Will automation take away all our jobs?

It’s a theme that seems common in TED Talks lately, and one we’ve even covered before on the blog, though this particular talk sheds light on an angle which I hadn’t considered before watching David’s talk.

“The number of bank tellers has DOUBLED since the ATM was invented.”


It seems so counterintuitive, until you consider how bank tellers have evolved their role to include other services, ultimately becoming more valuable to their employers and teammates along the way.

The same lesson applies to the Security Operations Center.  Automation helps to augment SOC teams, enabling them to keep pace with the volume and velocity of security events they are not able to process otherwise.

Automation allows teams to reduce the clerical workload, focusing more time on the actual analysis of complex security events that require human decision making, versus the mundane, routine events that are ripe for automation.  This aids in employee development since analysts get the opportunity to build new skills, and helps with retention as employees are less likely to leave a job due to monotony or boredom.

Besides the obvious efficiency and accuracy gains, employers also see personnel-related improvements resulting from automation.  Though it rarely means a reduction in force, it can slow the rate of growth required to staff the SOC at full capacity.  Most companies are pleased to see this effect as more care can be given to employee recruiting and development at a measured pace.

Finally, similarly to how bank tellers have evolved their craft, security automation leads to completely new jobs like the Tier 4 SOC Engineer or even Automation Engineers responsible for overseeing the Security Automation & Orchestration platform.

Interested in seeing how Phantom can help your organization keep pace or enable you to develop new skills?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see the platform in action.

CP Morey
VP, Products & Marketing

Phantom Announces $13.5 Million Series B Financing Led by Kleiner Perkins

Friends and Phantom Community Members –

It’s been over a year since we launched Phantom, and it’s amazing to see how it has grown.  Phantom is now trusted by the world’s largest commercial enterprises and government agencies.  While that is a big responsibility, our mission and community focus haven’t changed, and thousands of you now use or have explored our Community Edition platform.

Today I’m pleased to share the news on our $13.5M Series B investment led by Ted Schlein of Kleiner Perkins.  The full release is included below and on Business Wire.  This investment allows us to accelerate our mission and continue to make all of you Smarter, Faster, and Stronger through automation!

Join me on a webinar this Friday to learn more about our mission & strategy

With 2016 as a benchmark, the bar is set high for 2017.  We’re excited to lead the industry with the first  open, extensible, and community powered Security Automation & Orchestration platform – the heart of your next-generation SOC.

I’d like to share just a few of the accomplishments that made us proud in 2016:

Q1 2016

  • Launched the 1st version of Phantom.
  • Named most innovative company at RSA Conference 2016.
  • Published first research showing that companies routinely ignore over 75% of security alerts.

Q2 2016

  • Announced In-Q-Tel Strategic Funding Agreement.
  • Awarded $10,000 in prizes to the community in the Phantom Playbook & App Challenge.
  • Launched Phantom Community site which boasts more than 100 Apps – the most in the industry.

Q3 2016

  • Announced industry icon and former CEO of RSA, Art Coviello, as Phantom’s newest advisor.
  • Recognition by SINET16, CRN’s 10 Coolest Startups and Dark Reading’s Best of Black Hat.
  • Delivered first Coding for Security Pros course at Black Hat, awarded $2,500 for best Playbook.

Q4 2016

  • Launched Phantom 2.0 fueled by your feedback with more than 500 enhancements including a new Playbook Editor, Mission Control, and Onboarding experience.
  • Announced strategic relationship with Booz Allen Hamilton.
  • Won GSN Magazine Top Security Orchestration Solution.
  • Crossed the 100 App milestone, supporting over 100 distinct security technology integrations.

Add to that hosting twenty-three Tech Sessions, sponsoring dozens of industry events, and nearly 100 blog posts.  We couldn’t have accomplished so much without your support.  Our commitment is equally strong through investments like our free Community Edition platform and access to the growing library of Phantom Playbooks and Apps.

Thanks for your continued interest and support!

Oliver

Phantom Announces $13.5 Million Series B Financing Led by Kleiner Perkins

Investment Fuels Continued Growth for the First Community-Powered Security Automation & Orchestration Platform

Palo Alto, Calif. — January 10, 2017 07:30 AM Eastern Time — Phantom, the first company to provide a community-powered security automation and orchestration platform, announced it has raised $13.5 million in Series B funding to accelerate growth in sales, marketing, and engineering. The latest round brings Phantom’s total funding to more than $23 million and is led by Kleiner Perkins. Existing investors TechOperators Venture Capital, Blackstone (NYSE: BX), Foundation Capital, In-Q-Tel, Rein Capital, Zach Nelson, and John W. Thompson also participated in the round.

“Security teams are suffocating from the growing volume and velocity of security alerts,” said Ted Schlein, general partner, Kleiner Perkins. “Lack of integration between point products and a shortage of skilled security professionals only exacerbates the problem and makes it all but impossible to respond. Most enterprises are looking at security automation and orchestration to address these challenges.  Phantom’s open and extensible platform is the clear leader in this emerging market.”

“We are extremely excited to partner with Kleiner Perkins,” said Oliver Friedrichs, Founder & CEO of Phantom. “Ted Schlein has been a force of nature in the security industry and has helped to build great companies such as Mandiant, ArcSight, Internet Security Systems, Lifelock, Carbon Black and Fortify.”

Join Phantom Founder & CEO, Oliver Friedrichs, to Learn More About Our Vision & Strategy

The Phantom platform automates and orchestrates security operations enabling analysts to achieve in seconds what may normally take hours or days to accomplish manually. Phantom Apps drive this by acting as the connective tissue to integrate the dozens of discrete point products that enterprises have deployed to secure their environment.

Phantom recently reached an important milestone in surpassing 100 Apps, or distinct product integrations, supporting almost every category of security technology: reputation services, endpoint technologies, sandboxes, firewalls, and common mobile, virtual and cloud-based security solutions.  With the largest number of apps in the industry, Phantom customers can automate nearly any security use case including investigation, hunting, enrichment, containment, resilient regeneration, patch & vulnerability management, and more.

Join the Phantom Community to Learn More About Security Automation & Orchestration

Phantom’s community-powered approach was critical to reaching this milestone as it enables apps to be developed or extended by anyone and shared with other users; more than 25% of Phantom Apps now come from partners, customers, and the community at large.

“By providing an open platform we’ve given people building blocks to automate an almost infinite number of security use cases,” said Friedrichs.  “We’re seeing creative Apps that connect services and technologies we had never considered. Engineers in the world’s largest commercial enterprises and government agencies use our platform and extend it to solve some very complex problems.”

Phantom Apps are available for a wide range of industry-leading security technologies from partners including Cisco, McAfee, Palo Alto Networks, RSA Security, Symantec, Splunk, HPE, IBM and many others.  In cases where a Phantom App is not yet available, the community-powered approach supports rapid development and sharing.

About Phantom

Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security skills gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one open, integrated, and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: http://www.phantom.us and follow us @TryPhantom.

About Kleiner Perkins Caufield & Byers

Kleiner Perkins Caufield & Byers (KPCB) partners with the brightest entrepreneurs to turn disruptive ideas into world-changing businesses. The firm has helped build and accelerate growth at pioneering companies like Alphabet, Amazon, Flexus Biosciences, Nest, Slack, Snap Inc., and Uber.  KPCB offers entrepreneurs years of operating experience, puts them at the center of an influential network, and accelerates their companies from success to significance. For more information, visit http://www.kpcb.com and follow us @kpcb.

Security Automation – A Free Puppy?

I joined Phantom just before the holiday, and I’ll be working with our clients in the Southeastern US.  The end of year season offers a rare luxury of time when joining a new company to reflect on the big picture as much as the details.

I had one of those “big picture” moments over the holiday when I saw a sign for “Free Puppies”.  Our twin 6-year-old boys wanted a new puppy for Christmas. I told them that puppies are expensive and require lots of care & feeding. Their response, “Dad, seriously who wouldn’t want a free puppy from Santa?”

If you’ve had a free puppy, you already know the answer. There are acquisition costs like trips to the vet for check-ups & medications, ongoing maintenance costs like food, training, & equipment, plus the unexpected costs of damage to the furniture or worse, your house.  Free is never what it seems.

So how does this relate to security automation?

I’ve been in the security industry for several years.  As a new category like security automation becomes popular, everyone rushes to show how they address it.  Many will claim they’ve been doing automation for years, and that it is even available in their existing product.  Unfortunately, this is where software can seem like a free puppy costing much more in the long run after considering what is required to deploy and manage it.

Though enterprise software is never simple, in getting to know Phantom, I’ve noticed how care has been given to reduce the friction in deploying and using a security automation platform.  Our onboarding assistant helps configure system settings, connect to a data source, and activate your first few Playbooks to quickly show Phantom in action (watch a short video on Phantom’s onboarding).  Once deployed, our visual IDE makes it easy to edit existing Playbooks or create new ones – even if you can’t write code (watch a short video on Phantom’s Playbook editor).

Though Phantom is by no means a free puppy, choosing a purpose-built platform for security automation brings a number of benefits related to implementation and ongoing use.  Ultimately this translates to faster time to value and lower overall cost.  While free puppies from Santa are great, I’d rather see a clear and quick Return on Investment when deploying new enterprise software.  If you’ve ever had a free puppy, I’ll bet you feel the same way.

Sandy Dlugozima
Southeast Sales Manager

Top 3 Phantom Playbooks for 2016

The Playbook Series on our blog remains one of our most popular content features.  With dozens of posts in the series, we thought it would be interesting to showcase three of the most popular Phantom Playbooks from the year.

First up is the Ransomware Playbook.  Phantom can ingest either a suspicious file or file hash from your current security infrastructure to trigger the Ransomware Playbook, automating key investigation and containment steps:


Next on the list of the most popular Phantom Playbooks for 2016 addresses Phishing.  Phantom can ingest a suspicious email from your investigation queue (commonly an email mailbox on your mail server) and trigger the Phishing Playbook to automate 15 triage, investigation, and remediation steps:


Last on the list is a Phantom Playbook that can automatically gather threat intelligence for you and enrich inbound security events. With the added context on hand you can reduce redundant steps in your investigations, achieve faster decision making, and improve your overall productivity:


The new Playbook Editor in Phantom 2.0 made a significant leap forward in our mission to be the industry’s first, open, extensible, and community powered Security Automation & Orchestration platform – a technology that is core to building the next-generation SOC.  Watch this video to see how easy it is to build and customize Phantom Playbooks.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

CP Morey
VP, Products & Marketing

Did you know that Phantom Playbooks are Python based? The Phantom platform interprets Playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about the Phantom platform and Playbooks here.

App Envy? You decide…

Though Phantom only went GA earlier in 2016, we’ve been working on the technology for nearly 3 years.  This investment in our architecture has produced meaningful differences – some of which we’ve covered in past blog posts.

One element that is foundational to our architecture is the Phantom App.  Apps extend the capabilities of the platform by supporting integration to all of the 3rd party security products that our users want to automate and orchestrate.

Phantom has over 75 Apps, allowing the platform to automate common reputation services, endpoint technologies, sandboxes, firewalls, and common mobile, virtual and cloud based security products.

Apps are closely related to another foundational element in our architecture – actions.  Simply put, actions are what you automate – retrieving data for investigative purposes or changing policy on a security device for example.  The Phantom platform supports more than 150 actions.

Here’s an example to illustrate both elements:


HackerTarget is a Phantom App that supports 12 actions including tracerouting an IP, executing a whois lookup, and several others.  You can see all Phantom Apps and their associated actions at my.phantom.us.

In a race to compete in this emerging market, some vendors have adopted a taxonomy that inflates their App count.  For example, what Phantom would call a single Active Directory App with two actions, is instead represented as two separate Apps:

  • Active Directory Authenticate App
  • Active Directory Query App

It’s misleading, but fortunately also rather transparent.  If you are evaluating Security Automation & Orchestration platforms, simply looking at the list of supported apps would reveal the attempt to inflate the count – more Apps equate to a better platform, unless they aren’t really Apps.

What is certainly related and also important to consider is how Apps are developed for a Security Automation & Orchestration platform.  Our community-powered approach means core elements like Apps can be developed by anyone and shared within the community.  Users have the option of using community developed Apps entirely or as a starting point for developing their own.  Communication and collaboration are encouraged as a way for users to address challenges, share information, and showcase their skills.

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see it in action.

CP Morey
VP, Products & Marketing

Paul Davis Joins Phantom as VP of Delivery

I have had the honor of working with first-rate security operations teams around the world.  Whether I was in the CISO role at one of the top 5 companies in the Fortune 500, running Security Operations Centers in the frenetic world of financial exchanges, or responding to threats against the critical infrastructure industry, there are a number of challenges that have been universal:

  • There is never enough time
  • It is tough to deliver security consistently and effectively
  • Repeatable processes are elusive
  • Shutting down a threat or attack takes longer than it should

Lack of time and resources as well as having a “target on one’s back” are challenges that every IT security professional faces.  As they say, “you’re only as good as your last security event response.”  Just ask the CISOs who have lost their jobs to security lapses.

Paul brings more than 20 years of experience working with security operations teams and solving security challenges at some of the largest organizations in the world.

So what is needed to overcome these challenges?

Consistency – it takes time

It’s sad, but true.  Despite the glamorous portrayal of hackers and security response teams in the movies, a monotonous but important reality is that security teams need to document what they do.  We need to track it, we need to be coordinated, and we need to be agile.  We are forced to do it with increased pressure from the growing number of threats impacting our organizations.  Our work needs to be standardized and repeated every day, without a drop in service quality.

I’ve built a number of security programs.  One concept that has always served me well is the playbook.  In all situations, whether the security team was small or large, there has been a need for consistency, for common nomenclature, standard deliverables, and predictable paths.  At the very least, this approach ensures that the shift handover will be smooth.  Geographically dispersed groups are going to be able to respond more effectively, and the public face of the IT security team will look professional and reliable.

The benefits are worth it.  A consistent approach drives team pride, fast action (e.g. like building a SOC with full 24×7 operations in 2 months), and metrics that demonstrate the value of the security team.


To ensure consistency from the start, I’ve used playbooks with graphical diagrams supplemented by an arduous manual documenting each and every step of the process.  When the inevitable happens, the team could use a well documented playbook to ensure that we were following a consistent process.

Still, there was something that always bothered me.  Lack of automation.  I call it a “click-fest”.  Cut and paste this information into another application, or even worse, re-type the information.  I challenge anybody to get excited about entering a SHA256 manually.  This “click-fest” was often repeated multiple times a day.  Human error, boredom, and even missed security events occurred.  When I lead a security team, I want to exercise their critical thinking, challenge them to use their instincts and IT security chops versus treating them like a group of unskilled data entry dupes.

So what has changed?

The industry has evolved.  Products have APIs that allow you to extract information and enable response.  Though you need something to bring the data together and go beyond a prioritized list of events to review – invoking once again the cursed “click-fest”.

After two decades in the security industry, I started working with some of the most forward thinking security institutions, building threat intelligence platform architectures.  These architectures were designed to consume data in the form of events and threat intelligence, and then validate if the event reached a risk threshold.  These systems were being built in-house and they required a lot of maintenance.  This changed some of the members of the team from being security analysts to developers.  It’s not ideal, but you need people who not only understand how to build robust solutions, but also understand the mission and parameters that affect a security operations team, or a threat intelligence team, or an incident response team.

Are you in security or system integration?

The systems were built. They weren’t ‘pretty’, but they worked.  It wasn’t a system which allowed people to easily codify their processes into playbooks.  It required systems integration.  I remember meeting a CISO in Australia, and he asked if I could help him get out of the system integration business since most of his security engineers were focused on integration instead of optimizing security response.

But I want efficiencies, I want automation

When I started to design those threat intelligence platforms, many customers wanted complete automation.  I had to explain to them that you could only expect to automate a portion of the operations – maybe 60% of the threats.  I had to explain that their security response needed to leverage all of the organization’s infrastructure.  There is a cost associated with implementing security controls.  The closer the threat gets to the processor, the higher the cost.  If I can block an attack at the network level, then I’m not going to affect the performance of that critical database.  I talked about an agile response model with “micro rules” that could be applied according to whether you were monitoring for a threat IOC inside the infrastructure versus responding to an active threat inside their environment.


A system is needed that provides automation to enable speedy, standardized, and effective response. This same system also needs to support the triage process of investigating an event, bringing all relevant information to the analyst from multiple sources, enabling them to determine the level of risk and to perform deeper analysis of the situation.  It should also enable active response across multiple solutions.

The Answer

Phantom has built what security operations teams and incident responders need.  A platform that empowers security teams to integrate and develop standardized process and procedures.  All the concepts that I’ve dreamed of and spoken about during the past few years are realized in a product that enables integration, automation, and efficiency in a security operations environment. It supports an agile model that can leverage the power of automation and the human brain.

Phantom provides automation, consistently.  A powerful platform to ensure that SOC and IR teams are focusing on the interesting aspects of investigation and response, leveraging their skills and passion for security.  Phantom is the solution that can proactively gather all the information that analysts need to assess risk, and execute an effective response, at scale.

I’m really excited to be joining Phantom, since it is the realization of the dreams I had as a security professional.  I look forward to helping our customers, our partners, and the IT security community find success. I look forward to working with a great skilled team to build relationships that will help advance the capabilities of the IT security industry, from vendors to the people protecting organizations on the electronic frontline.

Paul Davis
VP of Delivery

Paul is a seasoned IT Security Executive with a global reputation for building organizations and delivering services.  He has more than 20 years of experience working with security operations teams and solving security challenges at top companies including EDS, General Motors, GE, Cisco, Dow Chemical, The Washington Post, The United Nations, MCI, Prudential, and Mitsui.

Prior to joining Phantom, Paul held a number of senior leadership roles including EDS’ Chief Information Security Officer at General Motors, Chief Security Officer at Dow Chemical, and Director of Security Operations for a major financial exchange.  Paul earned a CISSP certification, and is a member of ISSA, IACs, and the MIT Enterprise Forum of Cambridge.

Are You Bringing a Knife to a Gun Fight?

Though one might question if their origins were for good or evil, botnets have been used for both causes for years.  For bad actors, botnets represent a cheap and powerful form of automation.  With bots dispersed across a vast network of infected computers and controlled by a Command and Control (C2) server, automation directs the next action from the queue.

Malicious botnets are used for multiple purposes: distributing malware, stealing passwords, propagating spam, and launching DDoS attacks.  The benefits are hard to ignore–botnets are a low cost, fast acting way to complete the mission.  But why should automation be a tool used only by the bad guys?

With automation becoming increasingly popular in the SOC, it’s easy to wonder why it has taken so long for the good guys to stop showing up to the gun fight with a knife.  Some would say that we’ve been forced to “carry.”

One driver for SOC automation is that our security deployments have gotten more complex.  Twenty years ago, companies had just a few security products to manage – perhaps a firewall and anti-virus.  Today, most are juggling dozens or more.  I was recently at a CISO event where my informal poll of the crowd showed many enterprises are working with 25 – 30 different security vendors.  Industry research suggests the number may even be higher.  With more to manage, automation is an easy choice – and perhaps the only logical choice.

So where do you start?


We’ve developed a maturity continuum for automation and orchestration to help answer this question.  As with other continuums, it’s a useful way to benchmark your progress in adopting this new technology as well as developing a strategic vision for the future.  Download a copy of our whitepaper to explore the continuum in depth.

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

CP Morey
VP, Products & Marketing