Scanning - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Cortex Xpanse provides targeted scanning of customer networks from an attributed scanning infrastructure.

Cortex Xpanse scans the internet at varying cadences based on the protocol. At the slowest, Cortex Xpanse scans twice a week across IPv4. At the fastest, Cortex Xpanse scans multiple times per day (RDP, for example). In addition to the twice a week global minimum, Xpanse scans known customer assets and cloud ranges daily.

Cortex Xpanse uses multiple techniques to scan the internet and provide an attacker’s view of your attack surface. Xpanse offers two types of scans:

  • Global—The global scan is performed twice a week by default and provides the internet-scale data we use for all customer networks.

  • KAM (Known Assets Monitoring)—KAM monitors known assets at a higher scanning cadence and with faster data delivery for customers who opt in. Refer to Known Assets Monitoring (KAM) for details.

All Cortex Xpanse scans are CFAA-compliant, meaning there is no fuzzing of network services, authentication testing, DDoS testing, packet manipulation, or penetration testing.

Cortex Xpanse scans differ from vulnerability management (VM) scans in that Xpanse scans are from the outside-in, not behind firewalls or inside internal networks. Vulnerability management scans are internal scans that provide a view of your internal network and are typically more probing.