Summit Utilities Reduces CVSS Criticals by 91%
Summit Utilities is a multistate utility provider committed to reliable, secure service delivery. With patching processes built around a Microsoft stack, Summit needed a way to catch high-risk vulnerabilities that escaped standard workflows and aged into risk.
The Challenge: Patch Blind Spots and Ticketing Inefficiencies
Prior to Zafran, Summit relied heavily on Microsoft’s patch management tools to handle the bulk of its remediation efforts. While effective for most scenarios, this process often left gaps, particularly for vulnerabilities that aged beyond 30-45 days or fell outside predefined severity thresholds.
There was also no streamlined workflow for identifying, tracking, and assigning remediation efforts; the team lacked clarity and consistency in addressing lingering risk.
The Implementation
Summit deployed Zafran to augment its existing patch management strategy, without needing new agents. Zafran integrated directly into Defender’s output, enriching vulnerability signals with runtime presence, internet exposure, and control coverage to uncover hidden risks.
Instead of buying a separate vulnerability scanner, Summit used Zafran’s intelligence to filter the flood of alerts down to what truly mattered, surfacing missed patches and risks aging past 30–45 days. With Jira integrations, Zafran enabled structured workflows using RemOps, including dashboards and ticket pipelines for SLA-aligned remediation.
The Zafran rollout at Summit was driven by the security operations team, which quickly adopted bi-weekly cadences and dashboard reviews. Underlying the deployment is that Zafran is fully built on AWS and leverages a comprehensive suite of cloud-native capabilities to deliver secure, scalable, and intelligent remediation operations. By utilizing Amazon Bedrock for generative AI, along with AWS Security Hub, Amazon Inspector, and AWS AgentCore, we enable continuous exposure assessment, automated prioritization, and accelerated remediation actions—reducing operational effort while improving overall security posture. Summit is now expanding its use of mitigation insights and control context, with plans to build aging-based assignment rules and deeper remediation visibility.
With Zafran, we’ve got a clear view into what matters, structured workflows to act on it, and fewer risks slipping through the cracks.
Aaron Baillio, Director of InfoSec
Summit Utilities
The Results
Since implementing Zafran, Summit has:
- Achieved a 91% reduction in critical vulnerabilities by prioritizing remediation based on what truly poses risk within their environment
- Surfaced critical patching blind spots previously missed by Windows Server Update Services (WSUS) and Microsoft Defender
- Delayed or canceled the purchase of additional vulnerability scanners; freed up budget and reduced tool sprawl
- Reduced operational risk by cutting through noisy, inflated criticality scores and surfacing real threats
- Automated triage and ticket creation through Zafran’s Jira integration, aligning remediation with SLAs
Zafran is now helping Summit bridge the last mile of patch management to reduce operational risk, improve accountability, and strengthen overall posture.
Learn More
Zafran partners with complex global organizations to help them move from reactive vulnerability patching to proactive risk reduction. Our work is strengthened by Zafran’s deep collaboration with AWS. We are ISV Accelerate (ISVA), Co-sell Ready, members of the AWS Global Startup Program (GSP), and fully deployed on AWS. As a Marketplace-first company operating through an AWS Partner-Led motion, we work closely with AWS field teams to drive measurable security and compliance outcomes across our customer base. With Zafran, security teams can focus on exposures that actually matter—based on live context from their own environment—and take immediate steps to mitigate risk.
We invite you to see what our customers already know. Come see the power of Zafran.
Industry
Primary Use Cases
Key Outcome
See Zafran in action
See Zafran in Action
Prioritize and fix what is truly exploitable using risk context from your existing security tools
