Automate Security Operations

With Phantom

Phantom is a security automation and orchestration platform that integrates with your existing security technologies in order to provide a layer of “connective tissue” between them.

Phantom streamlines security operations through the execution of digital “Playbooks” to achieve in seconds what may normally take minutes or hours to accomplish with the dozens of point products that you use every day.

Phantom doesn’t replace existing security products, but instead makes your investment in them smarter, faster and stronger.

Phantom accomplishes this through a logical architecture that abstracts product capabilities, through the Phantom App model, into simple Actions that can be automated from within Playbooks. This allows Phantom to act as an "operating system" for your security products.


Augment your security operations team with a consolidated platform


Supercharge, integrate and coordinate your existing security investments


Achieve in seconds what may normally take minutes or hours through digital “Playbooks”


Choose the level of automation that suits you, from supervised to fully unsupervised


Improve continuity, oversight, and drive predictable security response outcomes

Phantom Operates On

Data Sources

You can use Phantom to automate on arbitrary security data such as incidents, threat indicators, vulnerabilities, emails, and more.

Phantom consumes and operates on JSON internally making it extremely flexible and giving you full access to the contents of your security data for the purposes of automated decision‑making.

You can either push your data to Phantom, or pull it from a number of externally supported SIEM or analytics tools.

Phantom Executes


Playbooks are the codification of your security operations (SecOps) plan. In practice they’re high-level Python scripts that Phantom interprets in order to execute your mission WHEN you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute those actions, ensuring a repeatable and auditable process around your security operations.

Playbooks execute Actions on devices and assets that you’ve connected Phantom to. There are many different use cases that you can implement in a Playbook. Below are just some of the scenarios that can be executed via Phantom Playbooks.

Playbooks Call


Actions are the high level primitives that Phantom uses in order to abstract away the capabilities of individual point products. Phantom supports over 100 different actions across its set of supported products. Below are just a few examples of the many actions that Phantom supports.

"Detonate file"

detonate a file in a supported sandbox

"Geolocate IP"

perform a geolocation lookup on a given IP address

"Hunt file"

look for a particular file on endpoints

"Block URL"

block a URL on perimeter devices

"Quarantine Device"

disconnect a device from the network via NAC

Actions Are Exposed By

Phantom Apps

Phantom Apps extend the platform’s capabilities by supporting integration into third party security products and tools. Most security technologies have REST APIs, command line interfaces or other management interfaces that Phantom Apps connect to in order to execute investigative and containment actions to control your environment. Apps expose a set of Actions that they support back to the platform. These actions can serve a number of purposes – retrieving data for investigative purposes or changing policy on a security device for example. Below are just some of the Apps that Phantom integrates with.

Apps Connect To


Phantom orchestrates security operations on security and infrastructure assets that you connect it to. Examples of Assets include Firewalls, Endpoint Products, Reputation Services, Sandboxes, Directory Services, and SIEMs.

Assets can be configured to have owners, like the administrators or groups of users managing the asset. For example, you may have a group that manages your firewalls, your endpoints or your virtual infrastructure. When an action has to be executed on an Asset, it’s owners are engaged and notified about the details of the action and the context surrounding it.

They’re informed about why an action is being performed or why a change is being requested, including the parameters of that change. Owners can then review, approve, change parameters, deny or delegate the action. Phantom also facilitates group ownership where one or more, any or all members of the group have to review and approve an action. Phantom allows primary and secondary owners to be defined and in the event that an approval times out, a series of escalations can take place.

Phantom Community Edition is a free, consumption limited, version of Phantom Enterprise.

Phantom is providing the Phantom Community Edition to qualified organizations as part of our Early Experience program. Community Edition allows you to learn about and become one of the first users of this entirely new approach to gaining control over your disparate security technologies!

Get Phantom Now
Feature Community
Action Volume Maximum Actions per day
Dashboards Customizable dashboards
Mission Control Mission Control dashboard
Community Apps Open source community Apps
Certified Apps Cetified Apps provided by Phantom
Community Playbooks Open source Playbooks
Certified Playbooks Playbooks provided by Phantom
Executive Reporting On demand and scheduled reporting
Community Support Community message board support
Enterprise Support Support provided by Phantom
Talk to an Expert