Marco Baldauf


IT Security Insights #2: Alexander is on the trail of hackers

I met Alexander while researching our blog series, “IT Security Insights”. In this interview, he tells me how he and his team identify cyberattacks and protect IT systems proactively with pentests. It will be interesting, I promise!

Alexander, you’re Squad Lead in Security Consulting for the incident response service. What does that mean and how did you get started with it?

Alexander: I was involved in IT forensics and cyber defense during my undergraduate work, and also as part of my PhD program. When I joined T-Systems, I had the opportunity to dive completely into penetration testing and forensics as a consultant. Right now we’re setting up a forensics service for external customers. We’ve been doing this internally for quite some time and now offer the incident response and handling service to corporate customers as well. This service is available 24/7 and helps companies that have suffered a cyberattack find out exactly what happened, how the attackers got into the company network, and what they did there. 

Screen indicates a cyber attack

Attack or Investigate? You can do both in Alexander's team.

How exactly would you explain your job to someone like me? 

Alexander: While my team visits customers on site, I’m the collection point for all possible disturbances in their project assignments and I work on finding solutions.
When customers are attacked, I’m their first point of contact. I conduct an initial assessment, after which I can either reassure them or have to deliver the bad news that major damage has occurred. In the latter case, I suggest measures to stop the attack and analyze exactly what has to be done. 
I support my colleagues in Sales with presentations for customers and bid creation. And around once a month, I hold showcase hacking events here in the Group, to increase security awareness among employees. 

What does a normal working week look like for your team?

Alexander: A pentester has a certain level of planning security, because they can plan and prepare several weeks in advance. There are fixed assignments to individual tests, which the employees then plan, design, execute, and write final reports for, all on their own responsibility. For large test series, we have a project lead who coordinates and consolidates the various tests.

Our forensics experts face an additional challenge, in that the incidents are unscheduled by their nature. They require a rapid response and we sometimes have to reshuffle our priorities. Major projects often occupy the colleagues for long periods. If only minor projects are pending, someone might be responsible for several of them at the same time. It’s anything but a classic 9-to-5 job, because when something happens, companies are fighting for their very survival, so we provide the necessary assistance without watching the clock. When entire production lines are shut down by a cyberattack, many livelihoods are at stake.

The major cyberattacks that make it to the papers or the evening news – are you familiar with all of them?

Alexander: When a news magazine writes “The experts are on site,” then that’s usually us. Of course, some companies try everything to avoid public attention when they get hacked. 

And we protect our employees against public attention, too, because major attacks are often perpetrated by intelligence services, organized criminals, or autocratic governments. That’s why we try hard to keep our names out of the press. We are mentioned as a company in press releases now and then, most recently by DFB, the German Soccer Association.

Fingerprint scanner

Major corporations, government agencies, and entire nations trust in Deutsche Telekom’s IT security expertise. Working with this customer portfolio is very exciting for Alexander.

How large are your project teams?

Alexander: Our customers are spread across all industry sectors and company sizes. The attacks range from ham-fisted attempts to complex, highly sophisticated attack scenarios. Teams range from two to 30 employees, depending on the complexity. In major projects, we get support from other teams, for example, experts on the Dark Net, data lake analysts, auditors, and so on.

Why should new colleagues decide to join you and your squad?

Alexander: We offer highly interesting projects and customers. We constantly test new systems, and not a hair salon’s website for the umpteenth time, for example. We are so large that we are trusted by major corporations, government authorities, and even entire countries. We do the most interesting things – both in terms of technology and content. The Corona-Warn-App, for example, is something we developed and tested. We have an important job and an impact on society.

We’re a team of experts who are happy to share our knowledge and mutually support each other. You don’t have to decide: do I want to attack or investigate? Here you can do both, while at the same time working closely together with other teams in Telekom Security. Our counter-surveillance team X-rays smartphones, the testing lab etches off chips – there’s nothing we can’t do here in cyber defense. The team experiences the weirdest and most unusual stuff. It never gets boring with us. 

Alexander, that was a great insight into your squad’s exciting, unusual everyday work. Thanks for that! 

If we’ve sparked your interest in the areas of incident response and IT forensic consulting, you’ll find career opportunities at a number of entry levels at Deutsche Telekom Security GmbH. 

And if you need consulting on forensics or incident handling matters, email us at

We’ve also prepared more information on working at Deutsche Telekom Security GmbH for you.

Have we sparked your interest? You’ll find all current vacancies at Deutsche Telekom Security GmbH in our job search. We look forward to receiving your application.