Press Center
12 February 2026

The most massive DDoS attacks in history and a record number of incidents. T-Mobile Security Surveillance Center summarizes the year 2025

An increase in the number of cyber threats, record DDoS attacks, but at the same time faster responses – this was the year 2025 for T-Mobile's Security Surveillance Center, the so-called SOC. Across its corporate customers, the center processed 38,164 security incidents, which means an average of 104 incidents per day and a year-on-year increase of 29%.

Despite the increase in the total number of incidents handled by the centre last year, the average response time across all events dropped from 14 to 13 minutes and 25 seconds. The most significant progress is recorded in critical Distributed Denial of Service (DDoS) incidents. "In 2025, we faced a significant increase in the volume and complexity of DDoS attacks. Despite the record workload, however, we were able to further accelerate our reaction times, and thanks to the great work of the entire team, we responded to DDoS attacks in an average of 5 minutes and 2 seconds compared to 6.5 minutes in 2024," said Zdeněk Grmela, Tribe Lead of Protect team at T-Mobile.

The activity of cyber attackers is also shown by regular monthly and quarterly overviews of the National Cyber and Information Security Authority (NÚKIB). In some periods of last year, they reported an increase in incidents in various categories, especially in the area of ransomware and DDoS attacks.

Massive DDoS attacks: all-time high surpassed three times

Although NÚKIB's records show a year-on-year decrease in the number of DDoS attacks, T-Mobile's SOC statistics show that their intensity is still increasing, and 2025 brought an enormous increase at the SOC. While in the previous year the center recorded its largest DDoS attack at an intensity of 360 Gbps, in 2025 this limit was exceeded in three cases.

"In the middle of the year, we detected the most massive DDoS attacks to date, targeting our customer from the financial sector. These were repeated in waves of 550, 625 and up to a record 700 Gbps. In this case, it was a volumetric attack, the so-called UDP flood. During this time, the attacker floods the server or network with thousands to millions of messages (so-called UDP packets) per second. This causes the overall network or even end systems to be overloaded – services slow down or stop altogether, and users cannot access them. Due to the size of these attacks, our analysts used, among other things, special countermeasures using flowspec technology to defend themselves," says Martin Štalmach, Head of the Security Operations Center at T-Mobile. This is confirmed, among other things, by the global trend where attackers are more likely to resort to more massive and technically complex methods than in the past.

Through the protection of end devices and users (XDR), the SOC protects tens of thousands of endpoint devices and users, and in 2025 it detected more than 60% of cases with attempts to exploit vulnerabilities in supervised systems. "In this regard, the so-called Threat Intelligence, or knowledge of attackers' tactics, which is based on detection scenarios and allows us to capture incidents before they cause more serious damage, is of great importance to us. It is knowledge of the techniques and procedures that are used by attackers. Over 20% of attacks were intercepted thanks to machine learning and AI. This is a year-on-year decline, which may indicate a change in the most used types of attacks, but at the same time it further confirms the importance of Threat Intelligence," explains Štalmach.

SIEM: Faster initial analysis under increasing workloads

T-Mobile's security monitoring center focuses on three key areas: network and infrastructure protection (including DDoS), endpoint and user protection (XDR), and comprehensive IT environment monitoring (SIEM). For IT Environment Monitoring (SIEM), SOC experts performed initial analysis and informed customers in an average of 28 minutes and 58 seconds, which maintains the SOC's rapid ability to respond even under increasing workload. This is, among other things, one of the requirements of the current NIS2 legislation for rapid incident reporting and risk management in supply chains.