We have developed a proprietary Security Orchestration, Automation and Response (SOAR) Platform, named Certego PanOptikon, to enable the process of Real Time Security Monitoring and Incident Response.

The Platform enables and supports processes of data gathering, security event correlation and operation analysis, in real-time .

Thanks to the in-depth investigation work, carried out by the Certego Computer Security Incident Response Team (CSIRT), it is possible to investigate and hunt potential cyber threats and orchestrate the entire life cycle of a security incident.

Platform Architecture


Schedule a demo

Modular implementation
for threat detection

Certego Managed Detection & Response services are based on the Certego PanOptikon® SOAR Platform which adopts a modular approach to meet the specific needs of organizations.

It provides a Web Portal, as well as a Mobile APP for iOS and Android, that serves as a common interface between Certego IRT and the organization’s IT Team, making it easier to orchestrate the whole incident management process.

Detection Modules

Detection Modules are used to gain visibility into the organization’s infrastructure at many levels (network traffic, system behaviors, vulnerabilities, cloud infrastructures, amongst others) and to identify potential cyber threats requiring manually investigation.

Response Modules

Response Modules are used to orchestrate and - where necessary - automatically automate the containment activities needed in the early stages of incident management to limit the propagation of an attack.

Intelligence Modules

Threat Intelligence Modules are used to collect and analyze information from multiple sources. Certego’s proprietary Threat Intelligence Platform (Quokka) enables Certego to produce “actionable” tactical information to prevent, detect or counteract potential cyber threats.

Incidents Response Procedure

In PanOptikon®, every ticket follows a precise structure. This is particularly useful to distinguish the various phases of the incident response process, as suggested in the NIST guidelines.

The header section, under the navigation menu, supplies some general information about the ticket (i.e. severity, classification, creation date and title) and other contextual data including a summary and CIA Risk indicators (i.e Confidentiality risk, Integrity risk and Availability risk).

The menu on the left will guide you through the incident response phases.


Into the “Detection” phase, raw events generated by the platform are collected, and a directory containing attachments is uploaded on the ticket.


The analysis tab contains an incident description and details about the internal host involved in the ticket.

Info gathering

This phase involves an info gathering actions required (e.g., during a ransomware attack, we may ask you to list and check all network drives where the infected user has write permission).


This phase involves any task linked to threat containment actions (e.g., list of domains to block on firewall).


Includes any task concerning threat eradication, inlcuding antivirus scans or manual removals.

Post Incident

The last part involves actions to be implemented once the threat is fully removed (e.g., changing passwords after an infostealer infection).

Each phase will be flagged with an arrow pointing downwards. When the arrow is filled in black/blue, this indicates that tasks in that phase have been already acknowledged or completed. A striped fill pattern indicates the most advanced phase with at least one acknowledged task, while a white arrow indicates that all tasks in this phase are still pending acknowledgement.

Each phase can also have a counter, highlighted in a red circle, displaying the number of tasks still to be completed.