How the tiny startup Phantom Cyber scored big at RSA

By any measure, Phantom Cyber is a David in a world of security Goliaths. Yet it scored top honors as the Most Innovative Startup of RSA 2016 Innovation Sandbox contest. It has raised less money than most of other contenders. Yet it’s offerings were seen as novel, even ground breaking.

At a standing room only event at Moscone North, 10 startups pitched. Each had precisely 3 minutes, and a nerve-jangling buzzer cut them off if they exceeded the time.

The judging panel of Asheem Chandna, a partner at Greylock; Patrick Heim, who serves as the Head of Trust at Dropbox; Gerhard Eschelbeck, a VP of Security at Google; Renee Gutman, the CISO at Royal Caribbean; and Paul Kocher, who serves as the President of Crypto Research at Rambus had seen it all. Their role was to shred some of these pitches apart – gently & one at a time. With one presenter, the judges even asked if the markets care about the companies offering. But not for Phantom.

Top 10 Contenders – RSA2016 Innovation Sandbox (Data: Crunchbase)

Company Thesis Year Started Capital Raised ($m) Key Investors
Phantom Cyber Security Automation & Orchestration 2014 $9.2 Foundation Capital, Blackstone
Bastille Networks IoT Security 2014 $11.5 Bessemer Venture Partners
Illusive Networks Deception Networks 2014 $22.0 Team 8, NEA, Bessemer Venture Partners
Menlo Security Malaware prevention 2013 $35.0 Sutter Hill, General Catalyst
Prevoty Runtime Application Self-Protection (RASP) 2013 $11.1 US Venture Partners
Protectwise Cloud Network DVR 2013 $37.1 Trinity Ventures, Crosslink
Safebreach War games simulation 2014 $4.0 Sequoia
Skyport Application Security 2013 $30.0 Index Ventures, Sutter Hill
Vera Data Security 2014 $31.0 Battery, Sutter Hill
Versa Networks Enterprise / Branch Security 2012 $57.3 Sequoia, Verizon Ventures


What makes Phantom the ‘most innovative’

According to 451 Research, over 100 new security startups are formed each year. Add that to ~1300 existing security vendors that are shouting each other out in the marketplace. What you have is a lot of noise, confusion and me-toos.

As Brendon Daly of 451 Research says, security is the only sector where both fear and greed are at play at the same time. Classical ROI driven sales exercises greed by driving even more greed – of higher revenues. Security vendors often exercise their greed by fostering a reign of fear, not unlike an arms vendor. And no arms vendor prays for world peace.

The vendor driven FUD (Fear Uncertainty and Doubt) fatigue leads to a chain of mistrust and short-term madness. Rumors that CISOs have even hired post-breach fall guys are prevalent.

Large enterprises often deal with as many as fifty security products. Getting them to integrate / interoperate with each other so that the CISO can see the big picture is a nightmare.

In such a messy gold-rush, Phantom’s platform acts as a layer of connective tissue to the industry, simplifying and automating the life of security teams. Phantom Apps can perform 120 different actions across forty disparate technologies allowing investigation, hunting and containment. Its philosophical approach is fresh – to let the security community share playbooks via its Github repositories making its platform open and extendable. With both northbound and southbound API integration, investigation and containment can become much faster.

Why does the world care about automation

Patrick Heim, Head of Trust at Dropbox was one of the judges at RSA Sandbox 2016. He points out that there are three challenges that make security automation appealing:

  • A shortage of highly skilled security professionals requires that we make them as efficient as possible.
  • With manual process, the time between a detection event and a response event can be too long to prevent a significant loss.
  • A best of breed strategy involving numerous vendors is required to defend against agile threats. 

“Security automation appeals to all three of these constraints by integrating diverse products, reducing detection-to-response time, and raising the productivity of skilled security engineers” he says.

According to Oliver Friedrichs, CEO of Phantom, over 75% of security teams suffer from alert fatigue and routinely ignore alerts. In a 7 step automated process, he demonstrates how Phantom can auto-magically contain malware.

“With numerous security analytics providers, we have a lot more data but that has created a new bottleneck. Analysts are on a hamster wheel, trying to keep up and the action loop is needed” says Friedrichs.  If you look at how the NSA moved from addressing 65 events a day to tens of thousands a day, the value proposition starts to become much clearer.

As a part of Active Cyber Defense Initiative at John H Hopkins University, Phantom worked with various federal agencies for over 11 months and contributed towards development of Integrated Adaptive Cyber Defense technologies.

For Friedrichs, who practised his Sandbox pitch over 50 times to perfect the 3 minute pitch, he has seen it all before. This is his fourth startup, with three previous security companies having been acquired by the likes of McAfee, Symantec and Sourcefire.  

His innovations in advanced malware at Immunet (acquired by Sourcefire, which in turn, got acquired by Cisco) have now reached over 10,000 companies. Phantom’s team has grown to 20 people and Friedrichs gives much credit to his co-founder Sourabh Satish and team for getting Phantom ready over the past two years.

Now, the challenge is to make sure Phantom itself does not become compromised. As risk gets centralized, security platforms need to ensure robustness and build layers of protection. “We have hardened the OS, added two factor authentication with multiple approval layers, encrypted stored credentials and routinely use outside firms to conduct pentesting,” says Friedrichs.


Phantom’s goals to automate the enterprise SOC (Security Operation Center) is a start. “We are creating a new category of connective security software and are ambitions of building a scalable company” he adds.

“The competition for us is an engineer writing Python scripts to do this internally” says Friedrichs. Validating the opportunity is Fireeye’s recent acquisition of Invotas. This opens up the playground for Phantom. In a 451 Research Survey  of 803 survey respondents, majority believed that culling of the vendor pool is bound to occur. This may bode well for Phantom.

One of the early investors in Phantom, Jay Leek, CISO of Blackstone says “Phantom is the first-mover in the automates the workflow from alerts to investigation and remediation. Such automation can empower one FTE (Full Time Equivalent) to do as much as five FTEs once deployed at scale. We can now drive consistency across operational functions by eliminating human errors. We can isolate a computer with one click, or a “kill switch”, if destructive malware is detected. This is why we think this is so important.”

In this David vs. Goliath battle for innovation, larger security companies have seemingly been blindsided by this opportunity to integrate and automate. Like Goliath, their heavy armor of bureaucracy weighs them down, and even as they try, no existing entity can bring all vendors to become the “Switzerland” of security. That’s where innovative startups have an edge.