Case Study

US Federal Agency Boosts Security

A key U.S. federal government agency had information siloed between the agency’s headquarters, security operations center, and various field locations. This made it challenging to enforce security and IT policies across a decentralized network and led to numerous unknown, unmanaged, and vulnerable internet-connected assets.

In brief


US Federal Agency


Government Agency


United States of America


A key U.S. federal government agency had trouble enforcing security and IT policies across its decentralized network. The agency needed help understanding the numerous unknown, unmanaged and vulnerable internet-connected assets and ensuring the security of information siloed between the agency’s headquarters, security operations center, and various field locations.


The agency worked with Cortex® Xpanse™ to define its global inventory of internetconnected assets. IT identified numerous exposures (including unprotected FTP and Telnet instances) and remediated them before attackers could exploit them. The agency now uses the Xpanse platform powered by Expander on an ongoing basis to discover, monitor, and track internet assets across all agency locations.


The agency decreased critical exposures by over 58% and reduced the number of insecure certificates by 44% over a two-year period and is driving toward full remediation. Because they had a complete, current, and accurate asset inventory, the agency’s headquarters and security operations center could finally enforce policies across the entire agency and raise its overall cybersecurity posture.

Download PDF Share


A major cabinet-level federal agency that manages projects related to science, technology, and infrastructure needed a better way to manage internet-connected assets and services and monitor and enforce policies across a distributed network. Because the agency employs over 100,000 people and 85% of its workforce is contractors, it was easy for new infrastructure to be spun up outside of sanctioned IT processes. This meant the agency had a complex network where the security and IT operations teams had incomplete visibility and thus incomplete ability to defend the agency’s network.

The challenges at the agency came at a time when cyberattacks against U.S. agencies and infrastructure have been ramping up. Attacks on the U.S. electrical grid, the U.S. Office of Personnel Management, and major U.S. contractors like Boeing have all happened in recent years. In response to these escalating attacks, the U.S. has a defined National Cyber Strategy that includes a focus on defending forward and moving to “halt malicious behavior at its source.” A key part of this initiative that spans across government agencies is securing federal networks and critical infrastructure. The agency chose the Xpanse platform to tackle these challenges head-on and boost its cybersecurity posture


Once the agency engaged with Xpanse, one of its first tasks was to solve the problem of the security team having responsibility for a network it didn’t have full ability to monitor and manage. At the time, it was the established practice across the agency for semi-autonomous field sites to make their own risk-acceptance decisions without adhering to centrally decreed security policies. This paved the way for internet-facing vulnerabilities that the security team didn’t know about and thus could not remediate. In its initial IP address list audit, Xpanse showed that the agency had 40% more IP addresses than it knew about and was actively monitoring.

The security team used Xpanse Expander to independently identify assets and exposures across the entire network perimeter of the agency, and enforce remediation actions at the individual field sites. In one case, a particular field site used a series of networked security cameras extensively. The field site had a legitimate business use case for the cameras, but was unaware that the cameras’ factory default configuration included File Transfer Protocol (FTP). These FTP instances were not encrypted or actively managed, and could have been accessed by unauthorized, malicious actors on the internet. In addition to exposed FTP, there were field sites with publicly exposed Telnet servers, which are unencrypted remote access protocols that are a favorite target of attackers. Xpanse discovered these exposures and empowered the agency’s security team to work with the field sites to properly configure, manage, and protect these devices and services.

With the Xpanse platform, the agency gained total visibility into its global internet attack surface. The security team no longer had to accept responsibility without visibility or authority—it could now discover, monitor, and track internet assets and exposures across the entire organization, resulting in a heightened security posture. Leveraging Expander from August 2017 to April 2019, the agency decreased critical exposures by over 58% and reduced the number of insecure certificates by 44%, and is driving toward full remediation.

With a significantly reduced attack surface and automatic discovery and monitoring of new internet-connected assets and exposures, the major U.S. agency is more secure and able to focus on its mandate in service of the American people.

To learn more about Cortex® Xpanse™, visit