How a California State Agency Unified 9 Security Sources Into a Single Risk Picture

A California Governor’s Office agency managing critical land use and environmental data needed to satisfy NIST 800-53, StateRAMP, and FIPS 199 requirements — while operating with a lean security team across a fragmented tool landscape. Here’s how xAQUA Aegis changed everything in under 4 weeks.

StateRAMP Aligned

NIST 800-53

FIPS 199 Compliant

SIMM 5305-F

KEY RESULTS

0 %
Compliance posture across 4 frameworks within 30 days of go-live
47 m
Mean time to detect — down from 8+ hours of manual review
9
Disconnected security sources unified into one intelligence layer
8.5σ
Drift event detected before it became a reportable incident
s
To generate a board-ready compliance report from live data

9 Tools. 9 Dashboards.

Zero Unified Picture.

The agency operated Microsoft Sentinel for SIEM, AWS Security Hub for CIS benchmark compliance, Microsoft Entra ID for identity management, Azure Defender for cloud workload protection, Drata for SOC 2 controls, Palo Alto Networks for network security, HPE Aruba for zero-trust network access, Dynatrace for application performance, and LogicMonitor for infrastructure monitoring.

Each tool reported its own severity scale. None of them talked to each other. The security team spent the first 3 hours of every week manually aggregating data across dashboards just to answer the question their CISO asked every Monday morning: “Where are we on risk?”

😤

3 Hours Weekly

Spent manually aggregating data from 9 tools every Monday

📊

200+ Hours

Audit prep time per annual review cycle with manual evidence collection

🚨

8+ Hours

Mean time to detect correlated security events across multiple sources

The Event That Proved Predictive Intelligence Works

February 10–13, 2026: The AWS CIS Drift Event

Three weeks after go-live, Aegis detected an 8.5σ deviation in the agency’s AWS Security Hub CIS benchmark score — a drop from 84% to 69% over 72 hours. The drift was caused by 8 CIS controls failing simultaneously across IAM configuration and S3 encryption settings.

What made this remarkable: Aegis correlated the CIS failures with an unusual authentication pattern in Entra ID (847 failed login attempts over 4 hours) and a C2 traffic signature detected by Palo Alto Networks on port 8443. Three separate tools, three separate signals — connected automatically into a single Priority 1 Action Card at 02:15 UTC.

Without Aegis, these three signals would have been investigated separately by different team members. The correlation — which pointed to a coordinated credential-stuffing attempt — would likely have taken days to surface, if at all.

Outcome

The agency contained the event before any data was exfiltrated. Mean time to detect: 47 minutes vs. the prior 8+ hour baseline. The incident was closed within 3.2 hours. The recovery was predicted by Aegis to complete by March 25 at 74% confidence — and it did.

FEB 10 · 22:47 UTC

AWS CIS score begins declining · 84% → 81%

FEB 11 · 06:15 UTC

Entra ID anomaly detected · 847 failed auths

FEB 12 · 14:30 UTC

Aegis correlation engine links 3 signals · 8.5σ drift flagged

FEB 13 · 02:15 UTC

P1 Action Card generated · CISO notified · 47 min MTTD

FEB 13 · 05:27 UTC

Event contained · MTTR 3.2 hours · No data exfiltration

MAR 25 · PREDICTED

AWS CIS recovery to 80%+ · 74% confidence (Aegis forecast ✓)

The Numbers After Three Months Live

Compliance Posture
0 %

Across NIST 800-53, CIS Benchmark, SOC 2, and FedRAMP within 30 days

Mean Time to Detect
47 m

Down from 8+ hours. Cross-source correlation found in minutes, not days.

Mean Time to Resolve
3.2 h

From P1 Action Card to confirmed containment. 8% faster than prior baseline.

Board Report Generation
< 0 s

Down from 8 hours of manual preparation. Narratix generates from live data.

KRI Metrics Live
32

All 32 KRIs computed continuously — no spreadsheets, no manual aggregation.

Data Egress Events
0

All signals, scores, AI inference, and reports stayed within the agency boundary.

"Within the first 30 minutes of the POC session we could see exactly which controls were drifting and why. Aegis correlated three signals we'd been investigating separately for weeks. That's what sold us — not the demo, the actual data."
— Security Director, California State Agency · POC Session, February 2026

Ready to See Aegis With Your Own Data Sources?

We'll run the same POC session for your agency — your security stack, your data, your compliance requirements. You'll leave with a complete risk picture and a board-ready report.