Skip to main content


about wombat security

Wombat Security Technologies was founded to commercialize products originally developed at Carnegie Mellon University as part of one of the largest anti-phishing research projects in the US.


CyLab Chronicles

Wombat: The Latest CyLab Success Story

posted by Richard Power

In this interview, three Carnegie Mellon CyLab faculty members, Norman Sadeh, Jason Hong and Lorrie Cranor share insights and inspiration from the collaborative efforts to turn their ground-breaking, phishing-related research into Wombat Security Technologies, another success story of CyLab technology transfer.

CyLab Chronicles: Tell us how Wombat evolved from your Carnegie Mellon research. Can you give us some insight on the process of transitioning something from a pure research environment into the entrepreneurial realm?

SADEH: Five years ago, it became clear to us that phishing attacks were going to quickly intensify and that there were no commercial solutions that were truly effective in this space. Vendors were still operating under the assumption that somehow digital signature and certificate solutions alone could solve the phishing problem, whereas, for many years, we had already been advocating multi-pronged security solutions that recognize the importance of human users. Wombat has its roots in a National Science Foundation grant proposal we submitted in 2004. NSF liked the proposal because it was so different from many of the more traditional projects they had been funding and because it recognized at the outset that any effective solution in this space has to acknowledge the importance of training and of making users part of an organization’s defense. We became one of the largest, if not the largest, national research project in the area. Additional funding was provided by CyLab and its Army Research Office grant. Within just a couple of years, our training and filtering solutions started making the headlines and we were getting requests for our solutions from organizations as diverse as the US Air Force, financial organizations, health care organizations, ISPs, and universities, to name just a few. Within a year of its launch, Phil, our anti-phishing game had been played by tens of thousands of users, and it was significantly more effective than traditional training would have been.

Evaluations of our filtering technology were also very promising, showing that we were catching significantly more phishing emails than any other filter we had compared against while having a near zero false positive rate – much better than the competition.

As demand for our solutions continued to increase, we also came to realize that, as a university, we would only be able to go so far in distributing and maintaining our solutions. So the path forward was fairly clear and Wombat was eventually launched earlier this year. As a commercial entity, we have gained further visibility and have daily opportunities to talk to customer organizations and to closely monitor phishing attacks as they continue to evolve. This in turn is helping us refine and extend our family of products.

We have also become much better at thinking in terms of ROI. Given the current state of the economy, Wombat’s success over the past six months can only be attributed to the unique ROI proposition we offer our customers. If you are a medium size bank and are facing the prospect of phishing attacks that can each cost you a million dollars, investing in our technologies is a “no brainer.” The argument for government organizations, whether at the federal, state or local level as well as for a number of other organizations is just as compelling.

CyLab Chronicles: The Wombat product suite has three dimensions -- employee training, customer training and automated solutions. Briefly, tell us what each of them offers, and what needs they address respectively.

SADEH: Whether you’re a bank, a government organization or an ISP, both your employees and your customers are potential targets of phishers. Our training games have been shown to be quite effective for both. In addition, we have developed an embedded training service specifically targeted at monitoring employee readiness and at continuously training your workforce to recognize phishing attacks, including particularly insidious attacks that people refer to as spear-phishing. These are attacks that have been specifically crafted to target employees in your organization, possibly just one employee such as your CEO, CTO or legal counsel.

Scientific evaluations of our training solutions show that they can significantly boost an organization’s readiness. Yet, training people is far from a foolproof solution. So from the very beginning, we have been asking ourselves what else we could do to help. In particular, when it comes to filtering phishing emails, we noticed that commercial filters were essentially spam filters that had been retrofitted to also catch some phish. Many of these filters essentially rely on so-called “black lists” that are manually updated to catch phishing emails (which, from a filtering perspective, are very different from spam emails). The problem with these filters is that they are always lagging behind. Instead, we focused on using advanced machine learning techniques to develop heuristic-based filters capable of reliably identifying combinations of attributes indicative of phishing. As a result, Wombat’s PhishPatrol filter is capable of reliably intercepting new phishing attacks from the very time they are launched, rather than lagging several hours behind.

CyLab Chronicles: What unique challenges of the phishing problem made this three-dimensional approach advantageous?

CRANOR: Phishing attacks are fundamentally about exploiting human vulnerabilities rather than software vulnerabilities. Thus it is critical to address the human element when combating phishing. Ideally, we would like to ensure that humans never see phishing messages. However, phishing is somewhat of an arms race. As attacks become more sophisticated and are propagated over different channels, it is difficult to provide 100 percent protection and cover all channels over which someone might receive a phishing message. Thus, it is important to complement automated detection with user education, so that people are better prepared to deal with phishing messages when they receive them. But most people don’t want to sign up for a computer security training class, so we need to find ways of reaching them and providing training in small doses. Companies can use our solutions to train their employees as well as their customers without having to send them to a security class.

CyLab Chronicles: Do you foresee applying this approach to other problems, e.g., spam, trojan horse e-mail attachments, and other e-mail security issues?

HONG: There is a lot of room for effective training solutions beyond just phishing and we have already identified a number of other security and regulatory areas we want to pursue in the future. As far as filtering is concerned, it’s an arms race and our focus on using advanced machine learning techniques puts us in a unique position to develop other related products in this space. In the longer run, we also envision broadening the range of products we offer by continuing to build on our unique expertise in usable security and privacy.

CyLab Chronicles: What message can CyLab's corporate partners or those contemplating becoming CyLab corporate partners draw from the Wombat story?

SADEH: Carnegie Mellon University is a very unique place that promotes both scientific excellence and research impact. Wombat’s story is far from unique and many of our colleagues at CyLab and in the School of Computer Science have been involved in similar ventures. We believe that it is this focus on research addressing practical challenges and the entrepreneurial spirit that permeates Carnegie Mellon’s culture that differentiates us from many other research organizations.

Related Posts:

See all CyLab Chronicles articles