How Elastic Security and Kyndryl deliver faster, smarter managed SOC operations

Security teams today must protect increasingly complex environments against fast-changing threats, all while managing costs and avoiding unnecessary disruption. Through a new strategic alliance, Elastic Security and Kyndryl’s Security Operations as a platform (SOaap) are coming together to address that challenge.
Elastic’s AI-powered detection and investigation capabilities now integrate seamlessly with Kyndryl’s global security operations center (SOC) services and operating model. The joint reference architecture includes:
- Elastic Security for detection, triage, investigation, and analysis
- Kyndryl Security Orchestration, Automation, and Response (SOAR) for orchestration
- Kyndryl Case Management for workflow
- Kyndryl Bridge for executive visibility
In this blog, we’ll share how the Elastic Security and Kyndryl alliance provides a strategic model that preserves customer choice, raises SOC effectiveness, and delivers consistent, auditable outcomes for users across geographies and industries.
How Elastic Security and Kyndryl work together
Elastic Security
Elastic Security unifies security information and event management (SIEM) and endpoint & extended detection and response (EDR & XDR) in a single, AI-powered platform. It detects threats with advanced analytics, enriches investigations with contextual intelligence, and applies AI to correlate signals, prioritize risks, and generate incident narratives that accelerate investigation and response. Features like Attack Discovery automatically analyze streams of alerts; correlate them across users, hosts, and timelines; and present a coherent view of an attack — transforming noisy data into actionable security stories.
Kyndryl SOC MSSP Services
Kyndryl operates a global network of SOCs that integrate seamlessly with customer environments. Its analysts manage incidents with consistent processes, playbooks, and automation from a single pane of glass, providing 24/7 visibility and rapid response without forcing tool changes.
Kyndryl Bridge
Kyndryl Bridge is an AI-powered, open-integration digital business platform that allows customers to integrate, observe, and orchestrate across their entire technology environment — essentially, it’s Kyndryl’s executive dashboard layer. It aggregates telemetry and KPIs from security and operational platforms (including SOAR) into role-friendly views — including MTTR, case volumes, SLA conformance, and automation rates — so CISOs and operations leaders can track risk and performance in one place.
Elastic + Kyndryl: A global alliance
The alliance is strategic on both sides and built to deliver measurable outcomes. Customers who use Elastic alongside Kyndryl’s services benefit from richer threat context, faster detection-to-response cycles, more effective automation, and clearer executive visibility. For Kyndryl, Elastic provides higher-fidelity signals and automation-ready incidents, enhancing SOC efficiency and enabling analysts to focus on what matters most.
Using Elastic Security and Kyndryl together, customers can now experience the following benefits:
- Better outcomes with Elastic: Kyndryl’s SOC can integrate with different SIEM platforms, but the greatest advantages for customers are delivered when Elastic is part of the solution. Elastic’s AI-driven detections and contextual analytics give Kyndryl richer signals and context to work with, leading directly to faster investigations, higher automation coverage, and stronger security outcomes.
- Shorter time to value: Use a bring-your-own-license model with no data relocation. Kyndryl pulls incidents and alerts — not raw data — minimizing disruption and data-transfer costs.
- Consistency at global scale: The same SOAR-first processes, playbooks, and KPIs apply across Kyndryl SOCs (Americas, EMEA, APAC/India), with Kyndryl Bridge exposing leadership views.
- AI that moves the needle: Elastic’s AI capabilities, including Attack Discovery, raise fidelity and collapse triage time. Kyndryl validates once and then codifies remediations, progressively removing manual steps until the workflow is safely automated.
Operating model at a glance
Data and control planes
1. Elastic Security (SIEM/EDR)
- Detections via rules, analytics, and AI-assisted attack discovery and triage
- Case/alert artifacts and investigative context available via UI and APIs
2. Kyndryl SOAR
- Ingests incidents (or alerts where required) from Elastic via the Elastic SOAR connector
- Runs standardized playbooks, performs query/enrichment steps (many executed back against Elastic via APIs), and orchestrates actions across the estate
3. Kyndryl Case Management
- The authoritative record of each incident’s lifecycle
- Tracks investigation progress, captures required approvals, and provides a collaboration space for analysts and customer stakeholders according to policy
4. Kyndryl Bridge
- Consolidated KPI/telemetry layer for security and operations (e.g., MTTR, case aging, automation coverage), primarily fed from SOAR plus select direct sources
The role of Kyndryl SOaap
SOaap is the operating model that integrates all these planes into one framework. Rather than a collection of tools, SOaap orchestrates the flow of Elastic’s detections into playbooks, captures analyst and automation decisions in case management, and rolls metrics up into Kyndryl Bridge dashboards. It is the architecture that delivers consistency, measurability, and efficiency at global scale.
Tenancy and data residency
- No SIEM data movement: Raw logs and security data typically remain within the customer’s chosen Elastic environment (on-premises or cloud). Kyndryl pulls only the resulting incidents, alerts, and metadata required for response.
- BYOL or MSSP-provided: If the customer owns the Elastic license, they retain full control of the deployment while Kyndryl overlays SOaap services. If Elastic is provided as part of a Kyndryl-delivered MSSP service, Kyndryl procures and operates the platform on the customer’s behalf. In this model, data is hosted in the geographic location selected by the customer, but it is fully managed and processed by Kyndryl within the managed service scope.
End-to-end flow from Elastic to Kyndryl
Elastic ↔ Kyndryl SOAR ↔ Kyndryl Case Management ↔ Kyndryl Bridge
1. Detect in Elastic
Detections and analytics produce alerts. Elastic Security’s AI capabilities — including Attack Discovery — group related alerts into a situation/attack narrative with entities, a timeline, and the set of relevant alerts. Customers can choose their preferred AI model for this process, including options deployed fully on-premises, ensuring compliance, data sovereignty, and architectural flexibility.
2. Ingest to Kyndryl SOAR
Kyndryl SOAR connects to Elastic on a short cadence via the joint connector and pulls incidents. Each record is normalized into Kyndryl’s case schema.
3. Playbooks and enrichment
Standardized Kyndryl playbooks execute: threat-intel lookups, user/host context, Elastic back-queries, evidence attachment, and risk scoring.
4. Case handling and collaboration
Kyndryl SOAR opens and/or updates the Kyndryl Case Management record. Customer stakeholders collaborate and approve actions there if required by policy.
5. Actioning and remediation
Kyndryl SOAR orchestrates actions, including Elastic queries and updates, EDR host isolation, identity lockdown, and network controls. Runbooks begin with human-in-the-loop approvals, and steps are graduated to automation as fidelity is proven.
6. Reporting to Kyndryl Bridge
Kyndryl SOAR emits case KPIs and telemetry to Kyndryl Bridge for leadership dashboards (e.g., MTTA/MTTR, case aging, automation coverage, top use cases by volume/impact). Kyndryl Bridge also surfaces relevant customer-facing security views.
The role of SOaap in the flow
Throughout this flow, SOaap acts as the operational backbone that binds all components of the joint solution into a single, cohesive process. It seamlessly transitions AI-curated incidents from Elastic into orchestrated response playbooks, so that every decision and remediation step is captured and auditable within the case management system and telemetry and outcomes are automatically fed into Kyndryl Bridge dashboards. By connecting detection, enrichment, orchestration, case lifecycle management, and reporting into one continuous workflow, SOaap transforms individual tools into a coordinated security operations capability.
Example scenario: Credential compromise and lateral movement
1. Detection in Elastic Security
- Multiple failed logins followed by a successful one from a suspicious location trigger Elastic Security rules.
- Elastic Security, using Attack Discovery, groups these alerts with related signals: new device fingerprint, abnormal geolocation, and unusual access to sensitive files.
- Instead of leaving 50+ separate alerts for analysts, Elastic Security produces a single incident narrative describing a likely credential compromise with lateral movement.
2. Ingestion into Kyndryl SOaap
- The incident is pulled into Kyndryl SOAR via the connector.
- The incident is enriched automatically: Threat intel lookups confirm the IP address is on a known malicious list, and user context shows no recent password reset.
3. Case management and collaboration
- A case is created in Kyndryl Case Management.
- The customer’s policy requires approval before disabling accounts, so the case routes automatically to the customer’s security lead for sign-off.
4. Actioning and remediation
- With approval, Kyndryl SOAR executes containment: locks the compromised account, forces a password reset, and isolates the endpoint via EDR, which Elastic provides as part of its Security solution.
- Simultaneously, the SOAR queries Elastic Security again for any related activity (pivoting across entities).
5. Reporting and learning
- All actions, timing, and approvals are logged in the case record.
- KPIs such as MTTR and time-to-containment are pushed into Kyndryl Bridge for CISO dashboards.
- The pattern (failed logins + suspicious geo + new device) is marked as a validated high-fidelity use case; next time, much of the workflow can be auto-remediated safely.
Outcome: What would normally take hours of manual correlation across dozens of alerts is compressed into a few minutes — from Elastic Security’s attack narrative to orchestrated response in SOaap — with clear visibility for the customer and measurable efficiency gains for the SOC.
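A toy version of the SOaap gating logic from steps 2 to 5 of this scenario, as an added example that is not Elastic's or Kyndryl's code: the alert schema, the threat-intel list, the identity context and the approval policy are all constructed. It shows containment held behind customer sign-off on the first occurrence, and released to auto-remediation only once the pattern has been marked as a validated use case and enrichment confirms the indicator.

```python
# Added example (not Elastic/Kyndryl code): schema, TI list, identity context and policy are constructed.
from dataclasses import dataclass, field

KNOWN_BAD_IPS = {"203.0.113.7"}  # constructed TI list (TEST-NET-3 address, not a real indicator)
# Constructed alert group, already correlated into one incident by the SIEM.
INCIDENT_ALERTS = [
    {"rule": "auth_failure_burst", "user": "jdoe", "src_ip": "203.0.113.7"},
    {"rule": "auth_success", "user": "jdoe", "src_ip": "203.0.113.7"},
    {"rule": "abnormal_geo", "user": "jdoe", "src_ip": "203.0.113.7"},
    {"rule": "new_device", "user": "jdoe", "src_ip": "203.0.113.7"},
    {"rule": "sensitive_file_access", "user": "jdoe", "src_ip": "203.0.113.7"},
]

@dataclass
class Case:
    use_case: str
    approval_required: bool
    enrichment: dict
    actions: list = field(default_factory=list)  # auditable record of every step taken

def classify(alerts):
    """Reduce the alert group to a use-case signature (the reusable pattern)."""
    rules = {a["rule"] for a in alerts}
    parts = []
    if {"auth_failure_burst", "auth_success"} <= rules:
        parts.append("failed_logins")
    if "abnormal_geo" in rules:
        parts.append("suspicious_geo")
    if "new_device" in rules:
        parts.append("new_device")
    return "+".join(parts)

def enrich(alerts):
    """Playbook enrichment: TI lookup plus constructed identity context."""
    ips = {a["src_ip"] for a in alerts}
    return {"ti_match": bool(ips & KNOWN_BAD_IPS), "recent_password_reset": False}

def handle_incident(alerts, validated_use_cases=frozenset(), approved=False):
    """Containment runs only after sign-off, unless the pattern is already validated."""
    use_case, enr = classify(alerts), enrich(alerts)
    auto_ok = use_case in validated_use_cases and enr["ti_match"]
    case = Case(use_case, approval_required=not auto_ok, enrichment=enr)
    case.actions.append("case_opened")
    if case.approval_required and not approved:
        case.actions.append("routed_to_customer_security_lead")
        return case  # wait for human sign-off; nothing else runs yet
    case.actions += ["lock_account", "force_password_reset", "edr_isolate_host",
                     "pivot_query_siem", "kpis_emitted_to_bridge"]
    return case
```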
How Elastic Security accelerates secure automation with AI
| Stage | What happens |
|---|---|
| The old way | Rules trigger 100+ alerts. An L1 analyst must correlate, dedupe, and decide whether to open a case. |
| With Elastic Security | Elastic scans alert clusters using AI enriched with documentation, playbooks, security knowledge, environment context, and custom data sources. It yields a structured incident narrative — timeline, lateral movement, entities, indicators of compromise, and the small subset of alerts that actually matter — available in the UI and via APIs. |
| In Kyndryl SOaap | Kyndryl SOAR pulls the AI-curated incident. An analyst validates once (L2/L3). Repeatable patterns quickly move to guard-railed automation and then to auto-remediation when confidence is consistently high. |
| Results | Faster triage, fewer handoffs, earlier and safer automation — without bypassing governance. |
Outcomes customers are seeing today:
- Sharper signal, less noise: Elastic’s detections and AI context turn noisy alert streams into high-fidelity incidents that Kyndryl can act on immediately.
- Speed with confidence: Mean time to acknowledge/respond drops as more steps graduate to automation — with approvals and auditability intact.
- Protection that keeps improving: Each validated incident feeds back into detections and playbooks, hardening response and raising the automation ceiling.
- Executive clarity: CISOs get unified, role-ready dashboards in Kyndryl Bridge — security posture, SOC performance, and automation impact in one place.
A strategic framework for better security outcomes
The Elastic and Kyndryl alliance is more than a technical integration; it is an operating model built on shared commitment to efficiency, scalability, and measurable outcomes. Elastic delivers AI-powered security analytics and attack discovery that elevate the fidelity of security signals. Kyndryl operationalizes those signals across its global SOC network, applying standardized playbooks, case management, and Kyndryl Bridge reporting.
Together, they enable significant improvement in MTTR, greater automation coverage, and more transparent executive reporting. Customers benefit from the innovation cycle of Elastic Security and the global reach and rigor of Kyndryl SOC operations, joined through SOaap as the common framework.
This alliance creates a repeatable, scalable approach to managed security — one that is flexible to customer choice of data residency and AI models but consistent in its outcomes: faster detection, safer automation, and clearer accountability.
Looking ahead
The collaboration is just beginning to show its potential. As Elastic continues to expand AI-driven detection and investigation capabilities, and as Kyndryl scales them across its global SOC network, the alliance will keep advancing the state of managed security. The trajectory is clear: tighter integration, higher automation confidence, and stronger security outcomes for customers worldwide.
The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.