Case Study

Strengthening Cyber Resilience at a Major U.S. Airport Operator

Learn how a major U.S. airport operator achieved 24/7 threat detection, improved security maturity, and unified operations without building an in-house SOC.

At A Glance

Industry: Transportation

Customer Profile: International Airport Operator

Security Offering: Managed SOC / Dedicated Defense

Region: North America

Executive Summary

One of the busiest airport systems in the United States faced mounting pressure to modernize its security operations. The organization needed to improve overnight threat coverage, operationalize a growing toolset, and demonstrate measurable program maturity to federal stakeholders. But building a fully staffed, in-house SOC proved too complex and costly.

Instead, they turned to a shared services model with UltraViolet Cyber. Over time, that relationship has expanded into a layered engagement: around-the-clock Managed SOC, Dedicated Defense support (focused on detection tuning, platform support, and on-site strategy), automation, and incident response. Security teams work side by side—even on holiday weekends, during security incidents, and in city-level briefings—to keep airport systems protected and leadership informed.

The result is a long-term partnership rooted in responsiveness, expertise, and operational outcomes.

The Challenge

The airport initially explored standing up its own security operations center (SOC). After several months of planning and cost modeling, the team determined that maintaining 24/7 coverage and managing tool integration internally would stretch resources and budget beyond sustainable limits.

The environment spanned approximately 6,000 endpoints across IT and OT systems, with security responsibilities cutting across airport infrastructure, vendor networks, and terminal operations. Internal staffing remained lean, making sustained oversight and tuning difficult to operationalize.

The airport had already invested in a range of security technologies, including endpoint detection, SIEM, perimeter firewalls, and network monitoring platforms. What they lacked was the operational coverage, tuning expertise, and staff to tie it all together. Overnight and holiday coverage remained a persistent vulnerability.

At the same time, new requirements from TSA’s Security Improvement Plan (SIP) raised the stakes. Demonstrating progress toward stronger detection and response maturity became an executive priority.

To meet the full scope of operational demands, the airport required not just coverage but also additional capability, leadership, and trusted execution.

The Solution

The partnership with UltraViolet Cyber began with Managed SOC, integrated into the airport’s existing security stack and focused on delivering 24/7 detection and triage. Over time, it evolved into a more integrated, outcome-oriented model:

    • Dedicated Defense engineers were embedded to support detection engineering, platform operations, and on-site security strategy.
    • Managed SOC expanded to enable pre-authorized response actions, reducing dwell time and improving containment.
    • TORQ automation was introduced in 2025 to streamline alert enrichment, enable SMS emergency notifications, and support full response execution.
    • UltraViolet security experts responded to multiple incidents, including attacks that occurred over weekends and holidays, delivering rapid triage, containment, and continuity of operations under pressure.
    • UltraViolet also played an active role in supporting the airport’s TSA Security Improvement Plan, participating in strategy development, regulatory conversations, and expanding the airport’s vulnerability management efforts in alignment with federal requirements.

With years of experience supporting major U.S. airport environments and deep familiarity with federal-grade cybersecurity requirements, UltraViolet brought a strong understanding of airport infrastructure, from runway and baggage handling systems to vendor networks and regulatory oversight. That context informed detection strategy and helped accelerate operational wins.

The Impact

Through the course of the partnership, the airport has achieved measurable gains in coverage, detection, and responsiveness:

    • 24/7 triage and escalation, aligned to defined SLAs
    • Median response time of <1 minute for critical alerts
    • Accurate detection of key activity during a scheduled penetration test, reinforcing the effectiveness of detection tuning and threat coverage
    • Security intelligence briefings delivered to municipal and federal stakeholders
    • Early warnings on third-party risk events, allowing leadership to respond quickly

Following a potential major threat that required rapid response and coordination, client leadership summed up the value of the partnership:

"We couldn't have made it through this without you and your team. Your commitment, technical depth, and responsiveness in critical moments made all the difference."

CIO, Major U.S. Airport Operator

The relationship has continued to grow, shaped by operational success and trusted execution. What began as a tactical solution for overnight coverage has evolved into a deeply integrated partnership. Together, the teams have responded to live threats, fine-tuned detection strategies, and built a shared operational rhythm grounded in trust. Over time, institutional knowledge has compounded, driving greater efficiency, better outcomes, and lasting confidence from airport leadership.

What’s Next

As the airport prepares for future high-profile events and increased travel volume, it’s exploring new approaches to coordinate and scale cybersecurity efforts. Among the possibilities under consideration is a dedicated program management office (PMO) to centralize oversight and align stakeholders across security initiatives.

Today, the partnership continues to support:

    • 24/7 SOC operations
    • Embedded Dedicated Defense support
    • Detection and threat tuning
    • On-demand incident response

Cyber resilience is now a board-level focus, and the airport has a trusted partnership in place to support whatever comes next.