Cisco SecureX threat response Data Sheet

Data Sheet

Available Languages

Download Options

  • PDF
    (829.7 KB)
    View with Adobe Reader on a variety of devices
Updated:November 25, 2020

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Available Languages

Download Options

  • PDF
    (829.7 KB)
    View with Adobe Reader on a variety of devices
Updated:November 25, 2020


Cisco SecureX threat response Data Sheet

This document describes a product overview and ordering information for Cisco SecureX threat response (formerly Cisco Threat Response).

For more detailed information, go to

Solution overview

Security attacks wait for no one, making threat investigations increasingly complex, all the while with understaffed security operations teams. Security analysts need to stay ahead of current threats and minimize impact in the event of an attack, but they’re often pivoting between multiple, disparate cybersecurity tools and spending valuable time and resources in the process.

SecureX threat response is a security investigation and incident response application. It simplifies threat hunting and incident response by accelerating detection, investigation, and remediation of threats. Threat response provides your security investigations with context and enrichment by connecting your Cisco security solutions (across endpoint, network, and cloud) and integrating with third-party tools, all in a single console. SecureX threat response is included at no additional cost with the following Cisco security licenses:




Cisco Secure Endpoint

Cisco Secure Email

Cisco Secure Web Appliance


Cisco Secure Firewall

Cisco Secure Network Analytics


Cisco Umbrella


Cisco Secure Malware Analytics

To understand whether a threat has been seen in your environment as well as its impact, SecureX threat response aggregates contextual awareness from Cisco security product data sources along with global threat intelligence from Talos® and third-party sources via APIs. Threat response identifies whether observables such as file hashes, IP addresses, domains, and email addresses are suspicious or malicious, and whether you have been affected by them. It also provides the ability to remediate directly from the interface and block suspicious files, domains, isolate hosts, and more without pivoting to another product first.

With SecureX threat response you will:

      Simplify threat investigations

      Get rapid, coordinated incident response

      Lower Mean-Time-To-Respond (MTTR) and dwell time

Primary use cases

      Incident response: Leverage multiple security technologies in a single console to address and manage the aftermath of an attack in your environment by aggregating multiple security technologies for a holistic investigation and remediating in a single console.

      Threat hunting: Proactively search for active threats in your environment with a holistic, integrated approach by aggregating multiple security technologies in a single console.

How SecureX threat response works

Threat response aggregates intelligence from both Cisco security product data sources and third-party sources via APIs to identify whether observables such as file hashes, IP addresses, domains, and email addresses are suspicious. The left-hand side of the diagram below shows the intelligence sources that are used to generate verdicts on the Indicators of Compromise (IOCs). When you paste the observables to the Investigate interface of SecureX threat response and start an investigation, the product adds context from integrated Cisco security products automatically, so you know instantly which of your systems was targeted and how. It brings that knowledge back from intel sources and security products, displaying results in seconds. From there, security operations teams can take action immediately or continue their investigation with the tools provided.

How SecureX threat response works

Main features and capabilities






Tool for saving, sharing, and enriching threat analysis that allows to document all the analysis in a cloud casebook and to save snapshots from all integrated or web-accessible tools.

Get a correct verdict on dispositions on observables quickly and intuitively and pivot to individual data sources for more information, working across multiple integrations in the Cisco security portfolio.

Available via:

  SecureX threat response Investigate UI
  Other integrated Cisco products and tools
  Any webpage via browser plug- in, including other Cisco products, integrated or external threat intel sources, and existing third-party tools.






Incident Manager

Automated triage and prioritization of alerts from Cisco Secure Firewall and Cisco Secure Network Analytics. Allows for investigating and enriching events with context from integrations across security products as well as responding to high-urgency incidents.

Convenience of common UI for all Cisco-detected security incidents

First-level triage, promoting raw security events to Incidents

Customizable auto-promotion rules

Required integrations:

  Cisco Secure Firewall integration
  Cisco Secure Network Analytics


Remediation actions:

  Isolate hosts
  Block files

Block domains

Respond to threats immediately through the convenient interface of one console.

Required integrations:

  Cisco Secure Endpoint integration to isolate hosts and block files
  Umbrella Enforcement APIs to block domains

Browser plug-in

Browser extension that allows for pulling IP addresses or domains from anywhere an observable is seen, for an investigation.

Quickly and easily pull in indicators of compromise from any webpage or browser- based console, Cisco or otherwise, and start an investigation.

  Installed plug-ins for Google Chrome or Firefox

Relations graph

Part of SecureX threat response interface that shows all the observables found during the investigation and indicates relationships between them. Intuitive color and shape coding helps determine the nature of the events and the relationships.

Visually intuitive guide to enrichment results, which allows for an at-a-glance verdict for the observables you are investigating (malicious, benign, and unknown) and helps you immediately tell if these observables are seen locally in your network.

Available via:

SecureX threat response Investigate UI

Open-source integrations

Custom integrations of any security operations tools and workflows available through open and well-documented APIs.

Leverage your full security stack by integrating all tools into one console, enhancing your existing Security Information and Event Management (SIEM) and Security Orchestration, Automation, Response (SOAR) technologies.

Available via open APIs


Threat Response

Product specifications

SecureX threat response is a cloud-based product available in three regional clouds:

      U.S. cloud

      EU cloud

      Asia Pacific cloud

Browser requirements: current and preceding versions of Chrome, Edge, Firefox, and Safari

Cisco security integrations

The product can integrate with selected cloud and on-premises solutions. Cloud services are typically integrated using API keys, available under the settings menu of the cloud service itself. For on-premises devices to be integrated with SecureX threat response, it must first be added and then registered in Security Services Exchange. Security Services Exchange (SSE) is a Cisco cloud platform that handles cloud-to- cloud and premise-to-cloud identification, authentication, and data storage for use in Cisco cloud security products. The connected devices can write to the storage in SSE and then from there to SecureX threat response.

Value of the individual product integrations

SecureX threat response and Umbrella: Umbrella automatically uncovers attacker infrastructure staged for current and emerging threats and proactively blocks malicious requests before they reach a customer’s network or endpoints. With Cisco Umbrella enrichment for SecureX threat response, customers can stop phishing and malware infections earlier, identify already-infected devices faster, and prevent data exfiltration. The integration provides complete visibility into Internet activity across all locations and users and allows you to take action with a two-click response to quickly block domains.

SecureX threat response and Cisco Secure Email: Integration with Secure Email allows you to understand email as a threat vector by visualizing message, sender, and target relationships in the context of a threat. You can search for multiple email addresses, subject lines, and attachments at once to understand how a threat has spread.

SecureX threat response and Cisco Secure Firewall: Integration with Secure Firewall provides the capability to investigate, identify, and enrich intrusion events with context from integrations across security products. It also offers an automated triage and prioritization of intrusion events through the built-in Incident Manager.

SecureX threat response and Cisco Secure Endpoint: Integration with Secure Endpoint allows you to investigate and identify multiple files with context from integrations across security products. It provides detailed information on affected endpoints and devices, including IP addresses, OS, and AMP GUID. Additionally, it allows you to block files at endpoints and Endpoint-capable edge devices and immediately quarantine affected endpoints with the Endpoint Host Isolation response feature.

SecureX threat response and Secure Malware Analytics: Integration with Secure Malware Analytics allows you to get detailed intelligence about malware, associated paths, and more.

SecureX threat response and Secure Network Analytics: Secure Network Analytics’ visibility and security capabilities will enrich threat detection and response in the SecureX threat response console with agentless behavioral and anomaly detection capabilities. SecureX threat response integrations with other sources of global threat intelligence and internal visibility will affirm and enrich Network Analytic findings with confirmed threat intel and local sightings. Integrations with Cisco control devices provide two-click mitigation and resolution.

SecureX threat response and Secure Web Appliance: Secure Web leverages multiple technologies to protect your network against the most common threat vector and provides SecureX threat response users with visibility into connections with unsafe or suspicious websites. SecureX threat response integrations with other sources of global threat intelligence and internal visibility will affirm and enrich Web findings with confirmed threat intel and local sightings.

Integrated product software compatibility




Cloud only

Malware Analytics

Cloud only


  (With Security Management Appliance (SMA)): AsyncOS12.5 on both the Email Security Appliance (ESA) and the SMA
  (Standalone): AsyncOS13.0


Cloud product, N/A

Web Appliance

(SMA or standalone): AsyncOS 12.0

Network Analytics



v. 6.3+

Integrating your Cisco security products with Cisco threat response

      Quick-start guides for integrated products:




      Configuration tutorials on YouTube




APIs/third-party integrations

Threat response is developed using an API-first approach, which means that all features are built into the API, and then the user interface is updated to call that API function. Functionally, this means that any action you can perform in the UI, you can also perform via the API. The API documentation is robust and even includes prototyping tools that you can use to help develop your own integrations and middleware.

Use cases for the API include, but are certainly not limited to:

      Adding your own threat intelligence, regardless of source or collection method, to SecureX threat response for future investigations

      Performing automated investigations on observable feeds, checking for local sightings

      Promoting alerts and events from third-party tools into SecureX threat response’s Incident Manager

To get started learning how to use this powerful, versatile tool, see the Cisco Learning Lab on the SecureX threat response API at

API aggregation

Threat Response can be thought of as an API aggregator—we use the APIs of the integrated products so that you don’t have to. Threat Response uses those APIs to retrieve information and relay response actions to the products that offer them. For example:

      Using the SMA API to ask if the SMA has any record of interactions with an IP address

      Using the AMP file database API to get a reputation lookup on a file hash

      Using the AMP for Endpoints API to request host isolation on an endpoint

Each of these integrated tools adds their own capabilities to the toolset.

API aggregation

SecureX threat response is not a SIEM, or a SOAR—although it provides some functionality commonly associated with each. Like a SIEM, SecureX threat response gives you one place where you can check logs from multiple products—not by aggregating the logs themselves, as in a traditional SIEM (adding storage cost and maintenance), but by aggregating the lookups against those existing information stores. Similar to a SOAR, SecureX threat response gives you quick response capabilities across multiple control planes in a single interface. However, SecureX threat response is a free application, and it can very well coexist with SIEM and SOAR tools and empowers them to integrate with Cisco products more easily—in fact, we already have supported integration tools for Splunk, LogRhythm, and others soon to come.


If you require technical assistance with SecureX threat response, you can open a case in Support Case Manager. The Cisco security product(s) through which you have access to SecureX threat response entitle you to a number of technical services. You would need your product serial number or product service contract to create a support case. Alternatively, you can either manually select “threat response” in the technology window and bypass the entitlement or contact Cisco Support at 1 800 553 2447.


For more information about SecureX threat response, visit or contact your Cisco security account representative to learn how your organization can get more value out of your existing security investment by leveraging SecureX threat response at no additional cost.

Other helpful resources:

      Threat Response community page

      Threat Response YouTube videos

      Threat Response at-a-glance

      Threat Response FAQs

Cisco environmental sustainability

Information about Cisco’s environmental sustainability policies and initiatives for our products, solutions, operations, and extended operations or supply chain is provided in the “Environment Sustainability” section of Cisco’s Corporate Social Responsibility (CSR) Report.

Reference links to information about key environmental sustainability topics (mentioned in the “Environment Sustainability” section of the CSR Report) are provided in the following table:

Sustainability topic


Information on product material content laws and regulations


Information on electronic waste laws and regulations, including products, batteries, and packaging

WEEE compliance

Cisco makes the packaging data available for informational purposes only. It may not reflect the most current legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to date. This information is subject to change without notice.

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

Learn more