Cyber threat intelligence solutions are designed to gather data, analyze trends, then provide your organization with actionable intelligence regarding cybersecurity threats. This information needs to be collated in a timely manner to ensure it remains relevant. Armed with this accurate intelligence, your organization can combat threats before they become more dangerous.
Each solution works in a different way, and will have a different configuration of AI, ML, human expertise, and automation. Ensuring you have the right solution for your organization is essential. Some might specialize in brand protection, and others threat-actor identification. You need to decide what you want out of your cyber threat intelligence solution, before you can select one.
It can also be very helpful for alerts to be prioritized as this prevents admin from having to respond to insignificant notifications. Instead, your human resources can focus on their other tasks, knowing that they will be warned of any significant risks.
In this guide, we’ve outlined the top cyber threat intelligence solutions, highlighting unique features, what user’s think, and who they are best suited for.
Users like: Intuitive user interface and easy integrations with other vendors, tools, and feeds.
Users dislike: Lack of customization and versatility.
Anomali is a California-based cybersecurity company that specializes in providing intelligence-driven XDR solutions for businesses globally. ThreatStream is its powerful threat intelligence product, which leverages automation to collect, curate, and disseminate threat data easily and effectively, providing customers with relevant and actionable intelligence.
What really differentiates this vendor from its competitors is the breath of commercial threat streams and tools that can integrate with the product via the Anomali Preferred Partner (APP) store, as well as its machine learning algorithm for scoring IoCs, which helps teams prioritize their response to threats.
The ThreatStream platform collects threat data from various feeds—including hundreds of open-source intelligence feeds, premium feeds, Anomali Lab curated feeds, intelligence from customers’ operational environment, and more—and leverages machine learning to augment the data, remove false positives, and score IoCs, enabling security teams to quickly prioritize and action intelligence.
Anomali ThreatStream can integrate directly into customer security tools—such as SIEM, EDR, SOAR, and more. ThreatStream is a solid option for organizations looking for a powerful threat intelligence tool that uses automation and machine learning to collect, analyze, and disseminate threats.
Users like: Fast, thorough, accurate, and insightful intelligence, as well as the option to benefit from a dedicated intelligence analyst (included with Falcon X Elite).
Users dislike: Poor support for Mac OS and Linux.
Founded in 2011, CrowdStrike is a global leader in cloud-native security and is particularly well known for its endpoint protection and powerful threat intelligence services. Its Falcon X platform tracks and reports IoCs in real-time, provides detailed actor profiles, automates threat detection and remediation, and performs thorough threat and vulnerability hunting.
What sets CrowdStrike apart is its detailed and contextualized integrated threat intelligence—that not only provides details of an incident, but also the wider context behind the threat. This can improve your understanding of why and how a threat has entered your network.
The Falcon X platform is available in three packages: Falcon X, Falcon X Premium, and Falcon X Elite. While all three include automated incident investigation and response, the Premium version provides tailored threat intelligence reporting, while Elite assigns an intelligence analyst to conduct specialized research and produce reports.
Popular with Fortune 100 organizations, as well as those in the finance, healthcare, and energy industries, CrowdStrike Falcon X is a great option for large enterprises looking for specialized, in-depth threat intelligence from one of the most advanced platforms globally.
Users like: Fast, responsive, and easy-to-use platform that does an excellent job at filtering out false positives.
Users dislike: Metrics and reporting could be improved.
Digital Shadows is a leading digital risk protection company that specializes in cyber threat intelligence and data exposure, and particularly excels in brand protection. SearchLight is its managed service that helps customers manage digital risk, reduce their attack surface, and gain access to high-quality technical, tactical, operational, and strategic threat intelligence.
Via the SearchLight Platform, customers can configure assets, collect threat data from a variety of sources (ranging across the surface, deep, and dark web), analyze risk, and respond to threats. The platform also provides access to Digital Shadows’ threat intelligence library, which houses more than ten years’ worth of reports, dark web data, and operational intelligence.
Additionally, as part of its advanced brand protection capabilities, users can initiate self-service takedowns on notification of leaked data or an impersonation attempt—or leverage end-to-end managed takedowns for an additional fee.
Digital Shadows’ SearchLight is a great solution for smaller teams across all industries that are looking for threat intelligence from a wide range of sources, as well as powerful brand protection capabilities.
Users like: Superior analytics and threat reporting capabilities.
Users dislike: Suitable for limited use cases and industries.
Headquartered in New York, FlashPoint is a globally trusted business risk intelligence (BRI) vendor that has a particularly strong reputation for detecting fraud and stolen data on the deep and dark web. FlashPoint’s Threat Intelligence Platform combines automated data collection and machine learning with expert human analysis to curate an archive of threat reports and research, as well as provide users with deep and dark web intelligence.
What sets the platform apart from its competitors is its deep insights into chatter and intelligence gathered from online communities, forums, chat services, and illicit marketplaces. FlashPoint can also engage with threat actors and obtain their customers’ compromised assets. The platform additionally comes with an easy-to-use dashboard for analytics, access to its knowledge base and finished intelligence, technical intelligence, and automated altering.
FlashPoint’s Threat Intelligence Platform comes in three plans: Core, Team, and Enterprise. While all plans include threat monitoring capabilities and vulnerability prioritization, the Team plan adds curated threat alerts and requests for information (RFIs), while Enterprise adds account takeover protection, detection of exposed data in the cloud, and on-demand support during a ransomware event.
The FlashPoint Intelligence Platform is a great option for both public and private sector organizations looking for powerful fraud and stolen data detection and in-depth visibility into deep and dark web community activity.
Users like: User-friendly and scalable platform with easy analytics and reporting capabilities.
Users dislike: High pricing and complicated online documentation.
As one of the world’s largest computer software, middleware, and hardware providers, IBM is a strong option for organizations looking for powerful threat intelligence capabilities. Part of the IBM Cloud Pak for Security (which also includes applications such as its data explorer, SOAR, risk manager, and Guardium insights) the Threat Intelligence Insights application enables you to quickly identify, investigate, prioritize, and remediate threats on one easy-to-use platform.
IBM Security X-Force comes with several built-in features, including a personalized Threat Score (which enables you to prioritize threats), Am I Affected searches (which enable you to search across sources to identify threats), powerful threat intelligence feeds (including details on threat activity and groups), reporting capabilities, and end-to-end threat management. This provides you with a holistic view of your threat landscape and the ability to protect against threats at every stage of the threat lifecycle.
There are two pricing options available for the platform: enterprise-wide pricing, which is based on the size of your infrastructure, and usage-based pricing, which is a more scalable option that enables you to add more capabilities as you go.
IBM Security X-Force is a great option for mid-market and enterprise organizations across all industries that are looking for easy-to-use, end-to-end threat management capabilities on one simple platform.
Users like: Easy implementation and helpful browser extension for details on IoCs.
Users dislike: Intelligence can be too technical.
Founded in 2004, Mandiant is an established, market-leading cybersecurity company that specializes in threat intelligence and visibility. Following its split from FireEye (now Trellix) in 2021, Mandiant continues to be a global industry leader in threat intelligence services, offering its Threat Intelligence module as part of the Mandiant Advantage platform.
Mandiant Threat Intelligence is a comprehensive module that manages the collection, analysis, curation, and dissemination of threat data, leveraging sources such as underground communities, incident and infrastructure analysis, and threat actor profiling to inform the Mandiant Intel Grid. Using the solution, users can gain a holistic view of ongoing threat activity—supported by daily insights and analysis curated by Mandiant experts—to act on intelligence quickly and effectively.
The platform is currently available via three subscriptions—Free, Security Operations, and Fusion. The free subscription enables users to investigate known threats, while Security Operations helps strengthen threat investigation and detect unseen threats. Fusion is the most comprehensive, with the addition of reporting, vulnerability analysis, and dark web monitoring.
Mandiant Threat Intelligence is particularly popular with enterprise-sized organizations—including law enforcement agencies and governments—that are looking for a powerful threat intelligence solution to protect against advanced threats.
Users like: Automated playbooks and a wide range of integrations with third-party tools.
Users dislike: Documentation is lacking, and the user interface can feel cumbersome.
Headquartered in California, Palo Alto Networks is a global leader in enterprise cybersecurity solutions. Its Threat Intelligence Management (TIM) platform is a part of its Cortex XSOAR offering—combining threat intelligence with SOAR capabilities to seamlessly integrate threat intelligence with automated workflows.
The TIM platform enables security teams to effectively prevent and respond to potential threats by managing and automating the threat intelligence lifecycle. This includes aggregating data, scoring IoCs, and leveraging automated playbooks to respond to threats.
Threat data is enriched by Palo Alto Network’s Unit 42 research team, which is a leading resource in threat hunting and analysis and aggregates global intelligence into a native repository. This intelligence is then automatically integrated into customers’ existing tooling, enabling teams to more effectively contextualize, prioritize, map out, and respond to threats.
Palo Alto Networks boasts more than 850 partner integrations via its XSOAR marketplace, making it a great option for organizations looking to integrate the solution as part of a large ecosystem. We recommend Cortex XSOAR TIM for enterprise-sized organizations—across both the public and private sector—that are looking for powerful automation and seamless integration with existing tools.
Users like: On-demand search capability with granular, easily understandable results.
Users dislike: Learning curve when adjusting to the user interface.
Founded in 2009, Recorded Future is a global threat intelligence provider that specializes in combining automated, AI-powered data collection with human expertise to enable organizations to better identify, disrupt, and remediate threats. The platform offers unrivaled open-source intelligence, including insights gathered from the dark web, technical sources, and more.
Intelligence insights are curated by a combination of Recorded Future’s proprietary “Intelligence Graph” and expert analysts. The Intelligence Graph is a repository housing threat data spanning over the past ten years and continuously updates with billions of new entities in real-time. The platform’s natural language processing capability finds associations and relationships between pieces of data—such as a type of malware and the vulnerabilities it targets—providing relevant, actionable intelligence.
The Recorded Future platform is built on several modules, including brand, SecOps, threat, vulnerability, third-party, geopolitical, identity, card fraud, and attack surface intelligence. It also includes optional add-ons for on-demand analysts, takedown services, and more. This modular approach makes it easy to integrate the solution across different teams and roles, and to provide them with relevant intelligence for their role.
The Recorded Future Intelligence Platform is a great option for larger enterprises looking for in-depth, open-source intelligence from a range of sources.
Users like: Easy-to-use and intuitive platform, making it suitable for non-technical users.
Users dislike: Analytical capabilities could be stronger.
Acquired by Microsoft in August 2021, RiskIQ is an attack surface management platform that specializes in providing detailed open-source technical threat intelligence and threat-actor infrastructure tracking via an array of powerful products. Two particularly stand-out products are Illuminate and PassiveTotal.
RiskIQ Illuminate is its security intelligence and analytics platform, which curates tailored insights spanning across each customer’s entire enterprise attack surface to enable a detailed insight into threats. While RiskIQ PassiveTotal aggregates data from across the entire web to deliver contextual operational intelligence—such as attacker identity, tools, infrastructure—as well as to enhance threat hunting and response using machine learning.
Partnering with RiskIQ also provides customers with access to unique “internet intelligence graphs”, which enables continuous attack surface visibility by mapping out the threats facing them, how they operate, and the relationships between those threats. This enables organizations to detect and respond to threats more quickly and effectively, using context-based operational insights to thwart attacks.
RiskIQ is a great option for businesses of all sizes that are looking for powerful open-source technical threat intelligence alongside advanced threat-actor infrastructure tracking.
Users like: Real-time impersonation alerts and takedown service, as well as support from highly qualified analysts and excellent customer service.
Users dislike: Onboarding and initial setup can take a while to complete.
An industry leader in the brand protection space, ZeroFox specializes in providing fully managed protection, threat intelligence, and takedown services across a range of public channels on the surface, deep, and dark web. This is via the powerful combination of AI, deep learning technologies, and its expert threat hunting team to deliver the right intelligence on potential threats and automatically remediate them.
The platform works by collecting data relating to dark web, brand, fraud, malware, vulnerability, geopolitical, physical, strategic, and third-party intelligence, and stores petabytes of this data in its “threat data lake”. This data is then analyzed using AI, machine learning, and human intelligence to produce relevant and actionable threat intelligence. This helps you quickly analyze, triage, and contextualize alerts, as well as perform unlimited takedowns and disruptions, and augment threat hunting capabilities.
ZeroFox is popular with organizations looking for brand protection and powerful takedown services. We recommend the platform for mid-sized to large enterprises across all industries that are particularly looking for strong brand protection, excellent customer support, and in-depth, AI-and human-powered insights.
What Is Cyber Threat Intelligence?
Cyber Threat Intelligence (CTI) describes any data that is gathered and analysed to answer a specific question. There is not one set answer as to what network intelligence is as it very much a case-by-case basis.
Cyber Threat Intelligence may be used to investigate a specific threat such as a type of malware. Information can be gathered regarding the malware’s origin, attack method, and common features. This will make it easier to identify, thereby improving remediation times.
At the other end of the scale, organizations might use Cyber Threat Intelligence to identify market trends and plan future cybersecurity strategy. In this case, organizations will be looking at the “big picture” – such as new cybersecurity technology to implement – rather than the specific details of an individual cyber threat.
What Are The Uses Of Cyber Threat Intelligence?
Before addressing the uses, it is worth splitting Cyber Threat Intelligence into the three main intelligence groups.
Tactical Intelligence is the most granular and specific form of intelligence that focuses on individual threats.
- Attack behavior
- Indicators of Compromise (IoC)
- Best remediation actions
Operational Intelligence relates to the implementation of policies and effectiveness of security tools overall.
- Configuration policies
- Malware detection rates
- Network dwell time
Strategic Intelligence looks at the big picture, long term trends to plan a multi-year cyber security strategy.
- Emerging threats and vulnerabilities
- Competitor and peer experience
- Cost effectiveness and ROI of cybersecurity tools