Case Study


Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal


The challenges faced by Rackspace in guarding against external threats included:

  • Improving processes to find, verify, and respond to external threats to improve staff use and speed response time
  • Enhancing defenses against external threats to reduce reputational risks due to cyberattacks, specifically from unknown external threats
  • Identifying online brand abuse and domain infringement by competing service providers

Solution Benefits

RiskIQ PassiveTotal® has delivered these benefits:

  • Automated identification, verification, and response to external threats, lessening staff use and speeding response time
  • Assures brand protection through proactive monitoring of domain and brand infringement
  • Quickly uncovers attackers’ infrastructure, thus allowing a more thorough understanding of the adversary
  • Fortifies Rackspace’s internal security systems and integrates with other security tools to automate and consolidate once manual actions across multiple systems
  • Allows powerful means to communicate results to management

“The information we could gather with PassiveTotal allowed us to more efficiently learn more about a potential issue or adversary’s infrastructure, to identify other possible at-risk environments, and to prevent future attacks based off information regarding new domains or IPs being used.”

--Gary Ruiz, Senior Manager for Cybersecurity Rackspace

The Results

Overall, RiskIQ’s PassiveTotal provided Rackspace with a comprehensive toolset with broad intelligence that offered capabilities to automatically alert the team to threat indicators they were tracking.

In particular, information gathered by PassiveTotal let Rackspace learn more about their adversary’s infrastructure and identify additional environments that may be targeted to prevent future attacks. Furthermore, it allowed the firm to efficiently identify domains and competitors infringing on their brand. In many cases, threat investigation takes only minutes leveraging RiskIQ’s API, which automates access into and data extraction from PassiveTotal. This operational efficient improves Rackspace human resource utilization, given the considerable cost to find, onboard and develop cybersecurity analysts.

Also, it took only a few days to train Rackspace’s security analysts on using PassiveTotal. At the same time, results and information uncovered by PassiveTotal can be used to educate tier-one and tier-two analysts and leadership on threats and how to address them.

PassiveTotal can also identify new domain variants to prevent future domain infringement and phishing attacks. Its ability to identify new threats significantly reduces Rackspace’s MTTD (mean time to detect) and MTTR (mean time to respond), thus minimizing possible damage to Rackspace’s and their customers’ brand reputations through compromise of sensitive data. Meanwhile, PassiveTotal quickly identifies newly created domain variants in phishing attacks, thus allowing Rackspace to proactively block them and prevent future attacks.

Next Steps

Given the great success that Rackspace has had in using RiskIQ’s PassiveTotal to quickly identify and respond to external threats, the company plans to expand its use of RiskIQ products for further protection from beyond the firewall. In addition to using API to automate Splunk, Phantom and other data-analysis software, Rackspace expects to automate its own applications through API.

They will also expand the use of PassiveTotal projects to more efficiently communicate info between Tier 1 and Tier 2 support, and also to demonstrate results to management.

Rackspace is exploring the use of RiskIQ Digital Footprint, which identifies a company’s external-facing assets—in essence, its entire digital presence—to be fully aware of vulnerabilities to external threats. The company also wants to look at bringing on RiskIQ External Threats, which covers domains, mobile, social and anti-phishing exposures by crawling the internet through virtual user technology.


RiskIQ PassiveTotal is a very effective solution for Rackspace to quickly identify and respond to external threats. Because of PassiveTotal, Rackspace’s time needed to research an external threat has been reduced. Likewise, the RiskIQ API’s ability to automatically find and identify threats has reduced Rackspace’s time spent on triaging and responding to them. As a result, Rackspace has been able to better prevent damage to its employees’ and customers’ personal information and brand reputation when attacked by external threats.

To further benefit from RiskIQ’s capabilities, Rackspace is currently automating the use of Splunk’s log data management, Phantom’s security automation, and other digital-analysis software through RiskIQ’s API, and Rackspace looking to integrate its own applications into the program as well.

Beyond this, the company is exploring the use of RiskIQ Digital Footprint® and RiskIQ External Threats® to further extend their digital threat management program.