top of page

Cisco Threat Response 


Security that works together


Hunt for the riskiest 1% of threats. Cisco Endpoint Security can help you go from exposed to empowered in seconds.

Solution overview

Security attacks wait for no one, making threat investigations increasingly complex, all the while with understaffed security operations teams. Security analysts need to stay ahead of current threats and minimize impact in the event of an attack, but they’re often pivoting between multiple, disparate cybersecurity tools and spending valuable time and resources in the process.

Cisco® Threat Response is a security investigation and incident response application. It simplifies threat hunting and incident response by accelerating detection, investigation, and remediation of threats. Threat Response provides your security investigations with context and enrichment by connecting your Cisco security solutions (across endpoint, network, and cloud) and integrating with third-party tools, all in a single console. Threat Response is included at no additional cost with the following Cisco security licenses:

End Points: 

  • Cisco Advanced Malware Protection (AMP) for Endpoints

  • Email Security

  • Web Security


  • Cisco Firepower®

  • Cisco Stealthwatch® Enterprise


  • Cisco Umbrella™


  • Cisco Threat Grid


To understand whether a threat has been seen in your environment as well as its impact, Threat Response aggregates contextual awareness from Cisco security product data sources along with global threat intelligence from Talos® and third-party sources via APIs. Threat Response identifies whether observables such as file hashes, IP addresses, domains, and email addresses are suspicious or malicious, and whether you have been affected by them. It also provides the ability to remediate directly from the interface and block suspicious files, domains, isolate hosts, and more without pivoting to another product first.

With Threat Response you will:

●     Simplify threat investigations

●     Get rapid, coordinated incident response

●     Lower Mean Time To Respond (MTTR) and dwell time


Incident response:

Leverage multiple security technologies in a single console to address and manage the aftermath of an attack in your environment by aggregating multiple security technologies for a holistic investigation and remediating in a single console.


Threat hunting:

Proactively search for active threats in your environment with a holistic, integrated approach by aggregating multiple security technologies in a single console.

Solution Overview
  • More Than $3.5 Billion Was Lost to Cyber Crime Globally in 2019

  • 57% of Survey Respondents Used Third-Party Cyber Security Assessments in 2019

  • IoT Platform Revenue Forecast to Reach $66 Billion in 2020

  • 73% of “Leading” Organizations View Strong Cybersecurity as a Contributor to Business Success


How Threat Response works

Threat Response aggregates intelligence from both Cisco security product data sources and third-party sources via APIs to identify whether observable such as file hashes, IP addresses, domains, and email addresses are suspicious. The left-hand side of the diagram below shows the intelligence sources that are used to generate verdicts on the Indicators of Compromise (IOCs). When you paste the observable to the Investigate interface of Threat Response and start an investigation, the product adds context from integrated Cisco security products automatically, so you know instantly which of your systems was targeted and how. It brings that knowledge back from Intel sources and security products, displaying results in seconds. From there, security operations teams can take action immediately or continue their investigation with the tools provided

Umbrella Message

Main features and capabilities


Tool for saving, sharing, and enriching threat analysis that allows to document all the analysis in a cloud casebook and to save snapshots from all integrated or web-accessible tools.


Get a correct verdict on dispositions on observable quickly and intuitively and pivot to individual data sources for more information, working across multiple integrations in the Cisco security portfolio.

Incident Manager

Automated triage and prioritization of alerts from Cisco Firepower and Cisco Stealthwatch Enterprise. Allows for investigating and enriching events with context from integrations across security products as well as responding to high-urgency incidents.


●  Convenience of common UI for all Cisco-detected security incidents
●  First-level triage, promoting raw security events to Incidents
●  Customizable auto-promotion rules


Remediation actions:

●  Isolate hosts
●  Block files
●  Block domains


Respond to threats immediately through the convenient interface of one console

Browser plug-in

Browser extension that allows for pulling IP addresses or domains from anywhere an observable is seen, for an investigation


Quickly and easily pull in indicators of compromise from any web page or browser-based console, Cisco or otherwise, and start an investigation.

Relations graph

Part of the Threat Response interface that shows all the observable found during the investigation and indicates relationships between them. Intuitive color and shape coding helps determine the nature of the events and the relationships


Visually intuitive guide to enrichment results, which allows for an at-a-glance verdict for the observable you are investigating (malicious, benign, and unknown) and helps you immediately tell if these observable are seen locally in your network

Open-source integrations

Custom integrations of any security operations tools and workflows available through open and well-documented APIs.


Leverage your full security stack by integrating all tools into one console, enhancing your existing Security Information and Event Management (SIEM) and Security Orchestration, Automation, Response (SOAR) technologies.

bottom of page