Actively Find and Fix Your Attack Surface Exposures with New Playbooks in Your Active Response Module

With the growth of cloud adoption and hybrid work, businesses are struggling to manage an attack surface that is expanding at an alarming rate. The 2022 Attack Surface Threat Report found that certain industries, such as healthcare and insurance, saw a 20-25% increase in new risks every month, and no industry showed a reduction in attack surface risk. The modern attack surface expands and changes every day.

Attackers take advantage of this, using highly automated methods to find and exploit vulnerabilities in target organizations, sometimes within minutes of a new CVE (Common Vulnerabilities and Exposures entry) being published. While attackers automate, security teams are still struggling to inventory their assets and are hindered by a backlog of other remediation work.

To turn the odds back in favor of defenders, we launched the Active Response Module to enable security teams to actively find and automatically fix their attack surface exposures. Today we are expanding it with playbooks that find and fix exposures related to:

  • RDP Servers: According to the 2022 Unit 42 Incident Response Report, 62% of successful ransomware attacks involved the exploitation of exposed RDP instances. Logins for exposed RDP servers sell for $3-$101 on the dark web.[1] The Active Response Module automatically shuts down your RDP exposures.
  • Insecure OpenSSH Servers: OpenSSH is ubiquitous, but not always deployed safely. The Xpanse research team found that over 50% of companies run insecure instances that can be compromised by simple brute-force attacks against password logins.
  • Unencrypted FTP Servers: File Transfer Protocol (FTP) transfers files between hosts, and in its original form does so without encryption: credentials and file contents cross the network in plaintext, where they are at risk of interception and theft. Encrypted alternatives (FTPS, SFTP) exist, and exposing plain FTP violates numerous regulatory compliance standards. With this playbook, you can discover and shut down your unencrypted FTP ports.
  • Telnet Servers: Telnet provides unencrypted remote shell access, so anyone able to observe the traffic can capture credentials and session contents. Externally accessible Telnet servers pose a significant risk of data and credential loss: they were never designed to be publicly reachable, and exploits are regularly discovered for the devices that still run them. With this playbook, you can discover and remediate your Telnet servers.
  • SNMP Servers: Simple Network Management Protocol (SNMP), a protocol from the 1980s, collects and organizes information about managed devices on a network; modems, routers, switches, and printers use it to report status and accept configuration. Its most widely deployed versions (v1 and v2c) authenticate with a plaintext community string, often left at the default "public", so it should never be publicly accessible. Yet the Xpanse research team discovered over half a million devices on the internet answering on SNMP's default port, UDP 161.
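As an added illustration (not Xpanse's code, playbook logic or data model), the following Python applies the five exposure rules above to scanner output: RDP on 3389/tcp, OpenSSH with protocol 1 or password authentication, FTP without AUTH TLS, Telnet by port or option-negotiation greeting, and SNMP answering on 161/udp. The Service and Finding records, the probe field names (auth_methods, feat, version, community) and the sample hosts are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Severity ranks used to order the triage list (lower sorts first).
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Service:
    """One externally reachable service as a scanner might report it.
    The field names are assumptions for this example, not Xpanse's data model."""
    host: str
    port: int
    proto: str                 # "tcp" or "udp"
    banner: str = ""           # first line the service sent on connect, decoded as latin-1
    probe: Dict[str, object] = field(default_factory=dict)  # protocol-specific probe results


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    rule: str
    severity: str
    remediation: str


def classify(svc: Service) -> List[Finding]:
    """Apply the five playbook rules to one service. A host can trip several rules."""
    out: List[Finding] = []

    def add(rule: str, severity: str, remediation: str) -> None:
        out.append(Finding(svc.host, svc.port, svc.proto, rule, severity, remediation))

    # RDP: any internet-facing 3389/tcp is a ransomware entry point; no banner needed.
    if svc.proto == "tcp" and svc.port == 3389:
        add("exposed-rdp", "critical",
            "Remove the inbound 3389/tcp rule; reach RDP only through a VPN, bastion or RD Gateway")

    # SSH: the version string reveals protocol-1 support ("SSH-1.5" = v1 only,
    # "SSH-1.99" = v1 and v2 offered); password auth is what brute-force attacks target.
    if svc.proto == "tcp" and svc.banner.startswith("SSH-"):
        if svc.banner.startswith("SSH-1."):
            add("ssh-protocol-1", "critical", "Disable SSH protocol 1 and upgrade OpenSSH")
        methods = svc.probe.get("auth_methods", [])
        if "password" in methods:
            add("ssh-password-auth", "high",
                "Set PasswordAuthentication no in sshd_config; use keys, ideally behind a bastion")

    # FTP: a 220 greeting on port 21 without "AUTH TLS" in the FEAT reply means
    # credentials and data cross the network in cleartext.
    if svc.proto == "tcp" and svc.port == 21 and svc.banner.startswith("220"):
        feat = svc.probe.get("feat", [])
        if "AUTH TLS" not in feat:
            add("unencrypted-ftp", "high",
                "Close 21/tcp; move the file exchange to SFTP or FTPS with TLS required")

    # Telnet: port 23, or a greeting that starts with IAC option negotiation
    # (0xff 0xfb = WILL, 0xff 0xfd = DO), which is how a Telnet server opens.
    if svc.proto == "tcp" and (svc.port == 23 or svc.banner[:2] in ("\xff\xfb", "\xff\xfd")):
        add("exposed-telnet", "critical",
            "Disable Telnet on the device and block 23/tcp; manage it over SSH from inside")

    # SNMP: any answer on 161/udp from the internet is bad; v1/v2c with a known
    # community string hands the device's configuration to anyone.
    if svc.proto == "udp" and svc.port == 161:
        if svc.probe.get("version") in ("1", "2c") and svc.probe.get("community"):
            add("snmp-default-community", "critical",
                "Block 161/udp from the internet; move to SNMPv3 authPriv and rotate community strings")
        else:
            add("exposed-snmp", "high",
                "Block 161/udp from the internet; poll devices only from the management network")
    return out


def triage(services: List[Service]) -> List[Finding]:
    """Run every service through the playbook rules and order the findings by severity."""
    findings = [f for svc in services for f in classify(svc)]
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port, f.rule))
    return findings


# Constructed scan records (RFC 5737 TEST-NET addresses), not real hosts.
SAMPLE_SCAN = [
    Service("203.0.113.10", 3389, "tcp"),
    Service("203.0.113.11", 22, "tcp", banner="SSH-2.0-OpenSSH_8.9p1 Ubuntu-3",
            probe={"auth_methods": ["publickey"]}),
    Service("203.0.113.12", 22, "tcp", banner="SSH-1.99-OpenSSH_5.3",
            probe={"auth_methods": ["publickey", "password"]}),
    Service("203.0.113.13", 21, "tcp", banner="220 (vsFTPd 3.0.3)",
            probe={"feat": ["EPRT", "EPSV", "MDTM"]}),
    Service("203.0.113.14", 21, "tcp", banner="220 ProFTPD Server",
            probe={"feat": ["AUTH TLS", "PBSZ", "PROT"]}),
    Service("203.0.113.15", 23, "tcp", banner="\xff\xfd\x18\xff\xfd "),
    Service("203.0.113.16", 161, "udp", probe={"version": "2c", "community": "public"}),
    Service("203.0.113.17", 443, "tcp"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f.severity:8} {f.host}:{f.port}/{f.proto:3} {f.rule:22} -> {f.remediation}")
```

Two of the rules are deliberately optimistic and a production playbook would tighten them: an FTP server that advertises AUTH TLS still accepts cleartext logins unless it is configured to require TLS, so enforcement should be confirmed with a plain USER/PASS attempt; and SSH password authentication is sometimes reported as keyboard-interactive, which the check above does not flag.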

Additionally, starting today, Xpanse customers can natively integrate with AWS and GCP to automatically enrich incident information and to cut off access to the exposed ports, so that the affected assets are no longer reachable from the public internet.

Proactively prevent ransomware by automatically shutting down RDP exposures.

Attackers are only becoming more sophisticated, and new vulnerabilities emerge daily. Some of the world's largest and most demanding organizations use Xpanse to secure their attack surface by reducing their risky exposures. Xpanse protects the U.S. Department of Defense, all six branches of the U.S. military, several federal agencies, and large enterprises like Accenture, AT&T, American Express, AIG, Pfizer, and over 200 others.

To learn more, read about the Active Response Module or watch the "Active Attack Surface Management with Cortex Xpanse" webinar on demand.

[1] BleepingComputer: Logins for 1.3 million Windows RDP servers collected from hacker market