Demisto’s interactive investigation features – a ChatOps-based War Room, an ML-powered chatbot, and a responsive command-line interface – form a potent toolkit for analysts to collaborate, run real-time security commands, and learn from each incident.

What is Security ChatOps?

ChatOps is a platform for conversation-driven investigation. When security analysts, security tools, chatbots, and incident response workflows exist in the same chat window and reinforce each other: that’s ChatOps in action. All these components feed each other in a virtuous cycle, enabling investigation, collaboration, and documentation from one source.

View Infographic

The Need for Interactive Investigation

Lack of skilled analysts

With a shortage of millions of analysts expected over the coming years, many SOCs are understaffed, leading to increased workload, stress, and rate of error among existing analysts.

Rising alert numbers

With an increased threat surface, a greater number of entry vectors for attackers, and an increase in specialized cyber security tools, the number of alerts is constantly on the rise.

Product proliferation

Analysts use numerous tools to coordinate and execute their response to incidents. This involves lots of screen switching, fragmented information, and disjointed record keeping.

Siloed work environments

An implicit but dangerous problem that mid to large sized SOCs face is security analyst tunnel vision and extreme narrowing of skill-sets. There is rarely any cross-pollination of skills across analysts, preventing joint investigations and faster response times.

The Bus Factor

Since security analysts are at such a premium, a sudden personnel loss can leave SOCs in a state of disarray. Senior analysts take most of their expertise with them when they leave and little knowledge remains stored within the SOC.

With these challenges still present and growing, interactive investigation can be a force multiplier for SOCs, providing teams with a virtual shared space to conduct joint investigations, coordinate across security products in real-time, and document the results of their actions on the same platform.

Download Whitepaper

Interactive Investigation with Demisto

Virtual War Room

Analysts can conduct joint investigations and run real-time security commands for efficient hand-offs, faster resolution, and auto-documentation of incident context.

Indicator Repository

All indicators (IPs, file hashes, domains, usernames etc.) are auto-discovered across incidents. A powerful search interface allows for proactive threat hunting.


Demisto’s hypersearch captures indicator correlations across incidents, allowing security teams to narrow down on malicious indicators that are persistent in their environment.

Related Incidents

A visualization of related incidents across time with UI-based options to link incidents and mark duplicates for faster identification of attack campaigns.

Machine Learning

DBot (Demisto’s chatbot) trains on incident, indicator, and analyst data to generate insights for simpler workflow creation, increased analyst productivity, and more effective security operations.

When is the Right Time to Deploy Interactive Investigation?

There is a right and wrong time to introduce interactive investigation features for your security operations and incident response. If you roll out interactive investigation when the timing, resources, or need fitment aren’t right, you will not only fail to get benefits out of those features, but also potentially close the door for future implementation when the need is more explicit.

Read Evaluation Criteria
Register for Demo