Telco AEGIS: Autonomous ecosystem for generative intelligence and security
URN C26.0.980
Topics AI (Artificial Intelligence), Autonomous networks, Open Digital Architecture (ODA)
This Catalyst aims to transform CSPs into resilient digital service providers - better equipped to protect customers, meet regulatory expectations, and sustain growth. It achieves this using intelligent telco security service orchestration of AI and automation with governance to protect, validate, and evolve telecom security.
Project companies
Telco AEGIS: Autonomous Security for a New Era of Threats
In 2026, a telecom network is no longer just a standard infrastructure; it is a critical national asset under constant attack. Cyber threats in telecom have rapidly evolved from simple fraud to sophisticated attacks that compromise national-level visibility and location intelligence. Advanced threat actors like UNC3886 can exploit vulnerabilities and remain hidden inside a network for months, exposing billions of users. Meanwhile, legacy SS7 vulnerabilities still enable invisible attacks like location tracking and information disclosure, proving that these signaling risks are active, adaptable, and far from theoretical.
Traditional, static defenses can no longer keep pace. They are too slow, too reactive, and too fragmented to handle the scale and complexity of modern threats. The industry demands a smart and autonomous protection paradigm where the operational philosophy is simple: We Handle the Threats. You Run the Empire. Telco AEGIS addresses this challenge by introducing an Agentic and Autonomous Security Lifecycle, transforming security operations from manual, batch-based processes into a continuous, intelligence-driven, and governed model.
An Architecture Aligned with TM Forum Standards
Telco AEGIS is a governed ecosystem of multi-agentic AIs purpose-built for TM Forum Autonomous Networks Level 4. Built on the Model Context Protocol (MCP) and strictly aligned with the TM Forum Open Digital Architecture (ODA), the solution separates decision intelligence from enforcement, enabling seamless integration across multi-vendor environments. At its core, Telco AEGIS combines agentic AI with a unified intelligence layer that aggregates multi-CSP telemetry, enriched with threat intelligence and telco-specific context.
The solution is driven by four foundational pillars:
* Active AI Analytics: An integrated security control layer that allows the system to analyze, detect, and proactively recommend actions.
* Smart Decision-Making: Advanced AI that translates complex analysis into practical, executable recommendations.
* Seamless Ecosystem Integration: Designed for easy integration with multiple brands and vendors, allowing the solution to scale effortlessly across existing infrastructures.
* Interactive Dashboard: Provides security teams with complete visibility and centralized control over all AEGIS AI activities.
Detection and Response Through a Closed-Loop DevSecOps
Telco AEGIS operates on a closed-loop lifecycle—monitoring, detecting, generating, validating, and deploying—where specialized AI agents collaborate to deliver precise, context-aware security outcomes. Instead of relying on reactive configurations, the solution enables intent-driven decisioning, automated playbooks, and pre-deployment validation. This ensures every security action is tested, risk-assessed, and proven before reaching production.
The moment a threat appears, Telco AEGIS detects it, analyzes it, decides what to do, takes action, and then verifies the result. In the UNC3886 case, this means identifying persistence, correlating the threat, and isolating the affected system immediately. For SS7 anomalies, it means spotting a suspicious signaling request, blocking the tracking attempt, and preserving visibility for the security team. Crucially, the loop does not stop at detection; it continues through response and learning, ensuring the system gets progressively smarter over time.
Proven Outcomes and Business Impact
What does Telco AEGIS deliver for your operations and your bottom line? Through automation and AI, the Catalyst enables networks to achieve remarkable, measurable results:
* Drastic Response Acceleration: Accelerates MTTD and MTTR by shifting the detection-to-containment target to under two minutes—a major leap from manual hunts that take hours or days.
* Proactive Defense: Agents correlate live intelligence against known tactics and automate blocking across the stack, from SIEM to firewalls, strengthening protection against zero-day attacks, fraud, and signaling abuse.
* Operational Efficiency: Reduces manual effort by over 30%.
* Deployment Accuracy: Ensures that more than 95% of security updates are validated before deployment, minimizing critical configuration errors.
* Enhanced Precision: Significantly reduces false positives, reducing the time spent chasing endless alerts.
Because the system is governance-built, every AI decision is explainable and auditable, making it regulator-ready and highly suitable for critical infrastructure environments. Beyond operational efficiency, Telco AEGIS delivers a broader impact by strengthening national infrastructure resilience, reducing scams, and increasing trust across interconnect and roaming ecosystems.
It shifts the industry from reactive security to autonomous, evidence-driven assurance where intelligence becomes the currency of trust, and networks evolve into proactive, resilient digital platforms. Telco AEGIS is helping redefine what autonomous security means for the telecom industry.
Example use cases addressed by this Catalyst:
Use Case 1 – APT UNC3886 Attack Detection, Simulation & Recommendation. The functions of each entity are as follows:
1. Akuig plays the broadest role as the backbone for integration, service management, and data routing within this ecosystem. Its functions include:
* Inventory Service: Collects and manages inventory data from Telin's Network Element and sends it to Ericsson's SCM.
* Cloud (SFTP Transfer Method): Receives data from Telkomsel's Network Element that has passed through Ericsson's SCM via the SFTP transfer method.
* MCP Servers: Acts as middleware or a message broker. The first MCP Server collects data from the Inventory and Cloud to be forwarded to the Agent. The second MCP Server receives the output from the Agent and distributes it to various services (Simulation, ITSM, and Dashboard).
* ITSM Service: The IT Service Management system that receives output from the MCP Servers for ticket/incident management, which is then forwarded to the UI Dashboard.
2. Ericsson
* SCM (Security Configuration Management): Acts as an intermediary that collects data and logs from Telkomsel's Network Element and analyzes them by comparing them against the security standard. Ericsson's SCM then forwards this data to Akuig's Cloud using the SFTP transfer method.
3. Tritronik functions as the processing brain (agent) and the visual interface for the user:
* UC-01 Agent: Provides the main smart agent/automation that processes data from the MCP Server (Akuig) and retrieves references from Knowledge Management.
* UI Dashboard: Provides a graphical user interface for monitoring. This dashboard receives data feeds directly from the MCP Servers and ticket/incident status from the ITSM Service.
4. MTM
* Breach & Attack Simulation: MTM is responsible for executing the attack simulation. This component receives instructions or triggers from Akuig's MCP Servers via the REST API method, then performs simulated attacks targeting the network infrastructure (such as the Firewall).
5. Huawei
* Firewall: Acts as the network security device (Firewall) within the target simulation infrastructure. Huawei serves as the first line of defense after traffic enters from the internet, which is then tested for vulnerabilities by MTM's Breach & Attack Simulation.
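The SCM step above (collect a network element's configuration, compare it against a security standard, recommend changes) and the "validated before deployment" outcome claimed earlier can be made concrete. The following is an added Python example written for this page; it is not Ericsson SCM or Akuig code. The baseline parameters, the two validation invariants and the element configurations are constructed sample data.

```python
"""Baseline comparison with a pre-deployment validation gate.

Added illustration of the SCM step in Use Case 1, not Ericsson SCM or Akuig
code. Baseline, invariants and element configurations are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed baseline: parameter -> (expected value, severity).
SECURITY_BASELINE: dict[str, tuple[str, str]] = {
    "telnet.enabled": ("false", "critical"),
    "ssh.protocol_version": ("2", "high"),
    "ssh.permit_root_login": ("no", "high"),
    "snmp.version": ("3", "medium"),
    "syslog.remote_forwarding": ("true", "medium"),
    "password.min_length": ("12", "low"),
}


@dataclass
class Finding:
    element: str
    parameter: str
    expected: str
    observed: Optional[str]
    severity: str
    recommendation: str


def compare_to_baseline(element: str, observed: dict[str, str]) -> list[Finding]:
    """One finding per baseline parameter that is missing or deviates."""
    findings: list[Finding] = []
    for param, (expected, severity) in SECURITY_BASELINE.items():
        actual = observed.get(param)
        if actual is None:
            findings.append(Finding(element, param, expected, None, severity,
                                    f"set {param}={expected} (not reported by element)"))
        elif actual.strip().lower() != expected.lower():
            findings.append(Finding(element, param, expected, actual, severity,
                                    f"change {param} from {actual} to {expected}"))
    return findings


def plan_remediation(observed: dict[str, str], findings: list[Finding]) -> dict[str, str]:
    """Apply every recommendation to a copy of the configuration."""
    planned = dict(observed)
    for f in findings:
        planned[f.parameter] = f.expected
    return planned


def validate_plan(planned: dict[str, str]) -> list[str]:
    """Pre-deployment gate: reject a plan that would cause an outage or a blind
    spot. The two invariants are constructed examples of such checks."""
    problems = []
    if planned.get("telnet.enabled") == "false" and planned.get("ssh.enabled") != "true":
        problems.append("disabling telnet would remove the only remote management path; enable ssh first")
    if planned.get("syslog.remote_forwarding") == "true" and not planned.get("syslog.server"):
        problems.append("syslog forwarding enabled but no syslog.server configured; logs would be lost")
    return problems


def scm_review(element: str, observed: dict[str, str]) -> dict:
    """Full step: findings, planned configuration and an approve/block status."""
    findings = compare_to_baseline(element, observed)
    planned = plan_remediation(observed, findings)
    problems = validate_plan(planned)
    return {
        "element": element,
        "findings": findings,
        "planned_config": planned,
        "validation_problems": problems,
        "status": "approved" if not problems else "blocked",
    }


# Constructed configurations as an SCM might collect them from two elements.
NE_A = {  # no syslog target, so enabling forwarding must be blocked
    "ssh.enabled": "true", "ssh.protocol_version": "2", "ssh.permit_root_login": "yes",
    "snmp.version": "2c", "telnet.enabled": "true",
    "syslog.remote_forwarding": "false", "password.min_length": "8",
}
NE_B = dict(NE_A, **{"syslog.server": "192.0.2.10"})  # constructed documentation address

if __name__ == "__main__":
    for name, cfg in (("NE-A", NE_A), ("NE-B", NE_B)):
        result = scm_review(name, cfg)
        print(name, result["status"], [f.parameter for f in result["findings"]])
        for p in result["validation_problems"]:
            print("  validation:", p)
```

The point of the gate is that a recommendation which is correct against the standard can still be wrong to deploy: both elements produce the same five findings, but only NE-B's plan is approved, because NE-A would start forwarding syslog to nowhere. A recommendation that fails validation is returned as a blocked plan for a human, not silently applied.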
Use Case 2 – Subscriber Location Tracking Attack Detection, Simulation & Auto Mitigation. The functions of each entity are as follows:
1. Akuig acts as the center for knowledge management, workflow orchestration, and service management. Its functions include:
* Knowledge Management: Collects data and threat intelligence (such as CTI from the GSMA, inter-CSP knowledge bases, and standards documentation) in step 1, then forwards this knowledge to the agent.
* MCP Servers: Acts as the middleware and main control center. The MCP Servers coordinate bi-directionally with the UC-02 Agent, trigger the Breach & Attack Simulation, receive alerts from the IDS, apply auto-mitigation to the Signaling Firewall, and forward incident data to the ITSM Service.
* ITSM Service: The IT Service Management system that receives incident/ticket data from the MCP Servers, which is then forwarded to the UI Dashboard.
2. Tritronik functions as the intelligent processing agent and visual interface (dashboard) provider:
* UC-02 Agent: A smart agent that receives data from Knowledge Management and coordinates with the MCP Servers to execute detection and mitigation logic. This agent also sends data directly to the dashboard.
* UI Dashboard: A graphical user interface used for monitoring. This dashboard receives visual feeds/status directly from the UC-02 Agent and ticket status from the ITSM Service.
3. SecurityGen focuses on technical security execution, ranging from attack simulation and intrusion detection to network defense:
* Breach & Attack Simulation: Executes subscriber location tracking attack simulations targeting the network. This simulation is triggered by commands from the MCP Servers.
* IDS (Intrusion Detection System): A system that monitors network traffic. If it detects an attack from the simulation results or a real threat, the IDS sends an alert back to the MCP Servers.
* Signaling Firewall: The primary line of defense within Telkomsel's infrastructure that protects the Core Network and subscriber devices (MSISDN/IMSI). This firewall receives auto-mitigation instructions from the MCP Servers to block detected attacks.
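The flow just described (IDS alert to the MCP Servers, UC-02 Agent decision informed by Knowledge Management, validated auto-mitigation on the Signaling Firewall, ticket to ITSM) is also the closed-loop lifecycle from "Detection and Response Through a Closed-Loop DevSecOps". The following added Python example walks one alert through that loop and keeps an audit trail so that each decision is explainable. It is not Akuig, Tritronik or SecurityGen code. Global titles (GTs), IMSIs, partner names, alert identifiers and the operation policy are constructed; the policy only borrows the general idea that different interconnect operations are legitimate from different origin classes, and is not a copy of any GSMA category table.

```python
"""Closed-loop handling of a signaling alert: decide, validate, mitigate, ticket.

Added illustration of the Use Case 2 flow, not Akuig, Tritronik or SecurityGen
code. GTs, IMSIs, partner names and the operation policy are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class KnowledgeBase:
    home_gt_prefix: str
    partners: dict[str, str]          # roaming partner name -> GT prefix
    serving_partner: dict[str, str]   # IMSI -> partner currently serving it
    operation_policy: dict[str, str]  # operation -> "home_only" | "serving_partner_only"


KB = KnowledgeBase(  # constructed knowledge-management content
    home_gt_prefix="62811",
    partners={"PartnerA": "4477", "PartnerB": "6591"},
    serving_partner={"510010000000001": "PartnerA"},
    operation_policy={
        "AnyTimeInterrogation": "home_only",
        "ProvideSubscriberInfo": "serving_partner_only",
    },
)


def origin_class(gt: str, kb: KnowledgeBase) -> tuple[str, Optional[str]]:
    """Classify the sending GT as home, a named partner, or untrusted."""
    if gt.startswith(kb.home_gt_prefix):
        return "home", None
    for name, prefix in kb.partners.items():
        if gt.startswith(prefix):
            return "partner", name
    return "untrusted", None


def decide(alert: dict, kb: KnowledgeBase) -> tuple[str, str]:
    """Agent decision: (verdict, rationale) with verdict allow, block or escalate."""
    op, gt, imsi = alert["operation"], alert["origin_gt"], alert["target_imsi"]
    policy = kb.operation_policy.get(op)
    cls, partner = origin_class(gt, kb)
    if policy is None:
        return "escalate", f"no policy for {op}; human review required"
    if cls == "home":
        return "allow", "origin is the home network"
    if policy == "home_only":
        return "block", f"{op} is home-only but origin {gt} is {cls}"
    if cls != "partner":
        return "block", f"origin {gt} is not a trusted roaming partner"
    serving = kb.serving_partner.get(imsi)
    if serving != partner:
        return "block", f"{partner} queried IMSI {imsi} it is not serving (serving: {serving or 'home'})"
    return "allow", f"{partner} is currently serving IMSI {imsi}"


def build_rule(alert: dict, kb: KnowledgeBase) -> dict:
    """Mitigation rule for the signaling firewall, scoped narrowly for partners."""
    cls, _ = origin_class(alert["origin_gt"], kb)
    rule = {"action": "block", "operation": alert["operation"],
            "origin_gt": alert["origin_gt"], "ttl_seconds": 3600}
    if cls == "partner":  # never block a whole partner; scope to the targeted subscriber
        rule["target_imsi"] = alert["target_imsi"]
    return rule


def validate_rule(rule: dict, kb: KnowledgeBase) -> list[str]:
    """Pre-deployment validation: the rule must not break legitimate roaming."""
    problems = []
    cls, partner = origin_class(rule["origin_gt"], kb)
    if cls == "home":
        problems.append("rule would block the home network")
    if cls == "partner" and "target_imsi" not in rule:
        problems.append(f"blanket block on {partner} would break roaming")
    if rule.get("ttl_seconds", 0) <= 0:
        problems.append("rule must have an expiry")
    return problems


def handle_alert(alert: dict, kb: KnowledgeBase) -> dict:
    """MCP-server orchestration of one alert; the audit list is the explainable trail."""
    verdict, why = decide(alert, kb)
    audit = [f"decide: {verdict} ({why})"]
    incident = {"alert_id": alert["id"], "verdict": verdict, "rule": None, "ticket": None, "audit": audit}
    if verdict == "allow":
        audit.append("no action taken; alert recorded for visibility")
        return incident
    incident["ticket"] = {"id": f"INC-{alert['id']}", "severity": "high",
                          "summary": f"{alert['operation']} from {alert['origin_gt']}: {why}"}
    audit.append(f"itsm: opened {incident['ticket']['id']}")
    if verdict == "escalate":
        return incident
    rule = build_rule(alert, kb)
    problems = validate_rule(rule, kb)
    if problems:
        audit.append("validation failed, rule withheld: " + "; ".join(problems))
        incident["verdict"] = "escalate"
        return incident
    incident["rule"] = rule
    audit.append("validation passed; rule pushed to signaling firewall")
    return incident


# Constructed IDS alerts covering the four outcomes: untrusted origin, partner
# querying a subscriber it does not serve, legitimate partner query, unknown operation.
ALERTS = [
    {"id": "1001", "operation": "AnyTimeInterrogation", "origin_gt": "91700010", "target_imsi": "510010000000002"},
    {"id": "1002", "operation": "ProvideSubscriberInfo", "origin_gt": "65911000", "target_imsi": "510010000000001"},
    {"id": "1003", "operation": "ProvideSubscriberInfo", "origin_gt": "44771000", "target_imsi": "510010000000001"},
    {"id": "1004", "operation": "UnclassifiedOperation", "origin_gt": "91700010", "target_imsi": "510010000000002"},
]

if __name__ == "__main__":
    for a in ALERTS:
        r = handle_alert(a, KB)
        print(r["alert_id"], r["verdict"], r["rule"], *r["audit"], sep="\n  ")
```

Two design choices carry the security point. First, the decision is not only "is the origin trusted" but "is this partner entitled to ask about this subscriber right now", which is what separates a legitimate roaming query from a tracking attempt that arrives from an otherwise trusted interconnect. Second, every rule passes a validation step before it reaches the firewall, and a rule aimed at a partner is always scoped to the targeted IMSI so that auto-mitigation cannot take down roaming with that partner; anything the agent cannot classify is ticketed and escalated rather than acted on.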
Autonomous security. Proven outcomes. Trusted networks. The future does not wait, and neither should your network.