Employers Mutual Limited (EML) is consuming extended detection and response (XDR), AI-powered, cloud-based security operations centre and SIEM services from a single provider to maximise visibility into its technology estate and data.
The Australian insurance service provider specialises in workers’ compensation insurance and claims management, servicing schemes including icare, WorkSafe Victoria, the South Australian Return to Work Scheme, as well as various private clients.
The company has grown quickly in the past decade and now holds significant volumes of personally identifiable information (PII), including highly sensitive records on behalf of people facing injury, illness or life-changing events.
This story is part of the 2026 iTnews State of Security report.
When your corporate datasets include intimate medical details on thousands of your clients’ workers, you need to employ the strictest security protocols.
For head of security and infrastructure Leon Gelderblom, safeguarding this information has required substantial investment in the company's extended detection and response (XDR) capabilities to maximise visibility.
“It is about being able to see any suspicious activity, and then automate the actions we need to take,” Gelderblom said.
Three years ago the company adopted an XDR capability from SentinelOne, replacing a more limited endpoint detection and response (EDR) solution.
“We wanted to expand and get more 24/7 coverage, but they weren’t as flexible and willing to work with us to expand our portfolio without significant cost impact,” Gelderblom said.
While Gelderblom entered the tool selection process with high expectations for competency, he said this was not the only factor influencing his evaluation criteria.
“I don't think any product is perfect,” he said. “It’s about having the ability to raise queries when there are problems and knowing the supplier will work with you to resolve them.”
Since then EML has expanded its relationship with SentinelOne, adopting additional AI-powered, cloud-based SOC and SIEM services to improve its ability to derive intelligence from XDR data.
“We tend to limit the number of relationships we have, so we will look at an existing partner and see if they have the necessary capability when we want to expand,” Gelderblom said.
“(SentinelOne) was meeting our requirements, so it made sense for us to expand the service.”
This shift also enabled EML to retire its on-premises SIEM platform.
“Making the shift to a (cloud-based) SIEM eases our team’s burden from managing an on-premises capability,” Gelderblom said.
“We have a small team, and building a SIEM and a SOC service on premises is not sustainable. Having our telemetry going into SentinelOne, which was already looking at a lot of our EDR and XDR services, means we are combining that all into one. That gives us a single pane of glass that we can take actions on quickly.”
He added that the move has improved both efficiency and response times.
“There is always the danger that we might have missed a few things when we had the on-premises system. The burden on our team has eased up, and the AI service is analysing the logs a lot faster, so we can take the action as quickly as possible.”
This transition has also served to tighten the relationship between EML and its supplier. Gelderblom said that while initially the cloud-based SIEM generated a high volume of false positive alerts, over time SentinelOne and EML have fine-tuned its responsiveness to better reflect EML’s operations.
“It is about building trust with the service provider, so you can know when you need to care about an alert,” Gelderblom said.
A key element of EML’s strategy is ensuring that its workforce can identify and report threats.
“Our threat vector is very much composed of emails coming to our users,” Gelderblom said.
“That has not changed much, but the volume has significantly increased. So we have been focusing on awareness and making sure that users are vigilant and report things as quickly as they can.
“We have multiple layers, but no layer is 100 percent foolproof. If something reaches the end point, we need to know about it as quickly as possible so we can take the right action, be it automated or manual.”




