Phishing-Specific SOAR Gets You to Mitigation Faster

Share Now


When a malicious email slips past perimeter tech defenses, you need to find it and respond in minutes, not two or three months. But no one has unlimited budget or staffing to sift through phishing alerts, verify threats, and help stop attacks in progress.

Enterprises see up to 150,000 security alerts a day1, many triggered by suspicious emails. To analyze and respond to all those emails faster, CofenseTM adds the power of Security Orchestration Automation and Response (SOAR) with Cofense TriageTM and Cofense VisionTM,  our comprehensive phishing incident response platform.

Save Time: Respond to Email Clusters, Not Every Single Email

Cofense Triage streamlines phishing analysis by automatically clustering malicious emails by campaign. Our platform finds key commonalities among multiple reported emails. As these commonalities are discovered, Cofense Triage creates a cluster of reports. That cluster represents what could be a phishing campaign. With Cofense Triage, you treat an email cluster as a unit, instead of sorting through and trying to match every single message that may be related. When you’re responding to phishing in volume, as most companies do, this is much, much faster than executing a response to this one, and this one, and this one…ad infinitum.

Once a cluster has been identified, the work of the analyst begins. The analyst can look at the headers, along with the bodies of emails, and start to analyze what kind of threat a cluster is. Suspicious attachments can be sent to tools like Cuckoo, VirusTotal or Palo Alto Wildfire to determine if it contains malware. Threat Intelligence feeds like Cofense Intelligence™ can be consulted for additional analysis.

Our out-of-the-box integrations enable analysts to work with all of your existing security tools. This is the “orchestration” in SOAR. Our API automates the process of involving the right teams quickly, while Cofense Triage integrations keep your array of solutions in sync. What’s more, our Noise Reduction feature cuts through spam to free your people to collaborate on hunting genuine threats.

Clustering, as part of our phishing-specific SOAR, provides an efficiency that traditional SOAR platforms don’t deliver. You can respond to the tsunami of phishing alerts and threats more effectively, with fewer man hours. You’ll quickly learn what to search for and block—again, at scale, in clusters.

Automation with Human Control Gives You the Right Balance

So, now that a threat has been identified, you need to get ahead of the threat. Our platform can automate your response with playbooks. A basic example… a playbook starts by assigning a category to the cluster, identifying the type of threat the messages represent, and continues in the following steps:

  1. Creates a ticket in a help desk system
  2. Automates the analysis of a malicious URL or attachment
  3. Determines who else received a message in the cluster but did not report it
  4. Notifies the proxy team to block a URL or a domain
  5. Sends a message to the employees who reported the messages

Once a playbook is created, it can be saved and reused for other threats.

However, while automation vastly improves efficiency, it doesn’t erase the need for “eyes on glass.” Cofense leaves the critical decision-making to human analysts. We give security teams information on phishing clusters, complete with indications of compromise (IOC’s), so teams can apply the human touch as they respond decisively.

So, we’re under attack – now what?

  • The bad email made it past the “next-gen” technology that should have caught it – Check
  • Resilient workforce recognized the threat and reported it – Check
  • Cofense Triage analyst recognized the threat and kicks off the response – Check
  • Where else does that email live on my servers? Uhhhh…

To find threats wherever they’re hiding, Cofense Vision TM, a new addition to our phishing response arsenal, stores, indexes, and enriches emails for faster querying and quarantining. How long does it typically take to search your email servers?  How many internal resources do you have to tap to be able to do so?  Does the mail team talk to incident response team?

Cofense Vision allows you to easily find offending emails, dig deeper, and root out the whole campaign. Then, one click allows you to quarantine emails in Microsoft Exchange and Office365 and un-quarantine later if further analysis proves it to be harmless.

Let’s be clear. A Phishing-specific SOAR won’t replace the need for a broader SOAR platform. Rather, it complements it by speeding response to threats from the #1 cyber-attack vector − phishing. Adding a quicker, smarter phishing response to your security stack gets you to mitigation, breach prevention, and peace of mind faster. Sometimes, one plus one really does equal three.

To learn more, request a 1:1 demo of Cofense Triage.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


  1., May 2018.

Read More Related Phishing Blog Posts


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.