The mission of modernizing a Security Operations Center (SOC) is rarely simple, but when the client is the Nigerian National Petroleum Corporation (NNPC), the stakes are exponential. That is why NNPC contracted Thetabyte, a specialized cybersecurity services provider focused on large-scale enterprise SOC transformation, to lead this pivotal project.
NNPC is Nigeria’s state-owned national oil corporation and one of the largest energy companies in Africa. Its operations are critical, underpinning a large share of Nigeria’s economy, government revenue, and foreign exchange. Its environment presented extreme challenges due to its sheer scale, national importance, stringent regulatory requirements, and the need to integrate diverse legacy infrastructure.
I spoke with Ron Maman, Director of Operations at Thetabyte, who led the deployment of the Swimlane Turbine agentic AI automation platform at NNPC. Ron shares the behind-the-scenes story of how this solution enabled NNPC to overcome alert fatigue, achieve stringent compliance goals, and significantly reduce incident response times across its diverse infrastructure.
Keep reading for a Q&A-style summary of my conversation with Ron, where he details Thetabyte’s experience with Swimlane Turbine.
What specific challenges was NNPC facing that drove the critical need for AI automation?
NNPC was battling three main challenges:
- alert fatigue
- fragmented tool sets
- lack of centralized visibility across their security operations
Manual processes consistently slowed incident response, and analysts were overwhelmed by repetitive, low-priority tasks. Additionally, they were not able to reliably correlate threat intelligence feeds with their existing SIEM alerts. This missing link resulted in significant blind spots in threat detection.
Why did you choose Swimlane Turbine over other competitive solutions?
We evaluated multiple platforms. The competing platforms simply lacked the visual, drag-and-drop flexibility for building complex custom playbooks that we found in Turbine. Turbine Canvas’s low-code/no-code interface and modular playbook design provide the easiest and most effective way to build and manage automation.
The low-code playbook builder, along with its seamless API integration with virtually any tool, made it the ideal choice. It was also vital that the platform could support analysts across all levels (tier 1 through tier 3) with tailored playbooks, which Turbine handles exceptionally well.
What features are you leveraging the most in Turbine?
Our favorite features in Turbine are Canvas and dashboards and reporting.
- Canvas enables rapid prototyping and deployment of complex playbooks without requiring deep coding expertise. It really accelerates our ability to deliver new automation.
- Real-time dashboards and AI-augmented reporting provide real-time metrics and KPIs, clearly presented to both our technical SOC analysts and NNPC executive stakeholders. It’s invaluable for demonstrating ROI and maintaining visibility.
What tools have you integrated with Turbine?
Swimlane made it easy for us to connect all the tools from NNPC’s security stack with one single click via the Swimlane Marketplace. The main ones are:
- Elastic: SIEM data alert ingestion and automated triage
- VirusTotal: Real-time threat intelligence enrichment
- Jira: Facilitates automated ticket creation and tracking for seamless SOC handoffs
- Proprietary Threat Intelligence tool: Because it has an API, we were able to integrate it within Turbine and get comprehensive, real-time enrichment and context for alerts.
What are the use cases you are using Turbine for?
We focused on two key, high-impact use cases within the NNPC environment:
- Automated Incident Triage and Enrichment
Upon SIEM alert ingestion, Turbine immediately initiates automated enrichment playbooks. This involves querying external Threat Intelligence feeds for known malicious Indicators of Compromise (IOC) and performing internal asset database lookups to identify the affected owner, system criticality, and location. This provides analysts with a fully contextualized, high-fidelity alert package instantly.
- Threat Containment and Remediation
From Turbine dashboards, analysts have full visibility into automated functions such as IOC identification, data correlation, and the execution of remediation actions, including blocking malicious traffic directly at the perimeter firewall. Analysts have full control over the playbook from a single screen, enabling them to quickly execute necessary containment and defensive actions, such as IP blacklisting, without having to pivot or manually log in to disparate security tools across the stack.
What is an example of a problem Swimlane helped solve?
One significant challenge was the manual correlation of IOCs across disparate systems. Before Swimlane, analysts had to pivot manually between SIEM, EDR, and firewall logs.
With Swimlane, we implemented automated IOC correlation across all systems, reducing average investigation time from 45 minutes to under 10 minutes per alert.
Have you had a scenario where Turbine prevented a major compromise?
We had a malware campaign targeting NNPC employees. Turbine enabled us to detect and isolate the threat in under 5 minutes, successfully preventing any user compromise.
What outcomes have you achieved since implementing Turbine?
Within the first three months, we achieved a significant goal of automating over 60% of our Level 1 triage. That achievement immediately lifted significant pressure off our general analysts.
Since we implemented Turbine, we have seen a massive jump in our SOC efficiency:
- Our incident response time dropped by a huge 70%.
- Our Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) fell significantly.
- Analyst job satisfaction increased immediately, directly as a result of reducing the large manual workload.
- Audit trails and reporting instantly improved our compliance readiness.
Ultimately, Turbine provides security teams with the single greatest resource: freedom. As Ron Maman concludes:
“I would recommend Swimlane to my peers because it empowers security teams to do more with less. It automates the tedious tasks, accelerates critical response, and gives analysts the freedom to focus on what matters most.”

