Announcing Phantom 2.0 – Early Access!

It’s been a very busy summer for Phantom, our users, and the community.  So far, we have announced the winners in the Phantom App & Playbook Contest, added more than 15 new Apps (thanks to many community contributions), and revamped our Community Portal.  Well, we’re adding to that list…   We are very pleased to announce the early access availability of Phantom 2.0!

The GA for our first Phantom release was in February of this year, and it is amazing how much the product has grown in such a short time.  This accelerated evolution of the product is credited to the great feedback from our customers, users, and the community.  A big thank you to all.

There are several new features to start using immediately.  The feature that represents the most drastic change is the BPMN-style Playbook Editor (60 second demo)

This new editor now allows users to create fully functional Phantom Playbooks with complex decision making logic represented with BPMN-style visual blocks without having to edit the underlying Python code.  Said another way, Python experience is not required to develop complex playbooks on the Phantom platform.

Below is an example of a playbook that incorporates action execution as well as decision logic, all built in a visual way without manual Python coding.  The playbook execution path is as follows:

  • (Action) Execute a Geolocate IP Investigative Action
  • (Conditional IF Block) Check if Country Code is Equal to North Korea
  • (Action) Execute a WHOIS Investigative Action
  • (Conditional IF Block) Check Latitude of Geolocation
  • (Action) Block IP on Firewall

Example: Specify Action Using Searchable Action Pane

v2 blog Specify Action Using Searchable Action Pane

Example: Populate the Parameters for the Action

v2 blog Populate the Parameters for the Action

Example: Build Conditional Logic

V2 blog Build Conditional Logic

Example: Insert Containment Action (Block IP)

v2 blog Insert Containment Action

While the above playbook is a simple example, it demonstrates the power of the new Playbook Editor through the use of conditional statements and the BPMN visual.  This capability completely changes how playbooks are developed, as well as who can develop, maintain, and enhance playbooks.

This is not the only enhancement to the platform, however.  Below is a summary of the other key features introduced in Phantom 2.0:

Delete Containers and Artifacts: The platform supports the ability to delete containers and artifacts from the UI. There is now a related user privilege ‘delete containers’ for the role.

JSON Widget view: In Mission Control, all widgets now support an option to view the full JSON view of the action results. This can be toggled from the widget’s top right “gear” menu, which also has the option to resize widgets.

DUO Two Factor Authentication: The platform now supports integration with DUO Two Factor Authentication, which can be enabled in the Administration / Authentication section.

New Automation APIs have been enabled that facilitate the new Playbook Editor auto-generated Python code.

REST APIs for ‘Custom Lists’ have been added so that custom lists can now be retrieved and their data can be updated via newly added REST endpoints.

Filtering Containers: The Container listing page now supports the ability to search and filter containers. This facilitates multi-selecting containers to be edited, deleted, or execute playbooks on.

We want everyone in our growing community to download this release, use it in your development or test environment, and let us know your feedback.  It is located in the usual place – in the ‘Product’ section of our portal.  You will see an Early Access release that is Phantom version 2.0.67.

As always, utilize the Slack channel as much as possible – everyone at Phantom is active on Slack and it’s a great place to get best practices from other users as well as collaborate on Playbooks.


Rob Truesdell
Director, Product Management

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: