
How Threat Campaign Detection Helps Cut Through Alert Fatigue

Security fatigue gets attention for a reason. Phishing emails, authentication prompts, and constant vigilance all take a toll. But alert fatigue is the deeper, more destructive force. It overwhelms analysts, delays response, and creates blind spots that adversaries exploit.

Security teams today are buried under noisy alerts and fragmented tooling. False positives waste time. Manual triage eats up valuable analyst hours. Eventually, burnout sets in and threats slip by. It is not a hypothetical risk. Some of the most significant breaches in recent years have been traced back to missed warning signs that were buried in overwhelming alert noise.

This is not just a technology problem. It is a process problem shaped by outdated systems.


Why Alert Fatigue Persists

Most security teams still depend on traditional SIEMs. These systems rely on static rules and high-volume alerting. That worked when data volumes were small and threats were simple. Today, it fails.

Teams now process more log data than ever, but legacy tools cannot keep pace. Searching across large datasets becomes painfully slow. Storage costs escalate. Licensing models force trade-offs between visibility and budget. Many organizations are forced to drop logs just to stay within limits.

At the same time, attackers are more subtle. They stretch campaigns over weeks. They blend in. They do not set off single, high-fidelity alarms. They leave a trail of weak signals that are only meaningful when seen together.

According to the 2025 Verizon Data Breach Investigations Report, alert overload contributed to delayed detection in more than half of all breaches. When threat signals get buried in noise, organizations don’t just lose time—they lose ground.


Campaign-centric Detection is the Shift That Matters

Instead of relying on single alerts, Graylog helps teams link related activity into threat campaigns. This approach cuts through noise and focuses analyst attention on actual adversary behavior.

Campaign-centric detection connects isolated events to uncover a full attack narrative. That means fewer alerts, but each one is more meaningful. Analysts spend less time chasing dead ends and more time stopping real threats.
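As an added illustration of the correlation idea in the two paragraphs above (example code, not Graylog's own), a handful of constructed weak signals for one user, none of which would justify an alert on its own, are grouped by the shared entity over a seven-day window into a single scored campaign. The users, signals, weights and thresholds are assumed values.

```python
"""Campaign-centric correlation over constructed sample events.

Each event is a weak signal that would not fire an alert by itself;
grouping by the shared entity inside a sliding window turns the set of
weak signals into one campaign with a combined score.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Each tuple: (timestamp, user, signal).
EVENTS = [
    ("2025-03-01T02:10:00", "alice", "failed_login"),
    ("2025-03-01T02:11:00", "alice", "failed_login"),
    ("2025-03-03T09:30:00", "alice", "new_geo_login"),
    ("2025-03-04T22:05:00", "alice", "mfa_device_added"),
    ("2025-03-06T23:40:00", "alice", "mailbox_rule_created"),
    ("2025-03-02T08:00:00", "bob", "failed_login"),
    ("2025-03-02T08:01:00", "bob", "new_geo_login"),
    ("2025-04-20T10:00:00", "bob", "mfa_device_added"),  # weeks later: separate window
]

# Assumed weight of each weak signal; no single signal reaches ALERT_THRESHOLD.
WEIGHTS = {
    "failed_login": 1,
    "new_geo_login": 3,
    "mfa_device_added": 4,
    "mailbox_rule_created": 4,
}
ALERT_THRESHOLD = 8          # a campaign fires only when the combined weight reaches 8
WINDOW = timedelta(days=7)   # campaigns stretch over weeks, so correlate widely


def build_campaigns(events, window=WINDOW):
    """Group each user's events into windows; each window is a candidate campaign.

    A new window starts when an event falls more than `window` after the first
    event of the current window. Returns a list of campaign dicts.
    """
    by_user = defaultdict(list)
    for ts, user, signal in events:
        by_user[user].append((datetime.fromisoformat(ts), signal))

    campaigns = []
    for user, evs in by_user.items():
        evs.sort()
        current = None
        for ts, signal in evs:
            if current is None or ts - current["start"] > window:
                current = {"user": user, "start": ts, "end": ts,
                           "signals": [], "score": 0}
                campaigns.append(current)
            current["end"] = ts
            current["signals"].append(signal)
            current["score"] += WEIGHTS.get(signal, 0)
    return campaigns


def campaign_alerts(events, threshold=ALERT_THRESHOLD):
    """Only the campaigns whose combined score crosses the threshold."""
    return [c for c in build_campaigns(events) if c["score"] >= threshold]


def single_event_alerts(events, threshold=ALERT_THRESHOLD):
    """Baseline for comparison: per-event alerting fires on none of these weak signals."""
    return [e for e in events if WEIGHTS.get(e[2], 0) >= threshold]


def narrative(campaign):
    """One-line attack narrative an analyst can hand to stakeholders."""
    steps = " -> ".join(campaign["signals"])
    span = (campaign["end"] - campaign["start"]).days
    return (f"{campaign['user']}: {steps} over {span} days "
            f"(score {campaign['score']})")


if __name__ == "__main__":
    for c in campaign_alerts(EVENTS):
        print(narrative(c))
```

With these inputs the per-event baseline raises nothing, while the campaign view raises exactly one alert for alice with the full sequence laid out.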

This matters now more than ever. A 2025 SANS SOC survey found that alert triage consumes more time than any other task in the detection and response cycle. Fifty-eight percent of teams named it their biggest drain, far surpassing investigation and response. Analysts need better signal quality, not more noise.

The impact of campaign detection is immediate:

  • Stronger signals with less clutter
  • Threat visibility aligned with business context
  • Faster, more confident decisions in the moment


Recent campaigns like Volt Typhoon and Midnight Blizzard show how attackers rely on quiet, persistent techniques. Campaign correlation helps those techniques stand out.


Traditional SIEMs Cannot Keep Up

Legacy SIEMs were not built for behavior-based detection. They count events, not context. They generate alerts, not answers.

A campaign-centric model does more than log what happened. It helps analysts understand why it happened and how it fits into a broader adversary strategy. That context changes the way security teams work, and the way they communicate with the business.

Buyer expectations are shifting fast. According to Gartner, security teams are no longer satisfied with SIEMs that overwhelm users with disconnected alerts and rigid rule logic. Instead, there is growing demand for tools that support campaign-based detection and are built with the analyst experience in mind. This reflects real operational pain—burnout, alert fatigue, and the cost of slow investigations—not just a wish list for better features.

This change also benefits leadership. When analysts can frame threats as connected campaigns rather than isolated events, they offer clearer insights into what happened, why it matters, and how to respond. That makes security risks easier to explain, and easier to defend at the executive and board level.


Better Outcomes for the Entire Team

The move to campaign-centric detection brings measurable benefits:

  • Less burnout across Security Operations teams
  • Smarter logging decisions without budget surprises
  • Clearer threat narratives for executive stakeholders


This shift is not about tuning rules. It is about enabling people to do their best work. By giving analysts better context and fewer distractions, campaign thinking delivers more efficient operations, faster response, and higher confidence.

Campaign-based detection is working. And for teams that want to stop reacting to individual alerts and start understanding adversary behavior, this is the clearest path forward.

Cut through alert fatigue. See how Graylog Security helps analysts detect real threats, not just noise.


About Graylog
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

What is threat detection and response (TDR)? A comprehensive explanation

Threat detection and response (TDR) is about taking cybersecurity from a reactive to a proactive state. Instead of relying on damage control and post-breach cleanup, TDR prioritizes spotting cyber threats early and shutting them down before attackers compromise your infrastructure, steal data, or disrupt operations.

The logic is simple enough — why wait for a cyberattack to strike? Monitor constantly, detect threats early, and close the gaps on your attack surface before attackers exploit security risks.

In this article, we’ll break down the different parts of a TDR process, how it works, and how you can empower your team to be more proactive in spotting and shutting down cyber threats. We’ll also explore key challenges, best practices, and real-world examples to show why TDR is growing in importance to security operations center (SOC) teams and CISOs.

What is threat detection and response (TDR)?

Threat detection and response (TDR) is a cybersecurity approach that prioritizes detecting potential threats in real time and acting quickly to eliminate them. It uses data from across your IT environment (such as endpoints, networks, or the cloud) to detect cyber threats alongside external threat intelligence sources to spot potentially malicious activity — and shut down attacks before they spread.

These days, most cyber threats don’t barge in through the front door. Attackers log in with stolen credentials, move laterally through cloud environments, or abuse legitimate tools and vendors to stay hidden. With an attacker already inside, perimeter security tools like firewalls and antivirus aren’t enough. What’s needed is a system that can identify threats, spot ongoing intrusions in real time, and shut them out fast.

TDR connects multiple layers and data points of your tech stack — network traffic, endpoint detection, identity systems — into one system of monitoring and response. It combines signature-based detection, behavioral analysis, and real-time telemetry to spot security issues and trigger the response process.

When needed, security operations teams step in. But increasingly, malware detection and threat response rely on automated systems powered by machine learning.

To respond effectively to advanced persistent threats, TDR should run 24/7 across your environment. Currently, the average time to identify a breach is 194 days. A comprehensive threat detection process enables you to find that breach quickly, deploy a solution, and lock it down before it spreads. As the system grows and learns, threat hunting becomes faster, and anomaly detection rates rise.

Today, TDR is a core part of government-level cybersecurity frameworks — from the EU’s NIS2 directive to the NIST Cybersecurity Framework in the US. Therefore, TDR plays a critical role in protecting infrastructure, meeting compliance requirements, and maintaining trust with customers, partners, and employees.

In short, advanced threat detection and response means you don’t wait for the alarm to go off. You look for signs or hear footsteps, and move before damage is done.

Why is threat detection and response important?

The impact of late detection is more than technical — it’s financial. According to IBM’s 2024 Cost of a Data Breach Report, organizations that took more than 200 days to detect a breach paid 28% more on average than those that identified it in under 30 days. That’s millions lost to downtime, remediation, regulatory fines, and long-term reputational damage. A weak response plan can compound the damage.

As we mentioned above, even the best firewalls and antivirus tools can’t catch everything. Attackers don’t always break in — sometimes, they just log in. Stolen credentials or session cookies, misconfigured cloud assets, and shadow IT (unapproved tech used at work) can give threat actors clandestine access.

Cyberattacks also rarely happen in isolation. Once inside, threat actors move laterally — exploiting overlooked assets and jumping between endpoints, SaaS environments, or identity systems. Without real-time threat detection across your stack, these movements go unnoticed until it’s too late.

Threat detection and response brings together telemetry, advanced threat detection, and automation to reduce dwell time and stop threats mid-action. Whether through endpoint threat detection and response or identity threat detection and response, it helps security teams detect threats at every layer — before damage spreads.

Recent regulations have raised the bar for incident readiness, and a threat detection and response program is becoming a legal and operational necessity. It protects your infrastructure, your data, your customers, and your bottom line.

What types of threats can TDR detect and mitigate?

Some of the threat categories a modern TDR setup can detect and mitigate:

  • Credential-based attacks. The majority of breaches now start with compromised credentials. TDR systems detect compromised credentials by monitoring deep and dark web sources like forums, Telegram groups, ransomware blogs, and illicit marketplaces. TDR systems flag unusual login activity, impossible travel logins, or repeated failed attempts that might signal password spraying or account takeover.
  • Insider threats. Whether malicious or accidental, employee actions can expose sensitive data. Insider threat detection tools within TDR help spot irregular file access, unusual privilege escalation, or data exfiltration attempts.
  • Malware and ransomware. TDR systems use both signature- and behavior-based detection to catch known malware strains or infostealer variants. They can also detect early signs of ransomware and isolate systems before encryption spreads. When combined with dark web monitoring, TDR can help identify stolen credentials or malware kits being traded online — giving teams an early warning before attacks begin.
  • Lateral movement. Once inside, attackers don’t hang about. TDR tracks movement between endpoints, cloud environments, and identity systems to flag suspicious traversal and stop attackers before they reach high-value assets.
  • Supply chain attacks. When third-party software or hardware is compromised, attackers can bypass your perimeter. TDR helps uncover the downstream impact and lets you respond quickly to isolate affected systems.
  • Cloud misconfigurations. Cybercriminals can exploit poorly configured cloud storage or IAM policies without triggering traditional alerts. TDR monitors these environments for anomalies that signal misuse.

The threat landscape is vast, but TDR helps shrink your blind spots. Whether it’s endpoint, network, cloud, or identity, an advanced threat detection and response posture lets you spot, contain, and stop potential threats at each layer.

How does threat detection and response work?

TDR acts like a reflex system for cybersecurity: it helps identify threats quickly, analyzes the risk, and responds in real time to stop damage. A comprehensive TDR process connects telemetry, analysis, and response across your entire environment to stop threats early and keep your operations secure.

Most modern TDR systems follow a six-stage loop:

1. Continuous monitoring. The first step is your sensory layer. Telemetry flows in from endpoints, identity providers, network detection systems, OT sensors, SaaS APIs, and more. The broader your visibility, the smaller your blind spots. High-value sources include VPN gateways, cloud audit logs, external vulnerability scans, and identity threat detection and response systems.

2. Detection. Here’s where the real-time analysis begins. Different engines look for different signals to detect threats:

| Detection type | Detects | Based on | Strengths | Weaknesses |
|---|---|---|---|---|
| Signature-based | Known threats | Known patterns (such as hashes) | Fast, precise, low false positives | May miss new or unknown threats |
| Behavioral | Known tactics and attack behavior | Rules and heuristics | Flags suspicious patterns | May miss advanced or novel attacks |
| Anomaly-based | Deviations from normal | Baseline of typical behavior | Can find stealthy, unexpected threats | Higher false positives |
| AI-based | Known, unknown, and evolving threats | Machine learning models | Adaptive, sees complex attack signals | Needs good data; unclear how it makes decisions |

Together, these approaches provide advanced persistent threat detection without drowning your team in false positives.
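Added example (not from the original article or any vendor) that runs the signature-based, behavioral and anomaly-based engines from the table over the same constructed telemetry, so the strengths and weaknesses columns can be seen side by side. The IoC hash, hosts, users, baseline volumes and thresholds are all made up; the AI-based row is left out because it needs trained models.

```python
"""Three of the detection engines from the table, each over the same constructed telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample telemetry (not real data). Three event kinds, all 4-tuples:
#   ("file",   ts, host, sha256)      a file written to disk
#   ("login",  ts, user, outcome)     outcome is "fail" or "ok"
#   ("egress", ts, user, megabytes)   upload volume for the day
EVENTS = [
    ("file",   "2025-05-01T09:00:00", "ws-12", "d3adbeef" * 8),   # constructed IoC hash
    ("file",   "2025-05-01T09:05:00", "ws-12", "0badf00d" * 8),   # unknown, benign
    ("login",  "2025-05-01T03:00:00", "carol", "fail"),
    ("login",  "2025-05-01T03:01:00", "carol", "fail"),
    ("login",  "2025-05-01T03:02:00", "carol", "fail"),
    ("login",  "2025-05-01T03:04:00", "carol", "ok"),             # success after 3 failures
    ("login",  "2025-05-01T08:00:00", "dave",  "fail"),
    ("login",  "2025-05-01T08:30:00", "dave",  "ok"),             # one typo, 30 min earlier
    ("egress", "2025-05-01T18:00:00", "carol", 4200),             # far above her baseline
    ("egress", "2025-05-01T18:00:00", "erin",  900),              # legitimate backup job
]

# Constructed IoC set standing in for a threat-intelligence feed.
KNOWN_BAD_HASHES = {"d3adbeef" * 8}

# Constructed per-user history of daily upload MB (the anomaly engine's baseline).
BASELINE_MB = {
    "carol": [40, 55, 38, 60, 45, 52, 48, 50, 41, 57],
    "erin":  [100, 120, 90, 110, 105, 95, 115, 98, 102, 108],
}


def signature_detect(events, iocs=KNOWN_BAD_HASHES):
    """Known patterns: exact hash match. Precise, but blind to anything not listed."""
    return [(host, sha) for kind, _, host, sha in events
            if kind == "file" and sha in iocs]


def behavioral_detect(events, fails=3, window=timedelta(minutes=10)):
    """Rule/heuristic: at least `fails` failed logins followed by a success within `window`."""
    hits = []
    recent = defaultdict(list)   # user -> timestamps of failures still inside the window
    logins = sorted((datetime.fromisoformat(t), u, o)
                    for k, t, u, o in events if k == "login")
    for t, user, outcome in logins:
        recent[user] = [f for f in recent[user] if t - f <= window]
        if outcome == "fail":
            recent[user].append(t)
        elif len(recent[user]) >= fails:
            hits.append((user, len(recent[user])))
            recent[user].clear()
    return hits


def anomaly_detect(events, baseline=BASELINE_MB, z_threshold=3.0):
    """Deviation from normal: z-score of today's volume against the user's own history.

    Finds the unexpected, but a legitimate change of habit scores just as high,
    which is the 'higher false positives' weakness from the table.
    """
    hits = []
    for kind, _, user, mb in events:
        if kind != "egress" or user not in baseline:
            continue
        hist = baseline[user]
        mu, sigma = mean(hist), pstdev(hist)
        z = (mb - mu) / sigma if sigma else float("inf")
        if z > z_threshold:
            hits.append((user, round(z, 1)))
    return hits


def run_all(events):
    """Run the three engines and return their findings keyed by engine name."""
    return {"signature": signature_detect(events),
            "behavioral": behavioral_detect(events),
            "anomaly": anomaly_detect(events)}


if __name__ == "__main__":
    for engine, hits in run_all(EVENTS).items():
        print(f"{engine:>10}: {hits}")
```

Each engine catches something the others miss: the hash match only sees the listed file, the rule only sees carol's brute-force success, and the baseline flags both carol's exfiltration and erin's harmless backup.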

3. Correlation and triage. Not every alert is worth your time. A failed login at 3 AM might be nothing — or the start of something bigger. TDR platforms connect the dots: unusual login behavior, unfamiliar geolocations, high-value assets, and threat intelligence feeds. This step filters the noise and sharpens your focus on real security risks.

4. Response. When threats are verified, automated advanced threat detection and response tools take over. Playbooks in SOAR (security orchestration, automation, and response) platforms can isolate compromised hosts, revoke access tokens, block threats and malicious traffic, or trigger forensic snapshots. Analysts step in to handle edge cases.

5. Recovery. Once contained, the focus shifts to restoring systems safely. This step includes patching exploited bugs, rotating credentials, rebuilding from backups, and validating system integrity. Immutable backups and staged restores help reduce downtime — especially during ransomware events.

6. Feedback and improvement. Every incident feeds back into the system. Detection logic, IAM policies, and overall security preparedness all evolve based on what was learned. Metrics (detailed below) track progress. Over time, your system becomes a persistent threat detection platform — always adapting, always improving.

This loop runs constantly across on-premises, cloud, and hybrid environments. It brings together visibility, speed, and action into one unified motion — detecting and shutting down security threats before they become disasters.

How do you enable threat detection and response in your organization?

Unfortunately, you can’t enable threat detection and response by buying a single tool or flipping a switch. It has to be built step by step, by integrating technologies, processes, and skilled professionals into a system that sees more, reacts faster, and gets smarter over time.

Start with visibility. If you can’t see it, you can’t protect it. That means collecting telemetry from every critical surface:

  • Endpoints and mobile devices.
  • Servers, containers, and virtual machines.
  • Networks, including internal traffic, remote access points, and VPNs.
  • Identities, cloud accounts, and SaaS integrations.
  • Operational technology (OT) and internet of things (IoT) devices.

Threat exposure management tools like NordStellar, combined with endpoint threat detection and response, give you coverage to spot both outside attacks and insider threats.

Attack surface management and external vulnerability scanning help expose gaps.

Meanwhile, account takeover prevention and session hijacking prevention close off common entry points.

Next up, integrate and analyze. Use a threat detection platform — or a combination of SIEM, extended detection and response (XDR), and SOAR — to process incoming data, apply AI threat detection, and trigger automation. Strong threat intelligence and vulnerability management help refine detection logic and prioritize the right response solutions.

Finally, don’t overlook what you can’t immediately see — your threat exposure roundup will include compromised data on the dark web and credentials leaked in data breaches.

But tools are only part of the picture. You also need:

  • Clear incident response playbooks.
  • Defined roles and escalation paths.
  • Regular tabletop exercises and training.
  • Feedback loops to learn from every incident.
  • Coverage monitoring to spot blind spots or telemetry gaps.

Many organizations turn to managed detection and response (MDR) services to fill skill gaps or maintain 24/7 coverage. Such a service combines platform expertise, threat hunting, and response support, which is especially useful for small or stretched teams.

And don’t forget culture. TDR only works when everyone knows how to escalate suspicious activity, when security teams collaborate with IT and DevOps, and when detection logic evolves as fast as attackers do.

Done right, TDR becomes more than just a collection of response tools. It becomes muscle memory — proactive, automated, and embedded in your operations. That’s what transforms security from reactive to proactive.

Threat detection types and methods

Threats come from every direction — endpoints, networks, cloud apps, and inboxes. Here’s how different approaches work, and what they cover.

  1. Endpoint detection and response (EDR). EDR continuously monitors individual endpoints, logs behavior, and automates responses based on predefined security policies. Essential for spotting and containing threats at the perimeter — before they spread further.
  2. Network detection and response (NDR). NDR tools monitor lateral movement across your network — detecting security risks that traditional firewalls or antivirus tools might miss. Using AI and ML, they help spot threats in real time, without relying on signatures.
  3. Signature-based threat detection. Signature-based detection matches known patterns (such as code snippets or file hashes) to flag malicious activity. Strong against known threats, but often misses new or evolving vectors.
  4. Cloud detection and response (CDR). CDR focuses on securing your cloud infrastructure, such as virtual machines, serverless functions, and containers. It combines elements of EDR, NDR, and signature-free (not relying on patterns) detection to catch threats specific to cloud environments.
  5. Extended detection and response (XDR). XDR unifies data from across your stack (endpoint, network, email, and cloud) to detect, prioritize, and respond to threats with less noise and more context.
  6. Managed detection and response (MDR). MDR lets you deploy a ready-made security team without the overhead. Ideal for organizations without a full in-house security ops center.
  7. Email threat detection. Email is still the #1 attack vector. Email threat detection tools scan inbound, outbound, and internal messages to catch phishing, malware, and impersonation attempts before they hit inboxes.

Common TDR challenges

Threat detection and response promises speed, clarity, and control — but the road to a mature implementation is winding and full of potential pitfalls. Even with strong tooling, many security teams face real-world challenges that limit the effectiveness of their threat detection system.

  • Alert fatigue. TDR systems can generate thousands of alerts per day. Without strong correlation and prioritization, your security teams drown in the noise, overlooking critical signals buried in low-risk chatter. Over-alerting leads to burnout, slower response times, and missed security threats. Alert fatigue should not be underestimated.
  • Siloed systems. Endpoints, identity providers, firewalls, and SaaS apps often run on separate stacks. If telemetry isn’t centralized and correlated, teams miss the full picture. Siloed tools mean attackers can move laterally without being spotted and hide out indefinitely.
  • Lack of context. An alert alone isn’t enough. Teams need to know what it means, what’s at stake, and how to respond. Without context — asset value, user identity, threat intel — analysts can’t triage or act efficiently.
  • Talent shortage. The cybersecurity skills gap makes it hard to build or scale security operations centers. Many organizations lack in-house expertise to manage complex TDR workflows, tune detection rules, or analyze threats in real time. In these cases, managed response solutions can be effective.
  • Overreliance on tools. TDR systems are powerful, but they’re not a silver bullet. Even the best security tools, if poorly configured or outdated, can leave blind spots. Automation also needs guardrails. Otherwise, it risks cutting off critical systems during false positives.
  • Incomplete coverage. Not all assets are monitored equally. OT environments, shadow IT, remote devices, and legacy systems can slip through the cracks. A single blind spot can render an otherwise strong TDR stack ineffective.

Supplementing your coverage with data breach monitoring and dark web monitoring can help reduce blind spots.

About NordStellar
NordStellar is a threat exposure management platform that enables enterprises to detect and respond to network threats before they escalate. As a platform and API provider, NordStellar can provide insight into threat actors’ activities and their handling of compromised data. It was designed by Nord Security, the company renowned for its globally acclaimed digital privacy tool NordVPN.


Performance Characteristics of DNS Tunneling

In the constantly evolving landscape of cyber threats, DNS tunneling remains one of the stealthiest and most underestimated attack vectors. By exploiting the fundamental role of DNS as a communication protocol, attackers are able to bypass traditional security defenses, create covert channels, and exfiltrate sensitive data.

We continue our series of articles on DNS Tunneling, where in previous pieces we’ve covered the essence of DNS tunneling and data exfiltration, explaining why it’s dangerous, how it works, and how surprisingly easy it is to execute. In this third article, we turn our attention to a critical and often overlooked factor: the Performance Characteristics of DNS Tunneling. Many assume these tunnels are too slow to matter, but the reality paints a different picture.

One might assume that using DNS for data transfer is extremely slow, since DNS is not designed for bulk data, and indeed many DNS tunnels operate at low bitrates. However, the performance of DNS tunneling varies widely with how it is implemented and with network conditions. At the slow end, DNS tunneling is quite sluggish: one security study noted a typical bandwidth of around 110 KB/s (0.11 MB/s) for DNS tunnels, which is minor compared to normal network speeds, and many real-world malware samples using DNS tunnels send data sparingly to avoid detection. Under optimal conditions, however, DNS tunneling can achieve surprisingly high throughput, reaching tens of megabits per second or more.

Some of the open-source tools have modes or techniques to maximize DNS tunnel bandwidth. For instance, the tool Iodine can operate in what’s called “raw mode,” where it sends DNS packets directly to an authoritative server, bypassing the usual recursive resolver behavior. Before establishing the tunnel, Iodine checks which types of DNS packets are suitable for carrying payloads and automatically tests encoding options to find the most efficient one.

Figure: Iodine checks which types of DNS packets are suitable for carrying payloads.

Once a working encoding is found, the tool tests the maximum possible payload size per packet by adjusting the downstream fragment size to ensure optimal throughput without fragmentation or packet loss.

Figure: Iodine tests the maximum possible payload size per packet.

In a controlled test environment, Iodine’s raw mode was shown to push over 50 Mbit/s through a DNS tunnel. In one benchmark, a 10MB file was transferred in just one second, demonstrating that DNS tunnels can achieve speeds rivaling legitimate network traffic under ideal conditions.

Figure: A 10MB file transferred through the tunnel in one second.

This was achieved by using large DNS packets and fast, direct query loops. If multiple parallel queries are used and the attacker controls the entire path, throughput can climb even higher. In theory, with extensions like EDNS0 allowing larger UDP payloads (~4KB per DNS message) and multiple queries in flight, a DNS tunnel could reach hundreds of megabits per second. In fact, security engineers have demonstrated that in ideal lab conditions (e.g., a local network with no DNS resolver in the middle), DNS tunneling can exceed 200 Mb/s of data transfer. That is comparable to or higher than many corporate internet connections, indicating that DNS tunneling is not just a trickle of data, it can be a firehose under the right circumstances.

On the other hand, the moment a DNS tunnel has to go through a typical recursive resolver, as in most real scenarios, performance drops dramatically. Even when all unknown outbound connections are completely blocked at the firewall level, the speed drops significantly, but the tunnel still remains operational.

This illustrates how persistent DNS tunnels can be even in tightly restricted network environments. Continuing the Iodine example, when the tunnel was forced to use a normal DNS server, which breaks data into many small queries and adds latency, the bandwidth plummeted from 50 Mbit/s to around 400 kbit/s (0.4 Mbit/s). That is a huge drop, illustrating that real-world tunnels often face overhead. Additionally, many public DNS resolvers and corporate DNS servers cache responses and rate-limit similar queries, further capping throughput. Attackers must balance speed with stealth: aggressive high-volume DNS tunneling might be faster, but it is also more likely to be noticed by intrusion detection systems due to unusual traffic patterns. Therefore, in practice, many malicious DNS tunnels operate in the realm of a few kilobits to a few hundred kilobits per second, slow enough to stay under the radar but still fast enough to gradually siphon significant data (for example, even 100 kbit/s can exfiltrate ~1 MB of data in 80 seconds, which over hours or days adds up to gigabytes).

In summary, DNS tunneling performance ranges from very slow to surprisingly fast. With careful optimization (direct authoritative queries, larger DNS messages, parallelism), tunnels can reach tens or even hundreds of Mbps. This means an attacker who isn’t worried about being noisy could transfer substantial data (e.g. streaming stolen data out). Conversely, stealthy attackers will accept lower speeds to avoid detection. From an organizational standpoint, this variability means you cannot assume a DNS tunnel is harmless because “it’s too slow to be useful”; it might not be slow at all. Even a slow tunnel is dangerous if it’s stealing your data, and a fast tunnel is outright alarming because of how much it can take in a short time.
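An added example from the defender's side (not SafeDNS's code): a per-zone profile of constructed resolver log lines that applies the label-length, entropy and record-type heuristics discussed in this series and converts observed query volume into the upstream bit rate it implies, so the throughput figures above can be compared with what a resolver actually sees. The zone tunnel-test.invalid, the client addresses, the thresholds and the base32 (5 bits per character) encoding assumption are all constructed for the example.

```python
"""Profile DNS query logs per zone and flag zones that look like covert channels."""
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): "epoch_seconds client qname qtype".
# The long first labels under tunnel-test.invalid are made-up base32-style strings.
LOG = """
1700000000 10.0.0.5 www.example.com A
1700000000 10.0.0.5 mail.example.com MX
1700000001 10.0.0.9 cdn.example.com A
1700000002 10.0.0.9 api.example.com AAAA
1700000003 10.0.0.5 login.example.com A
1700000000 10.0.0.7 gezdgnbvgy3tqojqmfrggzdfmztwq2lk.t.tunnel-test.invalid TXT
1700000000 10.0.0.7 nnwg23tpobyxe43uonswg5dfor2gk3ln.t.tunnel-test.invalid TXT
1700000001 10.0.0.7 mvzxg5dbnzsgcidbizsxe5dbnfxgs3tf.t.tunnel-test.invalid NULL
1700000001 10.0.0.7 ifbucr2xh5rg6zlskbwwk5dimz2hk5ba.t.tunnel-test.invalid TXT
1700000002 10.0.0.7 gy3tqojqmztwq2lkobyxe43uor2gk3ln.t.tunnel-test.invalid TXT
1700000002 10.0.0.7 gezdgnbvmfrggzdfnnwg23tponswg5df.t.tunnel-test.invalid NULL
1700000003 10.0.0.7 nzsgcidbnfxgs3tfh5rg6zlsmz2hk5ba.t.tunnel-test.invalid TXT
1700000003 10.0.0.7 mvzxg5dbizsxe5dbifbucr2xkbwwk5di.t.tunnel-test.invalid TXT
"""

# Detection thresholds (assumptions for this example; tune per environment).
MIN_QUERIES = 5            # too few queries to judge a zone
MIN_MEAN_LABEL_LEN = 20    # hostnames are short; encoded payload labels are not
MIN_ENTROPY_BITS = 3.0     # Shannon entropy of the first label, bits per character
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}   # record types that carry large answers


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def zone_of(qname, levels=2):
    """Rough registrable zone: the last `levels` labels (no public-suffix list here)."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        rows.append((int(ts), client, qname.lower(), qtype.upper()))
    return rows


def profile_zones(rows, bits_per_char=5):
    """Aggregate per zone. bits_per_char=5 assumes base32-style labels (an assumption:
    the real alphabet decides how much payload each query carries)."""
    zones = defaultdict(lambda: {"n": 0, "t0": None, "t1": None, "label_len": 0,
                                 "entropy": 0.0, "payload_q": 0, "payload_bits": 0})
    for ts, _client, qname, qtype in rows:
        z = zones[zone_of(qname)]
        first = qname.split(".")[0]
        z["n"] += 1
        z["t0"] = ts if z["t0"] is None else min(z["t0"], ts)
        z["t1"] = ts if z["t1"] is None else max(z["t1"], ts)
        z["label_len"] += len(first)
        z["entropy"] += shannon_entropy(first)
        z["payload_q"] += qtype in PAYLOAD_QTYPES
        z["payload_bits"] += len(first) * bits_per_char   # upstream payload only
    return zones


def suspected_tunnels(rows):
    """Zones whose query labels look like encoded payload, with their metrics."""
    out = {}
    for zone, z in profile_zones(rows).items():
        if z["n"] < MIN_QUERIES:
            continue
        mean_len = z["label_len"] / z["n"]
        mean_h = z["entropy"] / z["n"]
        duration = max(z["t1"] - z["t0"], 1)       # seconds; avoid division by zero
        if mean_len >= MIN_MEAN_LABEL_LEN and mean_h >= MIN_ENTROPY_BITS:
            out[zone] = {"queries": z["n"],
                         "mean_label_len": round(mean_len, 1),
                         "mean_entropy": round(mean_h, 2),
                         "payload_qtype_share": round(z["payload_q"] / z["n"], 2),
                         "implied_bit_per_s": round(z["payload_bits"] / duration)}
    return out


def seconds_to_exfiltrate(megabytes, bits_per_second):
    """Time a tunnel at `bits_per_second` needs to move `megabytes` (10^6 bytes each)."""
    return megabytes * 8_000_000 / bits_per_second


if __name__ == "__main__":
    for zone, m in suspected_tunnels(parse_log(LOG)).items():
        print(zone, m)
    print("1 MB at 100 kbit/s takes", seconds_to_exfiltrate(1, 100_000), "s")
```

The implied rate only covers the query direction; the response side, where tools like Iodine push most of their bandwidth, is invisible in a query-only log, so pair this with answer-size monitoring on the resolver.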

DNS tunneling isn’t just a theoretical risk or an exotic attack seen only in advanced persistent threat scenarios. It’s a real, versatile, and increasingly accessible method used for data exfiltration and command-and-control operations. As we’ve shown, DNS tunnels can range from barely detectable low-bandwidth trickles to high-speed channels capable of transferring hundreds of megabits per second under the right conditions. This variability makes them dangerous: slow enough to slip under the radar, fast enough to cause real damage.

SafeDNS offers advanced Network-layer protection specifically designed to detect and block tunneling attempts in real time. Our DNS Security 2.0 module identifies abnormal query patterns, excessive subdomain usage, and suspicious data encoding behaviors common in tunneling. With automated threat intelligence, encrypted DNS support (DoH/DoT), and integration into SIEM platforms, SafeDNS helps organizations detect both stealthy and aggressive tunnels before damage is done. Whether attackers are dripping out data or opening the floodgates, SafeDNS ensures your DNS is no longer a blind spot, but a proactive defense line.


About SafeDNS
SafeDNS exists to make the internet safer for people all over the world, with solutions ranging from AI- and ML-powered web filtering and cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.


Change Management in Pandora ITSM with Full Traceability and Custom Workflows

With version 106 of Pandora ITSM, a critical feature has been introduced for technology environments operating under security frameworks, regulatory compliance, and efficient management: Change Management. This new module allows changes to be registered, approved, implemented, and closed in a structured way, with full traceability and responsibility control.

New ITSM Feature: Integrated Change Management

Controlling changes in IT is no longer optional. It’s a requirement for minimizing operational risks, avoiding human errors, and complying with standards such as ISO 27001, ENS, or SOC2. Many serious incidents originate from poorly managed changes: urgent interventions without documentation, informal approvals, or tasks that fall outside the scope of operational oversight.

The new Change Management feature in Pandora ITSM structures this entire process. From a single interface, you can define the change, document it, assign it, monitor it, and close it, ensuring that every action is properly recorded. The system is designed to adapt to different types of changes (routine, planned, or critical) and fit the realities of each team: roles, permissions, automations, and specialized teams.

Its complete integration with tasks, tickets, inventory, and projects makes it a natural part of the ITSM ecosystem, rather than a standalone component.

What Can You Do Now with Pandora ITSM?

Change Management is not just a record—it’s a complete work cycle with its own statuses, validations, and rules. In Pandora ITSM, the cycle starts with the creation of a request where you can define key fields such as priority, risk, impact, manager, and responsible team.
From there, the change can include:

  • Linked inventory items directly associated with the change.
  • Attached files containing technical documentation or approvals.
  • Non-billable internal notes, useful for coordination without affecting SLAs.
  • Association with specific tickets and tasks, with granular control over time and effort tracking.

Each change follows a defined state flow (New, Authorized, Scheduled, Implement, Review, Closed), with automatic transitions based on task execution. Managers can review the progress at any time, view actual time spent, and audit every step from the Tracker section.

Additionally, you can create reusable change templates, automate notifications based on events, and define change teams with role-based access controls. This allows you to manage everything from low-impact technical changes to critical interventions that require coordination across multiple departments.



Supported Change Types

The system supports three change types, aligned with IT change management best practices:

  • Standard Change: Routine, low-risk changes that can be pre-approved and executed without additional review—for example, a scheduled system reboot.
  • Normal Change: Changes that require formal assessment before execution, involving planning, approval, and final validation.
  • Emergency Change: Critical changes that must be executed immediately due to operational or security reasons, but are still documented and traceable.

The change type defines the initial flow of the process. For example, a standard change moves directly to the Authorized state if created from a template, skipping unnecessary steps while maintaining full traceability.
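A state flow like the one described (New, Authorized, Scheduled, Implement, Review, Closed), with the change type deciding where a record starts, can be modelled as a small state machine whose every transition lands in an append-only audit trail. The block below is an added illustration written for this page, not Pandora ITSM's code: the role required for each transition, the emergency shortcut straight to Implement, and the mandatory notes on emergency and closing steps are assumptions chosen to show how traceability and responsibility control can be enforced in software.

```python
"""Minimal change-record state machine with an audit trail.

Added example, not Pandora ITSM's implementation. The state names follow the
article; the role requirements and note rules are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHANGE_TYPES = ("standard", "normal", "emergency")

# Forward state flow as listed in the article.
NEXT_STATE = {
    "New": "Authorized",
    "Authorized": "Scheduled",
    "Scheduled": "Implement",
    "Implement": "Review",
    "Review": "Closed",
}

# Assumption: the role required to move a change INTO each state.
REQUIRED_ROLE = {
    "Authorized": "manager",
    "Scheduled": "manager",
    "Implement": "engineer",
    "Review": "engineer",
    "Closed": "manager",
}


class ChangeError(Exception):
    """Raised when a transition would violate the workflow rules."""


@dataclass
class ChangeRecord:
    title: str
    change_type: str
    from_template: bool = False
    state: str = "New"
    audit: list = field(default_factory=list)  # append-only trail of every action

    def __post_init__(self):
        if self.change_type not in CHANGE_TYPES:
            raise ChangeError(f"unknown change type {self.change_type!r}")
        self._log("system", "created", f"type={self.change_type}")
        if self.change_type == "standard" and self.from_template:
            # Pre-approved routine change: skip assessment and start Authorized.
            self.state = "Authorized"
            self._log("system", "auto-authorized", "standard change from template")

    def _log(self, actor: str, action: str, detail: str = "") -> None:
        self.audit.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "state": self.state,
            "detail": detail,
        })

    def advance(self, actor: str, role: str, note: str = "") -> str:
        """Move to the next state if the actor's role permits and the step is documented."""
        if self.state == "Closed":
            raise ChangeError("change already closed")
        target = NEXT_STATE[self.state]
        if self.change_type == "emergency" and self.state == "New":
            # Assumption: an emergency change may jump straight to implementation,
            # but only with a written justification that lands in the audit trail.
            if not note:
                raise ChangeError("emergency change needs a justification note")
            target = "Implement"
        if REQUIRED_ROLE[target] != role:
            raise ChangeError(f"role {role!r} may not move a change to {target}")
        if target == "Closed" and not note:
            raise ChangeError("closing a change requires a review note")
        self._log(actor, f"{self.state}->{target}", note)
        self.state = target
        return self.state


def demo_workflow() -> ChangeRecord:
    """Run a normal change through the full cycle and return the closed record."""
    rec = ChangeRecord("Rotate service account credentials", "normal")
    steps = [
        ("alice", "manager", "risk assessed, approved"),
        ("alice", "manager", "window 02:00-03:00 UTC"),
        ("bob", "engineer", ""),
        ("bob", "engineer", "rotated, dependent services healthy"),
        ("alice", "manager", "verified in monitoring"),
    ]
    for actor, role, note in steps:
        rec.advance(actor, role, note)
    return rec


if __name__ == "__main__":
    closed = demo_workflow()
    for entry in closed.audit:
        print(f"{entry['at']} {entry['actor']:6} {entry['action']:18} {entry['detail']}")
```

Because `advance` is the only way to change `state` and every call writes to `audit` before mutating anything, the trail answers the audit questions the article raises (who approved, who implemented, when, with what justification) without a separate log that can drift out of sync with the record.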

Automate and Control the Entire Workflow

One of Pandora ITSM’s key strengths is its ability to automate change management without sacrificing control. Some of the core features include:

  • Change templates that pre-configure fields like priority, risk, or impact based on the type of intervention.
  • Custom states for tasks and changes, with built-in logic and validations.
  • Automatic notifications that alert teams when there are pending tasks or required actions.
  • Change teams with hierarchical structure, group email notifications, and advanced access control through ACLs.
  • Workunits to record exact time spent, link it to tasks, and consolidate it into reports.

This entire ecosystem is managed from the Changes Administration sections, where you can define types, states, priorities, risks, templates, and notifications.

What Makes It Different?

Unlike other tools that treat change as a standalone component, Pandora ITSM fully integrates change management with all key operational processes:

  • Linked to inventory, allowing full visibility into affected assets.
  • Connected to projects, enabling change tasks to be part of larger initiatives.
  • Integrated with tickets, so incidents can generate changes, and changes can be tracked through actual execution.
  • Leveraging ITSM’s permission structure, ensuring that no user acts outside of their defined role.

This transforms change management into a true governance and efficiency tool, far beyond basic compliance. The complete log of actions, decisions, tasks, and time spent allows teams to pass audits, evaluate performance, and continuously improve control over the technical environment.

Closure

With this new feature, Pandora ITSM brings change management from theory into real operational practice. It’s no longer about filling out a form or logging a task in a shared Excel file. Every change is controlled from start to finish, with roles, validations, documentation, and monitoring—all fully integrated into your organization’s actual workflows.

In environments where compliance, traceability, and service stability are critical, having a solution that automates, logs, and controls changes is not a competitive advantage—it’s an operational necessity.

Available starting with version 106.

You can find more details in the official Pandora ITSM documentation or log into the console and explore the Changes menu.

Pandora FMS’s editorial team is made up of a group of writers and IT professionals with one thing in common: their passion for computer system monitoring.

About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.

Is your GWS backup provider letting you down?

Are you truly in charge of your data, or are you just renting space from a provider who calls the shots? It’s like your backup service – the very thing meant to protect you – becomes the source of your biggest headaches.

Technical hiccups, planned obsolescence or ulterior motives?
Currently, I’m hearing a lot of horror stories from prospects that genuinely alarm me. Here are just some of the challenges they’ve encountered with their current (and, given their experience, soon to be previous!) providers:

  • “Service unavailable.”
  • “Cannot find any snapshots with data.”
  • “Exports yield an error.”
  • “Support team is ignoring queue.”

These aren’t just minor glitches; they’re catastrophic failures that can bring your operations to a grinding halt. Backups are your safety net should you become the victim of a cyberattack or experience any other sort of data loss – something businesses worldwide have to plan for as part of their business continuity strategy.

If your backup provider can’t (won’t?) restore your data or release it to you when you decide to move on, you’re not just experiencing a technical issue. You’re being held to ransom. It does make you wonder: If you can’t get to your data, why keep it safe in the first place?

The problem with black box backups: Are you just hoping for the best?

Many traditional cloud backup solutions operate on a “black box” principle. You send your data off, assume it’s safe, and hope for the best. But when things go wrong, the lack of transparency and control can leave you in a desperate situation.

Invisible data:

  • Do you actually see your data being backed up? Can you verify its integrity? Or is it a leap of faith into an opaque system?

Recovery roulette:

  • The ultimate test of any backup is recovery. If you can’t reliably retrieve your files, what’s the point of backing them up in the first place?

Maintenance mayhem:

  • Lengthy “planned maintenance” windows that coincide with critical data access needs, or worse, outright outages, demonstrate a profound lack of respect for your business continuity.

Support silence:

  • When you’re in a crisis, you need immediate, effective support. Being ignored or being put in a seemingly endless queue is simply unacceptable. In crisis situations, you are already spinning lots of plates – you don’t need to add more. What you need is a team that understands the urgency and responds quickly.

It’s time for a different approach: Backups on your own terms
The good news is, there’s a better way. Imagine a backup solution where you are genuinely in control. Where your data isn’t just stored remotely, but is accessible, visible, and recoverable on your terms. True data ownership, excellent support, and staying ahead of security threats are paramount.

You need a solution that prioritizes:

  • True data ownership: You retain full command over your valuable information, always.
  • Reliability you can trust: No more guessing games about whether your backups are actually working or if your data is truly safe.
  • Proactive support: When questions arise, you get answers and solutions, not silence.
  • Effortless recovery: The ability to retrieve your data swiftly and seamlessly, every single time.

Don’t let your critical business data be held for ransom by unreliable services. It’s time to demand more from your backup solution.

About CloudM
CloudM is an award-winning SaaS company whose humble beginnings in Manchester have grown into a global business in just a few short years.

Our team of tech-driven innovators has designed a SaaS data management platform for you to get the most from your digital workspace. Whether it’s Microsoft 365, Google Workspace or other SaaS applications, CloudM drives your business through a simple, easy-to-use interface, helping you to work smarter, not harder.

By automating time-consuming tasks like IT admin, onboarding & offboarding, archiving and migrations, the CloudM platform takes care of the day-to-day, allowing you to focus on the big picture.

With over 35,000 customers including the likes of Spotify, Netflix and Uber, our all-in-one platform is putting office life on auto-pilot, saving you time, stress and money.