How migrating to Elastic Security helped a digital safety software company cut incidents by 85% with UnderDefense
UnderDefense brought a two-person security team to full-coverage security operations with Elastic Security.
Summary
- A SaaS provider of enterprise digital safety software migrated from a noisy legacy QRadar deployment to Elastic Security on Elastic Cloud with the support of UnderDefense, an Elastic partner.
- The migration combined a full log ingestion audit, more than 100 custom detection rules mapped to MITRE ATT&CK, and 25 purpose-built Kibana dashboards serving analysts, IT, and executives.
- Security incident volume dropped 85% and mean time to respond fell 61%, measured against the legacy QRadar baseline, shifting a two-person security team from reactive triage to proactive threat hunting.
- Audit-ready data retention on Elastic frozen-tier snapshots closed a long-standing compliance evidence gap while lowering storage costs.
This blog tells the story of a SaaS company whose platform delivers enterprise digital safety, serving organizations that depend on the service being available and trustworthy around the clock. Its infrastructure reflects that mission: The environment is weighted toward servers, virtual appliances, and cloud workloads with a comparatively small employee fleet. Its product protects other companies, so its own security operations carry direct commercial weight, which is also why the company appears here anonymously.
With the support of UnderDefense — an Elastic partner — the company migrated from a noisy legacy QRadar deployment to Elastic Security on Elastic Cloud.
UnderDefense specializes in Elastic Security deployments, detection engineering, and managed security operations. Organizations considering a similar migration can learn more at underdefense.com.
Overcoming system challenges
Security at the company is run by a team of two. That team is responsible for monitoring the full environment, responding to incidents, and producing the evidence that auditors and enterprise customers request. The company had operated for years without a major breach; yet, by 2026, the tooling underneath that record was working against the people who relied on it.
The legacy QRadar deployment ingested data indiscriminately. Every log source and every system event flowed in, and the detection logic was configured broadly enough that alerts fired constantly. With two people on the security team, the only viable response was triage by severity: High and critical alerts were reviewed while everything below that threshold accumulated unactioned.
Beneath the alert volume sat a structural problem. There was no data lifecycle management, no clear picture of which log sources added detection value and which added cost and noise, and no retention policy that satisfied audit requirements. When auditors asked for evidence, the team compiled it manually, a process that exposed both the compliance gap and the limits of the team’s operational bandwidth.
Main challenges
- Unfiltered log ingestion: All data sources flowed into QRadar without optimization, inflating storage costs and generating noise without adding detection value.
- Alert overload: The team could only action high and critical alerts; medium and low queues went unreviewed, creating blind spots.
- Fragmented visibility: Security data lived across disconnected views with no unified dashboard for analysts, IT, or leadership.
- Generic detection coverage: Detection rules were broad defaults, untuned to the company’s infrastructure, data sources, or threat model.
- Compliance and audit exposure: Log retention fell short of auditor evidence requirements, creating regulatory and customer-facing risk.
- Manual stakeholder reporting: Security status had to be compiled by hand, consuming analyst time and introducing reporting lag.
Achieving unified security operations with Elastic
Under the leadership of the company’s head of security and with the support of UnderDefense, the company undertook a full migration from QRadar to Elastic Security, deployed on AWS via Elastic Cloud.
Before a single detection rule was written, UnderDefense conducted a log ingestion audit, mapping every data source to determine what needed to be retained, what could be dropped, and what required correlation. This step reshaped the cost model and the noise profile of the environment before Elastic went live. The core platform itself was architected and running within a couple of days; native connectors and APIs brought data sources online quickly, and tuning continued as a planned, continuous process from there.
Detection engineering followed. UnderDefense enabled Elastic’s out-of-the-box rule set, tuned it to the environment, and then built more than 100 additional custom detections aligned to the company’s specific infrastructure and data. Each detection was mapped to the MITRE ATT&CK® framework, which surfaced blind spots and showed exactly where new rules, data sources, or tooling were needed. In parallel, 25 Kibana dashboards were designed for three distinct audiences: security analysts, IT operations, and C-level stakeholders.
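The ingestion audit and the ATT&CK mapping described above are the two checks a detection engineer ends up scripting. What follows is an added example (not code from UnderDefense, Elastic, or the case study) that reads detection rules in the shape of a Kibana rule export, reports which enterprise tactics no enabled rule maps to, and lists ingested data streams that no enabled rule reads. The rules, rule IDs, rule names and data stream names are constructed for the example; only the field names (rule_id, enabled, index, threat) follow the Elastic detection rule schema.

```python
"""ATT&CK coverage and data-source audit over Elastic Security detection rules.

Added example with constructed input: field names follow the Elastic
detection rule schema, everything else is made up for illustration.
"""
import json
from fnmatch import fnmatch

# The 14 MITRE ATT&CK Enterprise tactics.
ENTERPRISE_TACTICS = {
    "TA0043": "Reconnaissance", "TA0042": "Resource Development",
    "TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
    "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
    "TA0006": "Credential Access", "TA0007": "Discovery",
    "TA0008": "Lateral Movement", "TA0009": "Collection",
    "TA0011": "Command and Control", "TA0010": "Exfiltration", "TA0040": "Impact",
}

# Constructed rules in the ndjson shape of a Kibana rule export, trimmed to the
# fields this audit reads. Rule IDs, names and the trailing summary line are made up.
SAMPLE_RULES_NDJSON = """
{"rule_id": "r-001", "name": "PowerShell spawned by Office app", "enabled": true, "index": ["logs-endpoint.events.process-*"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "subtechnique": [{"id": "T1059.001", "name": "PowerShell"}]}]}]}
{"rule_id": "r-002", "name": "AWS console login without MFA", "enabled": true, "index": ["logs-aws.cloudtrail-*"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts"}]}]}]}
{"rule_id": "r-003", "name": "SSH brute force", "enabled": true, "index": ["logs-system.auth-*"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access"}, "technique": [{"id": "T1110", "name": "Brute Force"}]}]}
{"rule_id": "r-004", "name": "Large outbound transfer", "enabled": false, "index": ["logs-network_traffic.*"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol"}]}]}
{"exported_count": 4, "missing_rules": []}
"""

# Constructed list of data streams actually being ingested, i.e. the raw output
# of an ingestion audit (for example from GET _data_stream).
INGESTED_DATA_STREAMS = [
    "logs-endpoint.events.process-default",
    "logs-aws.cloudtrail-default",
    "logs-system.auth-default",
    "logs-network_traffic.flow-default",
    "logs-apache.access-default",
]


def load_rules(ndjson_text):
    """Parse a rule export: one JSON object per line, skipping blanks and the summary object."""
    rules = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if "rule_id" in obj:  # the export's trailing summary object has no rule_id
            rules.append(obj)
    return rules


def enabled_rules(rules):
    """Disabled rules detect nothing, so they count for neither coverage nor data-source use."""
    return [r for r in rules if r.get("enabled", False)]


def attack_coverage(rules):
    """Map tactic id -> set of technique and sub-technique ids claimed by enabled rules."""
    coverage = {}
    for rule in enabled_rules(rules):
        for entry in rule.get("threat", []):
            if entry.get("framework") != "MITRE ATT&CK":
                continue
            techniques = coverage.setdefault(entry["tactic"]["id"], set())
            for tech in entry.get("technique", []):
                techniques.add(tech["id"])
                for sub in tech.get("subtechnique", []):
                    techniques.add(sub["id"])
    return coverage


def tactic_gaps(rules):
    """Enterprise tactics no enabled rule maps to: the blind spots to close with rules, data or tooling."""
    covered = attack_coverage(rules)
    return {tid: name for tid, name in ENTERPRISE_TACTICS.items() if tid not in covered}


def index_usage(rules, data_streams):
    """Split ingested data streams into (referenced, unreferenced) by the index patterns of enabled rules."""
    patterns = {p for r in enabled_rules(rules) for p in r.get("index", [])}
    referenced = {ds for ds in data_streams if any(fnmatch(ds, p) for p in patterns)}
    return referenced, set(data_streams) - referenced


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_NDJSON)
    coverage = attack_coverage(rules)
    for tid, name in ENTERPRISE_TACTICS.items():
        print(f"{tid} {name:<22} {sorted(coverage.get(tid, [])) or 'NO ENABLED RULE'}")
    referenced, unreferenced = index_usage(rules, INGESTED_DATA_STREAMS)
    print("data streams no enabled rule reads:", sorted(unreferenced))
```

Two caveats when reading the output. A tactic with one mapped rule is not "covered"; the mapping only tells you where to look next, which is the sense in which the case study used it. And a data stream that no enabled rule reads is a candidate for review, not an automatic drop: it may still be needed as investigation context or as audit evidence, so the retain/drop/correlate decision is made per source, as the audit above did.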
Key implementations
- Cloud-native Elastic Security on AWS: Full migration from on-premises QRadar to Elastic Cloud with log ingestion scoped to relevant data sources across servers, virtual appliances, and cloud workloads
- Custom detection engineering: More than 100 detection rules built and tuned to the environment with MITRE ATT&CK coverage mapping used to identify and close visibility gaps
- 25 purpose-built Kibana dashboards: Role-specific views for security analysts, IT teams, and executives, delivering a single pane of glass with everything visible on login
- Compliance-grade data retention: Elastic frozen-tier snapshots configured to meet audit evidence requirements at optimized storage cost, replacing the expensive always-warm retention of the legacy environment
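The retention item above is where audit evidence is won or lost, and the check a practitioner wants is whether the lifecycle policy really keeps data searchable for the required period. The following is an added example (not the page's, UnderDefense's or Elastic's code) that holds two constructed Elasticsearch ILM policy bodies, a hot-to-frozen-to-delete policy of the kind the case study describes and an always-warm policy that deletes early, and audits each against an assumed 365-day target. The action names and the min_age semantics follow Elasticsearch ILM; "found-snapshots" is the default snapshot repository name on Elastic Cloud; the 365-day figure, the phase ages and the rollover settings are assumptions for the example, not numbers from the case study.

```python
"""Check an Elasticsearch ILM policy against an audit retention target.

Added example, not the page's, UnderDefense's or Elastic's code. Both policy
bodies are constructed; action names and min_age semantics follow
Elasticsearch ILM, "found-snapshots" is the default snapshot repository on
Elastic Cloud, and the 365-day target is an assumed audit requirement.
"""
import re

# Hot -> frozen (searchable snapshot) -> delete, the shape the case study describes.
AUDIT_RETENTION_POLICY = {
    "policy": {
        "phases": {
            "hot": {
                "min_age": "0ms",
                "actions": {"rollover": {"max_age": "30d", "max_primary_shard_size": "50gb"}},
            },
            "frozen": {
                "min_age": "90d",
                "actions": {"searchable_snapshot": {"snapshot_repository": "found-snapshots"}},
            },
            "delete": {
                "min_age": "400d",
                "actions": {"delete": {"delete_searchable_snapshot": True}},
            },
        }
    }
}

# An always-warm lifecycle that deletes early: the cost model the migration replaced.
SHORT_WARM_POLICY = {
    "policy": {
        "phases": {
            "hot": {"min_age": "0ms", "actions": {"rollover": {"max_age": "7d"}}},
            "warm": {"min_age": "7d", "actions": {"forcemerge": {"max_num_segments": 1}}},
            "delete": {"min_age": "90d", "actions": {"delete": {}}},
        }
    }
}

PHASE_ORDER = ["hot", "warm", "cold", "frozen", "delete"]
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1, "ms": 1 / 1000}


def duration_days(value):
    """Convert an ILM time value such as '400d', '12h' or '0ms' to days."""
    m = re.fullmatch(r"(\d+)(ms|d|h|m|s)", value.strip())
    if not m:
        raise ValueError(f"unsupported ILM duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)] / 86400


def audit_retention(policy, required_days):
    """Report guaranteed and best-case retention in days plus findings against required_days.

    When the hot phase rolls over, every later phase's min_age is measured from the
    rollover, not from when an event was indexed. An event written just before a
    rollover is kept for exactly delete.min_age; one written just after a rollover
    gets up to rollover.max_age longer. Only the guaranteed figure is audit evidence.
    """
    phases = policy["policy"]["phases"]
    findings = []

    rollover = phases.get("hot", {}).get("actions", {}).get("rollover", {})
    delete_phase = phases.get("delete")
    guaranteed = duration_days(delete_phase.get("min_age", "0ms")) if delete_phase else float("inf")
    best_case = guaranteed + (duration_days(rollover["max_age"]) if "max_age" in rollover else 0)
    if guaranteed < required_days:
        findings.append(
            f"delete phase removes data after {guaranteed:g} days, below the {required_days}-day target"
        )

    # Phases must age in lifecycle order; a misordered min_age is a policy mistake.
    present = [p for p in PHASE_ORDER if p in phases]
    ages = [duration_days(phases[p].get("min_age", "0ms")) for p in present]
    if ages != sorted(ages):
        findings.append("phase min_age values are not in lifecycle order: " + str(dict(zip(present, ages))))

    frozen = phases.get("frozen")
    if frozen is None:
        findings.append("no frozen phase: the long tail of retention stays on hot/warm nodes")
    else:
        snapshot = frozen.get("actions", {}).get("searchable_snapshot", {})
        if not snapshot.get("snapshot_repository"):
            findings.append("frozen phase needs searchable_snapshot.snapshot_repository to mount the snapshot")

    return {
        "guaranteed_days": guaranteed,
        "best_case_days": best_case,
        "meets_retention": guaranteed >= required_days,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, policy in [("audit policy", AUDIT_RETENTION_POLICY), ("legacy-style policy", SHORT_WARM_POLICY)]:
        print(label, audit_retention(policy, required_days=365))
```

The policy body is what you would send with PUT _ilm/policy/<name>. The reason the frozen phase lowers cost is that the searchable_snapshot action serves the index from a snapshot in object storage rather than from warm nodes, while the data stays queryable until the delete phase; the check above confirms that the queryable window, measured from rollover, actually reaches the audit target.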
Before the migration, the two of us had time for high and critical alerts and nothing else. Now we run threat hunting sessions instead of clearing queues, and when an auditor asks for evidence, we pull it on demand. Our data went from a pile of hay to an organized library, where you walk to the shelf and pick up the exact page you need.
Head of Security, digital safety SaaS provider
Results and benefits
Detection quality
- 85% reduction in security incident volume compared with the legacy QRadar baseline, following migration and detection tuning
- More than 100 custom detection rules, each mapped to the environment and the MITRE ATT&CK framework
Response speed
- 61% reduction in mean time to respond (MTTR)
- Analyst capacity shifted from reactive alert triage to threat investigation and proactive threat hunting
Visibility and operations
- 25 purpose-built Kibana dashboards providing unified visibility across all infrastructure layers with no window-jumping or ad hoc querying needed for daily work
- Automated stakeholder reporting delivered directly from the platform, replacing manual compilation
Compliance and audit readiness
- Audit-ready log retention via Elastic frozen-tier snapshots with the full evidence trail available on demand
- Lower storage cost for audit-grade retention: frozen-tier snapshots replace the always-warm storage model of the legacy environment while delivering the same evidence value
Team leverage
- A two-person security team now operates with coverage depth that previously required significantly greater headcount
- UnderDefense analysts work alongside the internal team, carrying detection engineering, platform maintenance, and around-the-clock monitoring
To explore what this coverage model looks like for a team of your size, reach out to the UnderDefense team.
Elastic Security and UnderDefense business impact
Analysts now run proactive threat hunting sessions. One session traced an unremarkable VPN connection back to a proof-of-concept project from years earlier; the channel had stayed silently active ever since, and the team investigated and closed it before anyone could use it.
Documented, reproducible audit evidence strengthens the company’s own sales motion since its enterprise customers ask for exactly this kind of proof during procurement. And the move to Elastic Cloud removed the maintenance and storage management burden of the on-premises legacy deployment.
UnderDefense and Elastic continue to expand AI-assisted detection and investigation in the environment, pairing Elastic’s AI capabilities with UnderDefense’s agentic AI SOC platform. Queries that took an analyst 5 to 10 minutes to structure and run now return enriched results in about a minute.
The deployment shows that a mid-market organization with a lean security team can reach enterprise-grade coverage by pairing Elastic’s open, cloud-native security platform with the detection engineering and operational depth of an experienced security operations partner. For organizations ready to have that conversation, contact UnderDefense.
The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.