Phantom: Security automation and orchestration platform

The Phantom platform can integrate existing security technologies and provide a layer of “connective tissue” between otherwise disparate systems.


Phantom was recently recognized as a finalist in the RSA Conference Innovation Sandbox Contest. The competition is dedicated to encouraging out-of-the-box ideas and the exploration of new technologies that have the potential to transform the information security industry.

“Phantom is a force-multiplier for our security team,” said Jay Leek, CISO at Blackstone. “We saw it first from a customer’s perspective as an innovation that delivers productivity gains, enabling us to respond faster, do more with our existing resources, and get the most out of our security investments.”

The platform streamlines security operations through the execution of digital Playbooks to achieve in seconds what may normally take minutes or hours to accomplish with the dozens of point products used in typical enterprise security environments.

Focused on enhancing security operations, Phantom doesn’t replace existing security products, but instead makes a company’s investment in them smarter, faster and stronger. Through a logical architecture that abstracts product capabilities via the App model, simple actions can be automated from within Playbooks, allowing Phantom to act as an “operating system” for an organization’s numerous security products.

“Despite bundled offerings from reputable security vendors, organizations continue to select best of breed; and for good reason,” explained Phantom co-founder and CTO, Sourabh Satish. “Unfortunately this results in a dizzying number of point products that don’t work together and hinder security analysts’ ability to react to incidents. With Phantom we are making it easier for organizations to get the most out of their security investments by enabling existing resources to achieve their full potential.”

The platform empowers organizations to automate the triage of security elements such as alerts, incidents, threat intelligence, vulnerabilities, phishing emails and more. Customers can either push JSON-formatted data to the platform, or pull it from a number of externally supported SIEM or analytics tools. It currently provides integration with over 40 of the industry’s leading security solutions.

While not strictly open source, the platform is expandable by the user community. Apps allow users to create connectors to in-house or more obscure security technologies and abstract their APIs back to the platform. Phantom Apps are Python modules, allowing anyone in the community to expand the platform and contribute Apps to the Phantom App store. Similarly, the Playbooks are also written in Python and can be customized at will by the community.

RSA Conference 2016
