Tailored Access Operations (TAO) is a cyber-intelligence-gathering unit of the U.S. National Security Agency (NSA), reportedly established around 1997 and headquartered at Fort Meade, Maryland. Around 2017 it was reorganized and renamed Computer Network Operations within the NSA's Directorate of Operations, following the agency's "NSA21" restructuring under Director Mike Rogers.
TAO's mission is computer network exploitation (CNE): penetrating foreign computer systems and telecommunications networks to collect signals intelligence, map adversary infrastructure, and prepare the battlespace for potential computer network attack. Public knowledge of TAO expanded dramatically after the 2013 Edward Snowden disclosures and the 2016–2017 leaks by a group calling itself the Shadow Brokers, which released a trove of NSA exploitation tools.
Reporting by Der Spiegel (December 2013), based on Snowden documents, described a TAO catalog known as ANT containing implants and hardware tools — including codenames such as COTTONMOUTH, DEITYBOUNCE, and FEEDTROUGH — designed to compromise firewalls, BIOS firmware, routers, and air-gapped systems. The Shadow Brokers leaks exposed exploits including EternalBlue, an SMB vulnerability later repurposed in the May 2017 WannaCry ransomware outbreak attributed to North Korea and the June 2017 NotPetya attack attributed to Russian military intelligence.
Within TAO, reporting has identified sub-groups such as Remote Operations Center (ROC), which conducts live intrusions, and Access Technologies Operations, which handles hardware interdiction — the practice of intercepting shipments of networking equipment to install implants before delivery to targets.
For IR and policy researchers, TAO is significant for three reasons: it illustrates the institutionalization of offensive cyber capability within a signals-intelligence agency; it raises vulnerabilities equities debates over whether governments should hoard or disclose software flaws; and the leakage of its tools has fueled arguments about proliferation risk in cyber arsenals, comparable in some analyses to the spread of conventional weapons.
Example
In 2017, the Shadow Brokers released TAO-developed exploits including EternalBlue, which was subsequently weaponized in the WannaCry ransomware attack affecting the UK's National Health Service.
Frequently asked questions
No. As part of the NSA21 reorganization completed around 2016–2017, TAO was folded into a broader Computer Network Operations element within the agency's Directorate of Operations, though its functions continue.
Keep learning