Transforming Vulnerability and Exposure Management for a US State Agency

• US State Government Agency
• Dozens of sub-agencies
• Serves millions of citizens
• Looking to unify, prioritize, and automate response to vulnerabilities and exposures

The state-level agency is the backbone of IT infrastructure and cybersecurity for dozens of executive branch agencies serving millions of citizens. It ensures essential state functions, such as public safety, health services, and transportation operate smoothly and securely. By adopting advanced technologies, this agency not only safeguards the state’s digital assets but also sets a national standard for state-level cybersecurity.

In 2023, this agency established a project to modernize its vulnerability management operations. The goal was to address what was preventing the state-level agency and its sub-agencies from improving vulnerability management service level objectives (SLO) and reducing vulnerability-related risk.

Key Results

• Level of effort for manual vulnerability analysis and triage reduced by 80%
• Real-time statewide cyber risk visibility for executive leadership
• Reduced high-risk vulnerabilities by 50% within three months

Before Nucleus, teams spend up to 80% of their time sorting through vulnerability data, leaving little room for remediation. By automating the heavy lifting, Nucleus flips that ratio—enabling teams to focus on fixing high-risk vulnerabilities and reducing their backlog.

Securing a decentralized network, with dozens of state agencies, posed many unique challenges:

1. Data Overload: Disparate security scanning tools generated vast amounts of vulnerability and exposure data, making timely analysis and assessment impossible using manual processes.
2. Emerging Threats: Rapid response to critical vulnerabilities, including zero-day threats, was impeded by the lack of unified threat intelligence across commercial and internal agency feeds.
3. Remediation Timelines: Manual processes and poor visibility prolonged exposure to high-risk vulnerabilities with remediation timelines regularly missing agency and leadership goals.

The Nucleus Security unified vulnerability and exposure management platform aggregates, normalizes, and correlates vulnerability data from over 160 scanning tools, asset inventory systems, and threat intelligence sources. Designed for scalability, Nucleus provides security teams with centralized visibility, risk-based prioritization, and workflow automation to accelerate vulnerability remediation and streamline compliance across diverse attack surfaces.

Why They Chose Nucleus

The Agency explored several unified vulnerability management platforms over the course of several months, and ultimately selected Nucleus for three key reasons:

Meeting the Agency’s Technical Requirements: Nucleus was the only vendor that met requirements for multi-tenancy, third party integrations, scalability, and FedRAMP authorization with support for SaaS and on-premises deployment.

Deep Subject Matter Expertise: The Nucleus team demonstrated deep knowledge in vulnerability management and public sector use cases during a three-month proof-of-value (POV). The Nucleus team’s expertise was key to helping them navigate the process and organizational changes that were required to modernize the agency’s vulnerability and exposure management program.

Collaboration Partnership: Nucleus worked closely with the agency to ensure a seamless experience—from initial discussions to deployment and ongoing support. Our team provided hands-on guidance at every step, ensuring long-term success beyond just implementation.

Nucleus provides security teams with centralized visibility, risk-based prioritization, and workflow automation to accelerate vulnerability remediation and streamline compliance across diverse attack surfaces.

Within 90 days, Nucleus was operational and delivering value to the agency:

• Aggregating, normalizing, and deduplicating all vulnerability, exposure, and asset information generated by the agency’s vulnerability assessment tool stack.
• Enriching vulnerability scan data with real-time threat and vulnerability intelligence from over 15 sources. This created an intelligence-led approach to prioritization ensuring that the state’s sub-agencies were focused on mitigating exposures that pose the highest risk.
• Automating the manual and error-prone processes that were in place to efficiently deliver vulnerability information to agencies.

Through the implementation, Nucleus worked closely with the agency to develop several custom enhancements. These included:

• Integrations with vulnerability and asset inventories used by the agency.
• Custom role-based access control (RBAC) model tailored to grant the access based on unique roles within each sub-agency.
• State-wide reporting capabilities were created to enable statewide monitoring across all government agencies.

Within six months, Nucleus was fully operational, transforming how the agency monitors vulnerabilities and exposures. State agencies were successfully onboarded and began using Nucleus to analyze, prioritize, and drive remediation for vulnerabilities and security weaknesses identified by scanning tools. The end result was accelerated vulnerability response, lower mean-time-to-remediate (MTTR) vulnerabilities, and a significant reduction of the level of effort spent on vulnerability analysis and triage statewide.

Nucleus is a comprehensive vulnerability and exposure management platform. Here are some of the key features that helped successfully transform the agency’s vulnerability management program:

• Integrations: Nucleus already supported most integrations the agency needed to unify vulnerability, attack surface, and asset inventory data, as well as to create issues/tickets. Nucleus supports over 160 integrations natively and rapidly supports new integrations.
• Automation: With a small team, the agency manages diverse tools, high volumes of data, and extensive responsibilities. It used the Nucleus automation framework to automate data ingestion, asset ownership assignments, vulnerability prioritization, ticketing, report generation, report delivery, and more. This enabled the agency to scale its workflows without increasing headcount.
• Multi-tenancy: As a service provider to nearly dozens of agencies, true multi-tenancy was a must for the agency. Built from the ground up to support the multi-tenancy requirements of the intelligence community, Nucleus had all the features that the agency needed to manage data among agencies with full separation, provide granular role-based access within agencies, and maintain statewide visibility and centralized control over the entire platform and information.
• Vulnerability Intelligence: With a diverse stack of vulnerability scanners and Attack Surface Management (ASM) tools, the agency had multiple sources of vulnerability data reporting different priorities and severity ratings. This made it nearly impossible to prioritize consistently across the full spectrum of vulnerabilities and exposures. Nucleus’ vulnerability intelligence was leveraged to assign risk levels consistently across all sources of vulnerabilities, based on the agency’s prioritization methodology.

The agency used the Nucleus automation framework to automate data ingestion, asset ownership assignments, vulnerability prioritization, ticketing, report generation, report delivery, and more.

Operational Improvements

The agency centralized visibility into all vulnerabilities, exposures, and assets. The leadership team now has a real-time view of cyber risk exposure and remediation status across all its executive branch networks, enhancing their continuous monitoring capability. Nucleus has automated dozens of workflows that were previously manual, enabling the agency to scale its operation and deliver results significantly faster. Spreadsheets have been eliminated and replaced with dashboards, on-demand reports, and scheduled reports that answer the questions that the agency needs answered automatically.

Statewide Impact

With Nucleus in place, each agency has an automated, up-to-date, and threat-prioritized list of every vulnerability impacting its systems. By focusing patching and mitigation efforts on high-risk and high-impact vulnerabilities, agencies have improved their overall cybersecurity risk posture, and the organization has the visibility needed to understand the risk posture of the agencies and the state.

Risk Reduction

• Customized vulnerability prioritization leveraging threat and vulnerability intelligence from Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS ISACs), and other feeds.
• Significant reduction in the meantime to remediate (aka “dwell time”) of high-risk vulnerabilities and overall improvement of security posture.

Nucleus has automated dozens of workflows that were previously manual, enabling the agency to scale its operation and deliver results significantly faster. Spreadsheets have been eliminated and replaced with dashboards.

The agency partnered with Nucleus to modernize its vulnerability and exposure management program while streamlining compliance.

The result: faster remediation of critical risk, rapid response to emerging threats, and continuous monitoring of agency and vendor security efficacy tailored to state-specific requirements.

With Nucleus, the agency continues to set the standard for public-sector cybersecurity, ensuring critical exposures are targeted based on the most current intelligence.