Skip to main content

Frequently Asked Questions

What Are the Technical Requirements and Steps for Deploying CheckMate in Hybrid or Complex Environments?

CheckMate powered by Phen.AI is designed for rapid deployment across hybrid, multi‑site, and complex infrastructures. The platform supports both secure cloud and on‑premises installations, allowing organizations to choose the model that best aligns with their operational and regulatory needs.

Flexible Deployment Options: Phen.AI supports multiple deployment scenarios, including:

  • Internal‑network threat detection
  • External‑network threat detection
  • Offline PCAP ingestion and analysis
  • Hybrid environments combining cloud analytics with on‑premises sensors

This flexibility ensures that CheckMate can be introduced into virtually any architecture without requiring major infrastructure changes.

Core Architectural Components:

A standard deployment includes several key elements:

  • AdminCore – for centralized management and orchestration
  • Sensors – for endpoint, network, and device telemetry collection
  • Distributed shippers – for data transport across sites
  • Ingest and Compute nodes – for processing and analytics
  • Cloud or private‑site analytic engines – depending on customer preference

These components can be scaled or distributed across multiple locations to support large or segmented environments.

Deployment Timeline and Operational Readiness: Phen.AI’s streamlined deployment process allows most environments to be fully installed in under two hours. Once deployed, organizations typically achieve initial operational capability within 24 hours, including active data ingestion, baseline analytics, and early detection functions.

Outcome: CheckMate’s modular architecture and rapid deployment process make it well‑suited for hybrid and complex infrastructures. Organizations gain immediate visibility and threat detection capabilities without lengthy integration cycles or extensive configuration requirements.

How CheckMate Integrates with Existing Client Security Stacks and Legacy Systems?

CheckMate, powered by Phen.AI, is built to operate across diverse enterprise environments, supporting both modern security platforms and long‑standing legacy systems. Its architecture enables flexible ingestion, normalization, and real‑time analysis of security telemetry, allowing organizations to maximize existing investments without disruption.

Integration with Enterprise Security Tools: The platform connects natively with solutions such as Nessus, Trellix, and Splunk, enabling automated ingestion of vulnerability data, endpoint telemetry

SIEM events, and threat intelligence: This creates a unified operational picture and consistent analytics across the customer’s security ecosystem.

Support for Legacy and Heterogeneous Telemetry Sources:
CheckMate ingests and correlates data from a wide range of systems, including:

  • Unix, Linux, and Windows system and application logs
  • DNS and DHCP logs
  • NetFlow and DPI telemetry
  • Firewall and IDS/IPS logs
  • Honeypot and deception system logs
  • Endpoint and EDR logs
  • PCAP data
  • Vulnerability scan outputs

This broad compatibility ensures effective operation in environments with mixed generations of hardware, software, and network infrastructure.

Multi‑Interface Operational Capability: Phen.AI interacts with systems through Bash, PowerShell, WMI, and Cisco CLI. These interfaces enable automated analysis, configuration, and response actions across cloud‑native, on‑premises, and legacy platforms.

Outcome: By integrating cleanly with existing tools, modern devices and legacy systems, CheckMate strengthens an organization’s security posture without requiring costly rip‑and‑replace efforts. The platform delivers unified analytics, improved detection fidelity, and greater operational efficiency across the entire security stack.

What Changes Will SOC Analysts Notice in Their Daily Monitoring and Incident Response Routines?

CheckMate powered by Phen.AI introduces a more streamlined, accurate, and centralized operational experience for SOC analysts. Daily monitoring becomes more cohesive, and investigative workflows become significantly faster and more informed.

Centralized and Enriched Monitoring: Endpoint, network, cross‑domain, and cloud telemetry are correlated in real time, giving analysts a unified operational picture. The AI‑driven ingest engine reduces noise by enriching events with context, allowing analysts to focus on meaningful activity rather than sifting through fragmented alerts.

AI‑Assisted Investigation and Faster Triage: Phen.AI accelerates triage and root‑cause analysis by automatically correlating logs, events, and behavioral indicators. Built‑in profiling, signature alerting, and anomaly detection reduce manual workload and help analysts quickly identify patterns, anomalies, and emerging threats.

Enhanced User and Entity Behavior Analytics (UEBA): Behavioral analytics provide deeper visibility into user activity, insider threat indicators, and lateral movement. Continuous evaluation of deviations from normal behavior gives analysts early alerts signals and actionable insights.

Active and Automated Mitigation Options: CheckMate supports both guided and automated response actions. Analysts can initiate mitigations directly or rely on Phen.AI to execute predefined countermeasures based on weighted recommendations. This approach improves response speed while preserving human oversight.

Continuous Testing and Proactive Security Posture Management: Phen.AI enables ongoing validation of the organization’s defenses through daily penetration testing, continuous vulnerability assessments, and Red and Blue Team exercises, all with minimal operational impact. Trend analysis and real‑time risk scoring help analysts prioritize remediation based on actual exposure and threat likelihood. This continuous validation ensures controls remain effective and misconfigurations are addressed early.

Overall Impact: SOC operations shift from reactive alert handling to a proactive, intelligence‑driven model. With centralized monitoring, accelerated investigations, and automated mitigation, CheckMate reduces analyst fatigue while improving speed, accuracy, and consistency of incident response.

Can Detection Rules, Response Playbooks, or Dashboards Be Customized to Fit Our Organization’s Needs?

Yes. CheckMate is built on a modular and highly extensible architecture that allows organizations to tailor detection logic, response workflows, and operational dashboards to their unique security requirements. The platform supports full customization of detection rules, alert thresholds, correlation logic, and automated response actions, ensuring alignment with each customer’s environment, risk profile, and operational processes.

Active Response Capabilities: Phen.AI’s Active Response engine further extends customization by enabling automated or semi‑automated remediation actions. For example, in patch management scenarios, Phen.AI identifies unpatched systems, engages a human‑in‑the‑loop for validation, and applies the required updates, unless security teams have already addressed the issue or instructed the system to disregard a specific patch. This model ensures both operational efficiency and analyst oversight.

Active Response capabilities continue to expand across additional operational domains, providing organizations with increasing flexibility to automate routine tasks, accelerate incident response, and reduce operational burden.

Role‑based dashboards, visualizations, and reporting modules can be adapted to meet the needs of SOC analysts, incident responders, executives, and compliance teams. This flexibility enables organizations to highlight the metrics, alerts, and operational insights most relevant to their mission.

To support deeper customization, Phen.AI aids with:

  • Custom report and dashboard creation
  • Threat analysis and rule tuning
  • Alert configuration and correlation logic
  • Development of tailored response playbooks
  • Integration of customer‑specific workflows and data sources

These services ensure that CheckMate not only fits into an organization’s existing processes but enhances them.

Outcome: Through modular design, customizable workflows, and expert support services, CheckMate ensures that detection rules, response playbooks, and dashboards can be fully tailored to meet the unique needs of any organization, without compromising security, visibility, or control.

To What Extent Can Consultants Customize Detection Rules, Analytics, or Response Workflows Within CheckMate?

Consultants have extensive flexibility to tailor CheckMate to an organization’s specific security requirements. The platform’s modular architecture allows for deep customization across detection logic, analytics workflows, and automated or guided response actions. This ensures that CheckMate aligns with each customer’s operational environment, threat landscape, and internal processes.

Consultants can adjust and refine detection rules, correlation logic, and analytic models to improve accuracy and reduce noise. They can also customize alert handling, reporting formats, and dashboards to match organizational workflows and role‑based needs.

CCG’s professional services team supports these efforts by providing expertise in implementation tuning, report development, threat analysis, alert optimization, and broader product enhancement planning. This partnership ensures that customers receive a solution tailored to their operational maturity and evolving security priorities.

Phen.AI’s Active Response capabilities further expand customization options. Consultants can design automated or human‑validated remediation workflows, such as identifying unpatched systems, confirming actions with analysts, and applying updates unless instructed otherwise. These capabilities continue to grow, enabling broader automation across additional operational domains.

Outcome: Through this combination of platform flexibility and expert support, CheckMate powered by Phen.AI empowers consultants to deliver highly customized detection, analytics, and response workflows that evolve alongside the organization’s security program.

How Does CheckMate, Powered by Phen.AI, Scale to Support Global, Multi‑Site Organizations with Complex Infrastructures?

CheckMate is engineered to operate reliably across large, distributed environments by leveraging a scalable architecture built around distributed sensors, and AdminCore. This design allows the platform to expand seamlessly as organizations grow or as monitoring needs increase across multiple geographic locations.

Distributed sensors collect telemetry from endpoints, networks, and security devices across all sites, feeding data into AdminCore and the analytic compute layer for correlation, enrichment, and real‑time analysis. Additional compute nodes can be deployed to handle increased ingest volume, higher event throughput, or expanded device coverage, ensuring consistent performance even in complex, high‑density environments.

Phen.AI enhances this scalability by providing a secure environment and flexible compute resources that can be added as needed. Its architecture supports incremental expansion, whether adding more ingest capacity, increasing analytic horsepower, or integrating additional device types.

For organizations requiring on‑premises deployments, Phen.AI offers appliance tiers up to the Enterprise level, capable of supporting unlimited IPs (Class C network), endpoints, or devices. This configuration includes AdminCore consisting of a utility node, multiple ingest nodes, compute resources, and sensors, providing a robust foundation for large, multi‑site operations.

Outcome: Through this combination of distributed collection, modular compute scaling, and flexible deployment options, CheckMate powered by Phen.AI delivers reliable performance and unified visibility across global infrastructures, regardless of size or complexity.

What Is CheckMate Powered by Phen.AI’s Pricing Model?

The CheckMate powered by Phen.AI platform, offers both secure cloud subscription pricing and on‑premises annual appliance options to accommodate different deployment needs.

Cloud Subscription Model: Phen.AI provides monthly cloud tiers based on the number of IPs or endpoints being monitored. Pricing begins at $1,699 per month for environments up to 25 IPs/endpoints and scales to $3,750 per month for up to 150 IPs/endpoints. Cloud deployments include a one‑time installation fee, sensors and providing organizations with a fully managed, continuously updated service.

On‑Premises Appliance Model: For customers requiring local deployment, on‑premises pricing starts at $75,699 annually for support of up to 500 IPs, endpoints, or devices. Higher‑capacity tiers are available, including an Enterprise appliance that includes the AdminCore consisting of a utility node, multiple ingest nodes, compute resources, and 25 sensors. Enterprise‑level pricing is provided through direct consultation to ensure alignment with infrastructure scale and operational requirements.

Operational Efficiency and Cost Reduction: Because CheckMate powered by Phen.AI is an all‑in‑one security operations AI platform, organizations often reduce reliance on traditional manned operations centers and lower workforce‑related costs. The platform consolidates monitoring, analytics, investigation, and response capabilities, delivering measurable operational savings alongside improved security outcomes.

What ongoing support, training, and SLAs are included with Phen.AI?

CCG’s customer service program is built on four pillars: responsiveness, escalation discipline, technical depth, and continuous improvement.

1. Customer Support Intake and Initial Response

All customer service requests, whether submitted via email, phone, or support portal, are routed through CCG’s centralized support system. Each request is automatically logged, time stamped, and assigned a severity level based on impact and urgency.

Standard Support

  • Initial response: within 48 hours (M–F, excluding holidays)
  • Issue acknowledgment: within 5 working days
  • Resolution target: within 3 working weeks

Gold Support

  • Initial response: within 24 business hours (M–F, excluding holidays)
  • Issue acknowledgment: within 3 working days
  • Resolution target: within 2 working weeks

Platinum Support

  • Initial response: within 2 business hours
  • Issue acknowledgment: within 1 working day
  • Resolution target: within 1 working week

These response objectives are contractually defined and monitored to ensure consistent performance.

2. Escalation Protocols

CCG uses a structured, multi tier escalation model to ensure that issues are resolved quickly and by the appropriate level of expertise.

Tier I (Partner or CCG Frontline Support)

  • Handles basic troubleshooting, configuration questions, and common operational issues
  • Provides initial triage and gathers diagnostic information
  • Escalates unresolved or complex issues to Tier II

Tier II (Advanced Technical Support)

  • Performs deeper investigation, log analysis, and system level troubleshooting
  • Coordinates with deployment engineers when needed
  • Escalates platform level or code level issues to Tier III

Tier III (CCG Engineering & Development)

  • Manufacturer direct support from the engineers who build and maintain the platform
  • Handles complex, high severity, or security critical issues
  • Provides patches, hot-fixes, and advanced remediation guidance

Escalation is automatic when response thresholds are reached or when issue severity warrants immediate elevation.

3. Issue Resolution Procedures

CCG follows a disciplined, repeatable process to ensure timely and accurate issue resolution:

  • 1. Issue Logging & Severity Classification
    • Categorized as Critical, High, Medium, or Low
    • Determines response and escalation timelines
  • 2. Initial Diagnosis
    • Tier I collects logs, system data, and user context
    • Quick fixes are applied when possible
  • 3. Technical Investigation
    • Tier II or Tier III performs root cause analysis
    • Reproduces issues in lab environments when needed
  • 4. Remediation & Verification
    • Fixes are applied, validated, and documented
    • Customer confirms resolution
  • 5. Closure & Reporting
    • Ticket is closed with full documentation
    • Lessons learned are fed into continuous improvement

For critical issues affecting security or system availability, CCG initiates an immediate escalation to Tier III and provides continuous updates until resolution.

4. Incentives and Quality Assurance

CCG maintains several internal incentives and quality controls to ensure service excellence:

  • Performance based metrics for support staff tied to response times, resolution rates, and customer satisfaction
  • Quarterly service reviews to evaluate partner performance and adherence to SLAs 
  • Continuous training and certification for all support personnel
  • Root cause analysis reviews for recurring issues to prevent future incidents
  • Customer satisfaction scoring integrated into support workflows

These incentives ensure that both CCG employees and authorized partners consistently meet or exceed service commitments.

5. Customer Communication and Transparency

Throughout the support process, CCG provides:

  • Regular status updates
  • Clear timelines for next steps
  • Documentation of findings and resolutions
  • Escalation contacts for urgent matters

Customers always have direct access to CCG’s Tier III engineering team for high severity issues. CCG’s customer service program is a structured, disciplined, and Manufacturer direct support model designed to meet the mission critical needs of Sourcewell Participating Entities. With defined response times, clear escalation pathways, rigorous issue resolution procedures, and strong performance incentives, CCG ensures that every customer receives timely, expert, and reliable support throughout the lifecycle of the CheckMate powered by Phen.AI platform.

How Does CheckMate, Powered by Phen.AI, Minimize False Positives and Alert Fatigue for Analysts?

CheckMate reduces false positives and alert fatigue by combining multi‑source correlation, behavioral context, and advanced cognitive learning to ensure that only meaningful, high‑confidence alerts reach analysts. The platform focuses on identifying genuine vulnerabilities, threats, and active attacks rather than overwhelming teams with noise.

Multi‑Source Correlation for High‑Fidelity Alerts: Phen.AI correlates data across a wide range of telemetry sources, including logs, NetFlow, DPI, firewalls, honeypots, endpoints, vulnerability data, and behavioral indicators. By evaluating events in context rather than isolation, CheckMate filters out benign activity and elevates only those alerts that demonstrate true risk.

Cognitive Learning and Behavioral Analysis: The platform applies cognitive learning models, historical network knowledge, and user/entity behavior analytics to distinguish normal patterns from suspicious deviations. This continuous learning process improves detection accuracy over time and reduces repetitive or irrelevant alerts.

MITRE ATT&CK Mapping for Threat Relevance: CheckMate aligns detections with MITRE ATT&CK techniques, ensuring alerts are tied to real adversary behaviors. This mapping helps analysts quickly understand the significance of an event and reduces time spent investigating low‑value signals.

Automated False Positive Resolution: Phen.AI can ingest alerts from other security tools and automatically suppress or resolve false positives. When an alert is validated as benign, the system learns from the outcome and adjusts future detection logic, further reducing unnecessary noise.

Actionable, Context‑Rich Notifications: When alerts are generated, they include clear context, recommended actions, and supporting evidence. This reduces investigation time and helps analysts focus on events that truly require attention.

Outcome: By combining correlation, behavioral analytics, cognitive learning, and automated suppression, CheckMate significantly reduces false positives and alert fatigue. Analysts receive fewer, higher‑quality alerts, enabling them to concentrate on real threats and respond more effectively.

Can CheckMate Reduce Workforce Costs, Improve ROI, and Deliver Operational Gains for Similar Enterprises?

CheckMate powered by Phen.AI is designed to streamline security operations and significantly reduce the manpower required to maintain a compliant and resilient cybersecurity posture. By consolidating monitoring, analysis, and response into a single platform, organizations can support 24/7 operations without the staffing levels typically associated with traditional SOC models.

The platform provides real‑time, automated evidence of CMMC compliance, eliminating the need for extensive manual data collection and documentation. For many Level 2 environments, this continuous monitoring replaces an estimated 300–600 hours of manual effort that would otherwise be required each month to maintain compliance readiness.

CheckMate’s automation, integrated analytics, and centralized workflows reduce operational overhead, lower escalation and staffing costs, and improve overall efficiency. Phen.AI’s documentation library also includes a dedicated ROI analysis, helping organizations quantify cost savings and operational improvements achieved through platform adoption.

Outcome: By reducing labor demands, improving compliance efficiency, and consolidating security functions, CheckMate delivers measurable ROI and long‑term operational benefits for enterprises with similar security and regulatory requirements.