Case Study: Nebraska Public Power District achieves 45–55% increase in systems meeting security thresholds and stronger phishing protection with Rapid7 (Nexpose & Metasploit)

Nebraska Public Power District Fights Phishing, Meets Compliance Requirements with Nexpose and Metasploit

Nebraska Public Power District (NPPD) is a vertically integrated, publicly owned utility serving 86 of 93 counties in Nebraska with about 4,000 assets across 19 sites. Facing strict regulatory requirements (NERC CIP, HIPAA, nuclear rules) and a rise in phishing and other targeted attacks, NPPD needed a scalable vulnerability-management and penetration-testing solution that could improve visibility, support compliance, and measure user and system risk.

NPPD implemented Rapid7 Nexpose Enterprise and Metasploit Pro to centralize scanning by asset type and location, run in-house phishing campaigns, prioritize remediation, and produce clear reporting for stakeholders. The program improved visibility into isolated assets, strengthened user awareness, and drove measurable remediation: systems meeting the security threshold rose from 25% to 70–80% (a 45–55% increase), helping NPPD meet compliance goals and improve overall security posture.

Nebraska Public Power District

Tim Pospisil

IT Security Supervisor