Announcing Phantom, the “Connective Tissue” for the Security Industry

Today Phantom announces our first step towards a revolutionary new approach to security. Faced with a massive shortage in the number of security professionals, dozens of independent point products, a suffocating volume of security events, and rising costs, enterprises are simply at a loss as to what to do next.

One challenge comes down to basic agility. Despite bundled offerings from some of the largest security vendors, many organizations still prefer to buy best of breed – and for good reason. This results in an army of individual products with no interconnectivity or ability to function as a single unified defense platform. More importantly, it leads to massive inefficiencies that are being compensated for by throwing even more people at the problem (people that don’t exist).

We need to marshal the full power of our security investment in order to match our adversaries. They’re using automation against us, so why aren’t we using automation to respond?

What is Phantom?

Phantom is an automation and orchestration platform, purpose built from the ground up to marshal the full power of your existing security products. Phantom was built to augment and supercharge your existing operations team by “connecting” things together.

Why now?

The notion of building a unified security architecture certainly isn’t new. In some respects it has been the elusive holy grail of security. Every company that I have worked at has attempted it (McAfee, Symantec, Cisco).  We started down this path over 16 ½ years ago at McAfee when we built the CyberCop products. For some nostalgia, our friend Stuart McClure (now Founder and CEO of next generation endpoint provider Cylance and part of the Blackstone family) covered our first attempt in Network Computing way back then.

Fast forward to today, and this problem has STILL not been solved. So what makes us think that it can be done now?

To start, the world is a very different place today. In the nineties enterprises had relatively few security products. At a basic level they had antivirus and a firewall. If they were progressive they had a vulnerability scanner and perhaps an IDS. But that was about it. Today a typical large enterprise has dozens of point products, some numbering in the high double digits. Each has a different console that somebody somewhere needs to manage and understand. How can you possibly expect to defend yourself with such a fragmented ecosystem?

Secondly, I strongly believe that a large existing security vendor cannot solve this problem. This problem has many similarities to the SIEM space. It needs to be an industry-wide, vendor-agnostic effort. Much like SIEMs, we need to build hundreds of connectors to point products that need to be interfaced with – but unlike SIEMs, which connect to the alerting or northbound interface of these products, we need to connect to the management or southbound interface in order to expose the products core capabilities. This really hasn’t been attempted before outside of vendor-centric approaches.

Lastly, we’ve now thrown the ball sufficiently down the field where the weakest link in our cycle is a human and process-oriented one. We’ve built point products, we’ve built analytics layers, and now we have hordes of analysts looking at an ever-increasing number of events, making decisions and acting on them at human speed. Needless to say, we’re failing to keep up (I won’t pontificate on all of the breaches that have occurred as a result of alert fatigue).

This is where Phantom comes in. We see this as the “LAST MILE” of the security problem.  Our mission is to automate decision making and acting.

Decision Making and Acting


Over the past year I’ve had well over 100 conversations on this problem and our ambitious mission, ranging from Fortune 500 CISOs, to federal agencies and a range of executives from all of the top security vendors. It was always interesting to hear the reaction from someone hearing about us for the first time. There was universal agreement that this is where the industry needed to head, but there were also two very compelling responses that stood out as people attempted to describe what we were building:

“Connective tissue”, in that we were building a layer of connective tissue for the security industry.

“Operating system”, in that Phantom was abstracting out the capabilities of all of my point products, and acting as an operating system to drive them.

The “operating system” analogy really drives home what Phantom is. We built Phantom to be highly programmable.  Phantom can execute any supported action that an individual point product may support. At its core, Phantom is abstracting out all of the disparate APIs across your security environment and allowing you to execute Playbooks that leverage them.

Our Product page explains how this architecture works.

One of the powerful aspects of Phantom is its openness. While not strictly open source, we’ve made every effort to make the platform expandable. Phantom Apps allow you to create connectors to in house or more obscure security technologies and expose their APIs back to the platform. Phantom Apps are Python modules, allowing anyone to expand the platform and contribute Apps to the Phantom App store.

Similarly Phantom Playbooks are also written in Python. Phantom uses an embedded Python interpreter in order to execute Playbooks, acting as an execution engine or “kernel”. Playbooks are synchronized via Git and we’ve published quite a few sample Playbooks on our public github repository.

The below use case demonstrates how a single Playbook can execute both investigative and containment activities across an organization’s existing security technologies. In this example, Phantom interacts with the virtualization layer, forensic tools, reputation services, a sandbox, endpoint technology, directory services, and more:

Investigate and Contain

As this use case demonstrates, there are a lot of moving parts and every environment is a snowflake – with a completely unique product mix, reinforcing the need for a truly dynamic platform.

Phantom Community Edition

Finally, as part of today’s announcement, we are releasing an Early Experience version of the Phantom Community Edition.  This release allows you to learn more and begin to automate operations as we hit the final stretch of development before General Availability later this year.  The Phantom Community Edition allows you to exercise the full capabilities of Phantom, but limits the number of actions that can be run on a daily basis.  You can synchronize your Phantom deployment with the Community Playbooks that we continue to enhance and update.

Qualified organizations can register for Phantom Community Edition on our Product page.  By registering you can download the platform and get access to documentation, instructional videos, our knowledge base and new App downloads.

Thanks and watch this space for new updates and announcements about Phantom!

Oliver Friedrichs
Founder and CEO
Phantom Cyber

2 thoughts on “Announcing Phantom, the “Connective Tissue” for the Security Industry

Comments are closed.