

April 9, 2026
GigaOm Radar for Threat Intelligence Platforms v3
Seth Byrnes
1. Executive Summary
A threat intelligence platform (TIP) aggregates, analyzes, correlates, and operationalizes cyberthreat data from multiple internal and external sources. Unlike pure intelligence providers that focus on collecting and publishing threat feeds, TIPs are workflow-driven platforms designed to transform raw indicators, adversary context, and telemetry into prioritized, actionable outcomes. They ingest structured and unstructured intelligence data, normalize it, enrich it with internal security data, score and correlate activity, and distribute intelligence directly into security controls such as security information and event management (SIEM), security orchestration, automation, and response (SOAR), endpoint detection and response (EDR), ticketing, and vulnerability management systems.
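The ingest, normalize, enrich, score, and distribute chain described above, as an added Python illustration (not code from GigaOm or from any vendor covered in this report). The feed records, the internal sighting table, and the scoring weights are constructed samples; the STIX pattern parser handles only the single-comparison patterns shown, and a malformed record is rejected rather than silently scored.

```python
"""Minimal TIP pipeline: ingest mixed feed records, normalize, enrich with
internal telemetry, score, and emit a SIEM-ready watchlist.
Added illustration; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit
import ipaddress
import re

# 1. Ingest: records arrive in different shapes from different feeds (constructed).
RAW_FEED = [
    {"source": "vendor-feed", "pattern": "[ipv4-addr:value = '203.0.113.45']",
     "confidence": 80, "labels": ["c2"]},                       # STIX-style pattern
    {"source": "osint-list", "type": "domain", "value": "Login-Example.test.",
     "confidence": 40},                                         # flat record, mixed case
    {"source": "isac", "type": "sha256", "value": "AB" * 32,
     "confidence": 70, "labels": ["ransomware"]},               # uppercase hex
    {"source": "report", "type": "url", "value": "hxxp://login-example[.]test/auth",
     "confidence": 60},                                         # defanged URL
    {"source": "osint-list", "type": "ipv4", "value": "999.1.1.1",
     "confidence": 90},                                         # malformed: must be rejected
]

# Internal telemetry to enrich against (constructed): indicator -> hosts that saw it.
INTERNAL_SIGHTINGS = {
    "203.0.113.45": ["fin-ws-017", "fin-ws-022"],
    "login-example.test": ["hr-laptop-003"],
}

@dataclass
class Indicator:
    ioc_type: str
    value: str
    source: str
    confidence: int                     # 0-100, as stated by the feed
    labels: list = field(default_factory=list)
    sightings: list = field(default_factory=list)
    score: int = 0

STIX_RE = re.compile(r"\[(?P<obj>[\w-]+):value\s*=\s*'(?P<val>[^']+)'\]")
STIX_TYPES = {"ipv4-addr": "ipv4", "domain-name": "domain", "url": "url", "file": "sha256"}

def refang(value: str) -> str:
    """Undo common defanging so 'hxxp://a[.]b' can match telemetry as 'http://a.b'."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def normalize(record: dict) -> Optional[Indicator]:
    """2. Normalize one raw record into a canonical Indicator, or None if unusable."""
    if "pattern" in record:
        m = STIX_RE.fullmatch(record["pattern"])
        if not m:
            return None
        ioc_type, value = STIX_TYPES.get(m.group("obj")), m.group("val")
    else:
        ioc_type, value = record.get("type"), record.get("value", "")
    if ioc_type is None or not value:
        return None
    value = refang(value.strip())
    if ioc_type == "ipv4":
        try:
            value = str(ipaddress.IPv4Address(value))
        except ValueError:
            return None                 # reject garbage such as 999.1.1.1
    elif ioc_type == "domain":
        value = value.lower().rstrip(".")
    elif ioc_type == "sha256":
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{64}", value):
            return None
    elif ioc_type == "url":
        value = value.lower()
    return Indicator(ioc_type, value, record["source"],
                     int(record.get("confidence", 0)), list(record.get("labels", [])))

def enrich(ind: Indicator) -> Indicator:
    """3. Enrich: attach internal sightings; a URL also matches on its host."""
    keys = [ind.value]
    if ind.ioc_type == "url":
        keys.append(urlsplit(ind.value).hostname or "")
    for k in keys:
        ind.sightings.extend(INTERNAL_SIGHTINGS.get(k, []))
    return ind

def score(ind: Indicator) -> Indicator:
    """4. Score 0-100: feed confidence, boosted by internal sightings and impact labels."""
    s = ind.confidence + 15 * min(len(ind.sightings), 3)
    if {"c2", "ransomware"} & set(ind.labels):
        s += 10
    ind.score = min(s, 100)
    return ind

def run_pipeline(raw):
    """Return (indicators sorted by descending score, rejected raw records)."""
    accepted, rejected = [], []
    for rec in raw:
        ind = normalize(rec)
        if ind is None:
            rejected.append(rec)
        else:
            accepted.append(score(enrich(ind)))
    return sorted(accepted, key=lambda i: i.score, reverse=True), rejected

def to_siem_watchlist(indicators, threshold=60):
    """5. Distribute: flat rows a SIEM can load, only for indicators above threshold."""
    return [{"type": i.ioc_type, "value": i.value, "score": i.score,
             "sightings": len(i.sightings)} for i in indicators if i.score >= threshold]

if __name__ == "__main__":
    ranked, bad = run_pipeline(RAW_FEED)
    for row in to_siem_watchlist(ranked):
        print(row)
    print("rejected:", bad)
```

Note the ordering that falls out of the scoring: a low-confidence open-source domain that was actually seen on an internal host (score 55) ranks below a high-confidence hash nobody has seen (80), so the threshold used for distribution is a policy decision a TIP must expose rather than bury.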
This technology matters because the volume, velocity, and variability of threat data have exceeded the capacity of human-driven analysis to process it. Organizations face thousands of daily indicators, actor reports, vulnerability disclosures, and emerging AI-enabled attack techniques. Without a platform to contextualize and operationalize intelligence, teams either drown in noise or fail to act on relevant signals. TIPs reduce manual triage, improve detection precision, accelerate response workflows, and enable intelligence-led security operations.
From a business perspective, TIPs are not simply analyst tools; they are risk management enablers. For the CISO, they improve visibility into threat exposure and align security investments with real-world adversary activity. For the CIO and CTO, they enhance integration across the security stack, reducing duplication and improving tool efficiency. For boards and executive leadership, TIPs support measurable risk reduction, improved incident response metrics, and defensible prioritization of cybersecurity spend. In regulated sectors, they also help demonstrate due diligence in monitoring and responding to emerging threats.
This report focuses on TIP vendors that provide platforms capable of taking operational action, not merely publishing threat intelligence. Inclusion requires robust ingestion, normalization, enrichment, correlation, workflow orchestration, and bidirectional integrations with security controls. Vendors with solutions limited to intelligence gathering, feed reselling, or research-only capabilities are excluded. Platforms must support operational workflows that enable teams to act, automating enrichment, triggering playbooks and automations, or updating controls.
This refresh comes two years after the previous report, and the category has evolved significantly. Vendors have embedded more artificial intelligence and machine learning into correlation, scoring, summarization, and automation. Modern TIPs increasingly apply AI to reduce analyst workload, surface relevant threat narratives, and accelerate defensive changes. As the market continues to evolve and platforms expand in scope, the emphasis has shifted from data aggregation to operationalized intelligence, reflecting the growing expectation that intelligence must directly influence defensive outcomes.
This is our third year evaluating the threat intelligence platforms space. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 13 of the top threat intelligence platform solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria). It provides an overview of the market, identifies leading threat intelligence platform offerings, and helps decision-makers evaluate these solutions so they can make a more informed investment decision.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well threat intelligence platform solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
SMB: These are smaller organizations with limited resources. They are likely to prioritize feature-specific platforms to meet business needs and limited budgets. They often seek to consolidate on a single platform for easier management.
Large enterprise: These are larger organizations with complex IT environments. They are likely to have IT teams that collaborate with security teams and seek comprehensive, scalable TIP platforms that integrate with existing infrastructure.
Government: These organizations emphasize trust, resilience, and compliance. This market requires support for targeted intelligence gathering, standards alignment, auditability, and long-term vendor stability. Purchase decisions prioritize accreditation readiness, deployment flexibility (on-prem, single tenant, or sovereign cloud), predictable costs, and mission impact over short-term ROI.
Managed security service provider (MSSP): TIPs for MSSPs focus on multitenancy, scalability, and operational efficiency. Buyers prioritize per-tenant data isolation, automation, and integrations with SIEM and SOAR. Purchase decisions emphasize pay-as-you-grow pricing, analyst productivity gains, and faster onboarding, as well as demonstrable ROI through margin expansion and service differentiation.
In addition, we recognize the following deployment models:
Software-as-a-service (SaaS): This model is fully hosted and maintained by the vendor, enabling easy deployment and flexible data ingestion. It minimizes infrastructure overhead, accelerates time-to-value, and is favored by organizations prioritizing speed, scalability, and lower operational burden.
On-prem/self-hosted public cloud: On-prem or self-hosted TIPs are deployed and managed by the customer, either in local infrastructure or customer-controlled cloud environments. This model appeals to regulated sectors that require strict data residency, custom integrations, or air-gapped intelligence workflows, but it demands greater internal expertise and operational investment.
Single-tenant public cloud: Here, the solution runs in a dedicated, isolated vendor-managed cloud instance, providing strong data isolation and policy control. This approach balances cloud scalability with heightened security and compliance needs, often serving government, critical infrastructure, or high-sensitivity intelligence use cases.
Hybrid cloud: Hybrid TIPs combine vendor-hosted intelligence services with on-prem or private-cloud components, enabling organizations to correlate external threat feeds with sensitive internal telemetry. This model supports phased cloud adoption, legacy integration, and resilience while maintaining control over critical data.
Managed service: This model pairs the platform with vendor- or partner-delivered intelligence operations, analysis, and tuning. This type of arrangement reduces staffing requirements, accelerates maturity, and delivers clearer ROI for organizations seeking outcomes-driven threat intelligence without building in-house expertise.
Table 1. Vendor Positioning: Target Market and Deployment Model
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
Data collection
Data normalization and analysis
Threat scoring
Alerting and monitoring
Industry standards alignment
Reporting
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a threat intelligence platform solution.
Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below.
Key Features
Integrations: Interoperability is fundamental for TIP functionality, and capabilities are defined by how effectively each solution connects to intelligence sources and with the broader security and IT ecosystem. Strong integration capabilities are essential for operationalizing intelligence, reducing manual effort, and maximizing return on existing security investments.
Graph and link analysis: This capability is critical for understanding adversary behavior, uncovering hidden relationships, and prioritizing investigations based on context rather than data volume. This type of analysis uses specialized tools to model threats as interconnected entities rather than isolated indicators.
Automation and orchestration: Effective automation capabilities transform collected intelligence into coordinated security actions across tools and teams. This capability is critical for scaling response capabilities, reducing manual effort, and ensuring consistent execution as threat volume, risk, and complexity increase.
Digital risk protection: Digital risk protection (DRP) enables organizations to identify, monitor, and mitigate external threats targeting brands, identities, and other exposed digital assets beyond the traditional IT security perimeter. This capability is increasingly critical as phishing, impersonation, and data exposure risks increase across social and dark web communities.
Sandboxing: Sandboxing enables organizations to safely detonate and analyze suspicious files and URLs to uncover malicious behavior before it impacts production environments. This capability is critical for improving detection accuracy, accelerating investigations, and enriching intelligence with actual attack data.
Threat modeling: Threat modeling enables organizations to translate raw threat intelligence into realistic attack scenarios that reflect the ways adversaries could impact their specific environment. This capability is essential for prioritizing threats based on relevance, exploitability, and business risk rather than volume alone.
Incident response and forensic capabilities: By providing insights into potential threats, TIP solutions can also support detection, investigation, containment, and post-incident learning. This feature can be leveraged to reduce mean time to respond, preserve evidence, and turn incidents into actionable intelligence improvements.
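Graph and link analysis in the sense used above, as an added Python illustration (not code from this report or from any vendor in it). The relationships are constructed STIX-style triples with placeholder campaign, actor, and hash names; the pivot is a plain breadth-first search with a hop limit, which is the simplest way to see why a TIP must bound how far it follows links before every entity appears connected to every other.

```python
"""Link analysis over a small threat graph: pivot from one sighted indicator
to the campaigns, actors and TTPs it connects to, and to sibling indicators
worth hunting for. Added illustration; entities and edges are constructed."""
from collections import defaultdict, deque

# Constructed (subject, relation, object) triples, STIX-style. Names are placeholders.
EDGES = [
    ("ipv4:203.0.113.45", "indicates", "campaign:CAMP-A"),
    ("domain:login-example.test", "indicates", "campaign:CAMP-A"),
    ("sha256:SAMPLE-HASH-1", "indicates", "campaign:CAMP-A"),
    ("campaign:CAMP-A", "attributed-to", "actor:ACTOR-1"),
    ("actor:ACTOR-1", "uses", "ttp:T1566"),      # MITRE ATT&CK T1566, phishing
    ("actor:ACTOR-1", "uses", "ttp:T1071"),      # MITRE ATT&CK T1071, application-layer C2
    ("campaign:CAMP-B", "attributed-to", "actor:ACTOR-1"),
    ("domain:update-example.test", "indicates", "campaign:CAMP-B"),
    ("actor:ACTOR-2", "uses", "ttp:T1566"),      # a second actor sharing only a TTP
    ("campaign:CAMP-C", "attributed-to", "actor:ACTOR-2"),
    ("domain:unrelated.test", "indicates", "campaign:CAMP-C"),
]

def build_graph(edges):
    """Undirected adjacency: analysts pivot both ways (indicator -> campaign -> actor -> ...)."""
    graph = defaultdict(set)
    for subj, _rel, obj in edges:
        graph[subj].add(obj)
        graph[obj].add(subj)
    return graph

def pivot(graph, start, max_hops):
    """Breadth-first search from `start`; return {entity: hops} for all within max_hops."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue                      # hop limit: do not expand further
        for neighbour in graph.get(node, ()):
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    return dist

def related_by_kind(graph, start, max_hops=4):
    """Group reachable entities by kind (prefix before ':'), nearest first."""
    grouped = defaultdict(list)
    reachable = pivot(graph, start, max_hops)
    for node, hops in sorted(reachable.items(), key=lambda kv: (kv[1], kv[0])):
        if node != start:
            grouped[node.split(":", 1)[0]].append((node, hops))
    return dict(grouped)

def hunt_candidates(graph, sighted, max_hops=4):
    """Indicators linked to the sighted one through shared campaigns or actors."""
    related = related_by_kind(graph, sighted, max_hops)
    return [node for kind in ("ipv4", "domain", "sha256")
            for node, _hops in related.get(kind, [])]

if __name__ == "__main__":
    graph = build_graph(EDGES)
    seen = "ipv4:203.0.113.45"            # the indicator internal telemetry matched
    for kind, items in related_by_kind(graph, seen).items():
        print(kind, items)
    print("hunt for:", hunt_candidates(graph, seen))
```

With the default four-hop limit the pivot reaches ACTOR-2 only through the shared phishing technique, a weak link that an analyst should treat as a lead rather than an attribution, and it never reaches CAMP-C's indicator at all; raising the limit to six pulls that unrelated domain into the hunt list, which is the noise explosion the feature description warns against.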
Table 2. Key Features Comparison
Emerging Features
AI-assisted investigations: Integrated AI capabilities augment human analysts by accelerating reasoning, correlation, and decision-making across complex threat data. This emerging capability addresses analyst time constraints while improving consistency and depth of investigative outcomes.
AI threat detection: Platforms with these capabilities monitor adversaries that leverage generative AI, automation, and autonomous systems to compromise organizations. This emerging capability is critical as traditional threat intelligence models often lack the ability to track and counter non-human attack behaviors.
Brand intelligence: Brand intelligence extends threat intelligence beyond infrastructure and malware to protect organizational identity, executives, and customer trust. It is becoming increasingly important as attackers blend cybercrime, fraud, and influence operations across open, social, and dark web channels.
Table 3. Emerging Features Comparison
Business Criteria
Collaboration and workflow support: This criterion evaluates how effectively analysts, security teams, and partners can investigate threats together within a TIP. Strong collaboration capabilities reduce friction, preserve institutional knowledge, and enable consistent, coordinated security operations.
Interoperability: Interoperability defines how effectively a platform exchanges data, ingests threat source data, and triggers actions across security tools, platforms, and partners. Flexible interoperability maximizes intelligence value, prevents vendor lock-in, and enables intelligence-driven security operations at scale.
Compliance: This business requirement supports regulatory, audit, and governance obligations globally and across diverse industries. Strong compliance capabilities reduce audit burden on organizations, improve accountability, and enable security teams to meet regulatory requirements without manual overhead.
Ease of use: This criterion measures how efficiently security teams can configure, operate, and scale a TIP without extensive expertise or excessive overhead. Strong usability accelerates adoption, reduces operational friction, and enables intelligence to be used consistently across technical and nontechnical stakeholders.
Cost transparency: Cost transparency reflects how clearly buyers can understand, estimate, and justify the total cost of a threat intelligence platform over time. Transparent pricing reduces procurement friction, improves trust, and enables organizations to align investment with measurable operational and risk-reduction outcomes.
Scalability: Scalability defines a TIP’s ability to handle growing data volumes, users, and integrations without performance degradation. This capability is foundational for enterprise and global deployments.
Table 4. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those positioned closer to the center being judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for Threat Intelligence Platform
As you can see in Figure 1, the chart illustrates a TIP market in transition, from feed aggregation and workflow management toward broader, intelligence-driven security platforms with embedded automation and AI. The vendors are moving toward platformization and operational depth. Vendors are expanding beyond narrow indicator management into integrated orchestration, contextual analysis, and cross-domain risk workflows.
On the Maturity versus Innovation axis, the distribution is relatively balanced, though slightly weighted toward Maturity solutions. This suggests a sector that is actively evolving as established platforms are refining automation, scalability, and integrations, while others are investing in artificial intelligence, graph analytics, and digital risk capabilities. That balance reflects buyer demand for both proven operational stability and forward-looking capabilities such as AI-assisted investigations and proactive threat hunting.
The Feature Play versus Platform Play axis shows a stronger skew toward Platform Play offerings. Fewer vendors remain tightly focused on industry verticals. Instead, most are positioned as operational hubs capable of ingesting, correlating, prioritizing, and triggering downstream action across security controls. This clustering on the Platform Play side indicates a market expectation that a TIP should not simply collect intelligence, but help teams decide and act.
Outperformers are distributed around quadrants rather than concentrated in one, reinforcing the reality that execution excellence can emerge from both mature and innovative strategies. The Leaders circle is not overcrowded, reflecting the complexity of delivering both depth and breadth at scale. Several vendors appear positioned to enter that circle as they operationalize AI, expand integrations, and demonstrate measurable improvements to security outcomes. Overall, the market is converging on platforms that translate intelligence into action, with innovation accelerating but maturity still valued.
In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency, or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
Anomali: Anomali ThreatStream Next-Gen*
Solution Overview
Anomali focuses on threat intelligence operations, providing platforms that aggregate, analyze, and operationalize large volumes of threat data for security operations teams. Its primary emphasis is placed on enabling organizations to turn disparate internal and external intelligence sources into prioritized, actionable insights that support detection, investigation, and response.
The Anomali ThreatStream Next-Gen is offered as part of Anomali’s broader portfolio, alongside capabilities such as Anomali Match and optional managed intelligence services, and is typically deployed as an integrated suite rather than a single standalone tool. The platform operates through a layered architecture that ingests threat data from commercial feeds, open sources, and internal telemetry, normalizes and enriches indicators, maps them to frameworks such as MITRE ATT&CK, and distributes intelligence to downstream tools via integrations and APIs. Core capabilities include threat data management, scoring and prioritization, relationship analysis, automation, and integration with SIEM and SOAR platforms. Anomali’s strategy centers on serving large enterprises, government organizations, and MSSPs that require scalable intelligence operations, high-volume ingestion, and automation to support Security Operations Center (SOC) workflows.
Anomali is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the TIP Radar chart.
Strengths
Anomali scored well on a number of decision criteria, including:
Automation and orchestration: The solution includes automated enrichment, normalization, and scoring of threat intelligence as part of investigation and response workflows aligned with integrated SOAR platforms. This solution supports playbook response actions, allowing intelligence to trigger downstream controls and remediation activities across integrated security tools. Agentic AI capabilities further reduce analyst effort by assisting with correlation, prioritization, and execution of routine intelligence-driven tasks.
Integrations: The platform offers a broad, best-in-class integration ecosystem via the Anomali Marketplace, providing access to more than 200 threat intelligence feeds, enrichment tools, and turnkey connectors for SIEM, SOAR, firewalls, endpoint and network security, and risk assessment tools, all accessible directly within the ThreatStream Next-Gen console. This marketplace supports both evaluation and deployment of additional intelligence streams and security system integrations, and automation that operationalizes threat context across security controls.
Threat modeling: Anomali supports structured threat modeling through MITRE ATT&CK mapping, campaign tracking, and adversary profiling. These capabilities are leveraged by combining asset, identity, telemetry, and threat intelligence context to prioritize critical incidents and recommend next investigative and response steps. The platform prioritizes intelligence based on an organization’s defensive controls and exposure, helping teams focus analysis and response on threats most likely to impact their specific environment.
Opportunities
Anomali has room for improvement in a few decision criteria, including:
Sandboxing: The platform has limited sandboxing capabilities and relies on integrations with third-party malware detonation platforms rather than native execution. Detonation results and extracted indicators can be ingested, correlated, and operationalized within the platform, but native capabilities would enable teams to respond more quickly to new malware.
Digital risk protection: The solution provides solid coverage of external threat sources relevant to digital risk, including dark web forums, paste sites, leak repositories, and threat actor communications. It could improve by adding native takedown workflows and dedicated executive, brand, and asset protection dashboards.
Brand intelligence: Brand-related threats are addressed indirectly through external threat data sources rather than through dedicated brand intelligence workflows. The platform could be improved by natively detecting impersonation or brand misuse attempts and providing targeted alerts that meet advanced brand intelligence criteria.
Purchase Considerations
Anomali is delivered as a single platform, with ThreatStream serving as the core threat intelligence management and operationalization layer. Additional capabilities, including advanced automation, managed intelligence services, and deployment-specific options, are offered depending on use case and environment, but there is limited public information about pricing. Buyers should clarify what capabilities are included in each product to avoid unexpected cost or functionality gaps during adoption and implementation.
Anomali fits best in large enterprise, government, and MSSP environments with dedicated threat intelligence or SOC engineering resources. The platform supports a wide range of deployment models, including SaaS, single-tenant cloud, hybrid, and on-prem or self-hosted public cloud deployments, enabling organizations with strict regulatory, data residency, or sovereignty requirements to adopt the platform without compromising compliance.
Organizations will derive the most value from aggregation, enrichment, threat intelligence scoring, and extensive integrations with SIEM, SOAR, EDR, and network security controls, enabling the enterprise to improve SOC operations. The platform assumes moderate to high organizational process maturity, and ongoing operations benefit from an intelligence architect or experienced SOC analysts to manage integrations, scoring logic, and workflows. SMBs or lean teams may find operational complexity challenging without managed services. Enterprises seeking a platform with native coverage for brand protection and takedown-focused digital risk use cases will need to engage another vendor that integrates with ThreatStream.
Use Cases
Anomali ThreatStream supports organizations across financial services, technology, government, critical infrastructure, and MSSPs with use cases for threat detection, investigation and response, threat hunting, threat analysis, and intelligence distribution. The platform operationalizes curated, confidence-scored threat intelligence by aggregating and enriching data from global sources, mapping it to real-time security telemetry, and feeding contextualized insights into detection and investigation workflows. This enables a broad range of use cases in which security teams can improve defensive configurations by targeting active threats.
Bitsight: Bitsight Threat Intelligence
Solution Overview
Bitsight provides a threat intelligence capability focused on delivering timely, contextualized insights about external cyberthreats and risks affecting organizations. Its primary focus is on transforming large-scale collections from the clear, deep, and dark web into actionable intelligence that supports threat-driven security and risk decisions across detection, investigation, and response workflows. Bitsight acquired Cybersixgill in November 2024 to expand and deepen its threat intelligence capabilities, particularly its visibility into deep and dark web adversary activity.
Bitsight Threat Intelligence is a unified product composed of multiple modular capabilities and integrated into the broader Bitsight portfolio, including Security Performance Management (SPM) and Continuous Monitoring for Third-Party Risk Management (TPRM); modules can be purchased individually or bundled. The platform operates as a cloud-delivered SaaS solution through a centralized investigative portal that serves as the common interface across all modules. It is built on a shared intelligence backplane, a data lake ingesting millions of intelligence items daily, which is enriched and contextualized by Bitsight IQ, an embedded generative artificial intelligence engine.
Core platform capabilities include Attack Surface Intelligence, Identity Intelligence, Vulnerability Intelligence, and Adversary and Ransomware Intelligence, along with Brand and Executive Protection Intelligence, supported by intelligence feeds and optional managed threat intelligence services. Bitsight’s strategy emphasizes broad external visibility and prioritization of emerging threats mapped to an organization’s digital footprint, supporting use cases such as threat monitoring, vulnerability prioritization, incident response, threat hunting, and brand and executive risk protection.
Bitsight is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the TIP Radar chart.
Strengths
Bitsight scored well on a number of decision criteria, including:
Threat modeling: The platform supports threat modeling by automatically mapping threat actors, campaigns, malware, vulnerabilities, and observed behaviors to attack frameworks and correlates that intelligence with an organization’s external and internal attack surface. By linking real-world adversary TTPs to exposed assets and exploitable technologies, the platform surfaces prioritized, threat-driven scenarios, providing practical visibility into likely attack paths based on observed attacker behavior.
Digital risk protection: The solution monitors a broad range of clear, deep, and dark web sources, including social media, forums, marketplaces, paste sites, domain name system (DNS) records, app stores, ransomware and leak sites, and private or invite-only messaging channels, and correlates findings to align threats to an organization’s assets. The platform supports takedown workflows and delivers strong correlation and reporting to help teams prioritize action and communicate risk to operational and executive stakeholders.
Graph and link analysis: The solution provides analysis that models threat intelligence as interconnected entities, such as threat actors, campaigns, malware, vulnerabilities, infrastructure, and TTPs, and automatically correlates and visualizes relationships. The solution uses AI-enhanced enrichment techniques, enabling analysts to pivot across entities and understand real-world attack patterns and scope.
Bitsight was classified as an Outperformer due to its rate of development in the last year, with significant releases, including expanded Identity Intelligence for credential exposure and identity-based threat detection, enhancements to Brand Intelligence with stronger takedown workflows, and deeper malware analysis integrated with ATT&CK-mapped analysis.
Opportunities
Bitsight has room for improvement in a couple of decision criteria, including:
Sandboxing: This solution does not include native sandboxing or malware detonation as part of its core offering, but these capabilities are available through other Bitsight products and third-party integrations. To improve here, sandbox-derived behavioral intelligence would need to be native within the platform.
Incident response and forensic capabilities: The platform supports investigation, correlation, and analyst-driven hypothesis development and preserves threat intelligence and investigation records, including saved investigations, referenced items, supporting context, and report outputs, which can provide additional context during post-incident activities. The solution lacks deep technical post-incident analytics derived from audit logging that could help with forensic correlation of bad actor activities across long time frames.
Purchase Considerations
Pricing is based on per-seat licensing for the Bitsight TI Portal, which includes modules for threat analysis, investigation, and reporting, with optional add-on modules for Dynamic Vulnerability Exploit (DVE) and Brand Intelligence. For automation and integration use cases, Bitsight offers API and Data Feed packages across key intelligence domains, including vulnerabilities, exploits, data leaks, threat hunting, and alerts. These are offered under a consumption-based model, measured by API query volume per month, with scalable tiers based on usage. This structure supports predictable entry costs but introduces potential overage risk for automation-heavy or MSSP-scale deployments.
Operationally, the platform aligns best with mid-to-large enterprise security teams and MSSPs that have dedicated threat intelligence or advanced SecOps functions. The solution is SaaS-based, and for regulated industries, it also supports single-tenant public cloud, while MSSPs can leverage the platform’s native multitenant architecture with role-based access controls (RBAC) to ensure data segregation. Optional managed TI services further extend the platform with analyst research, monitoring, and response support, reducing operational burden for teams with limited internal capacity.
Organizations looking to extend traditional threat intelligence with digital risk protection services should consider Bitsight as a complementary platform, as its DRPS add analyst-led intelligence operations, takedown support, and custom research delivered through a flexible, token-based model that can scale with shifting cyber risk priorities.
Use Cases
Bitsight Threat Intelligence supports enterprises across a broad set of regulated and operationally critical industries, including financial services, insurance, healthcare, government, technology, energy and utilities, retail, manufacturing, and education. The platform is designed to address sector-specific external threat exposure, fraud and cybercrime activity, ransomware targeting, and supply chain risk by aligning adversary intelligence and attack surface visibility to industry-relevant assets, workflows, and risk priorities. Additional coverage includes threat hunting, fraud and cybercrime monitoring, brand and executive protection, and third-party risk intelligence, with optional managed intelligence services augmenting internal teams.
Cyble: Cyble Threat Intelligence Platform
Solution Overview
Cyble focuses on delivering cyberthreat intelligence and digital risk protection to help organizations identify, prioritize, and mitigate cyber and digital risks across their entire attack surface. Its primary emphasis is on combining machine-driven intelligence collection with analyst-curated research to support strategic, operational, and tactical security decision-making.
Cyble Vision is the vendor's flagship, AI-native cyberthreat intelligence (CTI) and digital risk protection services (DRPS) platform, delivered as a single, integrated solution within Cyble’s broader cybersecurity portfolio. The broader platform can also address threat monitoring and external attack surface visibility with additional products. The platform operates on a common intelligence backplane and unified user interface, ingesting data from surface, deep, and dark web sources, cyber news, and external asset discovery, then enriching and correlating it through scoring, attribution, and attack framework-aligned analysis.
Core capabilities include threat actor and malware profiling, campaign tracking, digital risk detection (such as leaked credentials, phishing, impersonation, and brand abuse), external exposure monitoring, and analyst workflows for targeted defensive operations. The platform also includes alerting, case management, and takedown coordination. Integrations with SIEM, SOAR, and ticketing tools enable organizations to operationalize threat signals. Cyble’s strategy centers on unifying threat intelligence, digital risk monitoring, and attack surface visibility to enable proactive detection and mitigation of cyber, brand, and reputational threats that impact infrastructure, executives, customers, and business operations.
Cyble is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the TIP Radar chart.
Strengths
Cyble scored well on a number of decision criteria, including:
Sandboxing: This is offered via Threat Lens, which supports automated detonation of suspicious artifacts, including executables, scripts, documents, archives, and URLs, and applies AI/ML-assisted behavioral analytics to identify malicious activity. The solution combines static analysis with dynamic behavioral analysis to provide deeper insight into malware functionality and intent, which is then correlated with threat actor behaviors.
Automation and orchestration: These capabilities are actioned primarily through integrations with SIEM and SOAR platforms, with the platform acting as an authoritative trigger. Connectors enable automated enrichment, scoring, and intelligence-driven workflows in integrated platforms, allowing intelligence to be embedded into existing playbooks, triggers, and approval logic. These integrations support bidirectional orchestration, enabling consistent IOC propagation, alert enrichment, and response coordination.
Digital risk protection: The platform provides continuous monitoring across surface, deep, and dark web sources to identify data leaks, credential exposure, phishing, impersonation, brand abuse, and emerging threat activity. It can discover exposed digital assets, apply risk-based scoring, and correlate findings with organizational brands, domains, executives, assets, and sector context, with integrated takedown workflows enabling analyst-led remediation. Insights are correlated with broader threat intelligence via dashboards and reports to support proactive protection strategies.
Opportunities
Cyble has room for improvement in a few decision criteria, including:
Incident response and forensic capabilities: The platform assists by serving as the central intelligence and investigation layer during security events, providing contextual threat intelligence, enriched indicators, and investigative insight to support triage and decision-making. However, the platform lacks native case management and deep forensic analysis capabilities, requiring organizations to rely on integrated incident response tooling.
Integrations: It supports 17 out-of-the-box integrations with major security providers, enabling ingestion and enrichment of threat intelligence across common SIEM, SOAR, and security operations tools. While the available integrations cover core use cases, expansion to additional vendors and broader sources of internal telemetry would improve operational efficiency for organizations and reduce reliance on custom API development.
Threat modeling: The solution provides intelligence-driven threat modeling focused on behavioral analysis and contextual risk correlation rather than full attack simulation. The platform maps indicators, threat actors, malware, campaigns, and behaviors to visualize attacker intent and likely attack paths. The platform could be improved by expanding into additional sources for internal telemetry, asset inventories, and vulnerability assessments, enriching the ability to correlate threats to an organization’s environment.
Purchase Considerations
Cyble should be purchased as a platform rather than a single point tool, with Cyble Vision serving as the core TIP that unifies CTI, digital risk protection, attack surface management, takedowns, and DFIR workflows. Buyers should consider licensing Vision, then expanding into other offerings, which include endpoint security, cloud security, and cyber risk quantification. Organizations should consider whether they can replace existing providers with overlapping features to consolidate their vendors around Cyble’s offerings.
Pricing is available via the AWS Marketplace and follows a modular, subscription-based model aligned to customer size, use cases, and license entitlements. Costs are driven by monitored assets, brands, domains, data volume, and intelligence scope rather than per-user licensing.
Cyble is delivered as a SaaS platform that supports phased rollout and expansion through its flexible, modular design. However, its breadth introduces added operational complexity for less mature teams. Professional services and managed analyst support can help mitigate this complexity and accelerate adoption.
The solution has limited out-of-the-box integrations, relying instead on a well-documented API for extensibility. While this approach provides flexibility, it requires internal engineering or security operations resources to build and maintain integrations.
Use Cases
The solution has broad use cases across financial services, technology, retail, e-commerce, telecommunications, and government, supporting core requirements such as proactive threat detection, strategic and operational threat intelligence, digital risk and brand abuse protection, external attack surface monitoring, and incident response.
EclecticIQ: Intelligence Center
Solution Overview
EclecticIQ focuses on helping large enterprises and government agencies operationalize cyberthreat intelligence by reducing data overload and delivering contextual, decision-ready insights. Its primary emphasis is on enabling cyberthreat intelligence and SOC teams to manage the full intelligence lifecycle in a unified environment, enabling analysts to identify the most relevant threats.
The EclecticIQ Intelligence Center is offered as part of a broader EclecticIQ portfolio that also includes Threat Scout and Threat Intelligence Feeds, all accessible through a unified interface. Intelligence Center centralizes intelligence requirements, data collection, processing, analysis, actioning, and dissemination by ingesting commercial, open source, and internal data, normalizing it into STIX 2.1 and EclecticIQ’s EIQ-JSON format, and enriching it with AI-driven entity extraction, malware detonation, and threat behavior correlation. Core capabilities include graph-based link analysis, MITRE ATT&CK visualization, multilingual natural language processing search, automated reporting, and integrations with internal telemetry sources such as SIEM and EDR systems via APIs.
EclecticIQ’s strategy emphasizes analyst-led, intelligence-driven security operations, prioritizing contextual analysis, collaboration, and interoperability to support use cases such as threat hunting, incident response, intelligence production, and trusted intelligence sharing across enterprise, government, and MSSP environments.
EclecticIQ is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the TIP Radar chart.
Strengths
EclecticIQ scored well on a number of decision criteria, including:
Automation and orchestration: The solution uses both rule- and workflow-driven processes, powering automated triage, enrichment, and IOC-based blocking rules. Workflows can be scheduled or manually triggered and may include approval steps, supporting internal process governance requirements. The platform leverages its integrations catalog to drive AI-assisted triage and reporting, accelerating the review, production, and dissemination of threat intelligence data.
Integrations: The platform supports integrations across threat intelligence feeds, enrichment services, and core security tooling. The platform integrates with commercial and open source intelligence providers as well as SIEM, firewall, EDR, and IT service management platforms to enable automated data exchange and incident workflows. Built-in workflow automation supports collection, enrichment, organization, and export of intelligence, with bidirectional API access for lookups and data creation. EclecticIQ will support the development of new integrations as needed by customers.
Graph and link analysis: The solution provides analysis for managing relationships and interactions across threat data using a native STIX 2.1 data model. The platform supports dynamic modeling through automated entity extraction, AI-assisted enrichment, and cross-source correlation, enabling analysts to create and explore relationships among threat actors, indicators, tactics, techniques, and procedures. Advanced query capabilities allow filtering across any entity attribute or relationship, with full graph interaction and automation available via APIs and integrations.
Opportunities
EclecticIQ has room for improvement in a few decision criteria, including:
Digital risk protection: The solution does not have native digital risk collection capabilities or takedown services but supports DRP use cases through integration with other intelligence providers. Even without native support, when this type of data is ingested, the platform correlates it with broader threat intelligence to support investigations and analysis. To improve here, the vendor would need to add the ability to collect this type of risk data itself.
Threat modeling: The solution supports threat modeling by automatically deduplicating and correlating indicators, threat actors, attack patterns, and vulnerability data, and mapping them to the MITRE ATT&CK framework for structured analysis. While these capabilities are robust, the platform could improve by performing predictive attack-path simulation, business-impact modeling, or automated defense recommendations based on live telemetry.
Sandboxing: The vendor does not provide native sandboxing capabilities but relies on integrations with third-party sandbox solutions to ingest malware detonation reports containing behavioral and technical intelligence, including extracted indicators. These integrations allow sandbox outputs to be normalized, correlated, and analyzed alongside broader threat intelligence, but the solution could be improved by providing native detonation capabilities.
Purchase Considerations
EclecticIQ Intelligence Center is the core product within a broader portfolio that includes Threat Scout and Threat Intelligence Feeds, all delivered through a unified interface. Open source feeds are bundled, while commercial feeds and premium integrations are offered as add-ons. The platform follows a custom, quote-based pricing model rather than a publicly listed one, and organizations should validate use cases while engaging this vendor. Buyers should consider professional services or partners to assist with the implementation of platform deployment, intelligence modeling, and workflow tuning.
The platform is best suited for organizations with established cyberthreat intelligence or security operations teams and dedicated intelligence analysts and architects. It supports the full intelligence lifecycle, from direction and planning through dissemination, making it viable as a single platform. For organizations looking to consolidate a large range of data sources, the platform supports standards such as STIX 2.1 and TAXII formats, along with commercial and open source feeds. Lean teams may find the platform’s analytical depth exceeds near-term needs without careful scoping. Organizations seeking a full-lifecycle intelligence platform with strong context, automation, and interoperability should consider this platform.
Use Cases
EclecticIQ supports a broad set of industry verticals, including financial services, government, critical infrastructure, defense, and large enterprises, with primary use cases spanning alert triage, incident response, threat hunting, threat actor tracking, feed analysis, vulnerability prioritization, IOC management, reporting, and intelligence dissemination. The platform’s graph analysis, MITRE ATT&CK mapping, automation, and integrations enable operationalization across security teams.
Filigran: OpenCTI Enterprise Edition
Solution Overview
Filigran delivers an open source eXtended Threat Management (XTM) suite that helps organizations understand threat environments, anticipate and detect incidents, and conduct attack simulations. Its primary threat intelligence offering is OpenCTI, an open source TIP positioned for organizations that require customization, sovereignty, and operational control.
OpenCTI is part of Filigran’s suite, which also includes OpenAEV, a security validation platform, and XTM Hub, a community portal providing ready-to-use intelligence resources and tradecraft. OpenCTI and OpenAEV are integrated but maintain separate user interfaces and can be purchased bundled or independently. OpenCTI, which is STIX 2.1-native, uses an API-first, graph-based architecture to correlate relationships across adversary, infrastructure, capability, and victim entities, and maps activity to the MITRE ATT&CK framework to contextualize tactics and techniques, supported by artificial intelligence-powered natural language processing extraction. The platform provides user-defined taxonomies and low-code automation workflows to operationalize intelligence. Deployment options include a vendor-hosted SaaS environment, on-prem, air-gapped, and hybrid models to meet customer requirements.
Filigran is positioned as a Challenger and Outperformer in the Innovation/Platform Play quadrant of the TIP Radar chart.
Strengths
Filigran scored well on a number of decision criteria, including:
Integrations: The platform is built on an open source, API-first architecture with nearly 300 prebuilt integrations spanning threat intelligence feeds and downstream security tooling, including SIEM, SOAR, EDR and XDR (extended detection and response), vulnerability management, risk, and ITSM platforms. The platform also integrates natively with Filigran’s attack emulation and validation platform, enabling simulation and security validation workflows directly from the intelligence context. Integrations are delivered through no-code, one-click, self-service connectors, reducing operational overhead and making the solution well suited for environments that prioritize automation and interoperability.
Graph and link analysis: The solution includes graph-based analysis that correlates relationships across four core entities (adversary, infrastructure, capability, and victim) to model real-world threat activity and dependencies. Threat data is mapped to the MITRE ATT&CK framework to contextualize observed behaviors by tactic and technique, supporting investigation efforts and campaign tracking. The platform applies natural language processing to extract data from unstructured intelligence sources, automatically identifying entities and relationships to enrich the graph and accelerate link analysis without heavy manual curation.
Automation and orchestration: It supports user-defined taxonomies, allowing organizations to tailor data models, labels, and classifications to their intelligence workflows and operating context. The platform provides fully low-code automation workflows and playbooks that enable analysts to define enrichment, triage, and response logic without custom development. These workflows can trigger actions in connected downstream systems such as SOAR, SIEM, ticketing, or validation platforms, thereby helping to operationalize intelligence and close the loop between analysis and execution.
Filigran is classified as an Outperformer due to its rate of technology development in the last year, including a large expansion of its OpenCTI integrations and an agentic AI (XTM One), both enhancements within OpenCTI.
Opportunities
Filigran has room for improvement in a few decision criteria, including:
Digital risk protection: The solution integrates with external threat intelligence sources, including OSINT and commercial feeds from DRP vendors, enabling customers to centralize diverse intelligence streams in a single platform. Filigran does not provide proprietary threat intelligence data and could improve this feature by developing in-house data gathering tools.
Sandboxing: The solution does not include native malware sandboxing capabilities but integrates with third-party sandbox and detonation platforms to ingest analysis results. These integrations allow sandbox outputs to be correlated with adversaries, campaigns, infrastructure, and attack techniques. The platform could be strengthened by adding native sandboxing or lightweight detonation capabilities to reduce dependency on external tools.
Brand intelligence: The vendor does not provide native brand or digital risk intelligence but integrates with external vendors to ingest signals such as phishing domains, impersonation attempts, leaked credentials, and fraud-related indicators. These external signals can be normalized, correlated, and linked to adversaries. If the solution included native brand intelligence gathering and takedown orchestration, it could improve this feature.
Purchase Considerations
Filigran OpenCTI can be purchased either as a vendor-hosted SaaS offering or licensed and installed by the customer. SaaS is sold per instance, with pricing structured around infrastructure rather than user counts or feature tiers. There are no limitations on the number of users, feeds, or integrations within a SaaS instance, and there are no modular add-ons, with all core capabilities included in the base license. Customers select between medium and large versions, sized according to infrastructure requirements and expected data volume. Organizations need to contact the vendor’s sales team for pricing.
Filigran also provides support packages, which are offered in standard and premium tiers, allowing organizations to align service levels with operational maturity and internal expertise.
OpenCTI can be deployed as vendor-hosted software as a service (SaaS), on-prem, air-gapped, or in hybrid models, which is particularly relevant for regulated, government, or sovereignty-sensitive environments. Organizations should plan infrastructure sizing carefully to align performance, storage, and graph-processing needs with anticipated intelligence ingestion volumes and automation use cases.
Use Cases
Filigran OpenCTI supports broad industry use cases, including cyberthreat intelligence lifecycle management, adversary tracking, intelligence sharing, operational enrichment, and intelligence-driven security validation. The platform is best suited for complex enterprise, government, defense, and regulated environments that require a global presence, data sovereignty, air-gapped deployment options, and deep integration into existing security operations workflows.
Flashpoint: Flashpoint Ignite
Solution Overview
Flashpoint delivers external threat intelligence and digital risk protection, with the platform being a primary source for cyber, physical, and vulnerability intelligence, offering a broad risk view for organizations, threat actor insight, fraud detection, and operational risk reduction. The platform supports security, fraud, corporate security, and government teams by providing contextualized intelligence tailored to specific business risks.
Flashpoint’s platform includes core intelligence monitoring, digital risk protection, brand and executive protection, and analyst-led investigative services. It ingests data from criminal forums, marketplaces, leak sites, and other illicit communities, applying AI-driven correlation, summarization, and prioritization to surface relevant risks, and offers a notebook-style workspace for structured analysis and reporting. The platform integrates with security, incident response, and fraud tools to operationalize alerts, enrichment, and takedown actions. Flashpoint Ignite also provides extensive vulnerability intelligence, tracking more than 100,000 vulnerabilities not covered in the National Vulnerability Database (NVD) or Common Vulnerabilities and Exposures (CVE) listings. It also delivers context on emerging CVEs, active exploitation, and patch availability, alongside physical security intelligence derived from open source intelligence and geospatial data.
Flashpoint’s strategy centers on intelligence depth and human-in-the-loop validation rather than serving as a workflow-centric TIP, making it best suited for organizations prioritizing digital risk protection, investigations, and high-confidence external threat visibility.
Flashpoint is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the TIP Radar chart.
Strengths
Flashpoint scored well on a number of decision criteria, including:
Digital risk protection: The solution has deep, continuous monitoring across the dark web, criminal forums, marketplaces, data leak sources, fraud channels, and broader threat actor ecosystems. This coverage enables early detection of credential exposure, brand abuse, ransomware extortion activity, and emerging threat campaigns targeting the organization. The platform can also initiate the removal of identified brand risks through a combination of automated workflows and analyst-led manual takedowns. This supports faster disruption of phishing domains, impersonation sites, leaked content, and fraudulent marketplace activity.
Automation and orchestration: The platform supports automated enrichment, alerting, and downstream actions, with seamless integration into SOC, IR, and fraud tooling to operationalize intelligence quickly.
AI-assisted investigations: The solution leverages AI-driven correlation, summarization, and prioritization to help analysts quickly extract relevant insights from large volumes of unstructured intelligence data. These capabilities improve analyst efficiency by reducing noise and accelerating investigation workflows, and the platform offers a dedicated notebook-style workspace to support in-depth analysis and structured reporting.
Opportunities
Flashpoint has room for improvement in a few decision criteria, including:
Integrations: Flashpoint provides integrations with SIEM, SOAR, case management platforms, and industry data-sharing standards to operationalize intelligence across the security stack. It has APIs available for customization, enabling reliable ingestion, enrichment, and downstream distribution of threat data. While integrations with some vendors are available out of the box, the solution could be improved by adding more, both for automation use cases and for ingesting internal telemetry for threat assessment.
Incident response and forensic capabilities: The solution delivers strong intelligence support during active incidents by providing contextual insight, threat actor attribution, and relevant external indicators. Ignite also provides native incident response workflows through one-click managed takedowns for phishing and brand abuse use cases. However, it does not offer native forensic analysis capabilities or built-in incident response execution tooling.
Graph and link analysis: The platform includes entity linking and relationship context across actors, indicators, and events to support investigative workflows. However, it does not offer a fully interactive graph exploration or deep pivoting environment.
Purchase Considerations
Flashpoint is purchased as a SaaS platform with licensing aligned to use case and data coverage. Core modules typically include Threat Intelligence (deep and dark web monitoring, actor intelligence, brand protection), Vulnerability Management intelligence enrichment, Managed Intelligence Services, and Physical Safety and Executive Protection. Flashpoint is purchased either through direct engagement with the vendor's sales team or through its reseller partners, with solution scope aligned to selected modules and organizational use cases. Prospective buyers should scope their technical and operational requirements to determine the best fit for bundled packages and whether managed analyst-led services meet their needs.
The solution is deployed in a multitenant SaaS model, with options for isolated environments for customers with heightened security or regulatory requirements. No on-prem deployment model is offered, but the platform can be integrated with either on-prem or cloud-based SIEM, SOAR, or incident response tooling, supporting hybrid operational models.
Managed services can augment lean teams through curated alerting, proactive intelligence acquisition, tailored reporting, request-for-information support, executive investigations, threat response readiness, and enhanced monitoring. These services are particularly valuable for organizations lacking dedicated CTI staff or requiring high-confidence, human-validated intelligence alongside automated detection.
Use Cases
Flashpoint supports a broad set of use cases spanning security operations, fraud prevention, corporate and physical security, vulnerability management, national security, and insider threat monitoring. Organizations use Flashpoint to surface early-warning intelligence from the deep and dark web, enrich vulnerabilities and incidents with real-world exploit and actor context, and protect brands, executives, and physical assets from fraud, impersonation, and targeted threats. For government and high-risk enterprises, the platform enables strategic and operational intelligence workflows across geopolitical risk, extremist activity, and insider threat indicators, augmented by analyst-led investigations.
Microsoft: Defender XDR and Sentinel*
Solution Overview
Microsoft delivers threat intelligence as an embedded capability across its cybersecurity ecosystem, with a primary focus on operationalizing intelligence directly within detection, investigation, and response workflows rather than offering a standalone threat intelligence platform. The approach emphasizes applying Microsoft’s research-derived, threat actor-linked indicators of compromise with real-time alerts, incidents, and entity research.
Microsoft’s threat intelligence platform is no longer positioned as a standalone product. Instead, TIP capabilities are being embedded directly into Microsoft Sentinel and Microsoft Defender XDR, reflecting Microsoft’s strategy of operationalizing threat intelligence natively across detection, investigation, and response workflows. Threat intelligence is used within these platforms to enrich alerts, incidents, and investigations with adversary, infrastructure, and indicator context. The architecture relies on Microsoft’s global telemetry and research-driven intelligence, which is automatically correlated with security events and entities surfaced in Sentinel and Defender XDR. Intelligence is applied inline to investigations, supporting analyst decision-making without requiring a separate intelligence lifecycle or repository.
Microsoft’s strategy prioritizes tightly integrated, intelligence-driven security operations for organizations already using its security stack, with primary use cases centered on alert enrichment, incident investigation, and response acceleration.
Microsoft is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the TIP Radar chart.
Strengths
Microsoft scored well on a number of decision criteria, including:
Automation and orchestration: The solution delivers automation through Sentinel playbooks built on Azure Logic Apps and automated investigation and response capabilities within Microsoft Defender XDR. These capabilities enable event-driven enrichment, ticketing updates, and remediation actions such as device isolation or account suspension, while adaptive incident correlation consolidates related alerts into unified cases. AI-driven response recommendations further prioritize and guide remediation actions based on threat intelligence context and behavioral analysis.
Integrations: Microsoft has an extensive ecosystem of connectors spanning Microsoft 365, Azure, and native security tools such as Microsoft Sentinel and Microsoft Defender XDR. The platform also supports hundreds of third-party integrations, including SIEM and SOAR tools, enabling ingestion, enrichment, and bidirectional workflows. This connector ecosystem allows organizations to operationalize threat telemetry, apply context, and automate response actions within a unified operational framework.
Graph and link analysis: Analysts can leverage Microsoft Threat Intelligence Center (MSTIC) research, MDR and XDR telemetry, and global threat signals to provide contextual linking across entities. Analysts can then pivot across users, devices, IP addresses, domains, files, and threat actors to understand relationships and attack techniques. This model enables enriched investigations by correlating internal telemetry with external intelligence to surface adversary infrastructure, campaign associations, and behavioral patterns.
Opportunities
Microsoft has room for improvement in a few decision criteria, including:
Digital risk protection: It delivers partial coverage by monitoring threat actor chatter, identifying leaked credentials, and surfacing exposed infrastructure that may indicate elevated organizational risk. However, the platform lacks dedicated brand abuse monitoring and domain or impersonation takedown services, limiting its effectiveness for organizations seeking comprehensive external brand protection and disruption capabilities.
Sandboxing: The solution provides basic detonation and behavioral analysis capabilities to evaluate suspicious files and URLs within its broader security stack. These capabilities support automated investigation and enrichment workflows but are primarily optimized for inline detection and response rather than deep malware research. Sandbox depth and analyst-facing transparency could be improved to provide more details regarding reverse engineering and advanced behavioral analysis.
Threat modeling: The solution provides threat modeling through MITRE ATT&CK mapping, kill-chain correlation, and embedded entity-based context. These capabilities help analysts understand adversary techniques, campaign progression, and relationships across users, devices, infrastructure, and indicators. However, the platform does not include a dedicated threat modeling module for full adversary simulation or structured attack path modeling within its threat intelligence capabilities.
Purchase Considerations
Microsoft’s threat intelligence capabilities are not licensed as a standalone platform; they are embedded within Microsoft Defender XDR and Microsoft Sentinel subscriptions. Existing Microsoft customers should review their broader security stack procurements, including endpoint, identity, cloud, and SIEM licensing, to determine whether they already hold the relevant entitlements. The platform is delivered as SaaS only, so organizations must align with Microsoft’s cloud delivery model and associated data residency options. Buyers should also evaluate bundled licensing tiers and Sentinel data ingestion costs when forecasting the total cost of ownership.
Organizations of all sizes can access Microsoft’s global threat intelligence; however, smaller and midsize teams should assess staffing and operational maturity to ensure they can review, contextualize, and operationalize threat actor intelligence alongside detection, orchestration, and response workflows. Enterprises in highly regulated sectors should confirm that Microsoft’s SaaS architecture, data handling controls, and compliance certifications meet industry-specific requirements before standardizing on the platform.
A key limitation is reduced suitability for organizations requiring a standalone, vendor-agnostic threat intelligence lifecycle or extensive third-party intel sharing outside the Microsoft ecosystem.
Use Cases
Microsoft supports most industry verticals (including financial services, healthcare, government, retail, and technology) by embedding threat intelligence directly into security operations within the Microsoft ecosystem. Use cases include alert and incident enrichment, threat hunting, adversary and infrastructure tracking, incident investigation and response, and SOC automation. Support is delivered through native integration with Microsoft Sentinel and Microsoft Defender XDR, leveraging global telemetry, prebuilt analytics, and deep integration across identity, endpoint, email, and cloud workloads.
Rapid7: Rapid7 Threat Command*
Solution Overview
Rapid7 is a security operations and risk management vendor focused on helping organizations detect, manage, and respond to threats across their internal and external attack surface. Within this report context, Rapid7’s primary focus is on delivering actionable threat intelligence and digital risk visibility that supports security operations, fraud prevention, and brand protection teams.
Rapid7 Threat Command is not a standalone product; it is part of the broader Rapid7 Insight platform and is commonly deployed alongside products such as InsightIDR (SIEM) and InsightConnect (SOAR). Threat Command continuously collects and analyzes external threat data from surface, deep, and dark web sources to identify credential leaks, brand impersonation, fraud indicators, and emerging threats targeting an organization. The platform correlates this intelligence with exposed assets and integrates findings into Rapid7 workflows for investigation, alerting, and response. Strategically, Threat Command is positioned as a digital risk protection and external threat intelligence capability, optimized for enterprises already using the Rapid7 ecosystem and for primary use cases such as credential monitoring, brand abuse detection, and pre-incident risk identification, rather than for full-spectrum, standalone threat intelligence platform operations.
Rapid7 is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the TIP Radar chart.
Strengths
Rapid7 scored well on a number of decision criteria, including:
Digital risk protection: The platform delivers these protections through continuous monitoring of surface, deep, and dark web sources to identify credential leakage, fraud indicators, and other external exposure risks. These capabilities are integrated into Rapid7’s security operations workflows, enabling organizations to tailor monitoring and response to their specific digital footprint and threat profile.
Threat modeling: This solution supports threat modeling by correlating external threat intelligence with an organization’s exposed digital assets to highlight how adversaries may target brands, domains, and leaked credentials. Intelligence is also operationalized through integration with InsightIDR and InsightConnect, where external threat signals are correlated with an organization’s exposed assets and security events, helping organizations prioritize defensive strategies.
Brand intelligence: The platform monitors bad-actor-hosted sources for brand impersonation, fraudulent domains, phishing activity, and leaked credentials, then correlates these signals to an organization’s brand assets to enable early detection and response when the organization is being targeted.
Opportunities
Rapid7 has room for improvement in a few decision criteria, including:
Graph and link analysis: The solution offers basic threat actor and tactic correlation and contextual linking across digital risk artifacts, but does not offer advanced graph traversal, relationship scoring, or interactive path analysis. It could be improved by adding a graph-based data model with automated entity extraction and relationship correlation.
Incident response and forensic capabilities: The platform focuses on pre-incident intelligence and external risk identification rather than deep forensic investigation. It relies on native integration with Rapid7 incident response tooling to support investigation efforts and response workflows instead of providing forensic capabilities of its own.
Integrations: The solution has native platform integration with Rapid7 InsightIDR and InsightConnect, as well as some SIEM and SOAR tools, but offers a more limited third-party TIP ecosystem. Broader integration coverage across a wider range of security tools would improve interoperability.
Purchase Considerations
Pricing and packaging are dependent on bundled products and are quote-based, with limited public information on pricing. Buyers should validate whether there are data ingestion limits and service dependencies during the procurement process.
Threat Command is well suited for enterprise SOC teams already invested in the Rapid7 Insight platform, particularly those seeking to augment internal detection with external threat, brand, and credential exposure intelligence. The implementation difficulty is moderate and favors teams with existing security architecture resources rather than SMB organizations. The strongest operational value is realized when integrated with InsightIDR and InsightConnect, where external signals can be triaged and actioned. Additionally, teams looking to expand traditional TIP capabilities to digital risk and brand intelligence should consider this solution, but it is not a full replacement for a standalone TIP.
The solution is delivered as a SaaS offering, eliminating the need for customer-managed IT infrastructure, and the implementation can be accelerated by Rapid7 managed services. This model simplifies operations but may limit suitability for organizations with strict data residency, sovereignty, or on-prem deployment requirements.
Use Cases
Rapid7 Threat Command is well suited for organizations seeking specific capabilities for brand risk and digital risk protection, particularly large enterprises in industries such as retail, financial services, technology, and healthcare, where external exposure, fraud, and impersonation risk are elevated. Core use cases include monitoring leaked credentials, brand and domain impersonation detection, phishing and fraud intelligence, and early identification of external threats. These capabilities are delivered through continuous monitoring of surface, deep, and dark web sources and are operationalized through integration with Rapid7 security operations workflows.
Recorded Future: Intelligence Platform*
Solution Overview
Recorded Future delivers a cloud-native TIP designed to provide real-time, AI-driven insights across cyber, supply chain, brand, identity, and geopolitical risk domains. The platform aggregates and analyzes data from surface, deep, and dark web sources, technical telemetry, and proprietary analyst research to help organizations proactively identify, prioritize, and mitigate threats. Recorded Future was acquired by Mastercard in 2024 as part of Mastercard’s expansion into threat intelligence and cyber risk insights.
The Recorded Future Intelligence Platform is part of a modular portfolio that includes Threat Intelligence, SecOps Intelligence, Vulnerability Intelligence, Brand Intelligence, Third-Party Intelligence, and Identity Intelligence, which can be licensed individually or bundled. It applies machine learning, natural language processing, and risk scoring to correlate indicators, adversaries, campaigns, malware, and vulnerabilities mapped to MITRE ATT&CK and linked through entity-based intelligence graphs. The platform supports automated enrichment, exposure monitoring, ransomware mitigation, digital risk protection, and security workflow automation through integrations with security tools and case management systems.
Recorded Future is designed to process and operationalize very large volumes of global intelligence and is strategically focused on large enterprises and government organizations with mature security teams that require scalable analytics, automation, and cross-functional intelligence workflows.
Recorded Future is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the TIP Radar chart.
Strengths
Recorded Future scored well on a number of decision criteria, including:
Digital risk protection: The solution provides AI-driven monitoring of impersonation, fraudulent domains, credential leaks, phishing infrastructure, and dark web exposure. It integrates multilingual dark web intelligence and real-time risk scoring into a unified platform that links these insights with broader threat intelligence and risk workflows. Takedown actions and mitigation can be initiated directly from the platform, with the analyst kept in the loop for validation.
Threat modeling: The platform provides strong threat analysis capabilities aligned to MITRE ATT&CK, with detailed adversary profiling, infrastructure tracking, and campaign correlation across global telemetry. The platform supports scenario-based and organization-specific threat modeling by linking actor TTPs, vulnerabilities, and sector targeting patterns to customer-relevant risk context. Its Autonomous Threat Ops capabilities leverage AI-driven correlation and prioritization to streamline investigations and accelerate operational response.
Sandboxing: The solution includes malware detection and sandboxing capabilities, including detailed detonation analysis across multiple OS environments. Behavioral output is mapped to MITRE ATT&CK techniques and enriched with broader threat intelligence, including actor, campaign, and infrastructure context. Results can be correlated with organizational exposure data to help determine whether related indicators or malware families pose direct risk to the enterprise.
Recorded Future is classified as an Outperformer due to its rate of technology development in the last year, notably the expansion of its Intelligence Cloud with Identity Intelligence, enhanced Brand Intelligence and takedown capabilities, deeper malware sandboxing, and continued investment in AI-driven risk scoring and automated investigation workflows.
Opportunities
Recorded Future has room for improvement in a couple of decision criteria, including:
Incident response and forensic capabilities: It supports incident response through rich investigation context, timeline reconstruction, and automated enrichment of indicators, actors, and infrastructure. Analysts can pivot across related campaigns, TTPs, and vulnerabilities to accelerate containment decisions. However, it lacks deep native forensic tooling, relying instead on integrations with EDR and IR platforms for full forensic workflows.
AI threat detection: The platform incorporates AI-driven detection and classification across phishing, malware, and adversary campaigns, including some tracking of LLM-enabled phishing and generative AI-assisted tactics within actor and campaign profiles. While the solution supports tagging and MITRE ATT&CK mapping of AI-driven TTPs, the vendor could strengthen it by developing an engine that detects AI-generated threat artifacts and threats independently of the broader threat intelligence workflows.
Purchase Considerations
Recorded Future is purchased through a subscription-based licensing model. Each intelligence module is licensed separately, and bundled pricing must be quoted directly by the vendor sales team. Pricing is typically structured as multiyear agreements and depends on the number of user seats and selected modules. Transactions can also be executed via AWS Marketplace, but large enterprises might benefit from working with the vendor directly.
The solution is not designed for most SMB organizations due to cost, platform depth, and operational complexity. It is best suited for large enterprises, government entities, and mature security teams that can operationalize high-volume intelligence across SOC, vulnerability management, third-party risk, and brand protection workflows.
The vendor can also provide managed services, intelligence services, integration and advisory support, and an “analyst on demand.” These services extend a customer team’s capacity with expert-led monitoring, reporting, custom briefings, and program development, which can accelerate time to value for enterprises with complex or global threat landscapes.
Use Cases
Recorded Future supports ransomware mitigation, exposure management, security workflow automation, supply chain risk mitigation, and digital risk protection across a wide range of industries by leveraging global intelligence sources and AI-driven analytics. Its modular platform correlates adversary activity, vulnerabilities, third-party risk, and brand threats into operational workflows, making it particularly well suited for large enterprises with mature security programs and complex threat environments.
SOCRadar: Extended Threat Intelligence (XTI)*
Solution Overview
SOCRadar provides an external threat intelligence and digital risk protection platform focused on monitoring and mitigating risks that originate outside the organization. The platform aims to democratize threat intelligence so all organizations can benefit from an early warning system against cyberthreats. The company’s primary emphasis is on brand protection, credential and data leak detection, phishing domain monitoring, and external attack surface visibility.
The SOCRadar Extended Threat Intelligence (XTI) Platform is delivered as a cloud-based SaaS offering with tiered plans and optional managed analyst services. The platform continuously collects and analyzes data from surface, deep, and dark web sources to identify exposed credentials, impersonation campaigns, leaked data, malicious domains, and third-party risks. It correlates findings to monitored assets, domains, brands, executives, and suppliers, and then generates alerts and supports integration with other security tools for downstream action.
SOCRadar’s strategy centers on delivering wide coverage digital risk and brand intelligence with ease of deployment, positioning the platform as an accessible external intelligence layer that augments existing SOC workflows rather than replacing them.
SOCRadar is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the TIP Radar chart.
Strengths
SOCRadar scored well on a number of decision criteria, including:
Digital risk protection: The platform continuously monitors surface, deep, and dark web sources to detect impersonation, phishing domains, leaked credentials, and exposed sensitive data. It identifies lookalike domains, compromised third-party data, and underground marketplace activity and generates structured alerts with source attribution and asset context. The solution also includes takedown actions for external threats.
Brand intelligence: The solution provides this type of protection through specific monitoring of brand risk, checking social platforms, marketplaces, and underground forums to identify impersonation, trademark abuse, and fraudulent use of corporate assets. The platform detects newly registered and lookalike phishing domains, monitors brand-related chatter, and provides structured alerts tied to monitored keywords and digital assets. It also extends visibility to executive and VIP exposure, identifying impersonation attempts, leaked credentials, and targeted abuse affecting high-risk individuals associated with the organization.
AI-assisted investigations: The solution incorporates AI capabilities to summarize threat findings, prioritize alerts based on risk context, and assist analysts in reviewing external intelligence. It also includes AI-driven automation to streamline analysis and surface relevant insights more quickly within the platform workflow. AI functionality focuses on summarization and prioritization.
Opportunities
SOCRadar has room for improvement in a few decision criteria, including:
Graph and link analysis: The platform provides basic entity relationships and contextual linking of actors, domains, and infrastructure. It could be improved with advanced graph-based analytics, detailed attack path analysis, and analyst-driven exploration of relationships in a graph database model.
Incident response and forensic capabilities: The solution supports investigations by providing contextual threat intelligence, historical exposure tracking, and attribution data tied to monitored assets and external activity. Analysts can review prior leak events, phishing campaigns, and actor associations to inform response decisions. However, the platform does not provide native incident response, case management, forensic artifact collection, or formal evidence-handling capabilities typical of dedicated IR platforms.
Automation and orchestration: It supports automation through configurable alerting, external intelligence enrichment, and automated notifications tied to monitored assets and threat conditions. It enables downstream orchestration by integrating with SIEM, SOAR, and ticketing platforms, allowing indicators and alerts to trigger response workflows externally. However, it does not provide robust native response automation or complex playbook execution within the platform itself, relying on integrated tooling instead.
Purchase Considerations
SOCRadar is best positioned for organizations as a digital risk protection intelligence platform offering transparent, tiered pricing. The solution is purchased in a tiered pricing model of Freemium, Essentials, and Ultimate, which provides clear entry points, improving procurement transparency. The Free tier enables limited evaluation with access to vulnerability, dark web, and sandbox intelligence. Essential is structured for small to midsize teams, with defined seat limits, feed sources, threat hunting access, and usage-based credits for search and malware analysis. The Ultimate-Flex tier supports MSSPs and enterprise use cases with API access, expanded hunting rules, flexible seats, and higher credit volumes. Buyers should validate which operational security areas they are looking to enhance to determine which tier suits them best.
The platform is a strong fit for SMB and mid-market teams seeking rapid external threat visibility with low administrative burden. Enterprise deployments typically require minimal ongoing tuning and can be operated by a lean security or threat intel function without dedicated architect resources. Managed analyst services are also available to augment smaller security teams.
The solution is deployed in a multitenant model well suited for most organizations. Companies with strict data residency, regulatory, or compliance requirements should evaluate whether this architecture aligns with their governance and compliance needs.
Use Cases
SOCRadar supports multiple industries rather than focusing exclusively on one type of organization, but it is particularly well aligned with sectors that have high brand exposure and external attack surfaces, such as financial services, retail, e-commerce, technology, and critical infrastructure. Its value proposition centers on protecting digital assets and customer trust in industries where phishing, impersonation, and data leaks have direct reputational and regulatory impact.
ThreatConnect (Dataminr): Threat Intelligence Platform*
Solution Overview
ThreatConnect provides a platform focused on operationalizing cyberthreat intelligence across security operations. The company targets enterprises, government organizations, and MSSPs seeking structured intelligence management, automation, and integration with downstream security tooling. In late 2025, the company was acquired by Dataminr, but the platform continues to be available as a standalone product.
The ThreatConnect platform is a modular solution comprising core TIP capabilities and integrated playbooks that provide SOAR functionality. The solution is delivered primarily as a SaaS model with options for single-tenant and self-hosted deployments. Core components include a unified threat library, relationship and graph analysis, STIX and TAXII support, automated enrichment, case management, and broad integrations with security tools. The platform ingests and normalizes internal and external intelligence, correlates entities across campaigns and adversaries, and enables workflow-driven dissemination and response through playbooks, security operations processes, and collaboration.
ThreatConnect’s strategy centers on delivering a full-featured, automation-driven TIP capable of displacing point intelligence tools while integrating deeply into existing security ecosystems to support use cases such as intelligence-led SOC operations, incident response, threat hunting, and intelligence sharing.
ThreatConnect is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the TIP Radar chart.
Strengths
ThreatConnect scored well on a number of decision criteria, including:
Integrations: The solution has an extensive library of integrations, with a wide range of native connectors for standard platforms like SIEM, SOAR, EDR, and an expanded catalog including other tools such as email security, risk management, and network security. The platform also integrates broadly with commercial and open source threat enrichment providers, enabling automated context expansion and bidirectional data exchange. This mature integration ecosystem supports intelligence ingestion, operationalization, and automated response across the security stack.
Graph and link analysis: The platform has robust relationship modeling across indicators, threat actors, campaigns, vulnerabilities, and incidents, enabling analysts to visualize and explore complex threat relationships. The platform supports pivoting, contextual enrichment, and interactive visual analytics that are central to investigative workflows and adversary tracking. This graph-centric design enhances correlation, attribution analysis, and intelligence-driven decision-making, allowing analysts to build extensive threat profiles.
Automation and orchestration: These capabilities allow teams to automate cyberdefense tasks via a no-code drag-and-drop interface, enabling automation directly within the platform. Workflows can be fully manual, semi-automated, or fully automated, allowing teams to build automation into investigative processes using tasks, conditional logic, and playbooks tied to operational intelligence workflows. Native workflow and case management streamline collaboration, prioritize analyst effort, and shorten response times by reducing friction across enrichment, investigation, and response actions.
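The overview above describes ingesting STIX and TAXII content, normalizing it, and correlating entities across campaigns and adversaries, and the graph and link analysis strength describes pivoting from indicators to actors. The following Python is an added example, not ThreatConnect's or any vendor's code, that shows those two mechanics on a constructed STIX 2.1 bundle: objects are normalized into an adjacency list, an indicator is pivoted to the threat actors reachable through its relationships, and indicators whose valid_until window has lapsed are rejected before pivoting (a check a TIP must make before pushing indicators to a SIEM or EDR). All identifiers, names and the bundle contents are made up for the example; only the standard library is used.

```python
"""Normalise a STIX 2.1 bundle into a graph and pivot indicator -> threat-actor."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed identifiers for the sample bundle (UUIDs are placeholders).
IND_ACTIVE = "indicator--00000000-0000-4000-8000-0000000000a1"
IND_EXPIRED = "indicator--00000000-0000-4000-8000-0000000000a2"
MALWARE = "malware--00000000-0000-4000-8000-0000000000b1"
CAMPAIGN = "campaign--00000000-0000-4000-8000-0000000000c1"
ACTOR = "threat-actor--00000000-0000-4000-8000-0000000000d1"
EXAMPLE_NOW = datetime(2026, 4, 9, tzinfo=timezone.utc)  # assumed "current" time


def _sdo(stix_type, ident, **props):
    # Fill the common STIX object properties so the sample is structurally valid.
    base = {"type": stix_type, "spec_version": "2.1", "id": ident,
            "created": "2025-01-10T00:00:00.000Z", "modified": "2025-01-10T00:00:00.000Z"}
    return {**base, **props}


def _rel(src, rel_type, dst, n):
    return _sdo("relationship", f"relationship--00000000-0000-4000-8000-0000000000e{n}",
                relationship_type=rel_type, source_ref=src, target_ref=dst)


# Constructed sample bundle: two indicators (one live, one expired) pointing at a
# malware family used by a campaign that is attributed to an actor.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _sdo("indicator", IND_ACTIVE, name="Live C2 domain", pattern_type="stix",
             pattern="[domain-name:value = 'c2.example.invalid']", confidence=80,
             valid_from="2025-01-10T00:00:00Z", valid_until="2099-01-01T00:00:00Z"),
        _sdo("indicator", IND_EXPIRED, name="Retired C2 IP", pattern_type="stix",
             pattern="[ipv4-addr:value = '192.0.2.10']", confidence=50,
             valid_from="2024-06-01T00:00:00Z", valid_until="2025-06-01T00:00:00Z"),
        _sdo("malware", MALWARE, name="ExampleRAT", is_family=True),
        _sdo("campaign", CAMPAIGN, name="Example Campaign"),
        _sdo("threat-actor", ACTOR, name="Example Actor"),
        _rel(IND_ACTIVE, "indicates", MALWARE, 1),
        _rel(IND_EXPIRED, "indicates", MALWARE, 2),
        _rel(CAMPAIGN, "uses", MALWARE, 3),
        _rel(CAMPAIGN, "attributed-to", ACTOR, 4),
    ]})


def parse_time(ts):
    # STIX timestamps are RFC 3339 UTC; drop fractional seconds and the Z.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def load_bundle(text):
    """Return (objects by id, adjacency list). Relationship SROs become edges."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objects = {o["id"]: o for o in bundle.get("objects", []) if o["type"] != "relationship"}
    edges = defaultdict(list)
    for o in bundle.get("objects", []):
        if o["type"] != "relationship":
            continue
        src, dst, rel = o["source_ref"], o["target_ref"], o["relationship_type"]
        if src not in objects or dst not in objects:
            continue  # dangling reference: skip rather than create a ghost node
        edges[src].append((dst, rel, "out"))
        edges[dst].append((src, rel, "in"))
    return objects, edges


def indicator_is_active(ind, now):
    """An indicator is actionable only inside its valid_from/valid_until window."""
    if ind.get("type") != "indicator" or ind.get("revoked"):
        return False
    if parse_time(ind["valid_from"]) > now:
        return False
    until = ind.get("valid_until")
    return until is None or parse_time(until) > now


def pivot(objects, edges, start_id, target_type, max_hops=4):
    """Breadth-first pivot; returns one shortest path per reachable target.
    Each path is a list of (object id, relationship label); '<-' marks an
    edge traversed against its STIX direction."""
    paths, seen = [], {start_id}
    queue = deque([(start_id, [(start_id, None)])])
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for nbr, rel, direction in edges.get(node, []):
            if nbr in seen:
                continue
            seen.add(nbr)
            new_path = path + [(nbr, rel if direction == "out" else f"<-{rel}")]
            if objects[nbr]["type"] == target_type:
                paths.append(new_path)
            else:
                queue.append((nbr, new_path))
    return paths


def actors_for_indicator(text, indicator_id, now=EXAMPLE_NOW):
    """Load the bundle, reject stale indicators, return names of reachable actors."""
    objects, edges = load_bundle(text)
    ind = objects.get(indicator_id)
    if ind is None or not indicator_is_active(ind, now):
        return []
    return sorted(objects[p[-1][0]]["name"] for p in pivot(objects, edges, indicator_id, "threat-actor"))
```

Calling actors_for_indicator(SAMPLE_BUNDLE, IND_ACTIVE) walks indicator -> malware -> campaign -> actor and returns the actor name; the same call for IND_EXPIRED returns nothing because the validity check runs before any graph traversal. In a real TIP the bundle would arrive from a TAXII collection rather than an inline string, and the relationship labels would feed the visual pivoting the report describes.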
Opportunities
ThreatConnect has room for improvement in a few decision criteria, including:
Digital risk protection: The solution provides digital risk coverage through third-party intelligence feeds and integrations, enabling visibility into external threat signals but not delivering deep native digital risk protection workflows. The platform could improve by including native capabilities such as brand abuse monitoring, impersonation detection, social media surveillance, or takedown orchestration.
Sandboxing: The platform currently does not provide native malware sandboxing or embedded detonation capabilities within its core platform. This presents an opportunity to expand into integrated behavioral malware analysis, either through native features or integrated partnerships to deliver deeper visibility into file and payload behavior, allowing correlation with threat actor techniques.
AI threat detection: The solution uses AI for scoring, correlating, and prioritizing intelligence, improving the signal-to-noise ratio and analyst efficiency. However, it does not explicitly highlight detection or categorization of AI-enabled attacks such as LLM-assisted phishing, automated malware generation, or synthetic identity abuse. Expanding coverage to identify and tag AI-driven TTPs would help organizations understand their exposure to these novel threats.
Purchase Considerations
ThreatConnect is purchased across three modules: the Threat Intelligence Platform (TIP); Polarity, a tool that delivers context at the point of analysis; and Risk Quantifier, which helps organizations quantify their risks. Buyers will need to engage directly with sales to determine pricing, module bundling, user tiers, automation limits, and data volume considerations, as packaging is modular and configurable.
ThreatConnect fits best for midsize to large enterprises, government teams, and MSSPs with a dedicated intelligence function. The platform offers a wide breadth of features that can displace incumbent TIPs and some SOAR use cases, while also functioning well as an augmentation layer via strong APIs, STIX and TAXII support, and a broad integration ecosystem. Deployment is primarily SaaS, with options for single-tenant, on-prem, and self-hosted environments. Implementation complexity is moderate, and new customers might want to consider working with partner organizations for structured implementations and ongoing support. Buyers should plan for upfront design and onboarding to optimize workflows and automation.
Use Cases
ThreatConnect supports financial services, large enterprises, government, healthcare, and MSSPs, delivering AI-driven intelligence through a unified threat library, federated search, and automated intelligence enrichment. Broad use cases include automated malware analysis via integrations, threat detection and prevention, vulnerability prioritization, alert triage, threat hunting, incident response, and intelligence dissemination to streamline SOC operations.
ThreatQuotient (Securonix): ThreatQ Threat Intelligence Platform*
Solution Overview
ThreatQuotient enables organizations to operationalize threat intelligence by aggregating, contextualizing, and prioritizing threat data to support security operations. Its primary emphasis is helping security teams move from raw indicators of potential threats to actionable intelligence that improves detection, investigation, and response outcomes. ThreatQuotient was acquired in 2025 by Securonix, a fully integrated cyberthreat defense company, to broaden detection and investigation capabilities. This platform can still be purchased independently.
The ThreatQ Threat Intelligence Platform is delivered as part of a broader portfolio rather than a single standalone product, with core SKUs including ThreatQ Platform (TQ), ThreatQ Investigations (TQI), ThreatQ Data Exchange (TQX), and ThreatQ TDR Orchestrator (TQO). Together, these components provide intelligence ingestion and normalization, collaborative investigation and case management, bidirectional sharing and standards-based exchange, and orchestration of threat detection and response workflows. Architecturally, the platform integrates external and internal intelligence sources, applies scoring and correlation to prioritize relevance, and feeds enriched intelligence into downstream security tools and processes. ThreatQuotient’s strategy centers on serving as a central intelligence layer for SOCs, incident response teams, and MSSPs, with primary use cases in threat intelligence operations, alert triage, incident investigation, and intelligence-driven response orchestration.
ThreatQuotient is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the TIP Radar chart.
Strengths
ThreatQuotient scored well on a number of decision criteria, including:
Integrations: The platform includes connectors across SIEM, SOAR, EDR, sandboxing, ticketing systems, and threat prevention tools. Its integration ecosystem spans enrichment and analysis, intelligence feeds, artificial intelligence, orchestration, log platforms, network management, and vulnerability management. With hundreds of integrations, bidirectional workflows, and APIs, the platform enables interoperability across complex security tool environments.
Automation and orchestration: The platform provides playbooks, scoring-driven workflows, and integration with SOAR platforms to operationalize intelligence across detection and response processes. The addition of customer-defined prioritization and scoring reduces noise and accelerates response, while automation simplifies and improves playbook execution based on gathered intelligence. The integration framework and marketplace support hundreds of connections that enable scalable, low-code workflow creation and orchestration across an organization's security ecosystem.
Graph and link analysis: The solution provides entity relationship mapping and contextual linking across indicators, threat actors, campaigns, and incidents to support investigation workflows. Analysts can pivot across related objects to understand associations, attribution patterns, and operational impact within a unified intelligence context. This relationship-centric model improves prioritization and accelerates root cause analysis across the threat lifecycle.
Opportunities
ThreatQuotient has room for improvement in a few decision criteria, including:
Digital risk protection: These capabilities rely on integrations with external intelligence feeds and third-party providers rather than deep native functionality. While this enables flexible coverage, the platform could strengthen its position by expanding native monitoring (including takedown workflows) and brand abuse management capabilities to deliver more comprehensive digital risk protection.
Sandboxing: The solution relies on integrations with third-party sandboxing and malware detonation solutions rather than offering native analysis capabilities. While this supports flexibility of deployment, adding built-in detonation, behavioral analysis, and analyst-facing transparency could strengthen investigation workflows and reduce dependency on external tools.
AI threat detection: The solution applies machine learning for scoring, correlation, and prioritization but does not offer dedicated AI-specific threat profiling to detect and categorize emerging AI-centric attack techniques. Expanding detection and reporting for AI-driven phishing, automated malware generation, and LLM-enabled social engineering would strengthen the platform's intelligence data for customers.
Purchase Considerations
ThreatQuotient is primarily provisioned as a SaaS platform, with pricing structured in tiers based on instance size and number of users. Organizations can scale capacity and user access as intelligence operations mature, making the platform adaptable to both growing and established security teams. Alternative deployment models may be available for regulated environments, but SaaS remains the standard consumption model.
ThreatQuotient also offers professional services to support onboarding, including implementation, integration, customization, workflow design, and analyst training. These services can be particularly valuable for smaller or less mature teams that need assistance establishing intelligence processes and operational playbooks. The platform is well suited for organizations pursuing a greenfield TIP deployment, as it provides structured ingestion, scoring, and workflow capabilities that help formalize intelligence operations from the outset. Buyers should plan for integration configuration and workflow tuning to maximize value, especially in complex security environments.
Use Cases
ThreatQuotient supports a broad set of industries, including financial services, government, healthcare, technology, and MSSPs, by serving as a central threat intelligence operations layer. Use cases include threat intelligence aggregation and normalization, alert triage and prioritization, incident investigation and response support, intelligence sharing, and detection-and-response orchestration. Support is delivered through prebuilt integrations with a wide range of cybersecurity tools, standards-based exchange, and modular components tailored to SOC workflows.
ZeroFox: ZeroFox Platform
Solution Overview
The ZeroFox Platform is a unified threat intelligence platform focused on identifying and disrupting digital, cyber, and physical threats targeting organizations, executives, and customers. It combines cyberthreat intelligence, attack surface intelligence, brand and domain protection, executive and VIP protection, and physical security intelligence to provide centralized visibility into risk across digital and real-world environments.
The solution is delivered as the ZeroFox Platform, a single, integrated product suite in which individual capabilities can be purchased separately or bundled, all operating through a common user interface and shared underlying data and services architecture. The platform continuously monitors surface, deep, and dark web sources, social media, domains, mobile applications, and physical-world signals, correlating intelligence, alerts, and workflows across use cases. Detection is paired with built-in disruption capabilities that use automation and expert analysts to take direct action, including the removal of malicious content. Strategically, ZeroFox emphasizes proactive detection and response for digital risk and threat intelligence use cases, particularly where brand abuse, executive targeting, and external attack surface exposure require coordinated intelligence and takedown operations.
ZeroFox is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the TIP Radar chart.
Strengths
ZeroFox scored well on a number of decision criteria, including:
Digital risk protection: The platform addresses digital risk through continuous global monitoring across social media, domains, marketplaces, forums, paste sites, code repositories, messaging apps, and surface, deep, and dark web environments to detect brand abuse, phishing, credential exposure, impersonation, and data leaks. The platform maps risks directly to a customer’s assets, including brands, domains, executives, customers, and infrastructure. The solution applies dynamic risk scoring and supports automated takedown and disruption workflows that combine automation with analyst-led enforcement. This data is also correlated with broader threat intelligence to enable coordinated response across security, fraud, and risk teams.
Threat modeling: The solution provides threat modeling based on observed adversary behavior, using an intelligence graph and analytics framework to map indicators, threat actors, campaigns, and TTPs to attack frameworks. The platform correlates external threat intelligence with internal telemetry, asset inventories, and vulnerability data through integrations to prioritize risks based on exploitability and active threat activity. AI-driven analytics continuously update entity relationships and campaign linkages, enabling teams to anticipate likely attack paths and operationalize insights through automated enrichment and response workflows.
Graph and link analysis: The platform uses a threat intelligence graph that connects threat actors, campaigns, infrastructure, indicators, TTPs, and victim assets using data collected from surface, deep, and dark web sources, technical sensors, and human research. Intelligence is normalized into structured entities and mapped to frameworks such as MITRE ATT&CK, enabling analysts to pivot across indicators of compromise, adversaries, vulnerabilities, and customer-specific assets for investigation and attribution.
Opportunities
ZeroFox has room for improvement in a few decision criteria, including:
Incident response and forensic capabilities: The platform supports incident investigations and enrichment through built-in case management capabilities, including structured case objects, analyst assignment, evidence and artifact attachment, investigation timelines, correlation of alerts and exposure data, and full audit trails. It could be further enhanced with AI-assisted triage, automated evidence preservation, and post-incident analytics to better identify root causes and adversary patterns.
Integrations: The solution integrates with a wide range of SIEM, SOAR, XDR, case management, and vulnerability management platforms through bidirectional APIs and integrates threat intelligence feeds of all types. Integrations enable external intelligence, indicators of compromise, risk scores, and disruption actions to enrich internal telemetry and drive automated workflows across detection and response environments. While the platform supports a broad range of integration options, it could be slightly improved by introducing a low-code integration builder to give customers more flexibility in creating custom integrations with less engineering effort.
AI threat detection: The solution supports the detection of certain AI-enabled threats, including deepfake content and AI-driven impersonation campaigns identified across social and digital channels. This platform could expand coverage to additional AI-specific TTPs, representing an opportunity to improve detection and profiling of AI-enabled attack methods across the full threat lifecycle.
Purchase Considerations
The platform uses a modular, per-product subscription model with bundled platform packages based on assets, users, and service levels. Digital risk protection is sold by asset type (brands, domains, executives, and mobile apps); Executive Protection is tiered as Essential or Premium; and External Attack Surface Management (EASM) is measured by seed domains and IPs. Physical Security Intelligence and Intelligence Search are licensed per analyst user, and takedowns can be purchased in success-based buckets. Managed services are priced by reporting frequency or by the number of analyst hours required. Because the licensing options are complex, organizations must carefully consider their specific requirements and should work with the vendor to find the best bundled options.
The platform is delivered as a self-managed SaaS offering, and can be co-managed with a provided analyst team or fully managed through ZeroFox. Pricing is transparent and forecastable, with clear visibility into each module’s cost and no hidden data or integration fees within standard usage. This provides a flexible model for smaller organizations that do not have a large internal security operations team.
This platform can operate as a central hub (rather than a research-only tool) that fuses cyber and physical security intelligence, including travel risk, protected locations, and personal safety, making it well suited for organizations seeking coordinated digital and real-world risk protection.
Use Cases
ZeroFox supports a broad range of industry verticals and delivers comprehensive threat intelligence, digital risk detection, investigation, and disruption use cases spanning cyber, brand, executive, third-party, and physical security domains. Core use cases include deep and dark web monitoring, brand and domain protection, anti-phishing and fraud detection, attack surface and vulnerability intelligence, and executive and VIP protection, with integrated takedown and disruption capabilities. The platform is particularly suited for organizations seeking unified visibility and response across external attack surface exposure, reputational risk, financial fraud, and physical threat signals within a single platform.
6. Analyst's Outlook
The TIP market is shifting from data aggregation toward outcome-driven risk orchestration. Historically, platforms focused on collecting indicators of compromise (IOCs), normalizing feeds, and enriching alerts. Today, the baseline expectation is automation, correlation, and workflow integration across security operations, vulnerability management, and exposure management teams.
For purchasers, the place to start is not necessarily feature comparison; organizations should first determine whether they need a data-centric intelligence repository, an operational intelligence hub embedded in detection and response workflows, or a cross-functional risk platform that informs cyber, physical, and executive protection stakeholders. The most advanced platforms now serve as a common backbone across all threat layers, linking adversarial intelligence, sector intelligence, and attack surface intelligence into a unified exposure view.
The market is rapidly embracing agentic AI within SOC workflows. Buyers should expect AI not only to summarize intelligence but to proactively expand collection, classify and correlate signals, initiate enrichment, and trigger response actions. However, explainability is becoming equally critical. AI-driven prioritization must be transparent and auditable to support compliance, governance, and executive trust.
Leading platforms are combining agentic workflows with behavioral modeling and predictive analytics to forecast campaign evolution, targeting shifts, and attacker intent. Threat hunting is becoming embedded into daily activities, not just alerting on what happened, but providing insight into where risk is heading.
Threat teams also have to consider new avenues of risk beyond technical IOCs as adversaries increasingly target digital channels of every kind and cause real-world harm. Harassment campaigns, doxxing, impersonation, and activist mobilization often begin online before manifesting physically. Future platforms must correlate cyber telemetry, social narrative analysis, geopolitical context, and physical security signals. Executive and VIP protection capabilities, integrating identity monitoring, personal data exposure, travel risk, and threat actor chatter, are becoming board-level concerns. Brand risk and reputational exposure are likewise moving into the intelligence domain. Sentiment tracking, narrative propagation mapping, and influence analysis help organizations anticipate reputational crises and escalation pathways toward physical disruption, giving threat teams even more extensive responsibilities and importance within organizational risk analysis programs.
Executives are looking to measure the value of intelligence by whether it changes security outcomes. This requires merging threat-driven prioritization with exploitability, likelihood, and business impact. Partnerships or integrations with attack emulation and breach and attack simulation tools are increasing, enabling organizations to validate controls against live threat intelligence.
Cybersecurity decision-makers should begin by mapping intelligence to outcomes. Determine which decisions need to be made faster and which risks are most material to the business. Then assess whether the platform supports the desired workflows, from detection to validation to measurable remediation impact. Another consideration is the AI maturity of each platform: whether it can only automate individual tasks or can also orchestrate complex workflows. It is also important to determine whether AI-derived insights are explainable and defensible and whether agents can integrate across SOC, exposure management, executive protection, and geopolitical risk functions.
The final consideration to prioritize is interoperability. The right platform should serve as connective tissue across existing tooling rather than a siloed feed repository.
The next phase of growth in the market will be autonomous, predictive, and cross-domain. Agentic AI will increasingly handle triage, enrichment, and coordinated response, allowing human analysts to focus on strategic decisions. Exposure intelligence will expand beyond traditional attack surface monitoring to encompass social volatility, supply chain risk, brand attacks, and personal executive exposure.
Platforms that succeed will unify intelligence lenses into a shared risk model, link real-world adversary behavior to validated control effectiveness, and deliver a measurable reduction in exposure. Preparation requires more than tool selection. Organizations must evolve governance models, clarify accountability across cyber and physical risk teams, and build trust frameworks for explainable AI.
Ultimately, the defining question for buyers is simple: Does the platform help the organization decide faster, focus on what matters, and prevent real-world harm? The solutions that can demonstrate measurable changes in outcomes will define the future of the market.
To learn about related topics in this space, check out the following GigaOm Radar reports:
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Radar reports, please visit our Methodology.
8. About Seth Byrnes
Seth Byrnes has extensive experience in developing strategic roadmaps, implementing robust technology solutions, and leading cross-functional teams to drive operational excellence.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2026 "GigaOm Radar for Threat Intelligence Platforms" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.