Demisto
Demisto was an Israeli SOAR pioneer acquired by Palo Alto Networks in 2019 (reported ~$560M); its playbook-driven incident response automation and cross-tool orchestration are now delivered as Cortex XSOAR for enterprise and government SOCs.
Company Overview
Demisto built a security orchestration, automation and response (SOAR) platform that operationalized incident response through playbook automation, integrations across heterogeneous security stacks (SIEM/EDR/network/security tooling), and SOC case management. The product’s core value proposition was reducing mean-time-to-respond (MTTR) and analyst workload by standardizing response actions, automating repetitive steps, and enabling consistent execution of workflows across teams and shifts.
Commercially, Demisto became a leading SOAR vendor before being acquired by Palo Alto Networks in 2019 (widely reported at approximately $560M). Under Palo Alto, the capability set is sold as Cortex XSOAR and positioned alongside broader SOC transformation offerings (including endpoint/network telemetry and analytics). Competitive dynamics have shifted toward “platform SOAR” embedded within SIEM/XDR ecosystems (notably Microsoft Sentinel and other integrated SOC suites), increasing the importance of native telemetry access, packaged content, and procurement simplification rather than standalone orchestration.
For defense and intelligence organizations, SOAR is a genuine dual-use capability: it enables rapid, repeatable cyber defense actions across mission and enterprise networks, supports standardized playbooks aligned to doctrine/TTPs, and can be deployed to coordinate response across multiple enclaves and toolchains. Strategic value is strongest where organizations must scale response to high alert volumes while preserving auditability, chain-of-custody, and operator accountability—though adoption can be constrained by air-gapped environments, classified data handling, and vendor/platform lock-in considerations.
Dual-Use Assessment
Security automation and orchestration has critical dual-use applications for both commercial and defense security operations. Military and intelligence SOCs require automated incident response and tool orchestration to manage threats at scale and respond rapidly to attacks on defense infrastructure.
Key Technologies
- SOAR (security orchestration, automation, and response) workflow engine
- Playbook-driven incident response automation (human-in-the-loop approvals)
- Security tool integrations/APIs and orchestration across SIEM/EDR/NDR/email/ticketing
- SOC case management and collaboration with audit trails
- Content packs/playbook templates and enrichment connectors (threat intel, asset context)
- Metrics and reporting for MTTR/operational performance tracking
Use Cases & Applications
- Automated phishing triage and response (enrichment, containment, user remediation)
- Ransomware/endpoint incident containment workflows coordinated across EDR, IAM, and network controls
- SOC case management and standardized playbooks for regulatory/audit-ready incident handling
- Threat intel-driven enrichment and automated blocking across security controls
- Defense/government SOC orchestration across multiple enclaves with approval gates and evidentiary logging
- Rapid response to exploitation of known vulnerabilities (ticketing, validation, isolation, and reporting)
Strategic Value to U.S.-Israel Alliance
Demisto technology (now Cortex XSOAR) enables automated incident response for defense and intelligence SOCs, providing orchestration capabilities essential for managing security operations at scale across military networks.