Announcing the launch of Lumen Defender℠ Managed Rules for AWS Network Firewall

Proactive, internet-scale, AI-powered threat intelligence meets cloud-native simplicity

Cloud-native environments are facing an unprecedented surge in cyberattacks. In 2025, malware threats grew by over 30% in the first half of 2024, with 560,000 new variants detected daily and 70% of serious incidents involving fileless malware that evades traditional defenses.¹ Attackers increasingly rely on malicious proxy networks embedded in residential IP space to obfuscate traffic and bypass perimeter controls.

Network firewalls are foundational for perimeter security; however, their effectiveness is diminished by evasive tactics and rapidly shifting adversary infrastructure that traditional threat intelligence powering the firewalls cannot detect. What’s needed is threat intelligence that is proactive, dynamic and on an internet scale—intelligence that can see suspicious infrastructure as it’s being stood up, not after it’s active with patient zero.

That’s where Lumen Defender^SM Managed Rules comes in, built for network security teams, CISOs and cloud practitioners. Powered by Black Lotus Labs^®, this brings protection derived from the Lumen internet network backbone visibility directly into AWS environments.

Lumen and AWS redefining network security

The collaboration between Lumen and AWS is built on a shared vision—empowering organizations to defend against modern threats with agility and precision and making firewalls more effective through proactive threat intelligence.

What is AWS announcing?

AWS announced the launch of fully managed rule groups by security vendors, including Lumen, for AWS Network Firewall. This new feature allows customers to leverage pre-configured, expert-curated rule sets that seamlessly integrate third-party threat intelligence from leading security vendors directly within their AWS Network Firewall policies. These rule groups are frequently updated by security vendors to reflect the latest threat landscape, providing customers with up-to-date protection without the need for writing their own custom rules. To learn more, visit AWS Network Firewall documentation.

What is Lumen announcing?

Lumen is proud to be an early partner for AWS Marketplace Managed Rules by launching Lumen Defender Managed Rules for AWS Network Firewall. Customers can subscribe to the rule group and apply it to their firewalls from AWS Network Firewall console. With this rule group, customers gain access to Black Lotus Labs threat intelligence, allowing rapid integration of threat data to protect critical cloud deployments.

What does this mean to network security teams and CISOs?

Defender Managed Rules, powered by Black Lotus Labs Threat Intelligence, are automatically applied to network traffic, designed to block access to risky IPs. Customers can take advantage of the following benefits:

• Backbone visibility: Leverage high-risk IPs sourced and curated from Lumen global network infrastructure and threat researchers
• Managed overhead: Fully managed by Lumen with automatic updates and no manual rule maintenance required
• Consumption-based pricing: Flexible pricing model that aligns with real-world usage
• Simplified management: Centralized firewall policy management through AWS Network Firewall, eliminating the need for multiple tools and interfaces

How it works: A practitioner’s guide

From a practitioner’s perspective, setup is simple:

• Network Firewall and Security teams subscribe to the Lumen Managed Rule group and attach it to their AWS Network Firewall policies.
• Lumen delivers curated threat feeds as Suricata-compatible rules via AWS Marketplace to customer firewalls.
• Lumen automatically updates threat feeds with zero infrastructure deployment for the customer.
• Lumen provides contextual metadata such as threat category and severity enabling security teams to triage and respond to incidents more effectively.
• All management occurs within AWS console, streamlining operations and reducing tool sprawl to enhance the organization’s overall security posture.

Black Lotus Labs threat intelligence: Unmatched network visibility

Black Lotus Labs is the Lumen Threat Research and Operations division—a multidisciplinary team of data scientists, reverse engineers, security engineers and threat analysts who specialize in detecting, tracking and disrupting digital threats worldwide. What sets Black Lotus Labs apart is their unmatched network visibility:

• Direct access to the Lumen internet backbone. Lumen operates one of the world’s most interconnected internet backbones—giving Black Lotus Labs visibility into a vast portion of global internet activity, including malicious traffic. Black Lotus Labs, the Lumen threat intelligence team, monitors this backbone, identifying suspicious infrastructure before attacks reach victims. This upstream vantage point enables early detection of threats—often before patient zero is infected.
• Tracking of 2.3 million unique threats across botnets, malware, C2 networks, criminal proxies, nation-state operation and 46,000 command-and-control (C2) servers. The research team can rapidly identify patterns of malicious behavior at internet scale using advanced detection and machine learning algorithms, which can validate IOCs with high fidelity before they can reach Lumen customers.
• Visibility into 99% of all public IPv4 addresses via transit traffic. This matters because it provides the most coverage across the address space than any other vendor.
• Execute over ~150 C2 disruptions per month through takedowns and notifications.

Example detections include:

• Raptor Train – Black Lotus Labs revealed the largest known Chinese state-sponsored botnet to date. Collaborated with U.S. law enforcement takedown.
• KV Botnet – Discovered novel threat infrastructure to deploy and control disruptive malware implanted in critical U.S. infrastructure.
• Qakbot -Scaled visibility into previously unknown infrastructure used by Qakbot to achieve unprecedented agility.

Explore blogs from Black Lotus Labs about our latest research on takedowns.

Why this matters: Transforming firewall network security for the modern enterprise

In today’s environment, adversaries leverage encrypted tunnels, proxy chains and compromised routers to evade detection. Lumen Defender Managed Rules address these invisible attack vectors, providing organizations with the upstream visibility and automated intelligence needed to protect their networks proactively.

Join the firewall revolution—shape the future of network defense with Lumen and AWS

Lumen invites you to join us in advancing threat intelligence-enabled firewalls. You can access our services on the AWS Marketplace or configure Lumen Defender Managed Rules in your available AWS NFWs.

 Learn more

^¹SentinelOne, Key Cyber Security Statistics for 2025, July 2025.

This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue. Services not available everywhere. Lumen may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2025 Lumen Technologies. All Rights Reserved.