Cofense Logo - Email Security Solutions

Phishing Defense Solutions for Technology Alliance Partners

Trusted partner to some of the best technology brands of the world.

A Trusted Security Ecosystem

Cofense provides the capabilities necessary to make more effective decisions on phishing threats facing your company. Our Technology Alliance Program (TAP) provides a strong and mutually beneficial ecosystem with our partners to provide a comprehensive anti-phishing solution. Cofense solutions seamlessly integrate to simplify deployment, improve efficiency, reduce costs, and optimize security investments.

Our integration partners

Partner with Cofense

Increase resiliency, speed up response times, and stop phishing attacks in real-time.

Cofense MSSP partner program badge

Value Added

We provide an unmatched phishing detection and response portfolio that empowers resellers in every sector to offer customers a comprehensive level of security.

Learn more

Cofense phishing defense solutions

Managed Service

Built from the ground up for MSPs, Cofense Protect provides quick deployment of advanced email security & awareness training from a single multi-tenanted UI.

Learn more

Email Security experts analyzing data on computer screen

Managed Security Service Partners

Cofense Managed Security Service Providers can equip your business with the defenses, processes, and resources necessary to stop inevitable threats.

Learn more

Partner with Cofense

Increase resiliency. Improve your security posture.
Grow your business. Drive new revenue..


Cofense Intelligence and Triage integrate with Anomali ThreatStream to help organizations operationalize workflows with Cofense’s human-verified intelligence that identify indicators by severity and correlate with active phishing campaigns, automate the ingestion for action and eliminate the manual processes and potential for human error while updating other security solutions.


Cofense Intelligence human-verified phishing intelligence ingested into Centripetal CleanINTERNET to filter networks from accessing phishing infrastructure. Protect against access to phishing URLs, domains, IPs, and command and control sites.

Cisco Umbrella

Cofense Triage submits suspected phishing domains to Cisco Umbrella Investigate to determine risk. Domain indicator results populate Cofense Triage to prioritize phishing investigation and response workflow.

Cortex XSOAR

Cofense Intelligence, Triage and Vision integrate with Cortex XSOAR to streamline multiple sources of threat intelligence, suspicious emails for analysis and remediation, and to search and quarantine for suspicious emails.


Cyware CTIX can ingest Cofense Intelligence phishing indicators in JSON format. Each indicator ingested can be used in playbooks and threat lookups from CTIX to use the threat impact rating of each Cofense Intelligence indicator.

Cofense Triage can bidirectionally exchange phishing indicators including domains, URLs, hash values, and more with Cyware CSOL. Cyware can ingest malicious or suspicious emails from Cofense Triage to use in playbooks.

Eclectic IQ

Cofense Intelligence and EclecticIQ Platform deliver the ability to acquire, aggregate and act from phishing- specific indicators. EclecticIQ Platform ingests phishing IOCs and contextual reports via Cofense’s API. Security teams can act based on Cofense Intelligence indicators through their existing infrastructure to alert or block ingress or egress traffic.


Cofense Triage automatically submits email attachments to Hatching Triage at ingestion. Cofense Triage admins can also resubmit supported attachment types from Triage to Hatching using the API. Analysis results of the submitted attachments are available for review in Hatching’s platform.


IBM QRadar ingests Cofense Intelligence by using Cofense’s app within IBM App Exchange. The intelligence ingested is used in a SOC to monitor and alert on activity matching indicators.

Joe Security

Cofense Triage operators can use a Cofense-provided Python script that can safely submit files from Cofense Triage at ingestion to an instance of Joe Sandbox using its API. Analysts can then view the file results in Joe Sandbox to assess its risk.


Cofense Intelligence is ingested into LogRhythm’s platform using Cofense’s API. The ingestion of intelligence is used in a SOC to monitor and alert on activity when a domain, URL, or IP address matches Cofense provided intelligence.

LogRhythm receives CEF-based syslog events from Cofense Triage. Triage will output events based on rules, recipes, and categorizations. Triage admins configure based recipe or report categorization as well as when a YARA rule is matched.


Cofense Intelligence and Cofense Triage both support McAfee event data fields, allowing analysts to recognize, report, and respond to phishing events based on customizable criteria. Cofense Intelligence data in McAfee Enterprise Security Manager has one-click access to humanreadable reports providing detailed insight into the attacker tactics, techniques, and procedures (TTPs); email message content; malware artifacts with full threat detail; and executive summaries.

Micro Focus

Cofense Intelligence ingested via API with CEF support into ArcSight. Operationalize from Cofense Intelligence phishing URLs, domains, hashes, IPs, malware families, contextual reports, and more.

Cofense Triage operators send their syslog events in CEF to their ArcSight instance. ArcSight will receive events based on rules, recipes, and categorizations. This is done matching recipes, report categorization, or when a YARA rule is matched by an analyst.


The Cofense Intelligence and MISP integration helps organizations to operationalize phishing intelligence for faster threat defense & response. The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators. The Cofense Intelligence MISP feed provides a way to ingest file and network phishing indicators. Analysts are then able to correlate Cofense Intelligence with other intelligence feeds as well as understand the malware tactics from the indicators received.

Palo Alto Networks

Cofense Intelligence ingests into Palo Alto Networks MineMeld application. Create an open source MineMeld server which formats Cofense Intelligence and ingest indicators into Palo Alto Networks next-generation firewalls. The firewalls using external dynamic lists consume the indictors and are applied to firewall security policies.

Cofense Triage automatically submits hashes of attachments or full files to Palo Alto Networks WildFire at ingestion. Cofense Triage admins manually submit any hash or supported attachment type from Triage to WildFire using the API. WildFire will return the results to Cofense Triage with a full malware contextual report. Additionally, Cofense Triage integrates with MineMeld to obtain threat indicators.


Cofense Intelligence and Paterva’s Maltego application integrate, and analysts can gather, interrogate, and visualize data to find threat relationships. Cofense developed transforms for Maltego to visualize relationships between observables within a specific attack and explicitly pinpoint how attackers are delivering their malicious payloads.

Recorded Future

Recorded Future has an extension available within the platform to leverage Cofense Intelligence API for human-verified phishing intelligence. Analysts in Recorded Future seamlessly pivot to Cofense Intelligence and obtain indicator validation on IPs, domains, and files.

Cofense Triage operators can query file hash values in the Recorded Future platform. Analysts can view information on the Recorded Future website to validate a file disposition. There is no account required to get “basic” information. The Triage analyst views information from Recorded Future with the option to create an account for more in-depth review.


Cofense Triage can bidirectionally communicate with Siemplify to ingest phishing indicators for Siemplify to process as part of a playbook. Cofense Triage sends reports, threat indicators, reporter information, and phishing incident observables for Siemplify to receive and orchestate. Categorized reports along with indicator analysis tags are capable of ingestion into Siemplify to use in playbooks.


Cofense Intelligence, Triage and Vision integrate with Splunk SOAR to streamline multiple sources of threat intelligence, suspicious emails for analysis and remediation, and to search and quarantine for suspicious emails. 


ServiceNow Security Operations polls the Cofense Intelligence API in a search-based integration to validate incidents that may be related to phishing. Security Operations makes use of Cofense Intelligence indicator IPs, domains, URLs, and files. Analysts use the results and context for additional actions and orchestration.

Cofense Triage and ServiceNow Security Incident Response leverage Cofense Triage’s bidirectional API to ingest phishing events and create security incidents in ServiceNow SIR. ServiceNow analysts can update reported phishing data in Cofense Triage as well as enrich their threat indicator and observables table received from Cofense.


Cofense Intelligence is a value-added data source integrated with Swimlane’s orchestration platform. Swimlane correlates Cofense Intelligence’s IPs, hashes, domains, and URLs to prioritize and remediate events.

Cofense Triage is a supported application in Swimlane to ingest phishing indicators and employee-reported phishing attributes. Cofense Triage sends IPs, domains, URLs and hashes, for Swimlane to receive and act on. Categorized reports along with indicator analysis tags are capable of ingestion to use in playbooks.


Cofense Intelligence integrates with ThreatConnect to ingest phishing intelligence into the platform. Cofense’s API is leveraged to pull in actionable phishing indicators for analysts to create process around indicator impact ratings.


Cofense Intelligence can be ingested into the ThreatQuotient Threat Intelligence Platform (TIP) using Cofense’s API. Enable Cofense Intelligence from within ThreatQ platform and ingest threat IDs, malware families, URLs, IP addresses, and more.

The joint solution integration of ThreatQ™ and Cofense Triage enables security teams to receive, analyze and respond to phishing threats that have evaded technical systems.


Trellix, FireEye’s Helix Cloud Connect solution, can ingest Cofense Triage reports and threat indicators using Cofense Triage’s API. Helix makes calls to Triage’s API and ingests reported email attributes that can then be used in hunting and incident response initiatives.

Cofense Intelligence is ingested into ESM using Cofense’s API via a standalone Python script. This CEF ingestion is then used in a SOC to monitor/alert on activity when a domain or IP address matches Cofense Intelligence.

Cofense Intelligence and FireEye Helix Security Orchestrator deliver the ability to investigate, validate, and orchestrate based on indicator impact ratings from phishing-specific intelligence. Ingestion of phishing indicators allow analysts to investigate, search, and respond to phishing events.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.