There are very few environments in enterprise technology where the phrase “always available” means something beyond a service level agreement with financial penalties for downtime.
Intrado’s environment is one of them. The systems Intrado operates are the infrastructure behind 9-1-1: the call routing platforms, the emergency communication networks, the technology that connects someone calling for help to the dispatcher who can send it. These are not services that can have a maintenance window. They cannot tolerate a degraded state during incident response, and they cannot be restored on the timescales that most enterprise recovery plans consider acceptable. When a 9-1-1 system is compromised or unavailable, the consequences are not measured in lost revenue or damaged reputation. They are measured in emergency calls that do not reach dispatchers and responses that do not arrive in time.
Intrado just announced that it has moved its Security Operations Center to Palo Alto Networks Unit 42 Managed XSIAM, and the headline metric that defines why this decision matters is specific enough to be stated at the outset: mean time to detect and mean time to resolve have both dropped from hours to under two minutes for 98% of all cases.
In most industries, that metric improvement would be an impressive security efficiency story. In emergency communications infrastructure, it is a life-safety achievement.
Why 9-1-1 Infrastructure Is One of the Highest-Value Targets in Critical Infrastructure Security
The threat environment targeting emergency communications infrastructure has a specific character that distinguishes it from general critical infrastructure targeting, and understanding that character clarifies why Intrado’s security posture requires the level of investment and sophistication that a Unit 42 managed SOC represents.
Emergency communications infrastructure is valuable to threat actors for two distinct reasons that often operate simultaneously. The first is ransom leverage. An organisation that cannot tolerate downtime (one that has no acceptable degraded state and no fallback period during which systems can be offline) faces maximum financial pressure when ransomware successfully disrupts its environment. The inability to accept downtime is the leverage that ransomware operators seek, and 9-1-1 infrastructure has it in absolute terms.
The second is strategic disruption. Nation-state actors and sophisticated criminal organisations targeting critical infrastructure increasingly seek to compromise the communication and coordination systems that emergency response depends on, not necessarily to extract ransom immediately, but to establish persistence, understand response capabilities, and create the option to disrupt those systems at a strategically chosen moment. Pre-positioning in emergency communications infrastructure provides adversaries with visibility into public safety operations and the capability to degrade response at critical times.
Charles Gifford, Intrado’s CISO, articulated the stakes with the directness they deserve: there is no room for error in public safety. Every call, connection, and system must be available when it matters most. That statement is not a marketing commitment. It is a description of the literal requirement that Intrado’s security architecture must satisfy: continuous availability of systems whose unavailability has immediate human consequences.
For nearly fifty years, Intrado has been trusted with that responsibility. The evolution of its security posture to reflect the current threat environment is not optional growth. It is the necessary response to a threat landscape that has changed more in the past five years than in the preceding four decades combined.
What Unit 42 Managed XSIAM Actually Delivers
The architecture that Intrado has deployed with Unit 42 represents a fundamental departure from the traditional SIEM and SOAR model that has defined enterprise SOC infrastructure for the past decade, and understanding why that departure matters requires understanding what the traditional model gets wrong for environments like Intrado’s.
Traditional SIEM platforms collect and correlate security event data from across the environment. They generate alerts that human analysts review, triage, and investigate. The detection-to-response chain requires human intervention at multiple stages: alert triage, investigation, escalation, and response coordination all involve analyst decisions that add time to every step. In a typical enterprise environment, a mean time to detect measured in hours and a mean time to resolve measured in hours or days represent acceptable performance given the security investment required to do better.
In emergency communications infrastructure, hours-long detection and resolution timescales are not acceptable. They represent windows during which a threat that should have been contained is instead propagating through systems whose availability cannot be compromised. The gap between what traditional SOC architecture produces and what Intrado’s environment requires is not a tuning problem. It is an architectural one.
The Cortex XSIAM platform that Unit 42 Managed XSIAM is built on addresses that architectural gap by unifying data across all security sources and applying AI-driven protection and agentic automation to enable near real-time detection and response. The unification of data is the foundation: rather than security signals flowing to separate tools that each apply their own correlation logic and generate their own alert queues for human review, XSIAM brings all security data into a single platform where AI can apply correlation logic across the complete picture simultaneously.
The agentic automation layer is what compresses the detection-to-response timeline from hours to minutes. Automated investigation, automated triage, and automated response execution for defined threat categories remove human-speed processing from the critical path of the most common case types, allowing the 98% of cases that follow recognisable patterns to be detected, investigated, and resolved automatically, while human analysts focus their attention on the novel, complex, and high-severity events that require expert judgment.
The reduction of what the press release characterises as infrastructure complexity (the elimination of the separate SIEM, SOAR, and threat intelligence platforms that traditional SOC architecture requires) is a consequence of unification rather than the primary goal. A single platform that does what three separate platforms did, with better detection outcomes and faster response, produces less management overhead as a byproduct of better architecture rather than as a result of cutting corners on capability.
The Two Minutes That Define the Achievement
The specific metric that Intrado has disclosed (mean time to detect and mean time to resolve both under two minutes for 98% of cases) deserves examination in the context of what achieving it actually required.
Reducing MTTD from hours to under two minutes is not a tuning improvement to an existing security architecture. It is an order-of-magnitude change that requires fundamentally different detection logic, different data integration, and different automation capability. The baseline hours-level performance that most enterprise SOC environments consider acceptable reflects the time required for alert generation, human review, initial investigation, escalation, and response coordination when all of those steps involve human processing. Compressing that to under two minutes requires removing human processing from most of those steps for most case types.
The 98% figure is the qualification that makes the metric credible rather than selective. Any SOC can achieve fast mean times for a small subset of case types by automating only the simplest, most repetitive cases while manually processing everything else. Achieving sub-two-minute resolution for 98% of all cases means the automated detection and response capability is effective across the overwhelming majority of the threat case types that Intrado’s environment faces, not just the easiest ones.
The remaining 2% represents the cases that require human expert involvement: novel threats, complex attack patterns, and high-severity incidents that warrant analyst attention beyond automated response. Unit 42’s managed service provides that expert capacity as part of the 24/7/365 SOC coverage, ensuring that the cases requiring human judgment receive it without the detection and response delay that characterises the broader case volume.
For Intrado’s customers (the public safety answering points, government agencies, and enterprise clients that depend on Intrado’s systems), the metric improvement translates directly into the performance and reliability they experience. Threats that previously might have affected system availability for hours while security teams worked through detection and response are now contained before they reach the level of impact that service disruption requires.
What This Means for the PSAPs and Public Safety Agencies That Intrado Serves
The downstream beneficiaries of Intrado’s security posture improvement are not the enterprise buyers and technology evaluators who will read this announcement. They are the dispatchers, first responders, and members of the public who depend on 9-1-1 systems functioning reliably at the moments they are needed most.
Public Safety Answering Points (PSAPs) are the facilities that receive 9-1-1 calls and dispatch emergency services. They are entirely dependent on the communications infrastructure that Intrado operates. A PSAP that loses connectivity to the routing and communication systems behind its 9-1-1 service cannot receive emergency calls. Dispatchers cannot communicate with responders. The coordination infrastructure that makes emergency response possible fails.
The threat actors targeting emergency communications infrastructure understand this dependency. It is the source of their leverage. A ransomware attack that disrupts a PSAP’s connectivity for hours during the detection and response process is an attack that succeeds in its disruption objective even if the underlying compromise is eventually contained. Reducing the detection and response window from hours to minutes is not just an improvement in security metrics. It is a reduction in the window during which a successful attack can achieve its disruption objective against the public safety infrastructure that Intrado’s systems support.
Intrado’s framing of this as a mission-critical reliability and continuity achievement rather than simply a security efficiency improvement reflects an accurate understanding of the stakes. In emergency communications, security and service availability are not separate objectives that compete for investment priority. They are the same objective expressed from different angles. A system that is secure but unavailable fails its public safety mission. A system that is available but compromised also fails its public safety mission. The Unit 42 partnership addresses both dimensions simultaneously through an architecture that combines continuous availability with the fastest possible threat containment.
The Evolution Beyond Traditional SIEM and SOAR
The announcement’s characterisation of the XSIAM model as representing an evolution beyond traditional SIEM and security orchestration approaches is worth examining specifically, because it reflects a genuine architectural shift rather than a marketing reframe of existing capability.
Traditional SIEM platforms were designed for a different threat environment and a different scale of security data. They were built when the primary security intelligence value was in log correlation: finding connections between events logged by network devices, servers, and applications that individually looked innocuous but together indicated malicious activity. Human analysts were the intelligence layer that transformed correlated events into actionable detections.
The security data environment has changed fundamentally since SIEM architecture was established. Modern enterprise environments generate security telemetry at volumes that human analysts cannot process in the timescales that current threat dynamics demand. The automation layer that SOAR platforms added to SIEM addressed part of the response speed problem but left the detection latency problem largely unresolved: SOAR automates response to alerts that SIEM generates, but if the SIEM is slow to generate the alert, faster response to a late alert produces at best modest improvement in overall detection-to-resolution time.
AI-native detection that processes unified security data continuously, without the alert queue that human-reviewed SIEM depends on, removes the latency that accumulates in every human review step. Agentic automation that can execute response actions without requiring analyst approval for defined threat categories removes the latency that accumulates in every manual coordination step. The combination produces the hours-to-minutes improvement that Intrado has documented, not as an incremental tuning achievement but as the natural result of removing human-speed processing from the critical path of the most common case types.
The reduction of management complexity that comes with unified platform architecture (replacing three separate tools with one that does more) is a consequential secondary benefit for an organisation like Intrado, whose security team needs to direct its capacity toward the strategic initiatives and innovation that public safety communications requires rather than toward the care and feeding of a multi-platform SOC infrastructure.
Fifty Years of Public Safety Trust, and the Security Architecture That Protects It
Intrado’s nearly five decades of service to public safety communications is not incidental context for this announcement. It is the foundational commitment that makes the security investment meaningful beyond the enterprise IT terms in which most SOC announcements are evaluated.
An organisation that has spent fifty years building and operating the infrastructure that communities rely on in their most critical moments has an institutional understanding of what reliability and continuity actually require that no amount of enterprise security best practice can fully substitute for. The decision to deploy Unit 42 Managed XSIAM reflects that understanding, not as a technology preference, but as a recognition that the threat environment has evolved to the point where the security architecture protecting fifty years of public safety infrastructure needs to evolve to match it.
The communities served by the PSAPs, government agencies, and emergency response systems that depend on Intrado’s infrastructure do not know that the company has deployed a Unit 42 managed SOC. They do not need to. What they need is for the 9-1-1 call they make in the worst moment of their lives to connect, to route correctly, and to reach someone who can help them.
That outcome depends on Intrado’s infrastructure being secure, available, and resilient against the threat actors who have specifically targeted emergency communications as high-leverage critical infrastructure. The two-minutes metric is not a technology specification. It is the security commitment that makes the public safety mission possible, and the investment in Unit 42 managed capability is what makes that commitment credible against a threat environment that has spent decades getting more capable while Intrado’s responsibility to the public has remained unchanged.
Research and Intelligence Sources: Intrado





