ButanGas, a key player in the Italian energy sector, strengthens its cybersecurity posture with CrowdSec’s real-time threat intelligence and Platinum Blocklists, ensuring safe and uninterrupted liquified petroleum gas (LPG) distribution across the country.
ButanGas operates in the energy sector, specializing in liquified petroleum gas (LPG) storage and distribution. Its main mission is to guarantee a safe, reliable, and continuous supply throughout Italy. As part of the Dragan Group, a multinational energy organization active in seven countries, ButanGas maintains a strong national presence with more than 20 offices and 9 LPG storage and bottling depots.
Behind these operations lies a complex and extended digital infrastructure. Supporting over 700 users across multiple countries, ButanGas manages IT and cybersecurity centrally for Italy and additional legal entities abroad. They require consistent protection, centralized visibility, and scalable security controls across geographies.
At the helm of this strategy is the organization’s CIO and CISO, Riccardo Morandotti. He is responsible for IT strategy, cybersecurity governance, risk management, and digital transformation initiatives across the company.
The challenge: Too much noise, not enough insight
Like many companies in the energy sector, ButanGas faced a constant stream of malicious activity targeting its network perimeter.
Hundreds of suspicious connections were hitting their firewalls every day, generating significant noise but little actionable intelligence. While Sophos firewalls were already in place, the team lacked clear visibility into what was actually happening within their logs.
They needed more than just protection; they needed clarity. The volume of alerts made it difficult to distinguish meaningful threats from background noise, and the lack of enriched data limited their ability to take informed action. At the same time, ButanGas had a clear strategic priority: adopting European cybersecurity solutions without compromising on the quality of threat intelligence.
Why CrowdSec: European roots, global intelligence
After evaluating several threat intelligence providers, Riccardo identified CrowdSec as the right fit. He explains, “What stood out was that CrowdSec is a European-based company, which aligned perfectly with our strategic goal of using European security tools whenever possible. At the same time, CrowdSec collects data globally and provides insights that few other vendors can match.”
Equally important was the ease of deployment. Within just one hour, CrowdSec was integrated into their existing environment, and results followed almost immediately. From day one, hundreds of malicious connections were blocked daily, with a threefold increase in detected suspicious traffic. At the same time, false positives remained extremely low, below 1%, ensuring legitimate traffic was never disrupted.
CrowdSec is simple to deploy, operate, and integrate, letting our team focus on response rather than tool management. Its reliable threat intelligence and accurate detections give us high‑confidence security decisions with minimal noise, making it a truly dependable part of our security architecture.
– Riccardo Morandotti, CIO and CISO of ButanGas
A smarter, more proactive firewall
ButanGas initially deployed CrowdSec on its most critical firewall, with plans to extend coverage to ten more. Even this first step delivered a significant impact.
All malicious traffic is now blocked before reaching the network, drastically reducing exposure. Firewall logs have also become far more readable and actionable, with a clear distinction between legitimate and malicious traffic, eliminating the confusion that previously slowed down analysis.
The real transformation, however, goes beyond inbound protection.
Through the integration between CrowdSec, Sophos Firewall, and their MDR service, ButanGas now benefits from proactive outbound control as well. Internal endpoints are prevented from establishing connections with known malicious IPs, and any suspicious outbound attempt is immediately blocked. In more critical cases, compromised machines can be automatically isolated, helping contain threats before they spread or escalate.
This capability has proven essential in limiting lateral movement and preventing potential data exfiltration, turning the firewall into an active enforcement point rather than a passive filter.
From blocking threats to understanding them
While automated blocking significantly improved their security posture, the most meaningful shift came from enhanced visibility.
With CrowdSec’s IP enrichment capabilities, ButanGas now gains contextual intelligence on every threat, ranging from geographic origin to behavior patterns and risk scoring. This allows their team to understand not just that an IP is malicious, but why.
For a European organization, this is particularly valuable. They benefit from strong visibility into threats impacting European countries, while still leveraging globally collected intelligence to stay ahead of emerging risks.
Building a scalable security model
With CrowdSec in place, ButanGas has transformed its firewall into a proactive, intelligence-driven security layer.
Malicious traffic is stopped before it becomes a risk, visibility has improved dramatically, and the operational burden on the IT team has been reduced. All of this has been achieved without disrupting legitimate business activity.
As deployments grow across more firewalls, ButanGas is creating a scalable, unified security model. It protects a complex, multinational infrastructure while supporting the company’s mission to deliver safe, reliable energy.
