
Demisto

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Demisto
Type: Private
Founded: 2015
Founders: Yossi Naar; Slavik Markovich; Eran Tamir
Fate: Acquired by Palo Alto Networks (2019)
Headquarters: Palo Alto, California
Industry: Cybersecurity
Products: Security Orchestration, Automation, and Response (SOAR) platform

Demisto is a security orchestration, automation, and response platform originally developed by a startup founded in 2015 and later acquired by Palo Alto Networks in 2019. The product combined case management, playbooks, and automated workflows to assist analysts in triage, investigation, and incident response across diverse tooling stacks. Demisto was positioned in the same market segments as established and emerging vendors and was adopted by enterprises, service providers, and government organizations seeking to reduce mean time to remediate.

History

Demisto was founded in 2015 by engineers with experience in enterprise security and incident response, during a period of rapidly growing interest in security tooling from Splunk, IBM Security, Cisco Systems, McAfee, and cloud-native vendors. Early investment rounds involved venture capital firms and angel investors active in the Silicon Valley cybersecurity ecosystem, frequently intersecting with founders from Check Point Software Technologies, Imperva, Palo Alto Networks, and Symantec. As the platform matured, Demisto integrated with products from Microsoft, Amazon Web Services, Google Cloud Platform, and identity providers like Okta and Ping Identity. In 2019 Demisto was acquired by Palo Alto Networks, and its technology became part of the vendor’s broader incident response and security operations offerings, aligning with other acquisitions in the space such as APC Networks and strategic moves into cloud security and extended detection and response.

Product and Architecture

Demisto’s architecture combined a web-based console, a playbook engine, and an extensible integration layer that connected to security and IT systems. The console provided analyst-facing dashboards and case management analogous to features in ServiceNow, JIRA, and Atlassian toolchains. The playbook engine used a visual flow design akin to automation tools from Ansible and orchestration concepts from SaltStack, enabling conditional logic, human-in-the-loop steps, and automated remediation. Integrations were delivered as connectors, similar to the plugin ecosystems of Splunk, Elastic NV, and IBM QRadar, allowing interaction with endpoint agents from CrowdStrike, Carbon Black, and Symantec Endpoint Protection as well as network devices from Cisco Systems and cloud services from Amazon Web Services and Microsoft Azure.

Features and Capabilities

Demisto emphasized several principal capabilities: playbook-based automation, case management, chat-driven investigation, and analytics. Playbooks enabled automation comparable to Chef or Puppet workflows but focused on incident response actions like containment, enrichment, and notification to platforms such as Slack, Microsoft Teams, and PagerDuty. Case management integrated evidence handling and audit trails similar to systems used by Deloitte and KPMG incident response teams. The platform included a war-room chat feature inspired by collaboration practices at GitHub and Atlassian, facilitating coordinated investigations with role-based access controls resembling those from Okta and Ping Identity. Analytics and reporting capabilities produced metrics aligned with frameworks such as NIST Cybersecurity Framework and best practices promoted by SANS Institute and MITRE ATT&CK.
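As an added illustration of the playbook engine described in the Product and Architecture and Features sections (example code written for this article, not Demisto's or Palo Alto Networks' own), the following minimal interpreter walks an incident through enrichment, a conditional branch, a human-in-the-loop approval that pauses the run until an analyst answers, and automated containment and notification, recording an audit trail along the way. The task names, the reputation table and the incident values are constructed for the example.

```python
# Minimal SOAR-style playbook engine (illustrative, not Demisto code): automation tasks,
# conditional branches and a manual approval step that pauses the run for an analyst.
from dataclasses import dataclass, field
REPUTATION = {"198.51.100.7": 95, "203.0.113.9": 10}  # constructed sample intel, not real data

@dataclass
class Task:
    kind: str              # "automation", "condition" or "manual"
    action: object = None  # automation: mutates ctx; condition: returns a branch label
    next: object = None    # automation/manual: next task name; condition: {label: task name}

@dataclass
class Run:
    ctx: dict                          # incident context shared by every task
    audit: list = field(default_factory=list)
    status: str = "running"            # "running", "waiting" (needs analyst) or "completed"
    current: str = "start"

def enrich(ctx): ctx["score"] = REPUTATION.get(ctx["ip"], 0)
def block_ip(ctx): ctx.setdefault("blocklist", []).append(ctx["ip"])
def notify(ctx): ctx["notified"] = True

PLAYBOOK = {
    "start": Task("automation", enrich, "triage"),
    "triage": Task("condition", lambda c: "malicious" if c["score"] >= 80 else "benign",
                   {"malicious": "approve_block", "benign": "close"}),
    "approve_block": Task("manual", None, "block"),   # blocks until an analyst decides
    "block": Task("automation", block_ip, "notify"),
    "notify": Task("automation", notify, "close"),
    "close": Task("automation", lambda c: c.update(closed=True), None),
}

def execute(run, approvals=None):
    """Advance a run until it completes or stops on an unanswered manual task."""
    approvals = approvals or {}
    while run.current:
        task = PLAYBOOK[run.current]
        if task.kind == "manual":
            decision = approvals.get(run.current)
            if decision is None:          # pause; resume later with the analyst's answer
                run.status = "waiting"
                return run
            run.audit.append(f"{run.current}: analyst {decision}")
            run.current = task.next if decision == "approved" else "close"
        elif task.kind == "condition":
            label = task.action(run.ctx)
            run.audit.append(f"{run.current}: branch {label}")
            run.current = task.next[label]
        else:
            task.action(run.ctx)
            run.audit.append(f"{run.current}: done")
            run.current = task.next
    run.status = "completed"
    return run
```

Calling `execute` a second time on a run that returned with status "waiting", passing the analyst's decision in `approvals`, resumes it from the paused task.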

Integrations and Ecosystem

A major design focus was broad ecosystem interoperability. Demisto shipped integrations for SIEMs like Splunk and IBM QRadar, endpoint detection tools like CrowdStrike Falcon and VMware Carbon Black, threat intelligence platforms including Recorded Future and ThreatConnect, and network appliances from Cisco Systems and Palo Alto Networks. It also connected to cloud platforms Amazon Web Services, Microsoft Azure, and Google Cloud Platform for asset discovery and remediation. The integration catalog mirrored patterns seen in the marketplaces of Elastic NV and Microsoft Azure Marketplace and supported community-developed playbooks shared in forums similar to those run by SANS Institute and GitHub.

Deployment and Scalability

Deployments supported on-premises, cloud-hosted, and hybrid topologies to meet requirements of customers ranging from Fortune 500 enterprises to managed security service providers (MSSPs) such as Secureworks and IBM X-Force. Scalability was addressed via clustered architectures, horizontal scaling of worker nodes, and stateless service design patterns seen in Kubernetes and Docker environments, enabling throughput for large alert volumes comparable to traffic handled by Splunk and Elastic NV deployments. High-availability configurations, multi-tenant capabilities, and role-based access controls made the platform suitable for regulated sectors including financial institutions like JPMorgan Chase and healthcare organizations that align with compliance regimes such as those adopted by PayPal and Visa.

Security and Compliance

Security features included role-based access control, encrypted data at rest and in transit, audit logging, and integration with authentication providers like Active Directory and Okta. The platform’s logging and audit trails supported forensic investigations in the style of procedures recommended by NIST and incident response playbooks advocated by SANS Institute. Compliance-oriented reporting and retention policies helped customers align with regulatory regimes influenced by PCI DSS, HIPAA, and national data protection laws referenced by organizations such as Deloitte and KPMG.

Reception and Industry Impact

Within industry analyst reports and reviews, the platform was recognized for accelerating analyst productivity and reducing repetitive tasks, a value proposition echoed in assessments by Gartner and Forrester Research. Security operations teams at enterprises and MSSPs reported improved mean time to detect and mean time to respond, paralleling outcome claims from vendors like Splunk Phantom and IBM Resilient. Following acquisition by Palo Alto Networks, components influenced product roadmaps across NGFW, cloud security, and SOAR offerings, contributing to consolidation trends in the cybersecurity vendor landscape observed alongside deals involving Symantec, McAfee, and Trend Micro.

Category:Cybersecurity companies