App Framework: Core SA&O Platform Capability

This article is a part of a series describing the essential criteria of a Security Automation and Orchestration platform.

The App Framework of a Security Automation and Orchestration (SA&O) platform provides the interface for new App integrations. These integrations connect the platform to any of the thousands of point security products available today. Most SA&O platforms provide some type of App Framework, yet there are several things to look for when evaluating them as part of a purchasing decision.

An Open Framework

An SA&O platform can lose its value over time without integrations for new market offerings. To ensure the extensibility of the platform with new app integrations, a platform should adopt an open framework that allows anyone to develop App integrations. Ensuring that technology partners and community users are able to develop App integrations helps to create a diverse pool of talent that contributes back to the platform. It also reduces an organization’s reliance on the SA&O vendor for additional development, future proofing the platform in the process.  Finally, an open framework permits users to write integrations for “home-grown” tools and capabilities that are not commercially available.     

Abstraction of Security Actions

Security technologies are easier to reference by a SA&O platform user (e.g. a playbook author) when the App that integrates the technology acts as an abstraction layer between the platform and the product or service’s API (Application Programming Interface).  When implemented correctly, users do not need to understand the details of the security technology API.  This frees a user to focus on the mission, not the syntax of a particular technology.  Abstraction also allows playbooks to be more portable across vendor technologies sharing similar actions, such as firewalls, reputation services, EDR (Endpoint Detection and Response) tools, and others.   Technologies can transition in and out of an organization’s ecosystem without negatively impacting automated playbooks.  This is often the case when sharing playbooks across community users or organizations.

App Development Velocity

Technologies should be quickly integrated into the platform without requiring any modification to the core platform. This is possibly the most important attribute of an SA&O platform.  Users and developers should not need to be subject matter experts on the inner-workings of the platform in order to write integrations.  A set of clean, simplified interfaces to the platform should be exposed and clearly documented through guides and sample code to assist in App development.  A single, industry standard language should also be used to simplify the development cycle and enable a wide variety of security professionals to develop Apps. These basic requirements help in streamlining the App development process by allowing the App developer to focus on the security actions they want to expose, and not platform design.


The Phantom team has incorporated these concepts into our platform, with very compelling results.   In the first year of operation, Phantom eclipsed the 100-App mark with significant contribution from the community.  To day, over 25% of Apps have been contributed by community users and technology partners, with even more Apps being used internally at organizations that are not publicly reported.  

Next Steps

To demonstrate the proof behind this methodology, we have invited a 3rd party community user to share their App development experience as well as tips and tricks on an upcoming Tech Session.  Be sure to register for our June 16 session to learn more.  


Other articles in this series can be found here.  You can also download the entire Phantom Buyer’s Guide here. Join the Phantom Community to access the free Community Edition.