Campaigns & Incidents
Campaigns organize your PhantomID deployments with clear objectives and tracking. Incidents capture and manage security events when planted identities are contacted.
Campaigns
What is a Campaign?
A campaign is an organized deployment of PhantomIDs to specific injection targets with a defined objective, timeline, and tracking. Campaigns help you:
- Group related injection activity for reporting
- Track deployment success rates across targets
- Measure detection effectiveness over time
- Organize investigations by initiative
Campaign Statuses
| Status | Description |
|---|---|
| Draft | Campaign is being planned — targets and PhantomIDs are being assigned |
| Active | Campaign is live — injections are running and monitoring is active |
| Completed | Campaign has ended — all planned injections are done |
Creating a Campaign
- Navigate to Campaigns
- Click Create Campaign
- Configure the campaign:
| Setting | Description |
|---|---|
| Name | Descriptive name for the campaign |
| Objective | What you're trying to detect or test |
| Affiliation | Business unit scope |
| Start/End dates | Campaign timeline |
Assigning PhantomIDs
After creating a campaign, assign PhantomIDs to it:
- Select individual PhantomIDs — Choose specific identities for targeted deployment
- Select by tag — Assign all PhantomIDs with a specific tag
- Select by affiliation — Assign PhantomIDs from a specific business unit
Each PhantomID assignment can include injection context — which target it should be deployed to and any specific configuration.
Assigning Injection Targets
Configure which targets the campaign will deploy to:
- Select from your existing injection targets
- Each target can have campaign-specific settings
- Track per-target success rates within the campaign
Campaign Statistics
Active and completed campaigns show real-time statistics:
- Total PhantomIDs — Number of identities assigned
- Injections completed — Successful deployments
- Injections failed — Failed deployments
- PhantomIDs compromised — Identities that have been contacted
- Incidents created — Security events triggered by this campaign
- Detection rate — Percentage of injected PhantomIDs that were later contacted
Incidents
What is an Incident?
An incident is a security event created when a PhantomID is contacted. It represents a potential data exposure that needs investigation and response.
How Incidents Are Created
Incidents can be triggered by:
| Trigger | Description |
|---|---|
| Call | Someone calls a PhantomID phone number |
| SMS | Someone texts a PhantomID phone number |
| Email | Someone emails a PhantomID email address |
| Manual | An analyst creates an incident based on external intelligence |
When an automatic trigger fires, the system:
- Creates an incident with initial severity based on the trigger type
- Links it to the relevant PhantomID
- Checks if the source matches a known threat actor
- Assigns it to the appropriate affiliation
Severity Levels
| Severity | Description | Examples |
|---|---|---|
| Low | Single, isolated contact with no clear pattern | One call to one PhantomID from an unknown number |
| Medium | Multiple contacts or contact from a known threat actor | Same caller reaching two PhantomIDs; known telemarketer |
| High | Coordinated activity across multiple PhantomIDs or channels | Systematic calls to 5+ PhantomIDs within hours |
| Critical | Confirmed large-scale breach or active, ongoing attack | Mass contact across dozens of PhantomIDs; data appearing on dark web |
Severity can be auto-assigned based on rules or manually adjusted by analysts.
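The auto-assignment rules above, and the known-threat-actor check performed when a trigger fires, can be expressed as a small triage routine. This is an added illustration, not the product's own code: the contact events, the known-actor list and the thresholds (5+ distinct PhantomIDs for High, "dozens" taken as 24+ for Critical, a 6-hour correlation window) are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample contact events, not real data: (timestamp, channel, source, phantom_id)
EVENTS = [
    ("2024-05-01T09:00:00", "call", "+15550000001", "pid-001"),
    ("2024-05-01T09:05:00", "sms", "+15550000002", "pid-002"),
    ("2024-05-01T09:30:00", "call", "+15550000002", "pid-003"),
    ("2024-05-01T10:00:00", "email", "marketing@example.invalid", "pid-004"),
    # one source reaching six different PhantomIDs in six minutes
    *[(f"2024-05-01T11:{m:02d}:00", "call", "+15550000003", f"pid-{10 + m:03d}") for m in range(6)],
]
KNOWN_ACTORS = {"marketing@example.invalid"}  # constructed known-threat-actor list

# Assumed thresholds: "5+" for High comes from the severity table; "dozens" for Critical is read as 24+.
HIGH_DISTINCT = 5
CRITICAL_DISTINCT = 24


def max_distinct_in_window(times_ids, window):
    """Largest number of distinct PhantomIDs one source reached inside any sliding time window."""
    times_ids.sort()
    best, lo = 0, 0
    for hi in range(len(times_ids)):
        while times_ids[hi][0] - times_ids[lo][0] > window:
            lo += 1
        best = max(best, len({pid for _, pid in times_ids[lo:hi + 1]}))
    return best


def severity_for_source(source, events, known_actors, window=timedelta(hours=6)):
    """Apply the severity table to every contact made by one source; None if the source never contacted anything."""
    mine = [(datetime.fromisoformat(ts), pid) for ts, _, src, pid in events if src == source]
    if not mine:
        return None
    distinct = max_distinct_in_window(mine, window)
    if distinct >= CRITICAL_DISTINCT:
        return "Critical"  # mass contact across dozens of PhantomIDs
    if distinct >= HIGH_DISTINCT:
        return "High"  # coordinated activity across 5+ PhantomIDs within the window
    if len(mine) > 1 or source in known_actors:
        return "Medium"  # repeat contact, or a source already known as a threat actor
    return "Low"  # single, isolated contact


def triage(events, known_actors):
    """Return {source: severity} for every source seen in the event list."""
    return {src: severity_for_source(src, events, known_actors) for src in {e[2] for e in events}}
```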
Incident Workflow
Every incident follows a structured response workflow:
New → Acknowledged → Investigating → Confirmed → Remediated → Closed
| Status | Meaning |
|---|---|
| New | Incident just created, not yet reviewed |
| Acknowledged | An analyst has seen the incident and accepted ownership |
| Investigating | Active investigation is underway |
| Confirmed | The incident is confirmed as a real security event (not a false positive) |
| Remediated | Corrective actions have been taken |
| Closed | Investigation complete, incident resolved |
Incident Details
Each incident contains:
- Summary — What happened (auto-generated or manually written)
- Severity — Current severity level
- Status — Current workflow status
- Trigger type — What created the incident (call, SMS, email, manual)
- PhantomID — The identity that was contacted
- Threat actor — Linked threat actor (if identified)
- Assigned to — The analyst responsible for investigation
- Affiliation — Business unit scope
- Campaign — Associated campaign (if applicable)
Incident Timeline
The timeline provides a chronological record of everything that happens during an incident's lifecycle:
- Status changes — When the incident moved between workflow stages and who changed it
- Comments — Analyst notes, findings, and observations
- Evidence — Attached files, screenshots, or references
- Threat actor links — When a threat actor is associated or updated
- Severity changes — Upgrades or downgrades with reasoning
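The workflow stages and the timeline entries they produce can be modelled as a small state machine that refuses skipped or backward transitions, requires a corrective-action summary when moving to Remediated, and records every severity change with its reasoning. This is an added example rather than the product's own implementation; the incident values, analyst name and notes are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Workflow stages in page order; an incident may only advance one stage at a time.
WORKFLOW = ["New", "Acknowledged", "Investigating", "Confirmed", "Remediated", "Closed"]
SEVERITIES = ["Low", "Medium", "High", "Critical"]


@dataclass
class Incident:
    phantom_id: str
    trigger: str  # call, SMS, email or manual
    severity: str
    status: str = "New"
    assigned_to: str = ""
    timeline: list = field(default_factory=list)  # (time, kind, actor, detail)

    def _log(self, kind, actor, detail):
        self.timeline.append((datetime.now(timezone.utc).isoformat(), kind, actor, detail))

    def assign(self, analyst):
        self.assigned_to = analyst
        self._log("assignment", analyst, "became primary investigator")

    def transition(self, new_status, actor, note=""):
        """Advance exactly one stage; Remediated must carry a summary of corrective actions."""
        expected = WORKFLOW[WORKFLOW.index(self.status) + 1] if self.status != "Closed" else None
        if new_status != expected:
            raise ValueError(f"illegal transition {self.status} -> {new_status}")
        if new_status == "Remediated" and not note:
            raise ValueError("Remediated requires a summary of corrective actions")
        self._log("status", actor, f"{self.status} -> {new_status}" + (f": {note}" if note else ""))
        self.status = new_status

    def set_severity(self, new_severity, actor, reason):
        """Record an upgrade or downgrade together with its reasoning."""
        if new_severity not in SEVERITIES or not reason:
            raise ValueError("severity must be a known level and carry a reason")
        direction = "upgrade" if SEVERITIES.index(new_severity) > SEVERITIES.index(self.severity) else "downgrade"
        self._log("severity", actor, f"{direction} {self.severity} -> {new_severity}: {reason}")
        self.severity = new_severity


def run_example():
    """Walk a constructed SMS incident through the full workflow and return it."""
    inc = Incident("pid-002", "SMS", "Low")
    inc.assign("alice")
    inc.transition("Acknowledged", "alice")
    inc.transition("Investigating", "alice")
    inc.set_severity("Medium", "alice", "same sender reached a second PhantomID")
    inc.transition("Confirmed", "alice")
    inc.transition("Remediated", "alice", "sender blocked at the telecom gateway")
    inc.transition("Closed", "alice")
    return inc
```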
Working with Incidents
Assigning Incidents
Incidents can be assigned to specific team members:
- Open the incident
- Select an assignee from your team
- The assignee receives notification and becomes the primary investigator
Adding Comments
Use comments to document your investigation:
- Record findings as you investigate
- Tag relevant team members
- Attach supporting evidence
- Document decisions and their rationale
Linking Threat Actors
When you identify the source of an incident:
- Search for existing threat actors by phone number or email
- Link the matching threat actor to the incident
- Or create a new threat actor if this is a previously unknown source
Closing Incidents
When investigation is complete:
- Update status to Remediated with a summary of corrective actions
- Move to Closed when fully resolved
- The incident and its full timeline remain in the system for historical reference
Incident Notifications
Incidents can trigger external notifications:
- Webhook — Send incident data to your SIEM, ticketing system, or custom integration
- Email — Alert specific team members or distribution lists
- Slack — Post incident alerts to a designated channel
Configure notification rules in Settings → Integrations.