I recently had the opportunity to visit Kyndryl's offices in Madrid, where, together with other technology journalists, we took part in an immersive simulated cyber attack. From the War Room of the Kyndryl SOC we witnessed what they call a Tabletop, that is, a realistic crisis simulation run from the SOC. The company assures us that the exercise is the same one it carries out with its clients in the SOC, so that they are prepared to react as effectively as possible, with cyber resilience, when a cyber attack occurs.

According to the Kyndryl Readiness Report 2025, three in five managers globally say they feel more pressure this year than last to obtain a return on their AI investment, and that its main use case is cybersecurity. In Spain, 71% claim to have suffered some cybersecurity-related interruption to their activity.

Kyndryl's objective with this exercise is to show organizations everything that happens behind closed doors when a company suffers an attack, and why a team of SOC experts is needed to protect, react and recover with the least possible damage to the company.

Kyndryl SOC Data

Before the drill, the company gives us a guided tour of the SOC, which is built to the high-level standards of the Spanish National Security Scheme. The room is isolated at the connectivity level and has uninterruptible power supply systems to withstand power outages of 8 to 10 hours. Karen Gaines, vice president and director of Kyndryl's security and resilience practice in Spain and Portugal, explains that Kyndryl's SOC belongs to the National SOC Network and holds the main certifications (ISO, CSIRT and FIRST), taking advantage of the company's structure, collaboration and alliances with cybersecurity solution manufacturers and large hyperscalers.

The SOC uses tools such as a SIEM (Microsoft Sentinel) to correlate events and detect anomalies, as well as OpenCTI (threat intelligence), which lets them be proactive, investigating attacker groups and feeding that information into the security systems. In fact, the Threat Intelligence team is dedicated to identifying threats and transferring them to the systems to prevent breaches, adapting to new technologies such as AI. Kyndryl relies on proprietary or client technologies, offering managed services or support for existing tools. All operators work in a unified console (RTIR) to manage security incidents in the SOC, applying playbooks or escalating to higher levels.

Kyndryl has seven SOCs globally, in addition to two dedicated rooms located on the premises of two large banks to provide a dedicated service. The Madrid SOC, where 75 people work, has a replica in Salamanca to guarantee high availability.

With AI, shadow IT increases

Nacho Hontoria, head of security services at Kyndryl in Spain and Portugal, explains that "the critical incidents team is the one that sets the security guidelines, while the IT teams help to reverse the situation. Ransomware attacks tend to have the greatest impact because of their ability to encrypt the servers," he says. In fact, "90% of attacks usually occur through a person, such as shadow IT. For this reason, it is important to catalog the data well and apply governance to it," he adds.

Hontoria explains that attack alarms are usually raised only when the attackers reach well-protected systems, after they have already got into the unprotected part. "For this reason we are doing awareness exercises, since although companies are aware, the user or employee is usually the critical point of access."

The manager describes how the SOC has evolved in the world of cybersecurity, going from a reactive team to trying to be one step ahead. "Being proactive and identifying threats everywhere is key to being able to move into our systems and avoid these types of breaches that occur." He also adds that with AI, shadow IT is increasing, to the point that controls on the toxicity of "prompts" are being introduced to ensure that data is not leaked.

Cyber attack exercise

The incident simulation exercise run from the SOC seeks to raise awareness, especially among senior management, testing response protocols and detecting deficiencies before real incidents occur. Senior management roles (CEO, Legal Director, Communications Director, Operations, CISO and Technical Leader) are assigned to participants, and the exercise is led by a SOC expert, with technical support to resolve doubts and blockages, encouraging the free expression of ideas.

The event escalates so that in less than 48 hours the attackers make the stolen information public: confidential sources, internal emails and personal client data. The incident thus becomes a reputational, legal and ethical crisis, and pressure from the media and social networks is immediate.

Karen Gaines, vice president and head of Kyndryl’s security and resilience practice in Spain and Portugal

Paco Guirado, associate director for security and resiliency at Kyndryl Consult in Spain and Portugal, and Blanca Ruiz, senior cybersecurity consultant at Kyndryl in Spain and Portugal, guide us through the simulation exercise and the steps that must be taken: detection of the cyber incident, convening the crisis committee, consulting the incident response manual, and accessing backups.

Guirado highlights the role played by the SOC incident response team, a group of people who do forensic analysis for a living and whom not all companies can afford to have on staff. They are essential for measuring the impact and determining the countermeasures that must be applied.

Kyndryl's cyber resilience approach to an attack is applied through the Kyndryl Cyber Resilience Framework, which helps affected companies not only resist and recover but also manage processes, guide people and foster communication. It is structured on the following five pillars:

1.- Identification: analyzing the vulnerabilities and risks specific to the scenario.

2.- Protection: proposing the necessary layers of protection, from access to networks and data.

3.- Detection: simulating the early detection mechanisms that would have allowed the attack to be stopped before it escalated.

4.- Response: evaluating strategic decisions and coordination between departments: communication, legal, IT.

5.- Recovery: demonstrating how a prepared infrastructure, with backups, hybrid platforms and forensic response, allows activity to be recovered in the shortest possible time.

In conclusion, the company stresses that cyber resilience is not a product but a strategy. Communication is key. Regulations help, as long as they are followed properly, and the role of each and every department is decisive for a good final result.