January 12, 2026
By Deric Bumbaugh, DISA J-3/5/7 Operations, Plans and Readiness
The Defense Information Systems Agency’s cyber defenders monitor, analyze and report suspicious or overtly malicious events at the agency’s enterprise boundaries and on behalf of aligned cybersecurity service provider strategic partner environments. At the heart of this effort are real-time analysts.
Working 24/7, 365 days a year, from four primary monitoring centers – DISA Global, Europe, Pacific and the Pentagon Security Operations Center – these analysts, known as RTAs, secure strategic partners’ networks, endpoints and DISA’s enterprise boundaries.
RTAs review and investigate logs and intrusion alerts from security tools to monitor for anomalous or suspicious activity indicating potential malicious intent. Supplementing this effort, RTAs support the proactive defense of strategic partners’ cyber terrain by contributing to incident and situational awareness reports and disseminating warnings.
Working behind the scenes
RTAs work behind the scenes to secure strategic partners’ cyber terrain. They strengthen cyber defense in an ever-evolving threat landscape by alerting peer CSSPs about incidents and providing key inputs to intelligence-driven Cyber Fusion and Deliberate Defense – formerly Enterprise Hunt – teams. They monitor threats via URLs or intelligence sources and can see them as they happen on the Department of Defense Information Network.
“For strategic partners, it’s like additional police officers monitoring the perimeter,” said Matthew Schell, a DISA Global cybersecurity analyst.
Proactive defense and fine-tuning detections
RTAs bolster cyber defense across DODIN in ways that may seem intangible but pay long-term dividends to deter threats. RTA teams help develop and fine-tune rules to enhance the detection of advanced persistent threats and reduce the number of false-positive alerts.
They leverage AI/ML tools and work on user and behavior analytics, said Adam Juhlke, a DISA Global cybersecurity analyst. He said RTAs train models to determine a typical baseline so the models can spot anomalies in cyber activity and deliver an alert.
Endguard: A dramatic evolution in CSSP capability
DISA CSSP’s Endguard solution extends the RTAs’ reach into strategic partners’ cyber terrain through the Extended Detection and Response, or XDR, portal.
“Since adding XDR to our analysis workflow, it has definitely given us better visibility into what the host machines are doing,” Schell said. “Before, we had to look at logs and didn’t have a lot of insight about the file or other commands being run on the machine.”
Now, analysts can see a host’s timeline and obtain a hash of the file triggering the alert, making it easier to determine if it’s malicious.
Schell noted that Endguard turns each endpoint into a sensor. When the team searches for a particular malicious file, they can see how many other machines that file is on, which helps determine the scope and scale of potential incidents.

A foundational effort
RTAs monitor the alert grid, perform triage and investigate alert events. They work day and night to give other teams the foundational information to determine potential mitigations and responses. Beyond visible deliverables, RTAs ensure the security of the DODIN cyber terrain, giving strategic partners superior service and peace of mind.

