Demisto Announces Industry Standard for Building and Sharing Cyber Threat Incident Response Playbooks to Promote Security Automation and Collaboration




Dan Spalding

(408) 960-9297




Company also Introduces Free Edition of Industry’s Only Bot-powered Security ChatOps Platform to Facilitate Development, Sharing and Automation of Playbooks across Security Industry


LAS VEGAS (Black Hat USA 2016 Booth No. IC-16) — Aug. 2, 2016 — Demisto, Inc., an innovator in Security Operations technology, today announced an open industry standard (COPS, Collaborative Open Playbook Standard) to build and share cyber threat incident response playbooks, facilitated with the introduction of Demisto Free Edition, the free version of Demisto’s Bot-powered security ChatOps platform. The platform helps automate and streamline security operations and incident management processes.


The playbooks developed in Demisto Enterprise and Free Edition can be shared with other organizations to facilitate development and sharing of standard playbooks and incident response procedures. The open standard is not proprietary: it uses YAML as the exchange format and has a schema specifically designed for security operations. Hence, the playbooks developed in Demisto Free Edition can be exported and converted to other product formats. The new solution will be unveiled and demonstrated this week at Black Hat USA 2016 in Las Vegas, in Demisto’s booth number IC-16 in the Innovation City on the expo floor.


As attackers collaborate to create more sophisticated attacks, the security industry has lacked an open incident response standard to create response procedures that use collective knowledge. While security intelligence solutions that share only threat information exist, today’s announcement is a step toward building response standards for the industry. Now, organizations can collaborate and build response procedures together or contribute back to the community for use by other organizations. With the Demisto Free Edition and open standard for playbook exchange, organizations can begin collaborating on incident responses to address today’s complex cyber threats.


“Incident Response procedures have always been ad-hoc and unstructured with varying degrees of effectiveness,” said Stuart McClure, Author “Hacking Exposed,” former Global CTO McAfee and Founder & CEO, Cylance. “There is a real need for us to coordinate across companies and vendors to build standard, well thought out, response procedures. Demisto’s creation of a standard, non-proprietary, exchange format is a big step in the right direction. All organizations will be able to build and adopt playbooks, share them and improve them continuously using the standard. This will definitely result in organizations being better prepared for the future attacks.”


The new open standard also makes it possible to codify and automate, as playbooks, internal security operations and incident response procedures that previously remained in dusty folders, static documents, wiki docs and presentations. Now these documents and procedures can be shared across organizations by creating playbooks using the standard format. These tasks and procedures can also be automated via Demisto Free Edition and the library of open source automation scripts from Demisto. Demisto’s open source library of automation scripts contains hundreds of scripts which can be used to automate actions across more than 40 already integrated security solutions.


“While cyber criminals collaborate to attack and steal from organizations, our industry until now has lacked a means for sharing best practices around incident response and community development of playbooks,” said Dan Sarel, Demisto co-founder and VP of Product. “Organizations can now automate and track their processes for incident response using playbooks developed in Demisto Free Edition, which are easy to create and do not lock the organization into a single platform. At Demisto we believe that the only way to combat cybercrime is through collaboration and we are proud to offer today a major step in this direction.”


With a focus on collaboration, Demisto has built the industry’s largest incident response community using Slack. The community of more than 500 security analysts from all over the world shares best practices in incident response, tools and training courses. In addition to the community, open playbook standard and hundreds of automation scripts, Demisto has created numerous open source projects, including a very popular Slack bot that nearly 1000 teams use to protect Slack and that lets security analysts aggregate threat reputation using ChatOps. These open source projects include SDKs in the Go programming language for VirusTotal, IBM X-Force Exchange, Crowdstrike, Cylance and Slack.


Availability and Pricing

The Demisto Free Edition and open playbook standard are available today directly from

About Demisto
Demisto helps Security Operations Centers scale their human resources, improve incident response times, and capture evidence while working to solve problems collaboratively. Demisto Enterprise is the first comprehensive, Bot-powered Security ChatOps Platform to combine intelligent automation with collaboration. Demisto’s intelligent automation is powered by DBot which works with teams to automate playbooks, correlate artifacts, enable information sharing and auto document the entire incident lifecycle. Demisto is backed by Accel and has offices in Silicon Valley and Tel Aviv. For more information, visit or email

Demisto is a registered trademark of Demisto in the United States and other countries. All other company and product names are either trademarks or registered trademarks of their respective companies.