How to Orchestrate a Smarter Phishing Response

We’ve been talking a lot recently about phishing-specific SOAR (Security Orchestration Automation and Response). It’s a capability CofenseTM has pioneered to help you mitigate phishing emails faster and more efficiently. Recently, we examined automation, the ‘A’ in the acronym. Now let’s take a deeper look at the ‘O,’ orchestration.

Involve the Right Teams Faster with Cofense TriageTM

Like a symphony conductor waving a wand, your phishing response needs to engage the right teams at the right time. To make that happen, Cofense TriageTM starts by reducing noise with an advanced spam engine, removing benign emails your employees have reported and freeing security teams to focus on real threats.

We also have out-of-the-box integrations with almost two dozen leading security solutions, including:

View the complete list.

Our integrations make it possible, for example, to connect intelligence on a suspicious URL to logs generated by your firewall and end points. Or, an operator working within Cofense Triage can push details about a phishing campaign to the help desk.

For solutions Cofense Triage isn’t integrated with (yet), we have a new API. It syncs to SIEM solutions, ticketing systems, threat intelligence system, and even sandboxing tools, so you can examine reported emails for overt threats or links to compromised servers. Email headers, which are often spoofed in phishing, can be examined too. And even the full text of the message, rendered but not actually assembled to protect the IT teams working within our solution, can be read and displayed.

Our fully documented REST API can pull information on individual emails, entire clusters (phishing campaigns), attachments, reporters, integrations, health stats and more. You can use it the preprocessing stage to notify teams of malicious attachments at soon as they’re reported.

This release also extends syslog alerting with Cofense Triage. With syslog enabled, Cofense Triage can send out alerts to other systems. Syslog alerts can be used to share information like the cluster velocity, operational SLA alerts, platform health, ingestion health and triage recipe monitoring.  This enables Cofense Triage to share alerts across the entire incident response team.

Automation is great—it’s a must in today’s world. But orchestration makes it work all the more effectively. Put the two together and your phishing defense wins. To learn more about Cofense Triage, sign up for a live 1:1 demo.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Why a phishing-specific SOAR? Because phishing is STILL the #1 cause of breaches.

SOAR is an acronym for Security Orchestration Automation and Response.  And it’s what Cofense™ does for phishing threats and attacks. And, according to researchers at ESG, 19% of enterprises have adopted SOAR technologies extensively, while 39% have dipped their toes in the water and 26% are currently working on SOAR-related projects.1

Why is SOAR soaring? Because organizations need to connect their layers of security systems and make the most of their limited, highly skilled security resources.

Phishing Alert! Alert! Alert!

Phishing isn’t going away. To the contrary, it’s still growing because it works. In fact, enterprises receive up to 150,000 security alerts a day2, many of them phishing alerts. When security teams are drowning in alerts and suffering from alert fatigue, they may miss actual attacks. The Cofense Phishing Defense Center (PDC) sees customers deal with widely fluctuating rates of crimeware—the same organization can go from 2% of reported emails verified as malicious to 20% or higher within a matter of weeks.

Even with a rate that high, 80% of reports are duds. Which is good, of course—false alarms being better than dangerous threats—but manual verification eats up lots of time. And, most organizations lack the needed resources to sift through phishing alerts, find genuine threats, and stop attacks in progress.  In fact, many organizations use a “best effort” approach to sorting through their abuse mailbox.

Automation, Orchestration and Response

A SOAR platform is meant to connect your systems for broader coverage, but it does require configuration and skilled resources to manage it. But, if the majority of your threats are from phishing, do you need a full SOAR platform or could you augment a full-service SOAR with a phishing-specific solution?

Using a phishing SOAR lets you respond to the crush of phishing alerts with fewer skilled man hours and powers a faster, automated, and more coordinated response. Again, automation drives this advantage, along with strong integrations. You gain operational efficiency as you disrupt unfolding attacks.

Cofense TriageTM, our phishing response platform, uses its Noise Reduction feature to help automate the filtering of spam or commercial emails that get reported as threats. By eliminating the noise, you can verify at scale and much faster. Speeding up the analysis means speeding up any needed response—the task at which you want your incident responders to excel.

To be clear, Cofense believes the human factor is still a key ingredient. Which brings us to recent upgrades to Cofense Triage, namely the addition of SOAR functionality.

The Cofense Approach to Phishing SOAR Leverages Human Intelligence

The Cofense approach to phishing response begins with training users to recognize attacks and easily report suspicious emails. Remember, perimeter defenses like secure email gateways don’t catch everything—witness the resurgence of the ZeroFont exploit and the FBI’s report that business email compromise (BEC) scams are fleecing targets to the tune of $12 billion annually.

One of the upgrades to Cofense TriageTM is an improved ability to score user-reporters for accuracy. This, coupled with automated analysis, makes human intelligence more usable as you act against threats.

Cofense Triage speeds the response with greater orchestration, thanks to API integrations as well as Noise Reduction. Our platform offers out-of-the-box integration with nearly two dozen security solutions, including a fully documented REST API.

Besides automating email analysis, Cofense Triage delivers automated security playbooks and workflows. Threat actors tend to recycle proven tactics and procedures, so Cofense Triage lets you define criteria and, when it’s met, execute an automated response to mitigate risk, for example, key notifications, new help-desk tickets, or proxy-block requests.

Cofense VisionTM, a new addition to our phishing response arsenal, helps find phishing threats wherever they may be lurking. Vision stores, indexes, and enriches emails for faster querying and quarantining before any damage is done. You can quickly pinpoint a suspicious email throughout your organization, by querying based on sender, subject, date, attachment name, attachment hash, and more.

And once you find offending emails, you can dig deeper and root out the whole campaign. One click allows you to quarantine emails in Microsoft Exchange and Office365. One more click will allow you to UN-quarantine depending on your findings.

Getting More Value from Phishing SOAR

In an article on the evolution of SOAR, ESG Principal Analyst Jon Oltsik noted that companies are adding to core SOAR functionality with, among other things, integration and canned playbooks:

“Rather than simply trigger a discrete remediation action, SOC teams want to automate their standard operating procedures (SOPs) to the fullest extent possible,” he wrote. “This means aligning automated actions with runbooks in an easy and intuitive way.”3

Cofense is checking those boxes as we evolve Cofense Triage and introduce Cofense Vision. With the SOAR marketplace evolving, it’s the kind of innovation that transforms the acronym into value.

To learn more about Cofense phishing SOAR capabilities, sign up for a 1:1 live demo.



1., May 2018. 

2., February 2018. 

3., May 2018. 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  



Cofense Shortlisted for Three UK Computing Technology Product Awards

We are delighted to share the news that CofenseTM has been shortlisted for not just one but three Computing Technology Product Awards! Some of the most prestigious awards on the UK IT industry’s calendar, the Computing Technology Product Awards aim to recognise the very best in technology and shine a spotlight on the winners.

Following are the categories we are shortlisted for.

Best Business Security Provider

This recognizes our history and reputation in defining and leading the space. Since 2007, Cofense has pioneered the phishing defense industry. While we began in phishing awareness with what was then called PhishMe Simulator™, we’ve since innovated in phishing reporting, phishing incident response, and phishing intelligence. Our rebranding as Cofense earlier this year underscored the ways we deliver a complete, collective defense against phishing attacks in progress.

Best Security Product for SMB

We got the nod here for Cofense PhishMe FreeTM, our entry-level product for businesses with 500 employees or less. Roughly half of all cyber-attacks target small businesses. A similar percentage of SMBs have experienced an attack or breach in the past 12 months. PhishMe Free enables those with small budgets and limited staff to condition users to recognize and report phishing. Though it costs nothing, it comes with deep educational content, plus the reporting and analytics to grasp performance and exposure.

Customer Project of the Year

We’re especially proud of this one. It recognizes our mission to combat cyber-threats with a major university in London. The university picked Cofense to empower over 20,000 staff and students to be an active line of defence and source of attack intelligence in its fight against cybercrime. The university has deployed solutions across the Cofense product line: Cofense PhishMeTM, our phishing awareness solution; Cofense ReporterTM, our one-click email reporting button; and Cofense TriageTM, our automated phishing incident response platform.

Universities are hit with hundreds of successful cyber-attacks each year. Upping the difficulty factor, universities have a constantly shifting user base of students, administrators, and teachers—a moving target for security teams trying to protect data, valuable research and other intellectual property. For a detailed view of our work with City, University of London, read this article by Cofense Cofounder and CTO Aaron Higbee.

For nearly 40 years, Computing has assessed and reported on IT solutions, earning industry-wide respect from both vendors and end-users. These readers will be voting to determine this year’s winners after the final round of judging has been completed in September.

So, watch this space—next time we hope to be asking for your vote!

Learn more about the Cofense suite of phishing defense solutions.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.