Demisto Enterprise -

Demisto Enterprise is designed keeping an enterprise scale in mind. It is built on cutting-edge and proven technologies including Golang, Docker, and React. These technologies enable Demisto’s platform to be scalable and easy to manage.

Enterprise Grade Architecture


In cases of multi-segment networks and hosted deployments, Demisto’s server may not be on the same network as that of partner products. Our engine is designed as a proxy that connects (outbound) to the Demisto main server and prevents the need to open firewall ports to the engine.

Simplified Architecture
and Multi-tenancy

Demisto is written in Golang using embedded BoltDB database and Bleve search. These components are shipped in a single installer, enabling high scalability and multi-tenancy.

Modular UI and API

Demisto’s backend communicates with the web app using REST API. Thus, any action taken from the UI can also be executed via Rest API. Our UI is implemented using ReactJS, making it extremely fast and modular to give a seamless user experience.

Machine Learning Powered IR

Real-Time Indexing

All playbook automation data, user-generated forensics information, and collaboration information is indexed in real time. The powerful indexing engine enables real-time queries of correlated information.


Indicators like IP addresses, file hashes, URLs, and other artifacts are correlated across incidents. These correlations can be searched and used for deeper investigations.

DBot Insights

DBot’s learning engine applies algorithms to generate “Demisto Insights”. These insights include analyst assignments to incidents, most effective security commands, and relevant experts to invite for incident investigations.

Extensible Integration Framework

Out-Of-The-Box Integrations

Demisto integrates with hundreds of products across security domains. Bimonthly product content updates include new integrations pushed to existing Demisto deployments.

Custom Integration Builder

Demisto is equipped with a powerful SDK that enables fast and easy creation of new integrations. Integrations can be built using Python or JavaScript with no external tools or environments required.

Protocol Agnostic

Demisto can integrate with partner products using any of the standard protocols and interfaces including REST API, SOAP, SSH/CLI interface, and custom APIs, with illustrative examples provided for easy setup.

Open Source

Integrations can be shared within and across environments. Most of our integrations are open-source. We encourage customers and partners to leverage our repository and build new integrations.

Security and Isolation


Demisto uses Docker to ensure complete isolation during execution, preventing any inadvertent or malicious action from harming the entire system.

Credential Store

Demisto provides a credential store for integration passwords so that security teams do not need to repeatedly get access to credentials.


All communication with partner products and sub-components within Demisto are encrypted.

Single Sign-on and Authentication

Demisto supports SAML 2.0 and LDAP authentication to ensure that only authorized users can access the Demisto server.