About IP Performance
IP Performance Ltd is a UK-based network engineering and cybersecurity systems integrator that has operated for over 25 years. The company specialises in designing, delivering, managing and protecting high-performance IT networks for organisations in both the public sector (government, healthcare, education) and private sector (SMEs, large enterprises).
Core competencies include:
Network Infrastructure: Routing, switching, wireless, and hybrid cloud networking
Cybersecurity: Managed security operations, firewalls, network detection and response, intrusion prevention, endpoint protection, automated penetration testing
Performance Optimisation: Load balancing, traffic management, and latency reduction
Managed Services: 24/7 service desk, proactive monitoring, spares management, SLAs
Consultancy & Training: Security audits, threat assessments, cyber incident workshops
The company positions itself as a friendly network engineering and cybersecurity partner — a specialist that combines strong vendor relationships with independent, customer-first advice.
Executive summary
IP Performance Ltd set its sights on expanding its cybersecurity customer base and strengthening its position as a trusted provider of managed cybersecurity services. However, the company’s team faced a significant barrier to growth: its Security Operations (SecOps) processes were heavily manual and time-intensive.
Alert triage alone consumed several hours per customer, per day
Manual reporting and investigation processes slowed response times
Scaling operations meant adding disproportionate headcount
The reliance on manual effort created a bottleneck that restricted growth and placed increasing strain on the team.
The challenge
Before Tines, IP Performance had very little automation in place for security alert processing. While the team used Ansible extensively for infrastructure tasks like platform builds and OS provisioning, SecOps remained heavily manual.
“Time was one of our largest problems,” explains Security Solutions Architect Duncan Ross. “We were spending two to three hours per day per customer just on initial alert triage. And if we found a problem, we had to investigate it from there.”
Triage required checking and cross-referencing multiple tools - including SIEM, EDR, and NDR - all manually. “Each one had to be checked and cross-correlated,” Duncan adds. “It was time-consuming, and that made it difficult to scale and take on more customers.”
Why Tines
To overcome its scaling challenges, IP Performance evaluated three automation platforms: TheHive, DTonomy, and Tines.
TheHive offered structured incident response playbooks, which initially seemed promising. But as Duncan explains, “you had to spend time creating the playbook, and then manually follow it for every single alert… so you were really just moving the work from one platform to another, without getting any actual help in doing it.”
DTonomy took a machine learning-based approach to alert processing, but proved unstable in practice. “It was a bit flaky,” he says. “It would fall over, and then we wouldn't know that the alert processing had stopped working.”
Tines stood out for its reliability and ease of use.
“Tines helps with the actual work, actually reducing the workload,” Duncan says. “For us, that was the biggest thing. We had to find a way of getting through all of that work, and still have the capacity to do other things as well.”
They also saw the opportunity to use Tines workflows as the glue between existing systems. Duncan provides an example: “Our SIEM was connected to our IT service ticketing system, but that also wasn't able to do anywhere near what we could do with Tines.”
“Tines just works, and that’s what’s so impressive about it. It’s simple, even for someone like me who doesn’t come from a programming background. I’ve built things in Tines that have been really useful.”
Duncan Ross, Security Solutions Architect
The Impact
From reducing triage time to closing skills gaps with AI, IP Performance has used Tines to scale operations, enhance service quality, and deliver greater value to its customers.
Time savings and increased capacity
IP Performance achieved a 95% reduction in time spent on alert triage, while improving the quality and consistency of response.
What once required a significant staff resource working a combined 20 hours per day now takes just two team members around 30 minutes each.
With that time saved, the team is now able to take on more customer environments without growing the team, directly contributing to business growth.
“We've reduced the triage and initial investigation time by an order of magnitude. It’s massively increased the amount of work we can do and take on.”
Duncan Ross, Security Solutions Architect
Improved service quality
Tines plays a key role in helping IP Performance deliver high-quality services without relying on expensive, heavyweight tooling. By combining best-in-class open source and existing platforms with Tines workflows, the team avoids unnecessary licensing costs while still meeting enterprise-grade demands.
“We’ve done a lot of work finding the right mix of tools that let us avoid big licensing costs,” Duncan explains. “What Tines has enabled us to do is link a lot of that stuff together and create more value in the services that we offer.”
This blend of cost and operational efficiency made Tines foundational to the company’s service model.
“We cannot do what we do now without Tines. It’s just integral, I would cry if somebody took it away from me. And so would my team.”
Duncan Ross, Security Solutions Architect
Improved customer experience
As a managed service provider, IP Performance uses Tines to improve transparency, demonstrate value, and build trust with customers, especially during and after incidents.
“We don’t just close cases. Now we’ve got loads of closure types, so we can report on what actually happened,” Duncan explains. “If a host was remediated or an IOC was blocked, we track and show that.”
This outcome-focused approach makes it easier for customers to understand what actions were taken, how long they took, and what was automated versus handled manually. Tines Cases helps deliver that context clearly.
“Customers really like the fact that when we send them a report, it shows them what we did and the outcomes. They can take that to their management and say, ‘This is the work that’s being done for us.’”
In one case, a customer used to spend an hour each day checking Entra logins manually. Now, Tines monitors for suspicious activity and sends a Teams alert only when something needs attention.
“The customer trusts it now enough that he doesn’t do that checking anymore,” Duncan says. “We’re saving him an hour a day. He was very happy when we came up with that.”
Faster workflow development with AI
With one of Tines’ most popular AI features - automatic mode in the event transform action - the IP Performance team can build and refine workflows significantly faster, without needing deep programming expertise.
Duncan explains, “You can tell the AI, ‘I need to do this, I need this data. I want you to tell me about this thing,’ and it says, ‘Here’s a script that will allow you to do it.’ Then you can iterate until you’re happy with the result. That’s really powerful. It’s really accelerated our ability to automate.”
AI in Tines doesn’t just speed up workflow development - it lowers the barrier to automation. One example came when the team encountered unfamiliar log data from an API they hadn’t worked with before.
“We didn’t know the API particularly well, or what kind of data we were going to get,” Duncan says. “But we were able to feed the AI tool a sample log, ask it to turn that into something we could process, and then prototype and iterate on that workflow really quickly.”
More efficient investigations
Duncan’s colleagues also use Workbench, Tines’ universal AI copilot, to conduct investigations more efficiently, accelerating response times when it matters most.
“My analysts really like Workbench. Being able to ask for a summary of something, or ask questions about suspicious activity from a chat interface is really useful.”
Duncan Ross, Security Solutions Architect
More complete coverage
With automated triage in place, the team no longer worries about missing critical alerts.
“Before Tines, our big worry was missing things, if somebody went on holiday, or if somebody was off sick, or on public holidays. The initial triage and checking of all the alerts is now done by automation first. If something important comes in, a Tines case gets logged, it talks to our pager system, and alerts us that there’s something we have to look at. I’m not worried about missing things anymore.”
That reliability has freed up the team to shift their focus from firefighting to continuously improving the mission-critical processes that their business relies on.
“We’re now spending more time on building new workflows, processing alerts in a different way, and trying to make existing workflows better at what they do,” he adds.
“Tines allows you to trust the automations that you've built and runs indefinitely without problems, which is invaluable to us.”
Duncan Ross, Security Solutions Architect
Seamless integration accelerates investigations
Tines enables IP Performance to connect and correlate data across cloud-based and on-prem tools, removing friction from investigations and improving response times across their customer base.
“We’ve got different tools that live in different places,” Duncan says. “Our Elastic SIEM lives on-prem, but some customers have an EDR with a cloud-based management portal. With Tines, we can talk to that API in the cloud, pull information from there, talk to the Elastic stack on-prem, and pull information from there too. Then we can correlate across those sources during investigations. That’s been really powerful for us.”
“During the buying process, the Tines team kept saying to us, ‘If it’s got an API, Tines can connect to it’, and that’s proved to be true.”
Duncan Ross, Security Solutions Architect
Top use cases
Incident response
Alert triage and investigation
Top workflows
Alert triaging
One of the most valuable and repeatable workflows IP Performance has built in Tines involves end-to-end alert triage, saving significant time and forming a key part of their MSSP service delivery.
The process includes pulling alerts, deduplicating them, enriching with threat intelligence, assessing criticality, creating a case, and triggering remediation.
“Our entire use of Tines is built around this idea of processing alerts, enriching them, having a playbook for the ones that need looking at straight away, and then doing something about them,” says Duncan. “At the moment, we’re doing this for seven customers and counting. And we’re running this process for all of them with Tines.”
Entra ID login alerts
Tines monitors Entra ID login activity and sends customers a Teams message when suspicious behavior is detected, removing the need for manual daily checks.
This workflow not only streamlines detection but also strengthens trust and demonstrates ongoing value to the customer.
Favorite feature
Duncan highlights Tines actions - the core building blocks of every workflow.
“We can click a button and put the value that we want to block, and it gets put into a block list that gets put straight onto the firewall and is blocked straight away,” Duncan explains. “It saves time and effort, and it makes things repeatable.”
He also calls out Tines Cases for its deep integration capabilities.
“I like Cases a lot - its integration with the rest of the Tines platform makes it incredibly useful. We don’t have to struggle to get data in, we can take action directly from a case, and the closure and tagging features make reporting much clearer. Our customers love that they can see what was done, how long it took, and what was automated.”
Tines support
According to Duncan, exceptional support from the Tines team stood out from day one.
“Tines is the best vendor I have ever worked with, apart from ourselves of course. The level of help and support that we got, and the level of engagement that we got, and the way in which the team helped us with our problems - I've never worked with a vendor that's provided that level of support.”
Duncan Ross, Security Solutions Architect
What’s next
Duncan and the team are focused on evolving their use of Tines beyond individual alert sources to a more unified, context-rich response process.
“One of the things we’re working on now is stitching together alerts from different sources, like Defender 365 and Entra, into a single, correlated case,” Duncan explains. “That way, instead of handling each alert in isolation, we can bring them together and say, ‘These are all related to the same issue,’ and deliver a clearer picture to the customer.”
They’re also working on expanding alert coverage across more tools and refining reporting outputs to better highlight response actions and outcomes.
“Now that we trust Tines to handle these processes, we’ve got the headspace to focus on all sorts of other projects.”
Duncan Ross, Security Solutions Architect