- Axiata Cyber Fusion Centre began as an internal defence capability, but evolved into a regional operation
- HELIOS, a patented platform designed to improve threat detection, attribution, and the resilience of critical digital infrastructure

What did Singapore Telecommunications Ltd (Singtel) try to do via a US$810 million acquisition in 2015, and fail, that Axiata Group Bhd is doing today at less than 2% of that cost? Build a cybersecurity business as a new revenue stream.
Here are the facts. In 2015, Singtel acquired US-based cybersecurity firm Trustwave for US$810 million to accelerate its push into cybersecurity services, especially managed security. Eight years later, in 2023, after deciding to refocus on Asia Pacific and taking significant impairment charges, Singtel sold the business, which had become a non-core asset, for an undisclosed sum.
Axiata, by contrast, took a more measured path. It did not begin with a clear goal of turning cybersecurity services into a new business, but it has now announced cybersecurity as a new revenue stream, based on its successful track record of growing its cyber capabilities.
The senior leadership team, led by Jamaludin Ibrahim, President and Group CEO, announced in 2017 a strategy to transform Axiata from a telco into a next-generation digital champion, with a number of digital businesses being established. Crucially, leadership also had the foresight to understand that the transition from telco to digital player required a strong cybersecurity pillar, and that without this capability, the transformation would fail.
Instead of making an acquisition to mark its cybersecurity ambitions, as Singtel did, Axiata established the Group Chief Information Security Officer (CISO) office in 2017 to oversee its own needs across the 10 countries in which it operated, with a customer base of over 320 million. With such a large customer base across multiple markets, it took the practical step of outsourcing its initial cybersecurity needs, including running a Security Operations Centre (SOC) out of Sri Lanka in 2018, where Axiata had a strong presence via its ownership of telco Dialog Axiata and a digital lab.
“It was a baby step,” said Suresh Sankaran Srinivasan (pic, right), Group Head of Cybersecurity at Axiata, who joined in July 2020 and spent his first two years working remotely from India due to the pandemic.
Suresh, whose prior role was as Partner at EY India, where he helped build its cybersecurity capabilities, joined at the right time. Axiata’s shift to building its cyber capabilities in-house had been set in motion earlier, in 2019, when it established a Chief Risk office, with Abid Adam (pic, left) appointed Chief Risk Officer in February 2020. Abid was previously the Group CISO.
Suresh, who reports to Abid, noted the significance of Axiata establishing the Chief Risk office. “It is usually a function set up by financial institutions, but here you have a telco with the foresight to establish such a function, with cybersecurity, privacy, enterprise risk, ethics and integrity, and compliance all collapsed under it.”
Significantly, along with creating the Chief Risk office, Axiata set aside a budget of US$3 million (RM12 million) to build a cybersecurity centre in Kuala Lumpur, with the SOC in Sri Lanka moving into a supporting role. It made sense, as Axiata was a Malaysian government-linked company (GLC), and such a critical capability should be built where it had its headquarters. It fell to Suresh to lead the effort.
“To be honest, at that time it was not clear what the outcome was going to be,” he admits, as there was no stated goal of establishing a world-class SOC. Yet that is exactly what the centre, called the Axiata Cyber Fusion Centre (CFC), has turned out to be. More than that, CFC also applied for a patent for a cybersecurity platform, HELIOS, which was recently granted by MyIPO, Malaysia’s patent office. Suresh believes this is the first patent received by a Malaysian GLC, aside from Petronas, the national oil company.
How did it get there?

Directing cybersecurity strategy and operations across 12 countries
Operating around the clock on a secure floor in the headquarters of CelcomDigi, Axiata’s Malaysian telco subsidiary, the CFC is a fully in-house operation protecting telecom networks, digital banking systems, fintech platforms, and other critical infrastructure across Axiata’s regional footprint.
The CFC brings defence, intelligence, innovation, and talent development under one roof. This is where analysts, many of them in their 20s and early 30s, monitor thousands of digital assets in real time. Offensive teams simulate attacks to test resilience. Threat specialists scan the dark web for early warning signs, while researchers refine tools to stay ahead of emerging risks.
Each day, the CFC tracks over 10,000 digital assets and 11,000 log sources, triggering more than 1,000 alarms and monitoring over 100 attack patterns. The centre also invests heavily in talent, delivering more than 500 training hours annually and maintaining a retention rate above 85%, considered strong at a time when highly trained cybersecurity professionals are in high demand.
Operational since March 2022, the facility replaced what was once an outsourced, fragmented setup, directing cybersecurity strategy and operations across 12 countries. (chart above)
“Operational costs for serving subsidiaries across the group are charged back at cost,” said Suresh.
In conjunction with its official inauguration in September 2022, Axiata, pleased with the progress made and seeing room for further upside, announced a US$16.4 million (RM65 million) commitment to strengthen cybersecurity capabilities across the group. The CFC itself represents only part of that broader investment.
Running the centre internally has also proven financially efficient. “If we had outsourced this to a third-party vendor, the annual cost would easily reach between US$5 million and US$6 million,” Suresh estimated.
The intangible costs would have been even higher. In an era where increasing value is derived from analysing the flow of digital data from business and our personal lives, safeguarding that data and ensuring its integrity to gain customer trust is priceless. Maintaining the outsourcing model would have meant Axiata having little internal expertise or knowledge in cybersecurity and data protection.
It also would not have been in a position to sell cybersecurity services to the market, generating a new revenue stream for Axiata.
From cost centre to revenue engine
In what Suresh sees as an exciting next phase, the CFC also supports a growing number of external clients, extending its expertise beyond Axiata’s own operations. This began in 2024 with its first such customer in Cambodia.
“Since 2024, we’ve extended services beyond the Axiata ecosystem,” Suresh says. “Today we support about 20 external clients across three countries, including Sri Lanka, Bangladesh, and Cambodia.”
The ambition was always there. “When we built this place in 2022, the intent was to eventually go external and monetise the asset. But we needed to mature our practices and resources first.”
A turning point in raising the bar for its capabilities came in December 2022, when Axiata decided to fully in-source its cybersecurity operations as its outsourcing contract was due to end in March 2023.
“I firmly believe that for an organisation to be sustainable, its core capabilities must be run in-house. You cannot build a sustainable organisation on an outsourced model,” said Suresh.
Within a hectic three-month period, Suresh hired 32 cybersecurity professionals to ensure the centre was fully operational by April 1, 2023.
The switch went smoothly.
“That gave us the confidence to then enter the market, offering our services outside Axiata group entities. And we did it with zero marketing budget. In many ways, this is a startup operating inside an enterprise,” said Suresh.
But entering the market required more than scale. Although Axiata was a known brand, it was not known for offering cybersecurity services. “I knew that going to market with vanilla services like basic Managed Detection and Response wouldn’t work. Everyone offers that. We needed a real differentiator.” That is where HELIOS came in, paving the way to a patent.

HELIOS, the crown jewel of Axiata’s Cyber Fusion Centre
At the centre of the CFC’s capabilities is a homegrown platform called HELIOS, short for Heuristic Engine for Leveraging Intelligence, Attribution, and Operational Security.
The platform combines AI and heuristic analysis to detect emerging threats, attribute attacks, and aggregate intelligence from multiple sources into a single operational view. It protects critical sectors such as finance, telecom, energy, and healthcare.
(Ed: Heuristic analysis is used in cybersecurity to identify suspicious activities and potential threats that traditional signature-based detection methods might miss. It focuses on analysing the behaviour of programs and files to determine if they exhibit characteristics typical of malware, even if they are previously unknown or modified versions of existing threats.)
The name HELIOS comes from the Greek word for the sun. “The idea was simple,” Suresh says. “Shine a light where people normally can’t see.”
Traditionally, cyber reconnaissance requires analysts to manually comb through open, deep, and dark web sources. “In the past, that process could take two to four weeks,” Suresh says. “But I wanted that intelligence much quicker, even daily.”
That need led to HELIOS. “We built it because the market tools were too fragmented,” he explains. “One vendor handles attack surface management, another monitors APIs, another scans cloud buckets. You end up stitching together multiple systems.”
HELIOS integrates those capabilities into a single platform. At its core are autonomous AI browser agents that crawl the internet in parallel, mapping domains, scanning APIs, and searching code repositories such as GitHub and Postman for exposed credentials.
It can perform large-scale vulnerability scans across 2,000-plus IPs and more than 20 critical web applications annually. HELIOS has already detected over 7 billion leaked data records, and caused some jaw-dropping reactions from politicians and senior bureaucrats when shown what a simple URL search can uncover. Suresh declined to share names.
“If you place a domain at the centre, HELIOS builds a full digital tree around it,” Suresh says. “Every subdomain, IP address, open port, and leaked credential connected to it.”
The platform also includes a proprietary dark-web crawler. “Most commercial tools scan every few months,” Suresh says. “Our crawler scans every six hours. What once took weeks of manual investigation can now be completed in less than two days.”
Realising they had built a powerful tool, Suresh applied for a patent in 2025. It was granted in February 2026, making HELIOS one of the few cybersecurity innovations to achieve this as a homegrown platform rather than one adapted from global technologies.
It also marks Axiata Group’s first-ever patent and could arguably be among the first technology patents secured by a government-linked company.
“As a patented homegrown platform, HELIOS is considered a sovereign asset. It has the potential to help protect national digital infrastructure,” said Suresh.
But with that capability comes responsibility. “This platform will be targeted left, right, and centre because of the intelligence it holds,” Suresh says. “So our job is to make sure it’s absolutely bulletproof.”
From 2022 to 2025, the CFC made clear progress. Its NIST CSF maturity score rose from 2.4 to 3.52 out of 5. That puts it firmly in the “very good” range. In other words, CFC now has strong, well-established cybersecurity practices and is actively managing risk.
The NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) is a widely used system that rates how well an organisation manages and protects against cybersecurity risks.
CFC’s response times dropped from over 72 hours to under 24 hours, critical vulnerabilities fell from more than 20 to fewer than four, and its research produced two zero-day vulnerabilities tracked in the global CVE (Common Vulnerabilities and Exposures) system.
“These numbers show our investment isn’t just about cost savings,” Suresh says. “It’s about building resilience, capability, and trust for the group and our external clients across the region.”
Inside the Fusion Centre
Step onto the Cyber Fusion Centre floor and the structure of the operation quickly becomes clear. The facility is divided into two wings, each serving a different purpose. The South Wing houses governance, architecture, human resources, and finance.
“You need a support unit to handle the business of cyber,” Suresh says. “Managing people, revenue, and service delivery, it’s not just about technology.”
The North Wing is the command zone. Access is tightly controlled and reserved for core cybersecurity specialists working across three pillars: active offence, active defence, and threat intelligence. The facility is also designed for the realities of cyber warfare. Sleeping pods and a fully stocked pantry allow teams to remain on site during major incidents.
“When we’re dealing with something critical at 2 am, I don’t want my specialists worrying about food or where to rest,” Suresh says. “Their focus should be on the mission.”
One distinctive feature of the centre is its in-house offensive security team, a capability many organisations still outsource. “Our offence team operates across three layers,” Suresh explains.
The first focuses on vulnerability management, continuously scanning systems for weaknesses and ensuring they are fixed. The second is penetration testing, where specialists conduct structured stress tests before systems go live.
The third is red teaming. “In the market, people often confuse pen testing with red teaming,” Suresh says. “Pen testing follows a methodology. You test predefined scenarios.”
Red teaming, however, is far more strategic. “It’s objective-driven, almost like Special Ops,” he says. “I don’t tell them how to do it. I only give them the end goal.”
For example, a team might be tasked with gaining super-user access and retrieving sensitive data. “As long as they don’t disrupt business operations, they can use any tactic a real attacker would,” he says. “That’s how we truly measure resilience, and whether our Blue Team is alert enough to catch them.”
The centre also includes a physical War Room dedicated to major cyber incidents. “In cyber, war means incidents,” Suresh says. “You can’t run a major incident response on the operational floor. You need an isolated environment.”
The room’s collapsible walls allow direct access to Red and Blue teams. “When something happens, the specialists you need are literally on the other side of the wall,” he explains.
Cybersecurity is not only about defending against external attackers. Insider threats must also be managed carefully. Suresh says the ACFC focuses on strict technical safeguards rather than monitoring employees’ private lives.
“We don’t track the personal behaviour of our staff,” he says. “Instead, we mitigate risk through strong technical controls.”
Most analysts operate under restricted permissions. “Most of our specialists have read-only access,” he explains. “They can observe and monitor, but they cannot modify, copy, or paste sensitive information.”
Physical controls add another layer of protection. USB ports inside the facility are disabled to prevent external storage devices.
Most system views are also virtualised. “What analysts see on their screens isn’t stored locally,” he explains. “It’s essentially a virtualised screen streamed from the cloud.”
Remote devices are protected with Data Loss Prevention systems. “For example, public generative AI tools like ChatGPT are blocked to prevent data leakage,” Suresh says. “We only allow Microsoft Copilot because it runs within our secure corporate tenant.”
Still, he acknowledges that technology alone cannot solve everything. “Beyond these controls, there has to be a baseline of trust.”
Cybersecurity as a national imperative and building the talent pipeline
The work of the CFC goes beyond corporate protection. Under Malaysia’s Cyber Security Act, telecommunications infrastructure like that owned by Axiata is classified as National Critical Information Infrastructure.
“Cyber warfare is no longer just about government websites,” Suresh said. “Telecom towers, digital banks, and fintech platforms are national assets.”
During the Russia-Ukraine war, cyber tensions quickly spilled across borders. “We saw Malaysian hacker groups align with one side, and the other side immediately retaliated against Malaysian entities,” he says.
That reality makes threat intelligence essential. “If there’s chatter about an attack targeting Cambodia or Indonesia, we need to know before it reaches the headlines. We have to be ready for the collateral damage of global conflicts.”
Because of its role in regional telecommunications, Axiata often acts as an early warning node for the broader ecosystem.
The CFC has become a regional collaboration hub. Between 2023 and early 2026, it hosted 107 visits from industry, government, and academia. These included GSMA, which represents the telco sector. Among the 61 private enterprises were KPMG, BAT, Telenor, and UEM Edgenta, alongside 34 government agencies and 12 academic institutions.
Multinationals running similar operations have told Suresh that Axiata’s CFC is more impressive than their global centres, a point of great pride for him and his team.
Through partnerships with Malaysia Digital Economy Corporation (MDEC) and CyberSecurity Malaysia, the company shares threat intelligence with national agencies and the wider business community.
“We aren’t just protecting a company,” Suresh says. “We’re protecting the digital pipes of the nation.”
Talent remains one of cybersecurity’s biggest challenges. The CFC’s attrition rate sits between 15% and 17%, high by the standards of most industries, but below the ASEAN cybersecurity average of 22% to 25%.
“Demand is massive, but the talent pipeline isn’t keeping up,” Suresh says.
The centre currently employs about 50 cybersecurity professionals in Kuala Lumpur, supported by another team in Sri Lanka.
“Out of the 50 in KL, 48 are local talent,” he says. “We intentionally reduced the expat ratio because we want to build domestic capability.”
The centre also invests heavily in developing the broader ecosystem. It regularly hosts students and collaborates with universities such as Asia Pacific University of Technology & Innovation, Universiti Teknologi Malaysia, and Universiti Teknologi MARA.
Many senior staff, including Suresh himself, also teach as adjunct lecturers. “We see it as giving back,” Suresh says. “We’re not just protecting a company. We’re helping build the cybersecurity talent pool for the entire country.”
Suresh is noncommittal when asked whether the CFC, now that the company has declared cybersecurity a new revenue stream, will be spun out into a separate business and seek venture funding, as other businesses within Axiata, including Boost and ADA, have done successfully. It would not be a surprise if it were. After all, Suresh has said that it has already been operating like a startup within the group. Watch this space.
