How THG Cut Security Response Time 60% with Elastic ML Detection

THG (formerly The Hut Group) is a UK-based ecommerce retail company with revenues exceeding £2 billion. It sells its own-brand and third-party cosmetics, dietary supplements, and luxury goods online and provides ecommerce infrastructure to third parties through its Ingenuity division. Facing a rapidly expanding attack surface as it grew through acquisitions and added SaaS platforms, THG deployed Elastic Security as its unified SIEM, using its machine learning capabilities to surface attack patterns that rule-based detection missed and automation to remove manual triage overhead. The outcome: mean time to respond to security events dropped by 60%, first-line triage fell from 90% to 50% of analyst time, and storage hardware costs declined by 60% through tiering of infrequently accessed data.

Impact

- 60% reduction in mean time to respond (MTTR)
- First-line triage reduced from 90% to 50% of analyst time
- 60% storage cost reduction
- 25,000 events ingested per second

Challenge

THG’s ecommerce and technology stack was expanding rapidly through acquisitions, creating 100+ fragmented data sources with incompatible logging formats. Analysts spent up to 90% of their time on first-line triage, and threats that fell below rule-based detection thresholds went unnoticed.

Solution

THG deployed Elastic Security as a unified SIEM, ingesting 25,000 events per second from 100+ sources into a common schema, using machine learning for anomaly detection and automated SOAR-integrated playbooks to reduce analyst triage time and accelerate incident remediation.

Tools & Technologies

Elastic Security (unified SIEM with machine learning anomaly detection and searchable snapshots for cold and frozen data tiers); SOAR platform integration for automated playbooks

What Leaders Say

With Elastic, we can add new data sources at any time. We’re now pulling in as many as 25,000 events per second from about 100 different feeds. It all adds up to terabytes of data that we can use to enhance security and business performance.

Ryan Kennedy, Head of Security Engineering, THG

Elastic is much more than a log collection tool. It adds features and value that make a real difference to the security of the business.

Ryan Kennedy, Head of Security Engineering, THG

Full Story

THG’s rapid growth through acquisition created a security challenge that its multi-vendor tooling couldn’t handle. As the company expanded its technology stack to include a growing number of SaaS platforms and a zero-trust architecture, each new system came with its own logging format, interface, and query language. Security analysts were context-switching constantly and spending up to 90% of their time on first-line triage, which crowded out the proactive threat hunting and detection engineering the business needed.

The core problem was fragmentation: THG was ingesting logs from approximately 100 different data sources at up to 25,000 events per second, but no single platform could correlate, query, and act on that data efficiently. Storage costs for the volume of security data were also significant, requiring expensive hardware to maintain hot and warm tiers for data that was increasingly rarely accessed but still needed to be retained for compliance.

THG deployed Elastic Security as a replacement for its fragmented multi-vendor stack, consolidating all security operations into a single interface. The platform ingests from all 100+ data feeds and normalizes them into a common schema, so analysts query device telemetry, phishing data, threat intelligence, and SOAR alerts across the whole organization in a single query language. Machine learning runs continuously to detect anomalies, including fraud patterns, data breach indicators, and denial-of-service activity that static, rule-based detections would not flag on their own. Elastic’s integration with THG’s SOAR platform enabled automated playbook execution: when a threat pattern is identified, remediation steps begin automatically rather than waiting for an analyst.
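The schema normalization and below-threshold detection described in the Solution summary and in the paragraph above, as an added Python illustration (not THG's or Elastic's code): two constructed feeds, a syslog-style sshd log and a JSON cloud audit trail, are mapped onto Elastic Common Schema (ECS) field names so that one query counts failed logins across both, and a static-threshold rule is then compared with a per-user baseline detector that stands in for the anomaly models Elastic ML provides. The log lines, user names, IP addresses and hourly baselines are all constructed for the example.

```python
"""Normalize heterogeneous auth logs into a common schema, then compare a
static-threshold rule with a per-user baseline detector.

Added illustration, not THG's or Elastic's code. Field names follow ECS
naming; every log line, user and baseline below is constructed.
"""
import json
import re
import statistics
from collections import Counter
from datetime import datetime, timezone

# Constructed feed 1: syslog-style sshd lines from two hosts.
SSHD_LOG = """\
Mar 12 09:14:02 web-01 sshd[2311]: Failed password for alice from 203.0.113.7 port 51234 ssh2
Mar 12 09:14:09 web-01 sshd[2311]: Failed password for alice from 203.0.113.7 port 51240 ssh2
Mar 12 09:15:41 web-01 sshd[2390]: Accepted publickey for bob from 198.51.100.4 port 40022 ssh2
Mar 12 09:16:03 web-02 sshd[1180]: Failed password for alice from 203.0.113.7 port 51302 ssh2
"""

# Constructed feed 2: one JSON object per line from a cloud audit trail, with a
# noisy service account ("svc-scan") that fails many logins every hour.
CLOUD_AUDIT = "\n".join([
    '{"time":"2024-03-12T09:14:30Z","actor":"alice","srcIp":"203.0.113.7","action":"ConsoleLogin","result":"Failure"}',
    '{"time":"2024-03-12T09:17:12Z","actor":"alice","srcIp":"203.0.113.7","action":"ConsoleLogin","result":"Failure"}',
    '{"time":"2024-03-12T09:18:50Z","actor":"alice","srcIp":"203.0.113.7","action":"ConsoleLogin","result":"Failure"}',
    '{"time":"2024-03-12T09:21:05Z","actor":"carol","srcIp":"198.51.100.20","action":"ConsoleLogin","result":"Failure"}',
] + [
    json.dumps({"time": f"2024-03-12T09:{30 + i:02d}:00Z", "actor": "svc-scan",
                "srcIp": "10.0.0.9", "action": "ConsoleLogin", "result": "Failure"})
    for i in range(9)
])

# Constructed baseline: failed logins per hour for each user over the previous
# five hours. In production this would be learned from the data, not typed in.
BASELINE_FAILURES_PER_HOUR = {
    "alice": [0, 0, 1, 0, 0],
    "carol": [1, 2, 1, 1, 2],
    "svc-scan": [8, 9, 7, 10, 8],
}

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_sshd(line, year=2024):
    """Map one sshd line onto ECS-style fields; None for lines we do not handle."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc),
        "event.dataset": "system.auth",
        "event.action": "ssh_login",
        "event.outcome": "failure" if m["status"] == "Failed" else "success",
        "user.name": m["user"],
        "source.ip": m["ip"],
        "host.name": m["host"],
    }


def parse_cloud_audit(line):
    """Map one cloud audit record onto the same ECS-style fields."""
    rec = json.loads(line)
    return {
        "@timestamp": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
        "event.dataset": "cloud.audit",
        "event.action": rec["action"],
        "event.outcome": rec["result"].lower(),   # ECS uses "success" / "failure"
        "user.name": rec["actor"],
        "source.ip": rec["srcIp"],
        "host.name": None,
    }


def normalize(sshd_text, audit_text):
    events = [parse_sshd(l) for l in sshd_text.splitlines() if l.strip()]
    events += [parse_cloud_audit(l) for l in audit_text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def failed_logins_by_user(events):
    """One query over every feed, possible only because the schema is shared."""
    return Counter(e["user.name"] for e in events if e["event.outcome"] == "failure")


def threshold_rule(counts, limit=10):
    """Static rule: fire when a user exceeds a fixed number of failures."""
    return sorted(u for u, n in counts.items() if n >= limit)


def baseline_anomalies(counts, baselines, z_min=3.0):
    """Fire when a user's count sits z_min spreads above their own history.
    Unknown users get a zero baseline, so a handful of failures is enough."""
    flagged = []
    for user, n in counts.items():
        hist = baselines.get(user, [0])
        spread = max(statistics.pstdev(hist), 1.0)   # floor avoids dividing by ~0
        if (n - statistics.mean(hist)) / spread >= z_min:
            flagged.append(user)
    return sorted(flagged)


def run_detection(sshd_text=SSHD_LOG, audit_text=CLOUD_AUDIT,
                  baselines=BASELINE_FAILURES_PER_HOUR):
    counts = failed_logins_by_user(normalize(sshd_text, audit_text))
    return {"counts": dict(counts), "rule": threshold_rule(counts),
            "anomalies": baseline_anomalies(counts, baselines)}


if __name__ == "__main__":
    for key, value in run_detection().items():
        print(f"{key}: {value}")
```

Run it directly to see the per-user counts and what each detector flags. Alice's six failures stay under the rule's limit of ten yet sit far above her own history, so only the baseline detector fires; the service account's nine failures are ignored because its baseline already expects that rate, a distinction a fixed threshold cannot make. Any playbook triggered automatically from such a score should carry enough context (source, history, outcome) that one burst of failures does not lock out a legitimate user.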

The shift in operational profile was substantial. Mean time to respond fell by 60%. Analyst time spent on first-line triage dropped from 90% to 50%, freeing the security team to focus on threat hunting, detection engineering, and forward-looking security initiatives. Infrequently accessed data now lives in Elastic’s cold and frozen tiers as searchable snapshots, cutting storage costs for that data by 60% and reducing dependence on dedicated hardware while keeping it searchable.
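The cold and frozen tiers mentioned above are driven in Elasticsearch by an index lifecycle management (ILM) policy. The following is an added Python illustration, not THG's configuration: it builds such a policy as the JSON body for the REST endpoint PUT _ilm/policy/<name> and checks it against constraints Elasticsearch enforces (phase ages must not move backwards, the frozen phase may carry only a searchable_snapshot action, and that action needs a snapshot_repository). The phase ages, the rollover limits and the repository name security-snapshots are assumptions.

```python
"""Build and sanity-check an Elasticsearch ILM policy that moves security data
from hot through warm to cold and frozen searchable snapshots.

Added illustration, not THG's configuration. Phase ages, rollover limits and
the repository name are assumptions; the action names and the constraints
checked by validate_ilm_policy are Elasticsearch's own.
"""
import json
import re

DURATION_RE = re.compile(r"^(\d+)(ms|s|m|h|d)$")
_UNIT_HOURS = {"ms": 1 / 3_600_000, "s": 1 / 3600, "m": 1 / 60, "h": 1, "d": 24}
PHASE_ORDER = ["hot", "warm", "cold", "frozen", "delete"]
FROZEN_ALLOWED = {"searchable_snapshot", "unfollow"}


def duration_hours(value):
    """Convert an Elasticsearch time value such as "30d" or "12h" to hours."""
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m[1]) * _UNIT_HOURS[m[2]]


def build_ilm_policy(repository, warm_after="7d", cold_after="30d",
                     frozen_after="90d", delete_after="365d"):
    """Return the request body for PUT _ilm/policy/<name> (ages are assumptions)."""
    snapshot = {"searchable_snapshot": {"snapshot_repository": repository}}
    return {"policy": {"phases": {
        # Hot: fast storage, roll over so each index stays a manageable size.
        "hot": {"actions": {"rollover": {"max_age": "1d",
                                         "max_primary_shard_size": "50gb"}}},
        # Warm: still on local disk, compacted for cheaper reads.
        "warm": {"min_age": warm_after, "actions": {
            "forcemerge": {"max_num_segments": 1},
            "shrink": {"number_of_shards": 1}}},
        # Cold and frozen: data is mounted from a snapshot repository and
        # stays searchable; frozen fetches blocks on demand instead of caching.
        "cold": {"min_age": cold_after, "actions": dict(snapshot)},
        "frozen": {"min_age": frozen_after, "actions": dict(snapshot)},
        # Delete: remove the index and the snapshot that backed it.
        "delete": {"min_age": delete_after,
                   "actions": {"delete": {"delete_searchable_snapshot": True}}},
    }}}


def validate_ilm_policy(policy):
    """Return a list of problems; an empty list means the policy passed."""
    problems = []
    phases = policy.get("policy", {}).get("phases", {})
    for unknown in sorted(set(phases) - set(PHASE_ORDER)):
        problems.append(f"unknown phase {unknown}")
    last_age = -1.0
    for name in PHASE_ORDER:
        phase = phases.get(name)
        if phase is None:
            continue
        age = duration_hours(phase.get("min_age", "0ms"))  # hot usually has none
        if age < last_age:
            problems.append(f"{name}: min_age moves backwards")
        last_age = age
        actions = phase.get("actions", {})
        snap = actions.get("searchable_snapshot")
        if snap is not None and "snapshot_repository" not in snap:
            problems.append(f"{name}: searchable_snapshot needs snapshot_repository")
        if name == "frozen" and set(actions) - FROZEN_ALLOWED:
            problems.append("frozen: only searchable_snapshot is allowed")
    return problems


if __name__ == "__main__":
    body = build_ilm_policy("security-snapshots")
    assert validate_ilm_policy(body) == []
    print(json.dumps(body, indent=2))
```

Running the module prints the policy body ready to send; the validator catches the two mistakes most often made by hand, a later phase with a smaller min_age than an earlier one and extra actions in the frozen phase, both of which Elasticsearch rejects at PUT time.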

For THG’s Chief Security Officer, the value extends beyond incident response metrics. Elastic dashboards are now visible across different parts of the business, embedding security awareness in operational teams. The platform’s flexibility means that as THG acquires new businesses running on different technology stacks, those entities can be integrated into the same security architecture without re-engineering the detection layer. In an ecommerce environment where customer trust and transaction integrity are foundational, THG’s investment in unified, ML-driven security represents a direct business enabler.
