Managed XDR services: cross-layer detection through our Jakarta SOC
In short
XDR correlates signals from endpoint, network, cloud, and identity. Alpha Code operates it from our Jakarta SOC, with analysts who act on every finding.
Most detection tools watch one layer of your environment. The endpoint agent watches the endpoint. The firewall logs network events. The cloud platform logs API calls. The identity provider logs sign-ins and password changes. Each tool does its job, but none of them can see what is happening across all four layers at the same time. That gap is where many serious intrusions go unnoticed long enough to cause real damage.
Extended Detection and Response (XDR) is built specifically to close that gap. It pulls telemetry from endpoint, network, cloud, and identity simultaneously, correlates the signals, and surfaces findings that no single-layer tool would produce on its own. Alpha Code does not sell XDR as a standalone product. We operate it as a capability within our 24/7 Jakarta Security Operations Center, so the correlation engine and the analysts who act on its findings work together from the same operations floor.
What XDR actually does
XDR is a correlation capability, not a monitoring dashboard. The distinction matters. A monitoring dashboard shows you what happened on each layer separately. XDR asks whether a pattern on one layer connects to something on another: whether the unusual process that ran on an endpoint at 2am is related to the outbound traffic spike that appeared on the network sensor an hour earlier, and whether the same user account showed a suspicious authentication from an unfamiliar location that same night.
Those three events, seen in isolation on separate tools, might each be dismissed as low-confidence noise. Seen together through cross-layer correlation, they describe an intrusion in progress. The correlation is the capability.
The architecture: how telemetry flows through the SOC
Telemetry from the four layers feeds a correlation core, and the core's findings flow into an analyst queue for response. A worked walk-through of one intrusion:
Detection begins when the EDR agent on an endpoint records a suspicious process chain. The network sensor picks up an outbound connection from that same host a few minutes later. The cloud platform logs an API call from a service account that normally does not make calls at that hour. The identity system logs a password reset on the account associated with the affected user. None of these events, on its own, crosses the threshold for a high-confidence alert. The correlation core receives all four signals, matches them by time and asset, and produces a single consolidated finding: probable account takeover in progress, with lateral movement to cloud resources.
That consolidated finding lands in the analyst queue. An analyst reviews it, confirms the pattern, and decides on a response: isolate the endpoint, revoke the session token, and open an incident record. The whole chain from initial signal to analyst action takes minutes rather than the hours or days that manual correlation across separate tools would require.
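The walk-through above, and the three-event example in the previous section, reduced to working code. This is an added illustration, not code from Alpha Code's platform: four constructed events, each scored below the alert threshold by its own tool, are linked through the host and user they share (the endpoint event names both, so the network event that carries only the host joins the cloud and identity events that carry only the user), clustered inside a two-hour window, and summed into one consolidated finding. The hostnames, user names, IP addresses, scores and thresholds are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ALERT_THRESHOLD = 70          # assumed: score a single tool would need to page on
WINDOW = timedelta(hours=2)   # assumed: events must fall inside this span to be joined


@dataclass
class Event:
    ts: datetime
    layer: str      # endpoint | network | cloud | identity
    entity: dict    # identifiers the source tool attached: host and/or user
    detail: str
    score: int      # per-layer confidence from the source tool (constructed)


T0 = datetime(2024, 11, 2, 2, 0)
# Constructed telemetry: the four signals from the walk-through plus one unrelated event.
EVENTS = [
    Event(T0, "endpoint", {"host": "WS-0142", "user": "a.rahman"},
          "winword.exe spawned powershell.exe -enc", 35),
    Event(T0 + timedelta(minutes=4), "network", {"host": "WS-0142"},
          "outbound 443 to 203.0.113.17, TLS fingerprint not seen before", 25),
    Event(T0 + timedelta(minutes=31), "cloud", {"user": "a.rahman"},
          "ListBuckets from 198.51.100.9 outside baseline hours", 30),
    Event(T0 + timedelta(minutes=47), "identity", {"user": "a.rahman"},
          "self-service password reset from new device", 30),
    Event(T0 + timedelta(minutes=10), "endpoint", {"host": "WS-0377", "user": "d.putri"},
          "backup agent spawned cmd.exe (known scheduled task)", 20),
]


def _entity_key(events):
    """Union-find over identifiers: an endpoint event naming both host and user
    links the two, so later events carrying only one of them join the same group."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for ev in events:
        ids = [f"{k}:{v}" for k, v in ev.entity.items()]
        for other in ids[1:]:
            parent[find(ids[0])] = find(other)
    return lambda ev: find(next(f"{k}:{v}" for k, v in ev.entity.items()))


def single_layer_alerts(events, threshold=ALERT_THRESHOLD):
    """What each tool raises on its own: only events that clear the threshold alone."""
    return [e for e in events if e.score >= threshold]


def correlate(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Group events by linked asset, cluster each group inside `window`, and emit
    a consolidated finding when the cluster spans two or more layers and its
    combined score clears `threshold`."""
    key_of = _entity_key(events)
    groups = defaultdict(list)
    for ev in events:
        groups[key_of(ev)].append(ev)

    findings = []
    for evs in groups.values():
        evs.sort(key=lambda e: e.ts)
        i = 0
        while i < len(evs):
            cluster = [evs[i]]
            j = i + 1
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                cluster.append(evs[j])
                j += 1
            layers = {e.layer for e in cluster}
            total = sum(e.score for e in cluster)
            if len(layers) >= 2 and total >= threshold:
                findings.append({
                    "entities": sorted({f"{k}:{v}" for e in cluster for k, v in e.entity.items()}),
                    "layers": sorted(layers),
                    "score": total,
                    "span_minutes": int((cluster[-1].ts - cluster[0].ts).total_seconds() // 60),
                    "timeline": [f"{e.ts:%H:%M} {e.layer}: {e.detail}" for e in cluster],
                })
            i = j
    return findings


if __name__ == "__main__":
    print("per-tool alerts:", single_layer_alerts(EVENTS) or "none")
    for f in correlate(EVENTS):
        print(f"finding: score={f['score']} layers={f['layers']} entities={f['entities']}")
        for line in f["timeline"]:
            print("   ", line)
```

Run on the sample, `single_layer_alerts` returns nothing, because no event reaches 70 on its own, while `correlate` returns one finding scored 120 across all four layers, spanning 47 minutes, on the host and user pair. The scheduled-task event on the other workstation stays in its own group and never becomes a finding, which is the point of keying on linked assets rather than on time alone. A production engine would carry the entity graph forward across days rather than rebuilding it per batch, and would let analyst context (the maintenance windows and baselines described later on this page) suppress known-good clusters.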
Why multi-layer visibility changes what you can catch
Single-layer tools cannot see attacks that live across layers. Modern intrusions are designed precisely for this blind spot. An attacker who gains initial access through a phishing email may use the endpoint for only minutes before pivoting to cloud APIs or abusing legitimate identity credentials. After that pivot, the endpoint is quiet. Without visibility into what the identity system and cloud platform are doing next, the intrusion goes dark.
IBM found that breaches spanning multiple environments, meaning data stored or accessed across public cloud, private cloud, and on-premises systems, took an average of 283 days to identify and contain in 2024. Multi-environment breaches also cost more than USD 5 million on average, compared to the global average of USD 4.88 million across all breach types. The extended timeline reflects how difficult it is to correlate signals when each environment is monitored separately.
Organizations that had deployed XDR contained breaches in an average of 275 days, compared to 304 days for those without XDR, per Barracuda Networks' analysis of the IBM report. That 29-day reduction matters most for intrusions that would otherwise spread across layers before being noticed.
283 days
average time to identify and contain a multi-environment breach (IBM Cost of a Data Breach Report 2024)
275 vs 304 days
containment time with XDR vs without, per Barracuda analysis of IBM CODB 2024
40%
of breaches in 2024 involved data across multiple environments (IBM CODB 2024)
What cross-layer correlation catches that single-layer tools miss
Credential-based lateral movement
When an attacker uses stolen or forged credentials to move between systems, there is no malware file for the endpoint agent to detect. The activity looks like a legitimate login. XDR sees the combination: endpoint quiescence plus unusual authentication events plus cloud API calls from a new location, and surfaces the pattern.
Cloud-only post-exploitation
After gaining a foothold via a compromised endpoint, sophisticated attackers frequently pivot directly to cloud APIs and abandon the endpoint entirely. An endpoint-only tool goes quiet. XDR continues tracking the same identity and cloud session across the pivot.
Living-off-the-land via identity abuse
Attackers who use built-in system tools and legitimate credentials generate minimal endpoint noise. XDR correlates the low-signal endpoint events with identity privilege escalation and outbound network patterns that together indicate attacker behaviour.
Slow-and-low data exfiltration
Data exfiltration spread across days or weeks to avoid triggering volume thresholds is difficult to detect with rules written around a single layer. XDR tracks the cumulative pattern across network traffic metadata, cloud storage API calls, and authentication logs over time.
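The slow-and-low case above in code, as an added example rather than Alpha Code's own detection content. A per-day, per-layer volume rule (what a network sensor or a storage audit log might run in isolation) sits beside a rolling cross-layer rule that adds network egress and cloud storage reads per user and sums them over a 14-day window. The users, daily volumes and limits are constructed for the example; only the second rule catches the user who never exceeds the daily limit on any single layer.

```python
from collections import defaultdict
from datetime import date, timedelta

DAILY_LIMIT_MB = 500      # assumed: a single-layer, single-day volume rule
ROLLING_LIMIT_MB = 2000   # assumed: cumulative cross-layer limit over the lookback
LOOKBACK_DAYS = 14


def _build_records():
    """Constructed sample as (day, layer, user, megabytes).
    a.rahman moves 190 MB/day split across network egress (flow metadata) and
    cloud storage reads (storage API logs) for 14 days; d.putri makes one
    600 MB transfer that a daily rule catches on its own; c.wijaya is noise."""
    start = date(2024, 11, 1)
    recs = []
    for i in range(14):
        d = start + timedelta(days=i)
        recs.append((d, "network", "a.rahman", 110))
        recs.append((d, "cloud", "a.rahman", 80))
    recs.append((start + timedelta(days=3), "network", "d.putri", 600))
    recs.append((start + timedelta(days=3), "cloud", "c.wijaya", 40))
    return recs


RECORDS = _build_records()


def daily_per_layer_rule(records, limit=DAILY_LIMIT_MB):
    """Single-layer rule: flag (day, layer, user) whose volume on that one
    layer and that one day reaches the limit."""
    totals = defaultdict(int)
    for d, layer, user, mb in records:
        totals[(d, layer, user)] += mb
    return sorted((d.isoformat(), layer, user)
                  for (d, layer, user), mb in totals.items() if mb >= limit)


def rolling_cross_layer_rule(records, limit=ROLLING_LIMIT_MB, lookback=LOOKBACK_DAYS):
    """Cross-layer rule: add every layer's bytes per user per day, then slide a
    `lookback`-day window. Returns {user: (first day the window crosses limit, total)}."""
    per_day = defaultdict(int)
    for d, _layer, user, mb in records:
        per_day[(user, d)] += mb
    hits = {}
    for user in sorted({u for u, _ in per_day}):
        for d in sorted(dd for u, dd in per_day if u == user):
            window_start = d - timedelta(days=lookback - 1)
            total = sum(mb for (u, dd), mb in per_day.items()
                        if u == user and window_start <= dd <= d)
            if total >= limit:
                hits[user] = (d.isoformat(), total)
                break
    return hits


if __name__ == "__main__":
    print("daily per-layer rule:", daily_per_layer_rule(RECORDS))
    print("rolling cross-layer rule:", rolling_cross_layer_rule(RECORDS))
```

The daily rule fires once, on d.putri's 600 MB day, and never on a.rahman, whose largest single-layer day is 110 MB. The rolling rule flags a.rahman on the eleventh day, when the 14-day cross-layer total reaches 2090 MB, and ignores d.putri, whose one-off transfer stays under the cumulative limit. The lookback and limits are tuning decisions; what the example shows is that the detection only exists once bytes from two layers are summed under one identity and kept across days.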
EDR vs XDR: what the scope difference means
| | EDR (endpoint only) | XDR (cross-layer) |
|---|---|---|
| Telemetry sources | Endpoint: process, file, registry, memory | Endpoint + network + cloud + identity |
| Attacker pivot to cloud | No visibility after pivot leaves endpoint | Tracks the same session across cloud and identity layers |
| Credential abuse detection | Limited, unless process behaviour is unusual on-device | Correlates identity events with network and cloud activity |
| Alert volume | Per-endpoint alerts, often high volume | Correlated findings, fewer but more actionable |
| Response options | Isolate host, quarantine file, rollback | All EDR actions plus cloud session revocation and identity remediation |
SIEM sits differently in this picture. A SIEM aggregates log data broadly and relies on rules your team writes and maintains to produce detections. XDR ships with vendor-maintained correlation logic across the four telemetry layers listed above, so your team does not have to write and tune a rule for each attack pattern. The two are complementary: a SIEM gives you broad log retention and compliance reporting; XDR gives you automated correlation for the detection and response workflow. Our SOC operates both.
How ACT operates XDR through the Jakarta SOC
XDR is not a tool we hand you and walk away from. It is a capability we operate continuously from our Jakarta Security Operations Center. Here is what that means in practice.
Our analysts connect XDR telemetry to the full context of your environment: your asset inventory, your user baseline, your cloud architecture, and your known maintenance windows. When the correlation engine flags a pattern, the analyst reviewing it already has that context. They know whether the cloud API call at 3am is a known deployment pipeline or something that has no legitimate explanation. That context is what separates a useful finding from a noisy one.
When a finding requires action, the response happens through the same team. Depending on your service agreement, that can mean host isolation via the EDR agent, cloud session revocation, Active Directory account suspension, or escalating to a full incident response engagement through our incident response team. The SOC operation also includes threat hunting: analysts use the XDR telemetry to look proactively for activity that has not yet triggered a correlation rule, particularly for attacker techniques documented in MITRE ATT&CK that your environment may be exposed to.
We run this alongside managed MDR, which covers the detection and response workflow more broadly, and agentic AI L1 triage, which handles automated alert filtering before correlated findings reach human analysts. For a broader comparison of what SOC service models offer, see our MDR vs MSSP comparison.
References
1. IBM Security. Cost of a Data Breach Report 2024. IBM Corporation, July 2024.
2. IBM Newsroom. IBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs. July 30, 2024.
3. Barracuda Networks. 2024 IBM Breach Report: More breaches, higher costs. Barracuda Networks Blog, August 20, 2024. (Source for the XDR containment figures: 275 days with XDR vs 304 days without.)
4. MITRE. ATT&CK Framework. The MITRE Corporation.
Reviewed by Mohit Bhansali, Head of Technology
Frequently asked questions
Is XDR a standalone product?
No. XDR is a cross-layer detection and correlation capability, not a packaged product Alpha Code sells separately. We operate XDR as part of our SOC-as-a-Service from our Jakarta Security Operations Center. You get the detection coverage, the correlation, and the analysts who act on findings, together.
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements. We reply within one business day.