Cofense Triage 


Cofense TriageTM provides our response teams with the rapid, detailed information they need to address e-mail threats quickly and efficiently without wasting time chasing false positives.Kevin Emert, CISO, Scripps Networks Interactive

No matter how much you invest in “next-gen” email technologies, malicious email makes it past the perimeter. Whether it’s an attempt to deploy malware on your network or steal user credentials, the leading cause of breaches are successful phishing campaigns. It’s easy for organizations to point to the everyday employee as the root cause – as the problem to be solved. We disagree. Cofense™ believes employees – humans – should be empowered as part of the solution to help strengthen defenses, gather real-time attack intelligence, and stop phishing attacks in progress.

Find Bad Faster.

Cofense TriageTM, the first phishing-specific incident response platform, can help you stop active phishing attacks in progress. By leveraging real-time, internally reported attack intelligence from conditioned users, Cofense Triage makes it easy to stop phishing attacks in progress by eliminating the noise of the abuse mailbox, automating standard responses, and orchestrating across your other security systems to quickly respond to and eliminate phishing threats.


Like a composer arranging music for an ensemble,  your phishing response needs to involve multiple parts of your organization. Cofense Triage helps your incident responders work across  teams to mitigate the phishing threat.  To help orchestrate your response Cofense Triage includes:

  • Triage Noise Reduction: Cofense Triage uses an industry-leading spam engine to remove non-threatening reported messages, freeing your team to focus on real threats.
  • Robust API: Cofense Triage is built around a set of APIs designed to help it “talk” to Triage to automate the process and get the right teams involved, faster.
  • Integration with Existing Solutions: Cofense Triage seamlessly integrates with your existing security solutions, including SIEM, anti-malware, analysis, and threat intelligence solutions.


Mitigating a phishing attack in progress can involve a lot of steps. The key to getting ahead of these threats is anticipating them. Cofense Triage offers a number of ways to define repeatable processes to deal with threats, including:

  • Playbooks: Create repeatable workflows to automate response to a threat, speeding mitigation. Operators can create new playbooks from scratch, or create a playbook based upon a Cluster summary.
  • Rules Editor: An easy-to-use editor allows operators to quickly create rules that can be used for future analysis. Triage also supports YARA rules to dig deeper for more advanced analysis.
  • Workflows with Playbooks: Playbooks offer flexibility on how they can be integrated with an Incident Response process. Workflows help to automate for threats, reducing an analyst’s workload.


A phish landed. What happens next is the key to mitigating the threat. Cofense Triage helps you respond faster, ultimately making your organization safer. To respond to phishing threats, Cofense Triage includes:

  • Quarantine the Threat: It’s great that users have reported an email, but where else is that malicious email? Together with Cofense VisionTM, you can search across the entire organization to find that email and quarantine it.
  • Trusted Informants: The more trusted the reporter, the more likely that a reported email is a genuine threat. Cofense Triage factors in recent reports from a user to create a score that an operator can use to evaluate and prioritize risk.
  • Cluster Processing: An operator can have any future messages that meet the criteria of a cluster processed in the same way. This eliminates the need for repeated action by the operator, enabling them to focus on other threats.

Flexible Deployment Options

Cofense Triage is now available via multiple deployment options—making phishing incident response more available and attractive to enterprises of all needs and sizes:

  • Cofense Triage – Available as a virtual appliance, completely managed by your internal teams.
  • Cofense Triage Cloud – Dedicated instance hosted in Cofense’s secure cloud infrastructure with operational usage by customer.
  • Cofense Phishing Defense Services – Hosted and fully managed by our Phishing Defense Center.

Cofense Triage organizes reported phishing emails by campaign. This lets you respond to an entire cluster of emails with similar attributes versus responding again and again to individual messages.

With Cofense Vision now integrated with Cofense Triage 2.1, operators can quickly find unreported emails that match reported clusters—and mitigate the risk by quarantining them directly from within Cofense Triage. Stop unfolding attacks quickly and seamlessly.