Case Study

How a Global Financial Services Company Built Vendor-Agnostic Blocking as a Service with Itential

A post-merger SOC team unified two networks, multiple SOARs, and a complex hybrid infrastructure behind a single Itential workflow – blocking any flagged entity in seconds.

Challenge

Manual swivel-chair blocking across Zscaler, Infoblox, and end systems left security threats with access for vital seconds – even minutes – across a complex post-merger network running multiple SOARs and two integrated infrastructures.

Solution

Built a universal middle layer with Itential where any security system can publish a payload – domain, IP, URL – and a single workflow orchestrates the blocking response end-to-end across every integrated SOAR and end system.

Why Itential

A vendor-agnostic integration model lets the team choose any SOAR and any security vendor without changing the core process – exposing blocking as a reusable service across a global hybrid network.

The Challenge

Blocking & Cyber Defense in the Distributed Infrastructure Era

When an entity – a URL, domain, or IP address – is flagged for blocking by a network security system, that change has to be reflected across many end systems. Doing it manually, as the SOC team traditionally had, meant a delay of vital seconds or even minutes during which a potential threat maintained access to parts of the network.

In practice, blocking a single domain meant going to Zscaler, then swivel-chairing to Infoblox, then touching any end systems or integrated tools by hand. Every step took time, and the network’s size and complexity multiplied the cost of each one.

Two scenarios pushed automation to the top of the priority list. The team had begun adopting new SOAR solutions across parts of the network, which required additional integration work. And a recent merger left engineers managing two separate networks connected to each other – each with its own Zscalers and its own block lists. The goal was a framework where any SOAR could be leveraged, any new network could be added, and any blocking decision could be reflected accurately and instantaneously across every end system.

Three Forces Behind the Push to Automate

Each one extended the window during which a flagged threat kept access – and made the SOC team’s manual process more expensive every week.

Swivel-Chair Across Security Tools

Blocking a single entity meant working through Zscaler, then Infoblox, then every relevant end system by hand. Each step delayed the response and consumed SOC engineer time.

Multiple SOARs, No Unified Path

The team had started adopting new SOAR solutions across the network, but each one came with its own integration work. Without a common platform, each new SOAR meant another silo to maintain.

Post-Merger Network Sprawl

A recent merger left engineers managing two separate networks connected to each other – each with its own Zscalers, its own block lists, and its own operational pattern.

After the merger, it took our engineers a lot more manual time to block any flagged entity across all the different parts of the network. It was already something we wanted to solve, but it quickly became a top priority.
Director of Network Architecture
Global Financial Services Company

The team did not want to bet on a single SOAR. They wanted a platform that let them choose any SOAR – today and tomorrow – without rebuilding the blocking process every time.

Why Itential

Why They Chose Itential

An early step in the company’s security transformation was exploring SOAR platforms to coordinate and automate response. But leadership took a longer view – relying on a single SOAR would be a mistake. The chosen approach had to integrate with multiple SOARs and every relevant system in their infrastructure, in a way that kept processes consistent and unified. Five capabilities from the Itential Platform anchored the decision.

A Vendor-Agnostic Platform for Security Orchestration

Five capabilities sat at the center of the decision – together giving the SOC team a single, vendor-agnostic foundation for orchestrating blocking responses across every SOAR and every end system.

Rapid Integration With Network & IT Systems

End-to-end process orchestration across all network and IT systems, enabling zero-touch automation of blocking requests – without per-system custom integration work for every new SOAR or security tool.

Patented Integration Model for Future Flexibility

A patented integration model that preserved full flexibility for current and future technology decisions – so adopting new SOARs or migrating away from old ones did not require rebuilding the core process.

Automated Data Transformations

Any payload – a domain, a bad IP address, a URL, anything else – instantly translated to whatever format the downstream system required. No bespoke transformation code per integration point.

Built-In RBAC

Role-based access control built into the platform, so automations could only be run by trusted users and systems – meeting the audit and governance bar a global financial services company requires.

No-Code Development & Execution

A no-code development and execution environment that let non-developers build automations from their own domain expertise – turning SME knowledge into reusable workflows without a software engineering hand-off.

The Solution

A Universal Middle Layer for Blocking as a Service

Instead of building a large end-to-end system in-house, the team used Itential as a vendor-agnostic middle layer – one workflow that any security system can call, regardless of which SOAR or end system is involved.

One Workflow, Any Source

Any security system or service that needs to block an entity hands off a payload to the same Itential workflow – Zscaler, Infoblox, a new SOAR, an internal agent – without changing the core blocking process.

Payload-In, Block-Everywhere-Out

The workflow ingests the payload, translates it into every required downstream format through automated data transformations, and orchestrates the chain of actions needed to complete the block end to end.

Vendor-Agnostic by Design

Any SOAR or end system can be added or swapped without rewriting the orchestration. Vendor lock-in is eliminated, and the integration investment compounds rather than fragmenting.

Governed, Audit-Ready Execution

RBAC ensures only trusted users and systems can trigger blocking. Every execution is logged, traceable, and consistent with the governance bar required by a global financial services environment.

Itential’s vendor-agnostic integration model means we’re free to use lots of different security vendors without changing our core process. All the options are there and we can choose solutions based on really the technical need, confident that it’ll always work.
Director of Network Architecture
Global Financial Services Company

The Outcome

Threat Response Reduced from Minutes to Seconds

With blocking exposed as a reusable service across a global hybrid network, response time collapsed from minutes to seconds – and the integration investment compounds with every new SOAR, every new end system, and every new network the company adopts.

<1 Min: Threat Response Time
Reduced from minutes – sometimes several minutes – to seconds for any entity flagged across the global hybrid network.

2: Networks Unified
Two post-merger networks, each with its own Zscalers and block lists, brought under a single orchestrated process.

Any: SOAR or Security System
Vendor-agnostic by design – every SOAR, every end system, every new security tool integrates through the same workflow.

1: Universal Middle Layer
A single Itential workflow ingests payloads from any security source and orchestrates the blocking response end to end.

Blocking, Exposed as a Service

Any security system, agent, or service in the company’s distributed global network can now request a block as a service – with the integration investment compounding every time a new SOAR or end system is added.

What’s Next


With blocking exposed as a reusable service across the global network, the team is extending the same vendor-agnostic orchestration model to additional security workflows – and preserving the optionality to adopt new SOARs or migrate away from old ones without rebuilding the core process.


Continued focus areas include broadening the catalog of security and IT systems exposed through the platform, deepening payload transformations for new entity types, and treating the universal middle layer itself as a strategic asset that the network and security organizations co-own.
