>>2604833 (LB) on XKeyscore
The important 'reveal' of the XKeyscore leak that I saw, contemporaneously when I looked at the conflicting versions published by the Guardian and WaPo/C_A was that it was a system that used HTTP Headers identical to the commercial product 'Blue Coat'.
Maybe they didn't just use the headers, but employed the actual Blue Coat product. Q's comment that there are now 'z terminals' which are 'XKeyscore on steriods' suggests modern capabilities, not some old COTS tech from the Aughties. Probably, packet/session reconstruction and 'graph analysis' are much more sophisticated (there are hints of this in the GCHQ drops at the Intercept – unreliable sauce I know, and maybe limited hangout).
The suspicious would be that the NSA cloned the communications of an entire company and used a COTS product for doing 'Deep Packet Inspection' and filtering.
Basically, Pakistan was demonstrated to have the same kind of firewall that a modern financial institution would use for security purposes. It's a guess this exists for all nations, including the Homeland.