Mission Control: Mission Guidance Playbook and Action Recommendations

This article is a part of a series describing key features of the Phantom Security Automation and Orchestration platform.

In this installment of the series, we will cover a new capability of the platform called Phantom Mission Guidance™. Mission Guidance uses reinforcement learning to make playbook and action recommendations to an analyst while processing a security event. This capability shortens event resolution times by streamlining the process of determining how to best process an event.

Mission Guidance provides playbook and security action recommendations based on statistical ordering. This feature assists with a common analyst question, “Given a particular event assigned to me, what can I really do?” Mission Guidance helps to navigate the analyst through that decision-making process. Prior to the Phantom 3.0 release, understanding what needed to be accomplished when processing an event was an exploratory exercise. Indicators of Compromise (IOCs) had to be explored in order to discover what available playbook and/or security action choices were available. Mission Guidance eliminates this “Fog of War” state within the context of a security event.

Providing guidance to the analyst has other, longer-term benefits as well: it can also serve as a tool to educate an analyst. For the new analyst, Mission Guidance serves as an educational tool by guiding the analyst through the playbooks and discrete security actions they need to execute to effectively triage, investigate, and respond to an event. For the experienced analyst, Mission Guidance serves as confirmation of the playbooks or actions that should be used.

Mission Guidance is located in a tab adjacent to the Activity Pane.


The tool breaks recommendations into two sections: playbooks and actions. The ordering of the recommendations starts with the most recommended items sorted to the top of the list. Another great thing about Mission Guidance is that it is interactive—recommended playbooks and actions can be launched directly from the Mission Guidance view. This eliminates unnecessary context switches, further streamlining and improving the analyst experience.


As playbooks and security actions are executed, there is an indicator that shows what has been executed and what remains to be executed.


Mission Guidance recommendations self-tune and adjust over time as the platform is used. As more data is associated with playbooks and actions, the Phantom Platform adapts to the local Security Operations Center (SOC) environment and its analysts. Looking forward, we plan to continue to add new recommendation functionality into the platform. Stay tuned for more information on enhancements in this exciting area of the platform!

If you haven’t experienced the Phantom Platform yet, we invite you to join the Phantom Community to gain access to the free the free Community Edition.

Other articles in this series can be found here.