Case study

Netskope triples the efficiency of its SOC with help from Tines

Highlights

  • Tripling SOC efficiency without adding headcount
  • Contributing to a 25% reduction in MTTR
  • Driving innovation across the security team

About the customer 

Netskope is a leading provider of Secure Access Service Edge (SASE) and Zero Trust solutions. It serves more than 3,000 customers worldwide, including over 30 Fortune 100 companies, across diverse industries such as retail, healthcare, telecommunications, and financial services. Netskope’s offerings follow a cloud-native, data-centric approach, delivered via the Netskope One converged security and network-as-a-service platform.

Executive summary 

Netskope’s security team took on the ambitious task of moving operations in-house from a managed security service provider (MSSP). As they built their own SOC from the ground up, they quickly felt the strain of increasing workloads.

To scale effectively, they added capacity via automation. With Tines’ workflow automation, orchestration, and AI, they tripled the SOC’s operational efficiency, building workflows that both directly and indirectly contributed to improved metrics, including a 25% reduction in mean time to respond (MTTR). By increasing their capacity, Netskope also gained the bandwidth to focus on broader initiatives that strengthened their overall security posture.

The challenge 

As Netskope transitioned from an MSSP to a fully in-house SOC, the team was under pressure to scale quickly. Three senior security professionals were responsible for onboarding tools, managing and triaging alerts, and building out processes simultaneously.

“We couldn't focus on one thing and then get to the other,” says Ally Troha, Manager, Security Operations. “We had to do everything at once.”

At the time, automation was minimal, limited to a basic integration for ticketing. “Building the SOC required a lot of different things from our partner teams, and the workload just increased,” says Senior Security Analyst Reggie Warner. “We just didn't have enough hands to keep up with it.”

Why Tines 

The Netskope team also explored other SOAR solutions, but Tines stood out for its cost effectiveness, usability, flexibility to connect with any tool, and versatility of deployment options. Netskope soon became both a customer and a Technology Alliance Partner.

The impact 

Tines has helped Netskope’s SecOps team become faster, more efficient, and more strategic, accelerating its vision of a next-generation SOC. For VP of Cyber Defense Damian Chung, the value was immediate.

“From a business perspective, Tines is one of those tools that actually contributed almost immediately to our operations.”

  • Damian Chung, VP of Cyber Defense

Scaling and efficiency

Tines has proven essential to helping Netskope scale its SOC operations, effectively tripling the team’s capacity. By automating repetitive, time-consuming tasks, the team has significantly increased its output without increasing headcount.

“At one point, we were automating the equivalent of one person’s workload every week,” explains Ally.

Risk reduction

Improving SOC efficiency has helped Netskope move the needle on key metrics like mean time to respond (MTTR) and, as a result, strengthen its overall security posture. While multiple efforts contributed to this progress, Tines has played a key role, directly through specific workflows and indirectly by removing manual overhead.

By enabling quicker decision-making and reducing the burden of repetitive tasks, Tines has helped the team respond faster and with greater confidence.

“Having faster, more automated tasks across our security operations not only improves response time, but also reduces risk, because we can react much more quickly, even to complex issues.”

  • Damian Chung, VP of Cyber Defense

Driving innovation

At Netskope, improving efficiency isn’t just about doing more with less - it’s about removing barriers to innovation. By eliminating repetitive work, Tines has helped empower analysts to focus on creative, higher-value tasks that energize the team and push the SOC forward.

“By taking away some of those low-level tasks and having them automated, it moves analysts up the stack a little bit where they can do things that are a little more complex, a little more exciting,” Damian explains. “And because it's more exciting, they are more engaged. And because they're more engaged, you have a better operating security team.” 

That improved engagement has opened the door to deeper skill development and experimentation, he adds.

“It’s not just about taking away those low-level tasks. It’s about getting them excited about the possibilities of automation. They start thinking about how to build workflows, how to use APIs - they get to use the skills they were taught and think more creatively.”

“I think a key component of maintaining a really healthy, high-functioning security operations team is keeping them excited, not just stuck doing remedial tasks every day.”

  • Damian Chung, VP of Cyber Defense

Ally has seen firsthand how this shift is transforming the team and setting Netskope apart.

“It’s helped level up my analysts, not just to the level of other teams at Netskope, but beyond what many security teams in other organizations are doing,” she says.

She’s shared Netskope’s journey with Tines at multiple conferences, encouraging other security teams to take a similar approach.

“A lot of security teams don’t have that automation piece,” Ally says. “We’re leading by example for teams that are looking to modernize.”

Top use cases 

  • Vulnerability management

  • Threat detection

Top workflows 

As a Tines Technology Alliance Partner, Netskope has contributed over 60 templates to the Tines template library, helping joint customers build workflows faster. 

Some of the most impactful workflows built by Ally, Reggie, and their team include:

Phishing response

In this workflow, a bot pulls updates on quarantined emails from Mimecast every hour and notifies end-users via Slack. Users then have the option to release the email, reject it, or send it to security for investigation.

“It works in two ways,” says Reggie. “It helps users get their information faster, but it also gives us another avenue to respond to phishing attempts that may have gotten through.”

CrowdStrike monitoring

The workflow automatically detects if a CrowdStrike sensor was accidentally uninstalled and reports it to the security team via an email sent to Jira. 

“The report shows us when the last activity was, and when the sensor event uninstall happened, so we can compare the timeframe,” Reggie explains.

Investigating suspicious links

When a security analyst finds a potentially malicious link during triage, they can send the URL to “remote browser isolation” (RBI) for investigation.

“This is essentially a sandbox environment where you can't download anything, you can't copy and paste, and you can't upload. You're really protected,” explains Ally. “So this workflow allows an analyst to use a Slash command in Slack to send a URL to our RBI. And then within minutes, you're able to analyze it instead of pushing a change and doing it manually through the UI for our Netskope product.”

Update URL lists used by Remote Browser Isolation in Netskope

Update a list of URLs to be accessed using Netskope's Remote Browser Isolation (RBI) to keep users secure from potentially suspicious websites. New URLs can be added to the list using a Slash command in Slack.

View and import more pre-built workflows that connect with Netskope in the Tines library.

Favorite feature 

For Ally, Tines' reporting capabilities are a key differentiator. “It makes my life easy and gives me a great justification for keeping Tines onboarded,” she says.

For Reggie, it’s all about flexibility, especially when it comes to the event transform action. “It can do so much, and even in the past few months, I’ve learned several new things it can handle,” he explains.

One standout example involved pulling a list of users from a specific Okta group and filtering them by status - active or deactivated. “I initially started using explode mode, looping through the data with triggers to identify user status, then separating them all manually,” Reggie says. “But then someone showed me how to compile all the pagination events together in one step, without needing to go through that explode process. It made everything easier to maintain, easier to read, and just a small change that made a huge difference.”

What sets Tines apart, he adds, is how these small workflow improvements scale. “The flexibility of not only the actions, but the whole platform really makes life easier.”

Tines support

Reggie describes Tines’ customer support as “always responsive, always helpful.”

“It’s been wonderful,” he says. “I’ve never had a delayed response or received an answer without either a solution or clear guidance on where to find one.”

What’s next 

Netskope plans to expand its use of Tines across new teams.

Internally, Tines is now part of Netskope’s foundational training for new hires. This growing confidence within the security function has made it easier to expand adoption.

“The IT and engineering teams, for example, can see how many workflows we’re building and how much time it’s saving us,” Damian says. “Having that proven success story internally makes it easier for other teams to get started - why not take advantage of what’s already working?”
