly translates into minimizing damage during cyberattacks. However, traditional SOCs that rely on siloed tools and manual processes often experience extended MTTD/MTTR, ranging from hours to days. The adoption of unified platforms such as Open XDR or XSIAM (AI-driven SecOps platforms), combined with automated response workflows, has proven highly effective in dramatically shortening detection and response times, thereby enhancing the ROI of cybersecurity investments.

Recent figures are highly impressive: According to Stellar Cyber, MSSP providers using its Open XDR platform reported 8× faster MTTD and 20× improvement in MTTR compared to traditional SIEM-based models [10]. Similarly, Microsoft’s Forrester TEI study found that combining SIEM + XDR (Azure Sentinel + Defender) reduced investigation time by 65% and response time by 88%, thanks to seamless integration and automation [10]. In practical terms, this means that an incident that once required 10 hours to handle can now be resolved in roughly 30 minutes.

A real-world case: the Louisiana Office of Technology (USA), after modernizing its SOC with the AI-driven Cortex XSIAM solution (Palo Alto Networks), achieved an average incident handling time of under 2 minutes, down from over 24 hours previously [11]. That is, MTTR dropped to roughly 1/720 of its previous value. At the same time, they estimated a 300% ROI from these modernization efforts [11]. Notably, 86% of incidents in Louisiana are now fully auto-resolved by playbooks, with humans only needing to monitor [11]. In another example, the Asante healthcare system (USA), after deploying an XDR + SOAR platform, reported MTTR reduced to 24 minutes instead of weeks as before; at the same time, 99% of incidents are handled without manual intervention [12]. Thanks to automation, each analyst at Asante saves ~20 working hours per week (equivalent to 50% of their time) to focus on more strategic work [12]. These results demonstrate clear ROI in terms of saved time and effort, as well as minimized incident damage (since fast handling prevents incidents from escalating).

Going deeper, the ROI of a unified SOC is also reflected in improved defense quality: a reduced MTTD means earlier detection, allowing attacks to be stopped before causing significant damage. A reduced MTTR means faster recovery, decreasing the time systems are disrupted. In sectors like banking or telecommunications, where each minute of service disruption can result in substantial financial and reputational losses, reducing MTTR from hours to just a few minutes brings significant economic benefits (avoiding revenue loss and SLA violation penalties with customers). Moreover, a highly efficient SOC handles more incidents with the same team, meaning the organization optimizes personnel costs – a crucial factor when skilled cybersecurity engineers are both scarce and expensive. Asante’s experience shows that even with a team of only 8 managing 35,000 endpoints, they remain secure thanks to 99% of incidents being automated [12].

In Vietnam, measuring SOC ROI is increasingly gaining attention, especially in corporations and banks when they try to convince leadership to invest in new SOC technologies (next-generation SIEM, SOAR, XDR). The most effective way to persuade is by comparing before-and-after KPIs. For example, before deploying XDR, the average MTTD could be several hours (due to many missed alerts); after deployment, it can drop to tens of minutes thanks to centralized detection and AI assistance. Or the number of incidents handled per week increases from dozens to hundreds due to automation, while employees’ overtime hours decrease. A bank applying SOAR to handle eBanking fraud alerts could show that previously one analyst could process 10 alerts/day, but now handles 100 alerts while still having time for other tasks – a ~10× increase in personnel ROI. These quantitative figures are very convincing for leadership regarding the value of a SOC.
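The before-and-after KPI comparison recommended above is only convincing if MTTD and MTTR are computed the same way in both periods, so it helps to fix the definition in code. The block below is an added example, not from the original report or from any vendor; the incident records are constructed so the arithmetic can be checked by hand. One caveat it makes explicit: MTTD needs the timestamp of the first attacker activity, which is only known once the investigation has established it, so the metric is computed from closed cases, and medians are reported next to means because a single slow outlier can dominate a mean over a small number of incidents.

```python
"""MTTD/MTTR before and after a SOC platform change, computed from incident
records. Added example, not from the original report; the incident records
are constructed so the arithmetic can be checked by hand."""
from datetime import datetime
from statistics import mean, median

# Constructed records: (incident id, first attacker evidence, detection, resolution).
# "first evidence" is the earliest attacker activity the investigation established,
# so time-to-detect can only be computed once the case is closed.
BEFORE = [
    ("inc-01", datetime(2024, 1, 5, 9, 0),   datetime(2024, 1, 5, 13, 0),   datetime(2024, 1, 6, 1, 0)),
    ("inc-02", datetime(2024, 1, 12, 10, 0), datetime(2024, 1, 12, 16, 0),  datetime(2024, 1, 12, 22, 0)),
    ("inc-03", datetime(2024, 1, 20, 8, 0),  datetime(2024, 1, 20, 10, 0),  datetime(2024, 1, 20, 22, 0)),
]
AFTER = [
    ("inc-11", datetime(2024, 6, 3, 9, 0),   datetime(2024, 6, 3, 9, 15),   datetime(2024, 6, 3, 9, 45)),
    ("inc-12", datetime(2024, 6, 10, 14, 0), datetime(2024, 6, 10, 14, 30), datetime(2024, 6, 10, 14, 50)),
    ("inc-13", datetime(2024, 6, 18, 2, 0),  datetime(2024, 6, 18, 2, 15),  datetime(2024, 6, 18, 2, 55)),
]


def minutes(start, end):
    return (end - start).total_seconds() / 60


def summarize(records):
    """Mean and median time-to-detect and time-to-respond, in minutes."""
    ttd = [minutes(evidence, detected) for _, evidence, detected, _ in records]
    ttr = [minutes(detected, resolved) for _, _, detected, resolved in records]
    return {
        "mttd": mean(ttd), "mttr": mean(ttr),
        # medians are reported too: one slow outlier can dominate a mean
        "median_ttd": median(ttd), "median_ttr": median(ttr),
        "incidents": len(records),
    }


def compare(before, after):
    """Percentage reduction and speed-up factor for each metric."""
    b, a = summarize(before), summarize(after)
    out = {}
    for metric in ("mttd", "mttr"):
        out[metric] = {
            "before_min": b[metric],
            "after_min": a[metric],
            "reduction_pct": round(100 * (1 - a[metric] / b[metric]), 1),
            "speedup": round(b[metric] / a[metric], 1),
        }
    return out


if __name__ == "__main__":
    for metric, r in compare(BEFORE, AFTER).items():
        print(f"{metric.upper()}: {r['before_min']:.0f} min -> {r['after_min']:.0f} min "
              f"({r['reduction_pct']}% reduction, {r['speedup']}x faster)")
```

With the constructed records the before period has an MTTR of 600 minutes but a median of 720: two of three incidents took a full shift to close and one was quick, which is the kind of distribution a mean alone hides when a SOC presents its numbers to leadership.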

Besides MTTD/MTTR, SOC ROI is also reflected through the reduction of major incidents (avoidance ROI). A good SOC can prevent incidents before they escalate into data breaches or service outages. For example, if a SOC helps avoid a customer data leak (which could incur fines of millions of USD under the law), the avoided cost itself is a “hidden” but significant ROI. Statistics show that cyberattack damages in Vietnam in 2023 amounted to approximately VND 390,000 billion (~3.6% of GDP) [1], [13] – if an effective SOC reduces even 1% of that for businesses, it already represents a considerable ROI.

However, it should be noted that ROI does not come solely from technology but also from processes and people. To fully leverage the power of XDR/AI, organizations must restructure SOC processes flexibly, continuously optimizing playbooks based on lessons from incidents. At the same time, investment in training is needed so that personnel trust and effectively use automation (as Asante’s CISO said: “We are very confident letting it run automatically, because we have verified it works correctly” [12]). When technology and people are aligned, the SOC can achieve true autonomy and maximize ROI.

In summary, the deployment of unified and automated SOC platforms has demonstrated clear effectiveness over the past three years. Organizations in Vietnam, especially in banking and telecommunications – where fast response times are critical – can expect significant improvements by following this trend. MTTR/MTTD metrics will continue to be key indicators: for example, targets of under 1 hour for MTTD and under 15 minutes for MTTR for common incidents can be achieved with AI assistance. SOC ROI is measured not only in financial percentages but also in the peace of mind knowing that the organization can respond to attacks many times faster than before.

Multi-standard compliance reporting (SEC/DORA/NIS2): Integration of SIEM/XDR and automated reporting according to SLA timelines

Alongside threat response, modern SOCs – especially in the financial sector and critical infrastructure – must also meet increasingly stringent regulatory compliance requirements. The period 2023–2025 has seen numerous new regulations requiring organizations to report cybersecurity incidents within very short timeframes. Notable examples include:

  • SEC (U.S.) Regulation 2023: The U.S. Securities and Exchange Commission requires public companies to file Form 8-K within 4 business days from the determination of a “material” cybersecurity incident [14]. This means that companies must quickly assess the severity of the incident and disclose it almost immediately once the material nature is confirmed.
  • DORA (EU) – Digital Operational Resilience Act 2023/2025: Applicable to financial institutions in the EU, it requires reporting major ICT incidents within 1 day (24 hours) of detection, an intermediate report within 3 days (72 hours), and a final report within 5 days [15], [16]. DORA emphasizes operational resilience, thus imposing strict rules on incident response and notification processes.
  • NIS2 (EU) – Network and Information Security Directive 2, effective 2024/2025: Applicable to multiple essential sectors (telecommunications, energy, healthcare, transport, finance, etc.). NIS2 establishes a “24-hour early warning system,” meaning companies must submit an initial notification to regulators within 24 hours of detecting a significant incident and provide a detailed report within 72 hours [15], [16]. The objective is to ensure authorities are informed almost immediately to coordinate response actions if necessary.

These “SLA” timeframes (24h, 72h, 4 days, etc.) place significant pressure on security and compliance teams. Drafting a compliant incident report (e.g., describing the incident, attack type, impact, mitigation measures, etc.) within just a few days requires rapid collection of both technical and non-technical information. If done manually, SOC teams can become overloaded, not to mention the risk of errors. Therefore, the emerging trend is to automate the compliance reporting process, integrating it directly into SOC operations.

Integrating SIEM/XDR with the compliance process means that event data, logs, and analysis results from the SOC are automatically aggregated into reports that conform to regulatory templates. This is feasible because an incident report typically requires information such as event timelines, related IPs, affected systems, exploited vulnerabilities, and exposed data – most of which are already available in the SIEM/XDR during incident investigation. The key advancement here is setting up automated playbooks so that when an incident is flagged as critical (e.g., based on XDR priority levels), the system pulls the necessary information from various sources (logs, CMDB, malware analysis results) and populates the report template.

For example, an internationally operating bank in Vietnam could configure a playbook so that if an incident affects more than 10,000 customers, it automatically extracts information from case management including incident description, detection time, and steps already taken and populates a report template following DORA/NIS2 formats. A compliance officer would then receive this draft almost immediately, needing only to review and add any necessary details before submission to regulators. Automatically filling such templates saves significant time and ensures no sections are missed (since the system populates according to a predefined template). Gartner also recommends: “Automate logging and reporting – use AI-driven analytics to streamline compliance reports,” meaning AI-based tools can automate logging and report generation, reducing manual effort [15].

Another key benefit of integrating compliance into the SOC is ensuring the accuracy and consistency of information. When reports are generated directly from raw SIEM data, the risk of misinterpretation or copying errors is greatly reduced. Moreover, since SIEMs typically store logs in compliance with legal requirements (e.g., NIS2 mandates retaining event evidence for audits) [9], generating reports from these logs provides comprehensive coverage and traceability of data sources, which is essential for later inspections. A log management guide for NIS2 highlights that centralized log information “plays a critical role” in meeting the 24-hour reporting deadline—because with detailed logs, organizations can confidently issue early warnings within 24 hours even if the full investigation is not yet complete [9]. In other words, the SOC supplies whatever data is available to issue a timely warning notification within 24 hours, and then continues to update the report as more investigation results become available.

The same applies to the SEC 4-day requirement: companies must quickly assess the “material impact.” If the SOC has a pre-established workflow to quantify damage (e.g., number of affected records, downtime duration, estimated financial loss), determining materiality becomes faster and more evidence-based, enabling the legal team to prepare the Form 8-K on time. Google Cloud recommends that companies establish internal procedures for detecting, classifying incidents, and triggering SEC reporting within the 4-day window [14], [17]—with the SOC serving as the source of initial data and classification.

To realize compliance automation, current SOAR/automation solutions often include built-in GRC modules. For example, the Swimlane platform recommends creating low-code playbooks to monitor DORA compliance: from ICT risk management and periodic checks to Incident Reporting—where workflows automatically ensure “timely notification to authorities” when an incident occurs [18]. Swimlane emphasizes that automating incident classification and notification processes helps organizations meet deadlines without increasing headcount [18]. Similarly, a European security service company (Secnora) offers “Fast Incident Reporting support, from the initial 24-hour notification to the final report,” enabling clients to comply fully with DORA/NIS2, from the first 24-hour alert to the final report a few days later [16]. This demonstrates that the market is actively addressing the demand for automated compliance reporting as an extension of SOC capabilities.

In Vietnam, banks and financial institutions (subject to DORA if they operate in the EU) have begun paying attention to building such workflows. Even organizations not bound by international regulations benefit from automating incident reporting to local authorities. The Vietnamese Cybersecurity Law requires reporting certain types of incidents to the Ministry of Information and Communications, the State Bank, etc. (though not as stringent as NIS2). Having pre-defined reporting playbooks enables a systematic response instead of ad-hoc firefighting. Moreover, most compliance frameworks share a common feature—leveraging automation allows organizations to “consolidate compliance requirements from multiple frameworks into a single overview” [18]. In other words, a single incident can generate reports for multiple standards (e.g., submitting to Authority A using Template A while simultaneously retaining logs for Audit B).

To ensure successful implementation, organizations need to prepare complete input data: for example, an up-to-date CMDB to identify systems considered critical under NIS2, or mapping assets that contain sensitive data to determine materiality for SEC reporting. The SOC must collaborate with risk management and legal teams to define criteria for what constitutes a “major incident” that requires reporting. Once these criteria are encoded into playbooks, the system operates smoothly: detection → classification → triggering the reporting and notification workflow. Compliance reporting thus ceases to be a standalone task and becomes an integral part of a standardized incident response process.
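The detection → classification → reporting chain described above, as an added example that is not code from the report or from any vendor it cites: a small playbook that applies the trigger rule (more than 10,000 affected customers, or a critical XDR priority), derives the DORA, NIS2 and SEC deadlines the text states from the detection and materiality timestamps, and pre-fills a report template from a constructed SIEM case record while flagging sections the compliance officer still has to complete. The case field names, the template sections and the sample record are assumptions.

```python
"""Added example (not the report's own code): minimal compliance-reporting
playbook. Trigger rule, deadlines and template sections follow the report's
text; field names, the template and the sample case are assumptions."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Timelines as stated in the text: DORA 24h / 72h / 5 days from detection,
# NIS2 24h early warning / 72h detailed report, SEC Form 8-K within
# 4 business days of the materiality determination.
DORA_STAGES = {"initial": timedelta(hours=24),
               "intermediate": timedelta(hours=72),
               "final": timedelta(days=5)}
NIS2_STAGES = {"early_warning": timedelta(hours=24),
               "detailed": timedelta(hours=72)}
SEC_BUSINESS_DAYS = 4

# Assumed template, built from the items the text lists as typically required:
# timeline, related IPs, affected systems, exploited vulnerabilities, exposed data.
TEMPLATE_SECTIONS = ("description", "detected_at", "affected_systems",
                     "related_ips", "exploited_vulnerabilities",
                     "exposed_data", "mitigation_steps")


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by `days` weekdays (Mon-Fri); public holidays are ignored here."""
    current, added = start, 0
    while added < days:
        current += timedelta(days=1)
        if current.weekday() < 5:
            added += 1
    return current


def requires_reporting(case: dict, customer_threshold: int = 10_000) -> bool:
    """Trigger rule from the text: >10,000 customers affected, or the XDR
    priority marks the case critical."""
    return (case.get("affected_customers", 0) > customer_threshold
            or case.get("priority") == "critical")


def deadlines(detected_at: datetime,
              materiality_at: Optional[datetime] = None) -> dict:
    """Absolute due times per regulation, keyed 'REGULATION:stage'."""
    due = {f"DORA:{k}": detected_at + v for k, v in DORA_STAGES.items()}
    due.update({f"NIS2:{k}": detected_at + v for k, v in NIS2_STAGES.items()})
    if materiality_at is not None:   # SEC clock starts at materiality, not detection
        due["SEC:form_8k"] = add_business_days(materiality_at, SEC_BUSINESS_DAYS)
    return due


def draft_report(case: dict, regulation: str) -> dict:
    """Populate the template from whatever the SIEM case holds right now; the
    24-hour early warning ships even while some sections are still empty."""
    body = {s: case.get(s) for s in TEMPLATE_SECTIONS}
    missing = [s for s in TEMPLATE_SECTIONS if body[s] in (None, [], "")]
    return {"regulation": regulation, "sections": body, "needs_review": missing}


# Constructed sample case, shaped like a SIEM/XDR case-management record.
SAMPLE_CASE = {
    "priority": "high",
    "affected_customers": 12_500,
    "description": "Credential stuffing against internet banking portal",
    "detected_at": datetime(2025, 3, 7, 22, 15, tzinfo=timezone.utc),  # a Friday
    "affected_systems": ["ib-portal-01", "ib-api-gw"],
    "related_ips": ["203.0.113.7", "198.51.100.42"],   # documentation ranges
    "exploited_vulnerabilities": [],   # not yet known at early-warning time
    "exposed_data": None,
    "mitigation_steps": ["rate-limit login API", "force password reset"],
}

if __name__ == "__main__":
    if requires_reporting(SAMPLE_CASE):
        when = SAMPLE_CASE["detected_at"]
        for key, due in deadlines(when, materiality_at=when).items():
            print(f"{key:22s} due {due.isoformat()}")
        print("still needs input:", draft_report(SAMPLE_CASE, "NIS2")["needs_review"])
```

Because the SEC clock counts business days from the materiality determination while DORA/NIS2 count hours from detection, a Friday-night incident shows the two sets of deadlines diverging, which is why the text insists on a pre-agreed materiality workflow.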

In summary, integrating multi-standard compliance into the SOC delivers dual benefits: meeting legal deadlines (avoiding penalties) and strengthening internal security discipline. In the 2023–2025 context, when the “golden window” for incident reporting is measured in hours, organizations that proactively automate reporting can preserve their reputation and avoid sanctions. Sectors such as banking and finance in Vietnam should lead the way, as they are part of the global value chain and must comply with international standards (e.g., DORA, NIS2). Telecommunications and infrastructure companies will also be subject to NIS2 if they expand into the EU. Preparing now—by upgrading SIEMs, ensuring comprehensive log storage, and building reporting playbooks—will enable organizations to turn compliance into a strategic advantage rather than just a burden [15].

Industry Trends for SOC: Banking, Telecommunications, Manufacturing, Retail

As noted earlier, each industry has unique characteristics that influence SOC strategy:

  • Banking – Finance: This sector is the top target for cybercriminals in Vietnam. Statistics from the first half of 2023 show that over 95% of fraud incidents targeted banks [2]. Banks face threats ranging from phishing and malware to multi-layered DDoS attacks [2]. As a result, they often lead in establishing well-structured SOCs, equipped with XDR solutions, AI, and strict compliance (major Vietnamese banks have achieved ISO 27001 certification and comply with the State Bank’s circulars on information security). The 2023–2025 trend is for banks to prioritize more automated and intelligent SOCs capable of handling high attack volumes (for example, using AI chatbots to assist analysts or automatically managing fraudulent transactions in internet banking). They also lead in compliance: international expansion requires DORA adherence, and foreign listings require SEC compliance. Consequently, banking SOCs are deeply integrated with risk management and legal teams to ensure timely reporting. Another critical aspect is the massive volume of sensitive data (customers, transactions) managed by banks. SOCs in this sector focus strongly on data protection and leak prevention, both via technical controls (DLP, UEBA) and human monitoring (insider threat supervision). It is no coincidence that NCS experts identified “human factors” as the #1 weakness, accounting for 32.6% of incidents in Vietnam in 2023 [1]; banks are actively enhancing awareness training and conducting attack simulations to mitigate human risk.
  • Telecommunications: Major telecom companies (Viettel, VNPT, MobiFone, etc.) are both attack targets (as part of critical national infrastructure) and security service providers for clients (e.g., MSSP offerings). Telecoms typically operate highly developed internal SOCs that monitor wide-area networks and defend against large-scale DDoS attacks targeting core networks and service gateways. A key trend is integrating telecom SOC operations with service quality monitoring: for example, a DDoS attack on 4G/5G infrastructure is not only a security issue but also impacts user experience, so the SOC must collaborate closely with the NOC for rapid response. Regarding identity, telecoms manage millions of customer accounts (portals, apps), making them vulnerable to credential stuffing, SIM swap attacks, etc. – hence the need for anomaly detection solutions in SIM registration, call forwarding, and similar activities. In addition, Vietnamese telecom operators are expanding internationally, so compliance with NIS2 (for EU infrastructure) and international telecom security standards (ITU-T) is becoming a key focus. Telecom SOCs must meet strict audit requirements, such as maintaining detailed network event logs and immediately reporting any public network disruption caused by attacks.
  • Manufacturing – Industrial: Historically, factories and manufacturing companies attracted little attention, but recently they have become targets for ransomware and industrial espionage. In Vietnam, industrial systems ranked among the top attack targets in 2023 [1]. The main challenge for SOCs in this sector is covering both IT and OT (Operational Technology) environments. Many factories deploy SOCs to monitor office networks but leave SCADA/ICS systems unmonitored, allowing hackers to infiltrate via PLCs or control stations. The 2025 trend is IT-OT convergence in SOCs: using OT monitoring solutions (e.g., Nozomi, Dragos) integrated into a unified SIEM. M-Trends also reports APTs targeting production data and personnel (e.g., APT28 stealing employee information and technical documents) [8], showing that industrial cyber espionage remains active. Therefore, SOCs in manufacturing need proactive threat hunting, especially in FDI companies with proprietary technology. Regarding ROI, manufacturing often faces limited budgets and IT staff, making unified and automated SOCs critical to optimize resources. Outsourced SOC services (MSSPs) may be a viable option for many small- and medium-sized manufacturers to share costs. Additionally, if the organization operates critical infrastructure (power, water, raw materials), NIS2 mandates enhanced SOC capabilities and regular reporting to government regulators.
  • Retail – E-commerce: The retail sector experiences frequent customer data and payment card breaches, both globally and in Vietnam. With the widespread adoption of the O2O (online-to-offline) model, large retailers operate POS systems, websites, and mobile apps, interacting continuously with customers—expanding their attack surface. Top threats include credential stuffing targeting shopping accounts, web skimming (malicious scripts on payment pages), and brand-phishing attacks. Consequently, retail SOCs must be capable of detecting anomalous transactions (e.g., mass purchases using stolen accounts), monitoring website source code for injected scripts, and protecting mobile app APIs against exploitation. In 2023, Vietnam sounded the alarm on widespread personal data leaks [1], much of which likely originated from hacked e-commerce platforms or retail chains. Compliance with personal data protection regulations (PDPL) further drives retailers to enhance SOC capabilities and incident reporting processes, including notifying customers in the event of data exposure. On the positive side, retail is highly agile in adopting cloud technologies, with many systems hosted on the cloud, providing opportunities to implement cloud-native SOCs and leverage integrated cloud security services (WAF, CASB) for monitoring. The ROI of SOCs in retail is reflected in maintaining customer trust—preventing major data breaches that could damage reputation (and drive customers to competitors).

Overall, a SOC cannot follow a “one-size-fits-all” model and must be tailored to the risk profile of each industry. Banks prioritize response time and regulatory compliance; telecommunications focus on system availability; manufacturing emphasizes protecting operational processes; and retail concentrates on safeguarding customer data and transactions. Despite these differences, all sectors converge on the need for modernized SOCs equipped with AI, XDR, and automation to handle complex, real-time threats. Research and data from 2023–2025 reinforce the belief that well-directed investment in SOCs helps organizations minimize incidents, improve operational efficiency, and meet global standards, thereby enhancing competitiveness and resilience against cyberattacks.

Conclusion:

Over the past three years, Security Operations Centers have undergone significant transformation in response to the surge of cyber threats and evolving compliance requirements. For Vietnamese enterprises, building and optimizing a SOC is no longer optional but a prerequisite for protecting digital assets and brand reputation. This study has highlighted several key trends:

  • Towards More Automated and Intelligent SOCs: The increasing application of AI and automation enables SOCs to efficiently handle massive volumes of alerts, reduce human workload, and achieve significantly faster response times than before. Global five-level SOC maturity models indicate that the ultimate goal is a SOC capable of largely autonomous operations, with humans overseeing strategic decisions.
  • Integrated Exposure Management for Proper Prioritization: By incorporating risk context—such as critical assets, vulnerabilities, and attack paths—into the analysis workflow, SOCs can filter out the most relevant alerts and avoid being overwhelmed by thousands of noisy signals. This approach enhances detection quality and ensures that automated responses are both safe and effective.
  • Adapting to Cloud Environments and Identity Security: As IT shifts to the cloud, attackers have also changed tactics, targeting accounts and access rights. SOCs must cover multi-cloud infrastructures and focus on monitoring anomalous user behavior, SSO access, and data movement. Identity has become the new perimeter, making identity protection a core SOC function.
  • Improving ROI through Platform Consolidation and Automation: Real-world evidence shows that modern SOCs can reduce incident handling time from hours to minutes and automate the majority of common incidents, saving manpower and limiting damage. Investments in XDR, XSIAM, or similar solutions prove worthwhile when measured by MTTD/MTTR and opportunity cost. It is essential for organizations to continuously measure and compare pre- and post-deployment performance to clearly assess value and adjust SOC strategies accordingly.
  • Aligning SOC Operations with Compliance Requirements: Regulations such as SEC, DORA, and NIS2 present new challenges but also serve as a driver for SOCs to enhance rapid detection and accurate reporting. Integrating compliance workflows into the SOC through SIEM/SOAR tools not only helps organizations avoid penalties but also fosters professionalism and transparency in incident response. Response time now encompasses not just remediation but also timely notification to partners, regulators, and customers—requiring SOCs to fulfill both objectives concurrently.

For specific industries, the overall picture shows increasingly sophisticated threats and no such thing as a completely “safe zone.” Banking and telecommunications — having been prime targets from early on — are leading the way in SOC modernization, setting examples for other sectors. Manufacturing and retail — which previously paid little attention to security — have awakened after major ransomware and data breach incidents, and are now accelerating their SOC capability building, either through MSSP partnerships or industry alliances. An encouraging sign in Vietnam is that support from domestic cybersecurity companies (VNCS, NCS, Bkav, CMC, Viettel Cyber Security, etc.) is helping transfer modern SOC knowledge and solutions to enterprises more rapidly.

In conclusion, a SOC is not a one-time project but a journey of continuous improvement. Organizations should view the SOC as the “brain center” of their cybersecurity, requiring long-term investment and flexible adaptation to evolving contexts. Over the past three years, we have witnessed remarkable progress—AI and automation have already transformed SOC operations. The next three years will undoubtedly bring further changes, whether through more advanced AI or emerging threats from quantum computing and IoT. Proactive research and trend monitoring will determine the maturity of each organization’s SOC. This report aims to provide a comprehensive overview, helping Vietnamese enterprises—especially in banking, telecommunications, manufacturing, and retail—shape SOC strategies that ensure strong defense, regulatory compliance, and cost optimization amidst both the challenges and opportunities ahead.

References: The data and insights in this report are compiled from reputable sources covering 2023–2025, including Mandiant’s M-Trends 2025 report (via Google Cloud), Gartner recommendations, studies from Palo Alto Networks, Rapid7, Swimlane, as well as actual cybersecurity statistics in Vietnam from NCS, the Ministry of Information and Communications, and industry reports [1], [2], [4], [10], [11], etc. (detailed citations are provided within the text). These sources provide an objective basis for the analyses and recommendations presented, illustrating both global and domestic SOC landscapes and guiding enterprises in strengthening cybersecurity capabilities amid a period of heightened challenges.

References:

[1] https://ncsgroup.vn/trung-binh-1-160-vu-tan-cong-mang-moi-thang-ngan-hang-la-dich-nham/

[2] https://baotintuc.vn/khoa-hoc-cong-nghe/hon-95-cac-cuoc-tan-cong-lua-dao-nham-vao-linh-vuc-ngan-hang-tai-chinh-20231010111253789.htm

[3] https://vncs.vn/vi/tin-tuc/detail-bi-quyet-xay-dung-ke-hoach-soc-nam-2025-hieu-qua-cho-to-chuc-va-doanh-nghiep-385

[4] https://www.sentinelone.com/blog/introducing-the-autonomous-soc-maturity-model/

[5] https://www.rapid7.com/blog/post/3-ways-gartner-says-exposure-management-is-reshaping-secops/

[6] https://thehackernews.com/2025/06/ctem-is-new-soc-shifting-from.html

[7] https://swimlane.com/solutions/mitigate-alert-fatigue/

[8] https://services.google.com/fh/files/misc/m-trends-2025-en.pdf

[9] https://logmanager.com/blog/it-compliance/nis2-compliance-log-management-siem/

[10] https://inspiraenterprise.com/beyond-siem-embracing-unified-xdr-for-smarter-security/

[11] https://www.paloaltonetworks.com/customers/louisiana-scales-security-using-ai-driven-cortex-xsiam

[12] https://www.paloaltonetworks.com/customers/modernized-soc-revolutionizes-asante-visibility-efficiency

[13] https://laodong.vn/cong-nghe/13900-vu-tan-cong-mang-trong-nam-2023-gay-thiet-hai-hon-390000-ti-dong-1353084.ldo

[14] https://www.sec.gov/newsroom/press-releases/2023-139

[15] https://nextitsecurity.com/decoding-nis2-and-dora-the-compliance-playbook/

[16] https://secnora.com/blog/dora-vs-nis2-vs-psd2/

[17] https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-disclosure-20231214

[18] https://swimlane.com/blog/dora-cybersecurity/
