How Thailand enhanced its public sector cybersecurity posture

National Cyber Security Agency’s Secretary-General Amorn Chomchoey shared how integrating Elastic’s instant search capabilities with the Thailand Cyber Threat Intelligence platform has enabled the agency to achieve a more proactive posture.

The National Cyber Security Agency (NCSA) of Thailand has led efforts for coordinating and implementing cybersecurity policies and initiatives across the nation, and now they are going for a more proactive stance. Image: Canva.

Governments across Southeast Asia are running digitalisation programmes to stay future-ready and reap the benefits of emerging technologies.


But as governments become increasingly digitalised, removing traditional, isolated IT perimeters meant that a single vulnerability in one platform can trigger failures across multiple critical national sectors.


At the forefront of this shift is the National Cyber Security Agency (NCSA) of Thailand, which has led efforts for coordinating and implementing cybersecurity policies and initiatives across the nation.


 Thailand’s Cloud First policy, for instance, moved state functions, citizen platforms and critical infrastructure online, which led to a “completely redrawn national attack surface” said Thailand’s National Cyber Security Agency (NCSA), National Cyber Security Committee, Secretary-General, Amorn Chomchoey.


“This forced NCSA to pivot from reactive firefighting to building systematic, proactive, nationwide resilience,” said Chomchoey.


The agency has led efforts for coordinating and implementing cybersecurity policies and initiatives in Thailand.


He shared insights into how Thailand’s public sector cybersecurity posture has strengthened to stay ahead of risks and the importance of reducing blind spots for more efficient protection of critical infrastructure.

The blind spot: fragmented data


Before implementing its current operations model, Thailand’s national Computer Emergency Response Team under NCSA (ThaiCERT) was working without a unified view of its own environment.


Hundreds of government bodies, regulators and infrastructure partners operated independently with no shared picture of system behaviour across agencies.


National Cyber Security Committee, Secretary-General, Amorn Chomchoey. 

That fragmentation delayed log correlation which had a direct operational cost, impacting the Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), noted Chomchoey.


If one department’s portal was compromised, ThaiCERT had no fast way to check whether the same attack was hitting a database elsewhere.


“This inability to perform high-speed, cross-agency data correlation meant that tracking localised lateral movement, identifying persistent beaconing, or spotting sophisticated, multi-stage advanced persistent threat (APT) campaigns was nearly impossible.


“We were essentially hunting in the dark,” said Chomchoey.


The team identified that they needed a “paradigm shift” from passive log storage to active, high-velocity search framework.


“We needed capabilities that could ingest telemetry from thousands of disparate endpoints, normalise it under a single schema, and let analysts query massive datasets at petabyte scale in seconds,” shared Chomchoey.


This need led to a partnership with Elastic, whose SIEM platform became NCSA’s primary tool for real-time visibility.


Chomchoey shared that the results showed up at scale. “Instead of wasting time manually stitching data across disjointed tools, our analysts could now perform quick searches and trace data relationships instantly,” he noted.


 With enhanced visibility, an anomalous login pattern or localised system misconfiguration on a cloud node is now automatically correlated against network anomalies across multiple sectors, allowing analysts to trace an adversary's exact entry point and path of lateral movement in real time, and contain threats at the perimeter before they escalate into a national or sector-wide data exposure event.


He shared that the Thailand Cyber Threat Intelligence (TCTI) platform also integrated with Elasticsearch to achieve a more proactive posture.


By connecting the national malware information sharing platform (MISP)-based threat-sharing platform directly to Elastic's high-velocity indexing capabilities, they were able to instantly cross-reference new threat intelligence across all interconnected Sectoral CERT systems.


“Without that instant search capability, real- time detection is an illusion,” said Chomchoey.


Chomchoey also noted Elastic Security was the primary platform for last year’s National Cyber Exercise (NCX 2025), which gathered over 800 agencies and 1,000 operators, including critical information infrastructure organisations, regulators, and government agencies to run coordinated defence simulations.


Building on that momentum, this year's national exercise is currently underway, scaling up these defence playbooks across the same multi-agency network.

Fixing fundamentals first


NCSA focused on baseline hygiene before layering on advanced tooling.


The agency first ran automated dark web monitoring to detect  leaked credentials, enforced website security standards across public portals, and pushed for adoption of a national domain name system security extension (DNSSEC) to enhance legitimacy and unaltered domains.


In collaboration with the THNIC (Thai Network Information Center), this effort has significantly raised Thailand's global DNSSEC validation ranking, a measurable sign of progress in hardening the country’s internet resilience and digital infrastructure.


This was important because sophisticated analytics platforms do not compensate for unpatched basics, and closing the gap before any upgrade driven by artificial intelligence (AI) was critical, noted Chomchoey.


To close off credential-based attack vectors, NCSA also mandated Multi-Factor Authentication (MFA) across all critical public sector systems, since single-layer passwords are no longer sufficient against automated, AI-amplified credential attacks, he added.


For that reason, he suggested that other Southeast Asian public sector agencies should consider four main questions before investing in upgrading tools:

  1. Are you buying a strategic tool or building a data graveyard? Logs collected only to satisfy compliance, without fast search capability, were a liability, not a defence.
  2. Is the tool cloud-native, or legacy technology with a "cloud" label? Old perimeter-based architecture doesn't map to interconnected, cloud-first government services.
  3. Does it integrate with your broader security network or create another silo? Tools should use open standards to share threat intelligence with national or sectoral CERTs, not lock agencies into a closed system.
  4. Are your people ready to run it? "You can deploy the most sophisticated, AI-driven platform on the market, but if your operators only understand ten percent of its interface, your defensive posture will remain weak,” said Chomchoey.

Reflecting on the latter point, he added that capability-building through national exercises, e-learning, and competitions was treated as an “absolute priority and our core mandate for keeping our cyberspace safe, secure, and trusted for everyone.”

AI and quantum for the next frontier


Chomchoey shared that NCSA’s near-term focus had two parts: AI and quantum.


First, the agency would focus on defending against AI-enabled attacks while embedding AI into its own detection and response systems for real-time anomaly detection, threat prediction, and automated response.


This sits under NCSA's “AI for Security and Security for AI” framework: using AI to strengthen national defences while also hardening AI systems themselves against adversarial attacks and data manipulation. As part of this, ThaiCERT is establishing dedicated AI Red Teaming capabilities to proactively hunt for model vulnerabilities at a national scale.


Second, Thailand’s Quantum-Ready 2030 policy set a national timeline to migrate systems to post-quantum cryptography (PQC).


To support the transition, NCSA published PQC readiness guidelines and launched a training platform called QUANTA (Quantum Agility National Training & Assessment), shared Chomchoey. The policy rests on four foundations: cryptographic discovery and migration, infrastructure preparation, workforce development, and governance and regulatory compliance.


The national framework provides organisations with real-world transition toolkits, testing laboratories, and structured migration to help Thai entities audit, evaluate, and transition their information assets smoothly.


He noted that these efforts were part of the overarching objective to build a technologically advanced, deeply integrated and nationally coordinated cybersecurity ecosystem.


“However, as we venture into these advanced technological frontiers, human capacity building remains our most vital anchor. That is why the core of our strategy continues to focus on strengthening a resilient ‘human firewall’.


“Ultimately, a secure and trusted cyberspace depends entirely on the combination of predictive technology, strong baseline governance, and a highly skilled population because technology is only ever as strong as the people and policies that secure it,” concluded Chomchoey.