When Lumen Technologies — one of the largest US telecommunications and internet backbone operators — decided to modernize its security posture, it discovered a staggering blind spot: the company thought it had roughly 17,000 assets. The real number was 1.1 million.
That 60x gap between assumed and actual attack surface is the kind of finding that changes organizational strategy, and for Lumen, it did exactly that.
The Discovery
Geoff Krahn, Director of Product and Platform Security at Lumen, led an initiative to consolidate asset visibility across the company's sprawling infrastructure. The challenge: Lumen was pulling from more than 40 disconnected inventory systems — each with its own data format, update cadence, and coverage gaps.
By deploying the Axonius asset intelligence platform, the team aggregated all 40+ sources into a single normalized view. The result revealed 1.1 million assets — endpoints, cloud instances, network devices, third-party SaaS connections, and more — that had previously existed as invisible risk.
Business Impact
The newfound visibility directly drove two major strategic decisions:
1. Cloud Migration
Axonius surfaced a large number of end-of-life devices across the fleet. The inability to maintain and secure aging hardware at scale made the business case for cloud migration — the data made it undeniable. Rather than playing whack-a-mole with expiring hardware, Lumen chose to migrate the majority of its infrastructure to the cloud.
2. 10x Security Investment
Demonstrating to leadership the true size of the attack surface is rarely a conversation that goes well for security teams expecting small budget asks. In Lumen's case, the visibility data was compelling enough to justify a 10x increase in security investment — a rare outcome driven directly by better data.
Risk-Based Prioritization
Beyond asset discovery, Axonius Exposures combined technical vulnerability data with:
- Asset context — ownership, business function, criticality
- Control coverage — what security tools are actually deployed on each asset
- Remediation impact modeling — which fixes deliver the most risk reduction per effort
Krahn described the goal as evolving vulnerability management "beyond scan and spam to intelligent risk-based requests driven by remediation actions that will deliver the most risk reduction."
Threat Intelligence Context
Lumen's Black Lotus Labs provides further context on the threat landscape the company operates in. Their 2026 Defender Threatscape Report documented:
- 200 billion+ NetFlow sessions monitored daily
- 1 billion+ DNS sessions analyzed daily
- 2.3 million unique threats tracked per day
- 46,000 command-and-control (C2) servers identified per day
Operating at that scale of threat visibility while simultaneously managing an unknown attack surface of over a million assets underscores why accurate inventory is the foundation of any security program.
Key Takeaway
Asset inventory is not a one-time project — it is a continuous discipline. Lumen's experience is a case study in what happens when security teams inherit fragmented tooling and never consolidate it: blind spots accumulate, and the gap between perceived and actual risk grows silently.
For any organization managing distributed infrastructure, consolidating asset discovery before investing in detection and response capabilities is not just good practice — it is table stakes.