<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Portfolio Archive - CyberAid</title>
	<atom:link href="https://cyberaidproject.eu/pilots/feed/" rel="self" type="application/rss+xml" />
	<link>https://cyberaidproject.eu/pilots/</link>
	<description></description>
	<lastBuildDate>Tue, 24 Feb 2026 09:17:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://cyberaidproject.eu/wp-content/uploads/2026/02/favicon.png</url>
	<title>Portfolio Archive - CyberAid</title>
	<link>https://cyberaidproject.eu/pilots/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Cyber-Resilient AI-Powered Threat Detection and Risk Modelling for High-Frequency Trading</title>
		<link>https://cyberaidproject.eu/pilots/cyber-resilient-ai-powered-threat-detection-and-risk-modelling-for-high-frequency-trading/</link>
		
		<dc:creator><![CDATA[innov]]></dc:creator>
		<pubDate>Sun, 01 Feb 2026 14:12:51 +0000</pubDate>
				<guid isPermaLink="false">https://cyberaidproject.eu/?post_type=avada_portfolio&#038;p=4465</guid>

					<description><![CDATA[<p>Motivation JRC Capital Management's high-frequency and algorithmic forex and derivatives trading operations represent a high-value cyber target due to their reliance on proprietary trading algorithms, real-time market data feeds, and automated execution systems. As a BaFin-regulated investment house serving institutional and wealthy private clients, JRC faces unique cybersecurity challenges: (1) protecting intellectual property in their  [...]</p>
<p>The post <a href="https://cyberaidproject.eu/pilots/cyber-resilient-ai-powered-threat-detection-and-risk-modelling-for-high-frequency-trading/">Cyber-Resilient AI-Powered Threat Detection and Risk Modelling for High-Frequency Trading</a> appeared first on <a href="https://cyberaidproject.eu">CyberAid</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling" style="--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-padding-right:0px;--awb-padding-left:0px;--awb-flex-wrap:wrap;" ><div class="fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap" style="max-width:1256.6px;margin-left: calc(-3% / 2 );margin-right: calc(-3% / 2 );"><div class="fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_1 1_1 fusion-flex-column" style="--awb-bg-size:cover;--awb-width-large:100%;--awb-spacing-right-large:1.455%;--awb-margin-bottom-large:0px;--awb-spacing-left-large:1.455%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.455%;--awb-spacing-left-medium:1.455%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.455%;--awb-spacing-left-small:1.455%;"><div class="fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column"><div class="fusion-title title fusion-title-1 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Motivation</h3></div><div class="fusion-text fusion-text-1"><p style="text-align: justify; ">JRC Capital Management&#8217;s high-frequency and algorithmic forex and derivatives trading operations represent a  high-value cyber target due to their reliance on proprietary trading algorithms, real-time market data feeds, and automated  execution systems. </p>
<p style="text-align: justify; ">As a BaFin-regulated investment house serving institutional and wealthy private clients, JRC faces unique  cybersecurity challenges: (1) protecting intellectual property in their algorithmic trading models implemented in  EasyLanguage/TradeStation; (2) ensuring continuous availability of their extensive financial market data assets (1.2TB of  historical forex and derivatives tick data); and (3) maintaining operational resilience given their dependency on outsourced  ICT infrastructure, which has previously been targeted by DDoS attacks that disrupted access to virtual machines. </p>
<p style="text-align: justify; ">Under  DORA and MiFID II regulations, JRC must not only protect these assets but also demonstrate robust incident response  capabilities for their BaFin supervisors and Bundesbank oversight. </p>
</div><div class="fusion-title title fusion-title-2 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Concept &amp; Description</h3></div><div class="fusion-text fusion-text-2"><p style="text-align: justify; ">This pilot implements CyberAId&#8217;s cybersecurity technologies to protect JRC&#8217;s complete trading  operation lifecycle—from market data ingestion to  algorithmic signal generation to client portfolio execution. </p>
<p style="text-align: justify; ">The implementation focuses on securing JRC&#8217;s core trading  models, their extensive financial data repositories, and  ensuring operational continuity through failover  mechanisms aligned with their existing contingency  measures (broker feeds, local caches, and TV/Bloomberg  verification). By deploying these protective measures with  minimal latency impact, the pilot demonstrates how  quantitative trading firms can maintain cyber resilience  while preserving their algorithmic performance edge.</p>
</div><div class="fusion-title title fusion-title-3 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-top:56px;--awb-margin-top-small:48px;--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Use Cases</h3></div><div class="fusion-title title fusion-title-4 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Trading Algorithm IP Protection and Integrity Monitoring</h5></div><div class="fusion-text fusion-text-3"><p style="text-align: justify; ">Implements CyberAId-MONITOR enhanced with eBPF to detect unauthorized access or manipulation attempts of JRC&#8217;s proprietary trading algorithms. The system continuously monitors for suspicious activities targeting EasyLanguage code repositories, unusual pattern changes in model outputs, and potential intellectual property exfiltration. The OLISTIC risk assessment engine provides real-time threat evaluation specifically tailored to algorithmic trading environments. </p>
</div><div class="fusion-title title fusion-title-5 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Market Data Feed Integrity and Failover Automation</h5></div><div class="fusion-text fusion-text-4"><p style="text-align: justify; ">Deploys CyberAId&#8217;s real-time monitoring to ensure the  reliability and integrity of JRC&#8217;s critical market data feeds. The system detects anomalies in data flow patterns, identifies potential feed manipulation, and automatically triggers JRC&#8217;s established fallback sequence (alternative service providers,  broker data, local caches) when integrity issues are detected. Integration with JRC&#8217;s existing infrastructure enables coordinated  responses with minimal operational disruption. </p>
</div><div class="fusion-title title fusion-title-6 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Regulatory-Compliant Incident Response for Investment Firms</h5></div><div class="fusion-text fusion-text-5"><p style="text-align: justify; ">Utilizes CyberAId-LLM and CyberAId REPORT to automate the incident investigation and regulatory reporting process for BaFin and Bundesbank requirements.  The system rapidly synthesizes forensic evidence, creates detailed audit trails of cybersecurity events affecting trading  operations, and generates compliant documentation aligned with German and EU financial regulations. </p>
</div></div></div></div></div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>AI-Enhanced Anomaly Detection and Incident Response for Banking Cybersecurity</title>
		<link>https://cyberaidproject.eu/pilots/ai-enhanced-anomaly-detection-and-incident-response-for-banking-cybersecurity/</link>
		
		<dc:creator><![CDATA[innov]]></dc:creator>
		<pubDate>Sun, 01 Feb 2026 14:08:24 +0000</pubDate>
				<guid isPermaLink="false">https://cyberaidproject.eu/?post_type=avada_portfolio&#038;p=4466</guid>

					<description><![CDATA[<p>Motivation CAIXABANK, as a major European financial institution, faces challenges in detecting and responding to increasingly sophisticated cyber threats targeting their diverse banking channels. The organization currently employs traditional security monitoring solutions and machine learning models, but struggles with the high volume of alerts, detection of novel attack patterns, and efficient incident response coordination. With the  [...]</p>
<p>The post <a href="https://cyberaidproject.eu/pilots/ai-enhanced-anomaly-detection-and-incident-response-for-banking-cybersecurity/">AI-Enhanced Anomaly Detection and Incident Response for Banking Cybersecurity</a> appeared first on <a href="https://cyberaidproject.eu">CyberAid</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="fusion-fullwidth fullwidth-box fusion-builder-row-2 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling" style="--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-padding-right:0px;--awb-padding-left:0px;--awb-flex-wrap:wrap;" ><div class="fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap" style="max-width:1256.6px;margin-left: calc(-3% / 2 );margin-right: calc(-3% / 2 );"><div class="fusion-layout-column fusion_builder_column fusion-builder-column-1 fusion_builder_column_1_1 1_1 fusion-flex-column" style="--awb-bg-size:cover;--awb-width-large:100%;--awb-spacing-right-large:1.455%;--awb-margin-bottom-large:0px;--awb-spacing-left-large:1.455%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.455%;--awb-spacing-left-medium:1.455%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.455%;--awb-spacing-left-small:1.455%;"><div class="fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column"><div class="fusion-title title fusion-title-7 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Motivation</h3></div><div class="fusion-text fusion-text-6"><p style="text-align: justify; ">CAIXABANK, as a major European financial institution, faces challenges in detecting and responding to  increasingly sophisticated cyber threats targeting their diverse banking channels. 
The organization currently employs  traditional security monitoring solutions and machine learning models, but struggles with the high volume of alerts, detection  of novel attack patterns, and efficient incident response coordination.</p>
<p style="text-align: justify; ">With the financial industry experiencing a 238%  increase in cyberattacks since 2020 and attacks becoming more sophisticated, CAIXABANK needs advanced solutions that  can identify anomalies more accurately, streamline incident response, and provide real-time risk assessment across the entire  organization. Additionally, while the bank has made progress in traditional machine learning for cyberfraud detection, it has not yet explored how generative AI might enhance these capabilities, particularly for detecting impersonation attacks across  multiple banking channels and financial operations.</p>
</div><div class="fusion-title title fusion-title-8 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Concept &amp; Description</h3></div><div class="fusion-text fusion-text-7"><p style="text-align: justify; ">This pilot will implement an integrated anomaly detection and incident response system leveraging  CyberAId&#8217;s advanced technologies, with special emphasis on enhancing CAIXABANK&#8217;s existing monitoring infrastructure  with AI-driven contextual analysis, automated incident triage, and real-time organizational risk assessment.</p>
<p style="text-align: justify; ">The solution will  focus on identifying subtle anomalies across banking channels and streamlining the incident response process through  intelligent automation and decision support. </p>
</div><div class="fusion-title title fusion-title-9 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-top:56px;--awb-margin-top-small:48px;--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Use Cases</h3></div><div class="fusion-title title fusion-title-10 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Multi-Channel Anomaly Detection with AI Enhanced Context Awareness</h5></div><div class="fusion-text fusion-text-8"><p style="text-align: justify; ">This use case enables advanced anomaly detection across digital banking channels, transaction systems, and network infrastructure. By combining Wazuh-based monitoring, eBPF-enhanced network visibility, and behavioural analysis, the system identifies subtle deviations from normal operations. CyberAId LLMs enrich detected anomalies with threat intelligence, historical patterns, and business context, significantly reducing false positives and enabling detection of impersonation attempts across mobile, web, and payment systems.</p>
</div><div class="fusion-title title fusion-title-11 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Streamlined Incident Response with Generative AI</h5></div><div class="fusion-text fusion-text-9"><p style="text-align: justify; ">This use case transforms CAIXABANK&#8217;s incident response capabilities through AI-powered triage, investigation support, and response automation. When anomalies are detected, the CyberAId-REPORT system will automatically gather relevant context from multiple sources to create incident dossiers that accelerate investigation. The LLM orchestration layer will analyse incident details, recommend containment and mitigation actions based on established playbooks, and generate natural language summaries for security teams. For complex incidents, the system will provide interactive investigation guidance through a chat interface, allowing analysts to explore different aspects of the incident through natural language queries. </p>
<p style="text-align: justify; ">The solution will also automate routine  response actions for well-understood threats, enabling analysts to focus on complex cases requiring human judgment.  Throughout the incident lifecycle, the system will maintain detailed timelines and documentation, ensuring detailed audit  trails for post-incident analysis and compliance requirements. </p>
</div><div class="fusion-title title fusion-title-12 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Enterprise-Wide Risk Assessment and Visualization</h5></div><div class="fusion-text fusion-text-10"><p style="text-align: justify; ">This use case implements a real-time risk assessment  framework that integrates security telemetry from across CAIXABANK&#8217;s infrastructure to provide a dynamic view of  organizational cybersecurity posture. The OLISTIC risk assessment engine will continuously analyze the security status of  critical assets, applications, and services, calculating risk scores based on vulnerability data, threat intelligence, and business  criticality. The system will present this information through intuitive dashboards that enable security leaders to understand  current risk levels, identify vulnerable areas, and prioritize mitigation efforts. </p>
<p style="text-align: justify; ">Based on the DIÓSCURI digital twin  technology, the solution will also enable scenario planning and impact analysis, allowing security teams to simulate the effects  of potential attacks or mitigation strategies within a safe virtual environment. This advanced risk visualization will support  more effective resource allocation, mitigation planning, and executive communication about cybersecurity risks and  initiatives.</p>
</div></div></div></div></div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Advanced Anti-Money Laundering Detection for Payment Service Providers</title>
		<link>https://cyberaidproject.eu/pilots/advanced-anti-money-laundering-detection-for-payment-service-providers/</link>
		
		<dc:creator><![CDATA[innov]]></dc:creator>
		<pubDate>Sun, 01 Feb 2026 14:03:16 +0000</pubDate>
				<guid isPermaLink="false">https://cyberaidproject.eu/?post_type=avada_portfolio&#038;p=4467</guid>

					<description><![CDATA[<p>Motivation As an Electronic Money Institution licensed by the Bank of Greece and offering services including electronic wallets, IBAN-connected accounts, and card payment processing, OTE/COSMOTE Group Payments faces significant regulatory pressure to implement robust Anti-Money Laundering (AML) measures in line with relevant regulations. The payment service provider ecosystem is particularly vulnerable to money laundering schemes  [...]</p>
<p>The post <a href="https://cyberaidproject.eu/pilots/advanced-anti-money-laundering-detection-for-payment-service-providers/">Advanced Anti-Money Laundering Detection for Payment Service Providers</a> appeared first on <a href="https://cyberaidproject.eu">CyberAid</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="fusion-fullwidth fullwidth-box fusion-builder-row-3 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling" style="--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-padding-right:0px;--awb-padding-left:0px;--awb-flex-wrap:wrap;" ><div class="fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap" style="max-width:1256.6px;margin-left: calc(-3% / 2 );margin-right: calc(-3% / 2 );"><div class="fusion-layout-column fusion_builder_column fusion-builder-column-2 fusion_builder_column_1_1 1_1 fusion-flex-column" style="--awb-bg-size:cover;--awb-width-large:100%;--awb-spacing-right-large:1.455%;--awb-margin-bottom-large:0px;--awb-spacing-left-large:1.455%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.455%;--awb-spacing-left-medium:1.455%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.455%;--awb-spacing-left-small:1.455%;"><div class="fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column"><div class="fusion-title title fusion-title-13 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Motivation</h3></div><div class="fusion-text fusion-text-11"><p style="text-align: justify; ">As an Electronic Money Institution licensed by the Bank of Greece and offering services including electronic  wallets, IBAN-connected accounts, and card payment processing, OTE/COSMOTE Group Payments faces significant  regulatory pressure to implement robust Anti-Money Laundering (AML) 
measures in line with relevant regulations. </p>
<p style="text-align: justify; ">The  payment service provider ecosystem is particularly vulnerable to money laundering schemes due to the volume of transactions,  potential for anonymity, and cross-border nature of many payments. Traditional rule-based AML systems generate excessive  false positives (often exceeding 95%) while still missing sophisticated laundering techniques that deliberately stay below  detection thresholds. </p>
<p style="text-align: justify; ">With regulatory fines for AML non-compliance reaching into millions of euros and the potential for criminal liability, improved detection capabilities represent both a compliance necessity and a competitive advantage.</p>
</div><div class="fusion-title title fusion-title-14 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Concept &amp; Description</h3></div><div class="fusion-text fusion-text-12"><p style="text-align: justify; ">This pilot will integrate CyberAId&#8217;s advanced technologies to create a multi-layered AML detection  system that significantly improves accuracy while reducing false positives. Based on a combination of graph-based network  analysis, advanced anomaly detection, and LLM-powered contextual reasoning, the solution will detect sophisticated money  laundering patterns that traditional systems miss, particularly in e-wallet and card payment ecosystems. The following use  cases are envisaged.</p>
</div><div class="fusion-title title fusion-title-15 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-top:56px;--awb-margin-top-small:48px;--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Use Cases</h3></div><div class="fusion-title title fusion-title-16 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Transaction Network Analysis for Money Laundering Pattern Detection</h5></div><div class="fusion-text fusion-text-13"><p style="text-align: justify; ">This use case implements advanced  graph analytics to map transaction networks and detect hidden relationships indicative of money laundering. The system will  build dynamic transaction graphs connecting entities across  COSMOTE Payments&#8217; e-wallet and card payment ecosystems,  identifying suspicious patterns such as structuring (breaking  large transactions into smaller ones), smurfing (using multiple  accounts for transfers), and layering (moving money through  multiple accounts to obscure origins). </p>
<p style="text-align: justify; ">By analysing temporal  patterns, relationship depths, and transaction velocities, the  system will detect coordinated activities that might indicate  organized money laundering operations. The solution will  particularly focus on identifying shell company activities and  nominee accounts through unusual transaction patterns and  behavioural inconsistencies, while maintaining a low false  positive rate through contextual validation. </p>
</div><div class="fusion-title title fusion-title-17 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Sophisticated and Holistic Log Analysis and  Alert Correlation</h5></div><div class="fusion-text fusion-text-14"><p style="text-align: justify; ">This use case focuses on enhancing AML  detection through the integration of CyberAId-MONITOR log  analysis capabilities with transaction monitoring systems. The  solution will ingest diverse data sources including transaction logs, authentication events, and API access patterns into Wazuh,  applying custom detection rules optimized for AML use cases. The system will implement multi-stage correlation rules that  connect user behaviours, device information, and transaction patterns to identify coordinated activities across seemingly  unrelated accounts. </p>
<p style="text-align: justify; ">Based on eBPF-based monitoring, the solution will gain deep visibility into system-level activities that might indicate compromise of payment processing systems, a common vector for sophisticated money laundering operations. The Wazuh integration will provide audit trails for regulatory compliance and generate detailed evidence packages for suspected money laundering cases, notably cases that meet regulatory requirements for suspicious activity reporting.</p>
</div><div class="fusion-title title fusion-title-18 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">LLM-Enhanced AML Alert Investigation and Contextual Analysis</h5></div><div class="fusion-text fusion-text-15"><p style="text-align: justify; ">This use case leverages CyberAId&#8217;s LLM  orchestration layer and DIÓSCURI digital twin technology to transform AML alert investigation through advanced contextual  analysis and scenario simulation. The system will create a secure digital replica of the payment processing environment within  the DIÓSCURI digital twin, allowing investigators to safely simulate and analyse suspicious transaction patterns without  risking production systems. By recreating transaction flows within this virtualized environment, investigators can trace money  movements, test hypotheses about potential laundering patterns, and visualize complex networks that might otherwise remain  hidden.</p>
<p style="text-align: justify; ">The LLM orchestration layer will automatically gather relevant context for each alert, including historical customer  behaviour, transaction patterns, and relationship networks, presenting this information through an intuitive interface with  natural language explanations. This combination of simulation capabilities and AI-driven analysis will significantly reduce  false positives while providing investigators with powerful tools to understand sophisticated laundering mechanisms. The  system will also generate investigation narratives and supporting documentation for regulatory filings based on insights gained  through the digital twin simulations, ensuring detailed and accurate reporting.</p>
</div></div></div></div></div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Tiered Client Impersonation Detection for Private Banking and Trading Systems</title>
		<link>https://cyberaidproject.eu/pilots/tiered-client-impersonation-detection-for-private-banking-and-trading-systems/</link>
		
		<dc:creator><![CDATA[innov]]></dc:creator>
		<pubDate>Mon, 02 Dec 2024 17:16:09 +0000</pubDate>
				<guid isPermaLink="false">https://cyberaidproject.eu/?post_type=avada_portfolio&#038;p=1353</guid>

					<description><![CDATA[<p>Motivation  The complex ecosystem of private banking and asset management creates unique security challenges, particularly in transaction authorization flows. Smaller asset managers often relay client orders to larger custodian institutions, creating potential security gaps where attackers can insert fraudulent instructions via compromised email accounts or endpoint devices. These attacks are particularly effective when kept  [...]</p>
<p>The post <a href="https://cyberaidproject.eu/pilots/tiered-client-impersonation-detection-for-private-banking-and-trading-systems/">Tiered Client Impersonation Detection for Private Banking and Trading Systems</a> appeared first on <a href="https://cyberaidproject.eu">CyberAid</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="fusion-fullwidth fullwidth-box fusion-builder-row-4 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling" style="--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-padding-right:0px;--awb-padding-left:0px;--awb-flex-wrap:wrap;" ><div class="fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap" style="max-width:1256.6px;margin-left: calc(-3% / 2 );margin-right: calc(-3% / 2 );"><div class="fusion-layout-column fusion_builder_column fusion-builder-column-3 fusion_builder_column_1_1 1_1 fusion-flex-column" style="--awb-bg-size:cover;--awb-width-large:100%;--awb-spacing-right-large:1.455%;--awb-margin-bottom-large:0px;--awb-spacing-left-large:1.455%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.455%;--awb-spacing-left-medium:1.455%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.455%;--awb-spacing-left-small:1.455%;"><div class="fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column"><div class="fusion-title title fusion-title-19 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Motivation</h3></div><div class="fusion-text fusion-text-16"><p style="text-align: justify; ">The complex ecosystem of private banking and asset management creates unique security challenges,  particularly in transaction authorization flows. 
Smaller asset managers often relay client orders to larger custodian institutions, creating potential security gaps where attackers can insert fraudulent instructions via compromised email accounts or endpoint devices. These attacks are particularly effective when kept below standard verification thresholds (e.g., €50K) and can result in significant aggregated losses and reputation damage while evading traditional security controls. Additionally, smaller institutions typically lack the data volume, security resources and technical capacity to develop robust detection models independently. </p>
</div><div class="fusion-title title fusion-title-20 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Concept &amp; Description</h3></div><div class="fusion-text fusion-text-17"><p style="text-align: justify; ">This pilot will implement an impersonation detection system leveraging email content analysis,  federated learning across institutions, adaptive monitoring, and LLM-based contextual reasoning. The approach will enable  even smaller financial institutions to benefit from collective intelligence without compromising client data privacy. The  following use cases are envisaged:</p>
</div><div class="fusion-title title fusion-title-21 fusion-sep-none fusion-title-text fusion-title-size-three" style="--awb-margin-top:56px;--awb-margin-top-small:48px;--awb-margin-bottom-small:24px;--awb-font-size:34px;"><h3 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;font-size:1em;--fontSize:34;line-height:var(--awb-typography1-line-height);">Use Cases</h3></div><div class="fusion-title title fusion-title-22 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Email-Based Impersonation Detection Using Content Analysis</h5></div><div class="fusion-text fusion-text-18"><p style="text-align: justify; ">This use case focuses on the detection of  potential impersonation attacks through sophisticated analysis of email communications containing trading or transfer  instructions. The system will perform deep analysis of email content, structure, and metadata to identify anomalous patterns  that might indicate fraudulent activity. The solution will take advantage of CyberAId LLM agents with few-shot learning on  financial communication patterns, in order to detect subtle linguistic  deviations from established client communication norms, unusual attachment  types, suspicious embedded links, or atypical formatting choices. </p>
<p style="text-align: justify; ">The system will also analyse email header information and sending patterns, cross-referencing these against known client communication preferences and history. This approach will enable the identification of sophisticated impersonation attempts even when the transaction details themselves appear legitimate and fall below typical verification thresholds, addressing a critical security gap in current financial systems. </p>
</div><div class="fusion-title title fusion-title-23 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Privacy-Preserving Federated Learning for Cross-Institutional</h5></div><div class="fusion-text fusion-text-19"><p style="text-align: justify; ">This use case implements CyberAId-PROACTIVE’s  federated learning network that enables collaborative threat model  development across financial institutions of various sizes without  compromising sensitive client data. The system will establish secure  connections between custodian banks and smaller asset managers, facilitating <span style="letter-spacing: -0.17px; text-align: start; background-color: rgba(0, 0, 0, 0);">the development of shared impersonation detection models trained on diverse datasets while keeping actual client data within  its originating institution. </span></p>
<p style="text-align: justify; "><span style="letter-spacing: -0.17px; text-align: start; background-color: rgba(0, 0, 0, 0);">By implementing differential privacy mechanisms and secure aggregation protocols for model  updates, the solution ensures regulatory compliance while significantly enhancing detection capabilities for smaller  institutions. This federated approach allows asset managers with limited data resources to benefit from detection capabilities  trained across a much broader landscape of transactions and client behaviours, dramatically improving security posture  without requiring data centralization or transfer between organizations. </span></p>
<p style="text-align: justify; "><span style="letter-spacing: -0.17px; text-align: start; background-color: rgba(0, 0, 0, 0);">This use case will also form a basis for the evaluation and proof-of-concept of adding quantum security in the form of quantum-two-factor authentication to protect the connections and interaction between the transaction partners.</span></p>
</div><div class="fusion-title title fusion-title-24 fusion-sep-none fusion-title-text fusion-title-size-five"><h5 class="fusion-title-heading title-heading-left fusion-responsive-typography-calculated" style="margin:0;--fontSize:24;line-height:1.4;">Adaptive Agent Configuration via Federated Model Insights</h5></div><div class="fusion-text fusion-text-20"><p style="text-align: justify; ">This use case builds upon UC#1.2, focusing on the automatic optimization of CyberAId-MONITOR configurations based on insights generated through the federated learning system. The solution will dynamically adjust Wazuh detection rules, correlation parameters, and alert thresholds based on patterns identified across the institutional network, ensuring that security monitoring continuously evolves to match emerging impersonation techniques. </p>
<p style="text-align: justify; ">This automated adaptation of security monitoring parameters based on collective intelligence ensures that even smaller institutions benefit from advanced detection capabilities typically only available to large financial organizations with dedicated security teams. The continuous refinement of detection rules based on cross-<span style="letter-spacing: -0.17px; background-color: rgba(0, 0, 0, 0);">institutional learning creates a security monitoring system that stays ahead of evolving attack methodologies and secures a crucial financial supply.</span></p>
</div></div></div></div></div>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
