Domino’s Stays on Top of Threats By Training its SOC Analysts To Think Like An Attacker


Company Size


Customer Website

About Domino's Pizza

Domino’s Pizza is the largest pizza company in the world with a significant business in both delivery and carryout pizza. It ranks among the world’s top public restaurant brands with a global presence of more than 18,300 stores in 90 countries across five continents. Technology is the backbone of Domino’s online ordering and delivery service and the company employs state-of-the-art technology to provide the best customer experience.

The Domino’s Technology department supports the company’s e-commerce, point-of-sale and franchise reporting systems. Its information security team is composed of policy-minded professionals, compliance experts, and technical pros with a hacker mentality. The team works together to protect the entire business from attack by implementing and maintaining the most advanced security technology in the industry.


Domino’s security operations center is a 24/7 shop. One of the biggest security challenges they deal with is phishing. Alexander Padilla, VP, Information Technology and Brian Duross, Sr. Manager for Cybersecurity Operations are responsible for cyber security. “My team is dealing with more phishing related issues than anything else, right now,” states Duross. “Spear phishing seems to be the current popular one. And frankly, it’s one of the harder ones to defend against because the threat actors are getting pretty crafty.”

 Threat hunting also is critical. “With both domestic and international markets, the attack surface is pretty wide. So, we keep our finger on the pulse of what’s happening in the environment and try to detect threats before they become a real problem. To accomplish this we wanted to help our SOC analysts think like attackers. A lot of analysts focus solely on detection and response, so they don’t know the building blocks that an attacker actually uses - they don’t have the other side of the story.”

We took our analysts out of the SOC and put them with Rapid7 security professionals who see real-world stuff every day. They learned about new attack scenarios they never heard of before - from real-world cases and work. That was huge. They really enjoyed learning about that stuff.
Brian Duross, Sr. Manager for Cybersecurity Operations


For years, Domino’s has partnered with Rapid7 to conduct real-world team assessments. “We ran red team/blue team exercises in the past,” he adds. Duross and Padilla approached Rapid7 to create a collaborative training experience and together they developed Rapid7’s new Detection and Response Workshop. Led by a team of expert incident response consultants, the Detection and Response workshop is now available to all Rapid7 customers looking to test their detection capabilities and receive hands-on training for their defenders, helping analysts identify and investigate attacker activity within their team's existing toolset. 

“We took our analysts out of the SOC and put them with Rapid7 security professionals who see real-world stuff every day,” explains Duross. “They learned about new attack scenarios they never heard of before - from real-world cases and work. That was huge. They really enjoyed learning about that stuff.”

Supporting Business Goals

“The goal for us was to provide value to the company, understand where there are opportunities to improve, what elements on the network need some attention or need additional review. And, Rapid7 provides that to us,” states Padilla. “Obviously, it’s still a journey because the business is dynamic. Environments are more and more complex. We’re adding innovation, we’re adding transformation. Rapid7 is mature in their offering, is learning more and more, and it’s providing a better future for our organization.”

“One of our goals for this partnership with Rapid7 is to add value by delivering a solution on business terms,” continues Padilla. “Rapid7 understands our environment, it was important that they contextualized our business in the preparation of the workshop. They took into consideration our principal or more complicated assets, our biggest centers of revenue generation, all these. For some vendors who provide this type of exercise, it’s basically the same service over and over. You can be disconnected from the business context.”

Immersive Experience

“The analysts loved the inclusive nature of these Rapid7 workshops,” reports Duross. “They were able to focus on learning and not worry about the war games aspect of things. Plus, it was directly in our environment using tools that they were already familiar with. That was the other side of this. If we send an analyst off to training they learn a bunch of skills and stuff, but then they have to come back and apply that in our environment. With the Rapid7 Detection and Response Workshop they gained skills they can apply directly to their job.”

“We have varying skill sets,” Duross adds. “For some, it was really their first time understanding how the attack works, as well as detecting it in our environment. For others, it was seeing the other side of this. I have a threat hunter who is reasonably versed in techniques and he learned things too. So, it was really both ends of the spectrum.” 

A Holistic View of Content in the Environment

In terms of impact on security, Duross points to real-world benefits gained from the workshops. “We have a continuous model of content development and refinement, filtering the noise just enough so that we get actionable items. And these Rapid7 Detection and Response workshops help us through that process. They also allow the analysts to get a more holistic view of the content in the environment.”

 “The Rapid7 Detection and Response Workshop is not a traditional red team exercise,” concludes Duross. “We walked away with far more takeaways than we initially expected. It made us learn things about our program that we didn’t even know about.” 

A breach can cost a lot more than money. A company’s reputation and customers’ trust is also at stake. This is how smart companies prepare for what they know will come.

Automatically discover and remediate risks with clarity across your entire infrastructure