Telecom companies are usually among the most frequently targeted by cybercriminals, because they operate critical infrastructure. Their networks form the backbone of national communication: mobile, internet, emergency services and business connectivity all rely on their uninterrupted functioning. A failure, outage or a targeted cyberattack can have nationwide consequences, disrupting essential services, impacting public safety or economic activity.
To defend against cyberattacks, Sunrise has assembled a team of highly qualified specialists. The Security Operations Center (SOC) is responsible for protecting the company’s digital infrastructure, customer data, and internal systems against cyber threats. Its work combines real-time monitoring, incident response, threat intelligence, and preventive measures. Together, these activities help Sunrise detect attacks early, stop them quickly, and reduce their overall impact.
Keeping threats at bay: the core mission of the Sunrise Security Operations Center (SOC)
Every month, telecom companies like Sunrise process millions of requests hitting their commercial web pages. This data forms the foundation of security monitoring, enabling the company to detect patterns, anomalies, and potential attack waves at an early stage.
The Sunrise Security Operations Center relies on a set of search, analytics and event-correlation solutions to collect and process vast quantities of technical data from across the Sunrise network. This open-source platform stores billions of individual security records, a library that is updated continuously.
These records come from many different places inside the digital infrastructure: firewalls, web traffic filters, DNS services, login systems and VPN servers. Each of these sources contributes a small piece of the picture of what is happening on the public-facing systems and inside the company.
By bringing this data together in one place, the SOC gains the visibility it needs to protect Sunrise and its customers effectively. The team responds quickly when it spots unusual behaviour, investigates possible threats, and analyses whether someone may be trying to attack or misuse Sunrise services or customers.
Thousands of malicious bots blocked every month
Alongside legitimate traffic, Sunrise identifies several thousand automated attempts each month by so-called «bad bots». These bots try to test stolen credentials, scan for vulnerabilities or scrape website content. The SOC analyses the traffic and distinguishes human login attempts from automated ones.
«Even on relatively quiet days, the system detects hundreds of automated login attempts within just 12 hours», says Adam Oczos, Head of Cyber Defense at Sunrise. During peaks, the system automatically triggers protective measures, blocks malicious requests, and alerts the team in real time.
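The kind of separation between human and automated login attempts described above can be illustrated with a small detector over login log lines. The following is an added example and not Sunrise's own tooling: the log format, the per-source-IP sliding window, the thresholds and the sample lines are all constructed here for illustration. It flags two automated patterns a SOC typically distinguishes, one source IP cycling through many different usernames (credential testing) and one source IP hammering a single account, while leaving a human who mistypes a password twice alone.

```python
"""Toy detector for automated login waves over web login log lines.

Added example, not Sunrise's tooling. Format, thresholds and sample data
are constructed for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic), one login attempt per line:
# "<ISO timestamp> <src_ip> <username> <result> <user_agent>"
SAMPLE_LOG = """\
2025-03-14T02:00:01Z 203.0.113.7 alice FAIL python-requests/2.31
2025-03-14T02:00:02Z 203.0.113.7 bob FAIL python-requests/2.31
2025-03-14T02:00:02Z 203.0.113.7 carol FAIL python-requests/2.31
2025-03-14T02:00:03Z 203.0.113.7 dave OK python-requests/2.31
2025-03-14T02:00:03Z 203.0.113.7 erin FAIL python-requests/2.31
2025-03-14T02:00:10Z 198.51.100.9 admin FAIL curl/8.4.0
2025-03-14T02:00:15Z 198.51.100.9 admin FAIL curl/8.4.0
2025-03-14T02:00:20Z 198.51.100.9 admin FAIL curl/8.4.0
2025-03-14T02:00:25Z 198.51.100.9 admin FAIL curl/8.4.0
2025-03-14T02:00:30Z 198.51.100.9 admin FAIL curl/8.4.0
2025-03-14T02:01:00Z 192.0.2.20 frank FAIL Mozilla/5.0
2025-03-14T02:01:40Z 192.0.2.20 frank FAIL Mozilla/5.0
2025-03-14T02:02:30Z 192.0.2.20 frank OK Mozilla/5.0
"""

# Constructed thresholds (assumptions, not Sunrise's values).
WINDOW = timedelta(seconds=60)   # look-back window per source IP
MIN_ATTEMPTS = 5                 # attempts inside the window before we judge
MIN_DISTINCT_USERS = 4           # many accounts from one IP => credential testing
FAIL_RATIO = 0.8                 # mostly failures on few accounts => brute force


def parse_line(line):
    """Split one log line into a dict; the user agent may contain spaces."""
    ts, ip, user, result, ua = line.split(maxsplit=4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user,
        "result": result,
        "ua": ua,
    }


def detect_automated_logins(lines):
    """Return one alert per source IP whose recent attempts look automated.

    A deque per IP holds the attempts inside WINDOW; each new attempt evicts
    the ones that fell out of the window, then the window is classified.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        q = recent[ev["ip"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        if ev["ip"] in alerted or len(q) < MIN_ATTEMPTS:
            continue
        users = {e["user"] for e in q}
        fails = sum(e["result"] == "FAIL" for e in q)
        successes = len(q) - fails
        reason = None
        if len(users) >= MIN_DISTINCT_USERS:
            reason = "credential_stuffing"
        elif fails / len(q) >= FAIL_RATIO:
            reason = "brute_force"
        if reason:
            alerted.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "reason": reason,
                "attempts": len(q),
                "distinct_users": len(users),
                # any success inside an automated burst is what gets handed to
                # fraud prevention and customer support for follow-up
                "successes": successes,
                "first_seen": q[0]["ts"].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_automated_logins(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the detector raises two alerts and none for the human user `frank`, whose three attempts are spread over more than a minute and target a single account. The `successes` field matters in practice: a credential-testing burst that includes even one successful login is the case the article describes as triggering further automated follow-up by the attacker, so it is the field a SOC would route to the fraud-prevention team rather than just block.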
In the most intense attack periods in 2025, Sunrise experienced targeted waves of automated login and attack attempts that were sustained over several consecutive weeks. «On some weekends, we saw millions of such attempts», says Oczos.
Sunrise SOC blocks thousands of malicious bots every month, keeping real users and customers safe
These incidents often occur at night or during time windows that the attackers assume are less supervised, such as Friday afternoons or during holidays. Even a small number of successful logins can trigger further automated actions by attackers, including fraudulent transactions or attempts to harvest personal data.
For this reason, the SOC works closely with the internal fraud prevention team and customer support to investigate any suspicious login pattern immediately. Monitoring and high-level security measures are in operation around the clock, 24/7, every day of the year.
Geopolitical tensions have fostered the emergence of sophisticated attackers, particularly malicious botnets. The team dedicates heightened attention to these expansive networks of compromised devices, which are covertly controlled by threat actors aiming to disrupt organizations, conceal the true origin of attacks, or unleash massive surges of digital traffic capable of overwhelming sections of the internet.
«Botnets are used these days for anything from taking down infrastructure to validating users' credentials, or getting administrative access», says Adam Oczos. This is why the SOC actively monitors threat actors linked to regions such as Russia or Iran when their operations indicate a focus on telco infrastructure.
Some of the best-known botnets include Aisuru-Kimwolf and ResHydra, which experts say are capable of record-breaking attacks, of influencing geopolitical tensions, or even of threatening national infrastructure. «Before the concern was websites; now the concern is countries», the «Wall Street Journal» quotes Craig Labovitz, head of technology with Nokia’s Deepfield division.
Sunrise blocks attacks through shared intelligence
By combining fingerprinting techniques, web-application firewalls, and international threat intelligence feeds, Sunrise detects and blocks malicious activity. Traffic is routed through cloud-based filtering layers and internal security controls that automatically block harmful patterns.
Threat intelligence plays a central role, as Sunrise collaborates with European telecom security groups, Swiss CERT organisations and industry peers. These partnerships enable the exchange of so-called indicators of compromise (IoCs), IP blocklists and emerging threat insights. The SOC integrates this information directly into its systems, allowing real-time detection and automated blocking of known malicious infrastructure.
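To show what "integrating shared indicators directly into its systems" amounts to in code, here is an added example that is not Sunrise's tooling: a tiny feed loader that takes indicators of compromise from partner feeds (single IPs, IP ranges and domains) and matches them against events from a firewall, a VPN gateway and a DNS resolver, deciding between an automatic block and an analyst alert based on the confidence the sharing partner attached. The feed format, the partner names, the confidence threshold and all sample indicators and events are constructed for illustration.

```python
"""Added example: matching partner-supplied indicators of compromise (IoCs)
against firewall, DNS and VPN events. Illustrative code, not Sunrise's own;
feed format, partner names, thresholds and sample data are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed feed: indicator,type,source,confidence (0-100).
# The partner names are placeholders, not real sharing groups.
FEED = """\
# indicator,type,source,confidence
198.51.100.23,ipv4,peer-telco-share,90
203.0.113.0/24,cidr,cert-bulletin,75
bad-updates.example,domain,telco-isac,85
"""

# Constructed events as they might be normalised out of the log platform.
EVENTS = [
    {"src": "firewall", "field": "dst_ip", "value": "198.51.100.23"},
    {"src": "vpn", "field": "src_ip", "value": "203.0.113.77"},
    {"src": "dns", "field": "qname", "value": "cdn.bad-updates.example"},
    {"src": "firewall", "field": "dst_ip", "value": "192.0.2.10"},
]


@dataclass(frozen=True)
class Ioc:
    indicator: str
    kind: str         # "ipv4", "cidr" or "domain"
    source: str       # which partner shared it
    confidence: int   # 0-100 as reported by that partner


def load_feed(text):
    """Parse the constructed CSV-style feed, skipping comments and blanks."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicator, kind, source, confidence = line.split(",")
        iocs.append(Ioc(indicator.lower(), kind, source, int(confidence)))
    return iocs


def matches(ioc, value):
    """True if the observed value is covered by the indicator."""
    if ioc.kind == "ipv4":
        return value == ioc.indicator
    if ioc.kind == "cidr":
        try:
            net = ipaddress.ip_network(ioc.indicator, strict=False)
            return ipaddress.ip_address(value) in net
        except ValueError:          # value is not an IP address at all
            return False
    if ioc.kind == "domain":
        host = value.lower().rstrip(".")
        return host == ioc.indicator or host.endswith("." + ioc.indicator)
    return False


def evaluate(events, iocs, block_threshold=80):
    """Return a decision per event that hits at least one indicator.

    If several indicators match, the highest-confidence one decides; at or
    above block_threshold the match is blocked automatically, below it the
    event is only raised to an analyst.
    """
    decisions = []
    for ev in events:
        hits = [ioc for ioc in iocs if matches(ioc, ev["value"])]
        if not hits:
            continue
        best = max(hits, key=lambda i: i.confidence)
        action = "block" if best.confidence >= block_threshold else "alert"
        decisions.append({
            "event": ev,
            "ioc": best.indicator,
            "source": best.source,
            "confidence": best.confidence,
            "action": action,
        })
    return decisions


if __name__ == "__main__":
    for d in evaluate(EVENTS, load_feed(FEED)):
        print(d["action"], d["event"]["src"], d["event"]["value"], "<-", d["ioc"], d["source"])
```

Two design points are worth noting. Matching a DNS query against a domain indicator has to cover subdomains (`cdn.bad-updates.example` is caught by `bad-updates.example`), and CIDR indicators must be tested with real IP parsing rather than string prefixes, otherwise `203.0.113.0/24` would silently fail to cover `203.0.113.77`. Keeping the confidence and the source on every decision is what makes automated blocking defensible: a lower-confidence range from one partner only raises an alert, while a high-confidence single IP is blocked outright, and the analyst can always see which feed drove the action.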
In summary, Sunrise’s robust cyber security and cyber defence framework and its collaborative approach have been, and remain, the key to keeping its business and customer data protected, even at a time when conflicts and wars are raging across the globe.
