Introduction to Cortex Xpanse - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Cortex Xpanse is a SaaS-based attack surface management platform that collects and correlates information about every device and service connected to the public internet.

Cortex Xpanse is a multi-tenant, SaaS-based attack surface management (ASM) platform that collects and correlates active and passive information about every device and service connected to the public internet. Using this information, Cortex Xpanse attributes assets to specific organizations, identifying weaknesses in your organization’s known infrastructure and helping you discover and protect previously unknown internet-connected systems.

Expander is the Cortex Xpanse web application and API that discovers, monitors, and tracks your global Internet attack surface, identifying new, existing, and unknown assets, and actively helping you reduce your exposure to attackers.

Expander's secure open APIs support integrations to various third-party systems, including SSO. Expander also supports an asset ingest model upon which we can build connectors to various systems. With these connectors, asset information can flow into the Expander platform and be processed alongside all other asset data.

Cortex Xpanse Expander provides the following key features that enable organizations to track and secure their internet-facing assets and infrastructure.

  • Asset Inventory—Cortex Xpanse provides a searchable, filterable view of all the assets that have been attributed to your organization by Cortex Xpanse, including IP ranges, certificates, domains, cloud resources, websites, and services.

  • Dashboards and Reports—Cortex Xpanse provides out-of-the-box, as well as customizable, dashboards and reports on the current and historical state of your organization's inventory, services, and incidents. This reporting delivers insight into trends and helps leaders identify key topics and business units to focus on to improve the security posture of the organization.

  • Incidents and Alerts—Cortex Xpanse incidents and alerts are based on a flexible attack surface rules engine that identifies security and configuration risks within your organization's assets and services, and provides a workflow in which analysts can investigate, prioritize, track their efforts to remediate outstanding problems, and independently confirm they have been corrected.

  • Active Response—The Cortex Xpanse Active Response add-on module provides the ability to automatically resolve alerts or to automate the alert investigation and notification workflow. Active Response uses curated out-of-the-box playbooks that run whenever a new attack surface alert is created. The playbook execution changes dynamically based on the details of the alert (such as the type of service detected) the integrations that have been configured (such as AWS or ServiceNow).

ASM is often used interchangeably with EASM (external attack surface management), though EASM refers specifically to the external attack surface while ASM may be used more broadly.