Threat Response Center - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Research and respond to zero-day exploits and global threat events in the Threat Response Center.

The Threat Response Center (TRC) in Cortex Xpanse simplifies and streamlines your response to global threat events and zero-day exploits by aggregating the most important information about the threat and its impact on your organization in one place. From the Threat Response Center, you can accomplish the following:

  • Review a curated list of emergent and global threat events, and quickly identify the events that impact your organization.

  • Research a threat event. The Xpanse Security Research Team provides a threat summary, potential exploit consequences, previous exploit activity, and links to other reputable sources for additional information.

  • Assess the impact of a threat event on your organization. Review a detailed list of the affected software, turn on relevant attack surface rules, identify relevant incidents and alerts, and see how the risk is distributed across your organization.

  • Build a Remediation Plan. The Threat Response Center provides remediation guidance for each event, lists of relevant alerts and incidents by status and assignee, and click-throughs to incident and alert pages to begin remediation.


You must have a role with Attack Surface Rules permission to access the Threat Response Center. In the Roles Based Access Control (RBAC) UI, you can find Attack Surface Rules in the Incident Response component.

Which Threat Events Are Included in the Threat Response Center?

Typically, a threat event is defined as a critical or high-risk vulnerability that allows threat actors direct access to assets, leading to widespread impact across corporate networks. Devices and applications impacted by such vulnerabilities are at risk of exploitation remotely over the public-facing Internet. These threats often allow threat actors to gain remote control of systems. 

Cortex Xpanse considers the following questions when evaluating the level of risk of a threat event and whether to include it in the Threat Response Center:

  • Is it a vulnerability without a patch?

  • Is it a “Known Exploitable Vulnerability” that has been weaponized by threat actors?

  • Can it be exploited remotely over the internet in an unauthenticated manner?

  • Is a proof of concept readily available? Has active exploitation in the wild been reported?

  • How widespread is the impact of the vulnerability? Does it impact many organizations or is limited to a certain section of the industry?

  • Is the vulnerability in an application or device that is routinely targeted by attackers?

  • Does it have a vendor severity rating of “Critical” or “High”? Does it have a CVSS score of 9 or higher?

  • Are there geo-political factors in play? (For example, is an APT targeting groups or individuals from specific countries or regions?)

How Often is the Threat Response Center Updated?

You can find the latest information on emerging threats in the Threat Response Center. Our security research team creates and updates threat events in the Threat Response Center in the following situations:

  • When a new threat event occurs and the security research team determines the event is critical enough to add to the Threat Response Center.

  • When new information is discovered for existing threat events. The information on a threat event page is updated frequently as a threat evolves.