Threat intelligence platforms (TIPs) process external threat feeds and internal log files to create a prioritized and contextualized feed of alerts for a security team. TIPs also enhance other business security tools with consolidated and improved threat feeds. To help you select the right platform for your business, I analyzed industry-leading threat intelligence products and their capabilities, pricing, and important features.
Here are the top seven threat intelligence platforms for businesses:
- ThreatConnect: Best overall for a mix of features and integrations
- Rapid7 Threat Command: Best for intensive security needs
- Anomali ThreatStream: Best for hybrid deployments
- Google Cloud Threat Intelligence (Mandiant): Best for Google Cloud customers with basic needs
- Recorded Future: Best for small-team requirements
- Palo Alto Networks Cortex XSOAR: Best for enterprise threat intelligence
- SolarWinds Security Event Manager: Best for log management
Featured PartnersFeatured Partners
eSecurity Planet may receive a commission from merchants for referrals from this website
Top threat intelligence platforms compared
This table briefly covers my top seven vendors, the availability of a few of their features, and free trials.
| Alert Management | Threat Scoring | Sandbox Integration or Add-On | MITRE Mapping | 30-Day Free Trial* | |
| ThreatConnect | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| Rapid7 Threat Command | ✔️ | ✔️ | Plug-in | ✔️ | ❌ |
| Anomali ThreatStream | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| Google Cloud Threat Intelligence (Mandiant) | ✔️ | ✔️ | ❌ | ✔️ | ❌ |
| Recorded Future | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| Palo Alto Cortex XSOAR | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| SolarWinds Security Event Manager | ✔️ | ❌ | ❌ | ❌ | ✔️ |
* Trial is specifically for integrations with Splunk and Microsoft Sentinel SIEM products
While all of my top seven picks are strong business choices, ThreatConnect scored the highest overall and had the best selection of features.
Note: All per-user prices are based on a one-year commitment unless otherwise noted.
ThreatConnect – Best overall for a mix of features and integrations
Overall Reviewer Score
4.2/5
Core features
5/5
Integrations
4.8/5
Implementation and administration
4.3/5
Advanced features
3.4/5
Pricing
2.3/5
Customer support
3.3/5
ThreatConnect is a threat intelligence platform (TIP) that can be deployed on-premises, air-gapped, or in an AWS private cloud instance. Its deployment flexibility, strong array of threat intelligence features, and multiple third-party integrations make it a standout platform for enterprises.
ThreatConnect’s advanced features include threat graphing, which visualizes the connections between threat data and potential issues, and MITRE framework mapping. It’s ideal for businesses that need plenty of features and security integrations.
Pros
Cons
- Contact for quote: Custom pricing available
- Free trial: None mentioned
- Free demo: Contact to schedule
- Technology partnerships: Palo Alto, Splunk, Bitdefender, and Zendesk are just a few integration options.
- Alert triage: Automation allows security operations center (SOC) teams to prioritize threats that the platform surfaces.
- MITRE mapping: ThreatConnect connects each threat object to the corresponding information in the MITRE ATT&CK database.
- Threat graphing: ThreatConnect visualizes relationships between threat indicators and cases so you can more easily view the whole picture of a threat.
ThreatConnect is a top-notch threat intelligence product, but its customer support options are limited, with unclear team hours and no live chat. If you’re looking for more rapid support options, consider Rapid7, which offers phone calls and 24/7 support for Severity 1 issues.
Rapid7 Threat Command – Best for intensive security needs
Overall Reviewer Score
3.8/5
Core features
4.8/5
Integrations
2.8/5
Implementation and administration
3.6/5
Advanced features
3.4/5
Pricing
2.9/5
Customer support
5/5
Rapid7 Threat Command is a threat intelligence solution incorporating IntSights features, a TIP that Rapid7 acquired in 2021. Its key features include IOC prioritization, threat scoring, and integrations with open-source intelligence feeds. Threat Command integrates with InsightIDR, Rapid7’s combined SIEM, EDR, and incident response platform. If your business is considering multiple products from Rapid7, Threat Command is a great choice.
Pros
Cons
- Contact for quote: Custom pricing available
- Free trial: None available
- Free demo: Contact to schedule
- Alert management: Threat Command provides alert data such as a description and an alert header, as well as the option to remediate if possible.
- Threat Command dashboard: A nicely laid-out interface shows clear web and dark web threat stats, a system risk meter, and graphs of severity types.
- Threat scoring: Threat Command automatically calculates an IOC’s threat severity score based on multiple IOC parameters.
- Reporting: Threat Command’s report module offers multiple reports, including network types, alert types, executive summaries, and leaked credentials.
- Integrations with third-party cloud devices: Options include McAfee, Palo Alto’s Panorama, and Fortinet FortiGate.
Rapid7 Threat Command has a fantastic lineup of core threat intelligence features, but it’s missing some security integrations, especially SOAR. If you want more third-party integration options, check out ThreatConnect.
Anomali ThreatStream – Best for hybrid deployments
Overall Reviewer Score
3.5/5
Core features
3.7/5
Integrations
4.5/5
Implementation and administration
3.2/5
Advanced features
2.4/5
Pricing
2.9/5
Customer support
4/5
Anomali ThreatStream is a threat intelligence platform aggregating indicators to identify new attacks, discover existing breaches, and help security teams understand and contain threats. It includes over 100 open-source feeds. Anomali is a particularly good choice for teams that want their threat intelligence on-premises. You can deploy ThreatStream as software-as-a-service, on-prem, or in an air-gapped environment.
Pros
Cons
- Contact for quote: Custom pricing available; limited info from AWS
- Free trial: None available
- Free demo: Contact to schedule
- Threat scoring: Anomali ThreatStream uses machine learning to rank threats based on severity.
- Incident response integrations: ThreatStream connects to multiple EDR, SIEM, and firewall products, which automates attack blocking.
- Threat feed integrations: ThreatStream offers multiple options, including Anomali’s own feeds, many open-source feeds, and premium feeds.
- Sandboxing: ThreatStream’s integrated sandbox tool allows teams to investigate potential threats in greater detail.
Anomali has multiple deployment options but lacks some advanced threat intelligence capabilities, like alert management. Consider Rapid7 if you’re looking for more features or internal integrations that include them.
Google Cloud Threat Intelligence (Mandiant) – Best for Google Cloud customers with basic needs
Overall Reviewer Score
3.5/5
Core features
4.2/5
Integrations
4/5
Implementation and administration
2.9/5
Advanced features
1.9/5
Pricing
3.2/5
Customer support
3.9/5
Google Cloud Threat Intelligence, formerly Mandiant Advantage, offers threat intelligence along with attack surface management and managed defense. Its features include a dashboard, threat actor and vulnerability data, and OSINT indicators. While Google Cloud and the corresponding 24/7 managed Mandiant service are a suitable choice for enterprises, it’ll be particularly appealing to SMBs that want to start with basic cloud-based threat intelligence.
Pros
Cons
- Contact for quote: Custom pricing available
- Free trial: Google Cloud has a free trial, but Threat Intelligence isn’t specified as a product you can try — contact Google for more info
- Free demo: Very brief demo available via YouTube
- Global dashboards: Both threat intelligence and attack surface management widgets can populate data based on filters like location and industry.
- Reports: Options include finished intelligence (FINTEL) reports covering strategic analysis of threats and vulnerability reports.
- MITRE mapping: Mandiant’s threat intelligence security operations subscription allows teams to view actor and malware pivots with MITRE ATT&CK mapping.
- Threat scores: Advantage contains known vulnerability descriptions with CVSS ratings based on criticality.
Google Cloud is a solid threat intelligence platform for smaller teams and basic threat intel features, but it’s missing a few advanced features, like sandboxing. If you’re looking for more advanced capabilities or integrations, consider ThreatConnect.
Recorded Future – Best for small-team requirements
Overall Reviewer Score
3.3/5
Core features
3.7/5
Integrations
3.5/5
Implementation and administration
2.8/5
Advanced features
2.7/5
Pricing
3.1/5
Customer support
4/5
Recorded Future’s threat intelligence platform collects and structures threat data for security teams to analyze through its Intelligence Graph. Other platform capabilities include threat scoring and MITRE ATT&CK mapping. Recorded Future is a good choice for businesses on a budget because it offers a free browser extension with some features. However, for teams that want to pay for onboarding assistance, it offers a technical project manager.
Pros
Cons
- Contact for quote: Custom pricing available; limited reseller pricing information available
- Free trial: Available for exploring platform integrations
- Free demo: Contact to schedule
- Detection Rule API: Recorded Future’s API for rules allows users to download Snort, Sigma, and YARA detection rules.
- Risk lists: These contain multiple risks with scores for each and help correlate security events.
- Alerts: Recorded Future’s Threat Monitor product provides real-time email alerts based on data gathered from sources such as social media and the dark web.
- Correlation dashboards: Recorded Future’s dashboards show recently triggered rules by connecting security events with associated risk lists.
It’s not clear whether Recorded Future offers an on-premises deployment option. If your business needs one, check out Anomali ThreatStream.
Palo Alto Cortex XSOAR – Best for enterprise threat intelligence
Overall Reviewer Score
3.3/5
Core features
4.3/5
Integrations
2.7/5
Implementation and administration
3.3/5
Advanced features
2.3/5
Pricing
3.4/5
Customer support
3/5
Palo Alto Cortex is a broad security platform that offers SOAR, XDR, and threat intelligence, depending on which products and modules your business needs. The threat intelligence management product falls under the Cortex XSOAR specifically, while Unit 42 performs managed threat intel. Palo Alto topped the MITRE evaluation charts in 2023 with perfect scores, so it’s a great choice for enterprises that process highly sensitive data.
Pros
Cons
- Contact for quote: Custom pricing available
- Free demo: Contact to schedule
- Reports: XSOAR TIM supports out-of-the-box reports, including customizable ones, or you can create your own type of report.
- Automated response to indicators: XSOAR ingests alerts from email accounts, which then trigger the appropriate playbooks and perform the associated actions.
- MITRE mapping: XSOAR uses pre-established MITRE maps to correlate alerts and their appropriate remediation steps.
- Threat scoring: Using playbooks, XSOAR manages threat indicator lifecycles, including scoring the indicators.
Palo Alto is a great choice for existing Cortex customers and other enterprises that want a strong security solution. However, its information on third-party integrations is limited, and it’s unclear how many Palo Alto actually offers. I recommend looking at ThreatConnect if you want more third-party integration options.
SolarWinds Security Event Manager – Best for log management
Overall Reviewer Score
3.1/5
Core features
2.5/5
Integrations
2.4/5
Implementation and administration
4/5
Advanced features
2.3/5
Pricing
4/5
Customer support
5/5
SolarWinds Security Event Manager is a security event log solution with threat detection and response features. Highlights include configurable rules, responses to security events, and integrations with multiple firewall appliances. SolarWinds SEM is an ideal choice for teams that want basic threat intelligence capabilities but are focused on overall log and event management.
Pros
Cons
- Subscription: Starts at $3,292
- Perpetual: Starts at $6,477; customers can use indefinitely
- Free trial: 30 days
- Free demo: Contact to schedule
- Reporting: SEM has out-of-the-box and customizable report options for visualizing threat data.
- Incident response: SEM response actions help mitigate suspicious activity on your business’ information systems.
- SEM rules: Admins can configure specific fixes to occur based on specific security events.
- SEM connectors: SolarWinds SEM can integrate with other vendors’ software, including Malwarebytes, Check Point, Fortinet, and Oracle Alert Log for databases.
While SolarWinds offers plenty of strong security management tools, it’s not the most comprehensive threat intelligence platform. I recommend ThreatConnect if you’re looking for a traditional enterprise-grade threat intelligence management solution, particularly one with many advanced features and integrations.
5 key features of threat intelligence platforms
Threat intelligence platforms offer various core features that help security teams gather and manage threat intel, including data aggregation, threat and IOC scores, alert management, dashboards, and integrations with other security products.
Data collection
Aggregating information from several feeds is one of a threat intelligence platform’s most important tools. The more feeds you can incorporate, the more data you can use for threat information, as long as the feeds are reputable and process data well. Look for open-source feeds in particular; these are helpful because they find and compile publicly available data for free.
Threat scoring
Threat intelligence platforms should have some methodology for ranking the severity of business threats. Scores allow security operations teams to better determine which threats should be tackled first. Some platforms may have built-in Common Vulnerability Scoring System (CVSS) for known threats, while others may simply use their own rating system to let teams know which issues to prioritize.
Alert management
Threat intelligence solutions collect numerous alerts from business networks and systems, which can easily overwhelm security administrators if not triaged and appropriately prioritized. You’ll likely need some automation to sort through alerts and determine which are most important (and which are false positives). Threat intelligence products should offer alert management features to help security personnel triage issues more quickly.
Dashboards
Dashboards can help security teams prioritize the alerts they’re constantly receiving by organizing data into charts that are easier to understand. They provide a broad view of your threat intelligence ecosystem, improve data visualization, and give security teams a resource to report overall progress to executives and other company stakeholders.
Security integrations
TIPs integrating with other security products in your tech stack allow your teams to collect more comprehensive threat and vulnerability data from multiple sources. By feeding SIEM, EDR, and firewall information into a single solution, you eliminate some of the data silos inherent in IT infrastructures.
If a threat intelligence vendor isn’t clear about how their security integrations or partnerships work, ask them to demonstrate the direct integration between the platforms and how data syncs and populates within them.
Read our guide to different types of network security solutions to learn more about the threats to your business networks.
How I evaluated the best threat intelligence platforms
To evaluate business-facing threat intelligence products, I created a product scoring rubric that grouped threat intelligence features and characteristics into six major criteria buyers consider. Each of the six categories received a specific weight and contained multiple subcriteria, each with its own weighting. How well the evaluated products met each criteria determined their final scores. I also used the rubric to help determine product use cases.
Evaluation criteria
I first considered core features, which comprise the major functionality of threat intelligence platforms. Next, I assessed integrations with other security products, administrative capabilities like documentation, and advanced and add-on features such as incident response and sandboxing. Finally, I evaluated the threat intelligence platforms’ pricing availability, including free trials, customer support channels, demos, and team hours.
- Core features (30%): This category included major threat intelligence capabilities, such as alert management, reporting, and identifying indicators of compromise. Potential buyers should know what platforms can actually do before making a purchase.
- Criterion winner: ThreatConnect
- Integrations (20%): I looked at threat intelligence platforms’ integrations with multiple security products, including EDR, SIEM, and next-gen firewalls. Integrations can help users view more data than they’d otherwise have access to and potentially help them identify more threats.
- Criterion winner: ThreatConnect
- Implementation and administration (15%): I considered factors that can make threat intelligence platforms easier for your business to implement and learn, like a technical account manager and product documentation.
- Criterion winner: ThreatConnect
- Advanced features (15%): These were less common threat intelligence capabilities, such as MITRE mapping, dark web monitoring, and TIP add-ons like sandboxing. More advanced security teams may want to use these features to investigate potential threats more deeply.
- Criterion winner: Multiple winners
- Pricing (10%): I evaluated the availability of pricing information, free trials, and licensing options like annual and monthly billing so buyers know where to start when finding a TIP.
- Criterion winner: SolarWinds SEM
- Customer support (10%): I analyzed support channels like email, phone, and live chat, as well as support team hours and product demo availability. Knowing what support options are available before you commit to a threat intelligence provider is helpful.
- Criterion winner: Multiple winners
Frequently asked questions (FAQs)
What’s the difference between SIEM and a threat intelligence platform?
Security information and event management (SIEM) solutions centralize business-wide security data. Threat intelligence platforms specifically focus on aggregating internal and external data regarding business threats. However, these products’ capabilities can overlap, especially depending on the product or platform — some vendors may choose to combine them.
What is the NIST threat intelligence lifecycle?
The National Institute of Standards and Technology (NIST) has developed a five-step process for managing threat intelligence. The five steps include:
- Direction and planning
- Collecting
- Processing
- Analysis and production
- Dissemination and feedback
Following detailed, organized steps can help your business take charge of your threat intelligence management lifecycle.
What is cloud threat intelligence?
Cloud threat intelligence platforms focus on threats based in the cloud or most likely to affect cloud-stored data. Such threats include misconfigurations and strange behavior from privileged accounts. Note that a cloud-based threat intelligence platform could also refer to the TIP’s deployment method.
Bottom line: Threat intelligence platforms need context and careful management
Threat intelligence platforms are useful tools for enterprises as they work to understand their threat landscape.
But they need to be used and managed by administrators who know how to evaluate threats in their appropriate context. TIPs also need to process threat feed data accurately so teams know which issues are a priority and when to remediate them. Plan to devote the time necessary to develop a TIP to your organization’s specific needs.
If your business is considering other threat management products, check out our list of the best unified threat management solutions next.
