eSecurity Planet may receive a commission from vendor links. Our recommendations are independent of any commissions, and we only recommend solutions we have personally used or researched and meet our standards for inclusion.
Threat intelligence platforms (TIPs) process external threat feeds and internal log files to create a prioritized and contextualized feed of alerts for a security team. TIPs also enhance security tools with consolidated and improved threat feeds.
Our editorial team analyzed leading threat intelligence platforms and selected seven top tools for an organization to consider. To provide context, this article also explores features, alternative technologies, market trends, and other TIP vendors to consider.
Table of Contents
- Top Threat Intelligence Platforms
- What are Threat Intelligence Platforms?
- How the List of Top Threat Intelligence Platforms was Determined
- Bottom Line: Threat Intelligence Solutions Enhance the Security Stack
Top Threat Intelligence Platforms
Anomali ThreatStream
Anomali ThreatStream aggregates millions of threat indicators to identify new attacks, discover existing breaches, and enable security teams to quickly understand and contain threats. In addition to more than 100 open-source feeds included with the product, Anomali makes it easy to extend the information collected by the TIP through the purchase of additional commercial feeds in the Anomali App store.
- Threat intelligence scoring: Uses machine learning (ML) algorithms to rate confidence in the score that reflects the severity of the threat.
- Automated data collection: Incorporates threat data from hundreds of sources and in multiple formats, notably Anomali Labs, open-source intelligence (OSINT) feeds, and information sharing and analysis centers (ISACs).
- Data cleansing: Normalization, enrichment, de-duplication of data, and removal of false positives at scale
- Turnkey threat feed integration for security tools such as SIEMs, SOARs, firewalls, IPS, endpoints, etc.
- Security tool integration for inbound data ingestion and outbound response orchestration
- Flexible integrations using RESTful API and SDKs
- Data analysis tools: Workflows and functionalities to analyze and share data
- Brand monitoring via automatic search for typosquatted domains & compromised credentials
- Phishing response: Extracts data from suspected phishing emails for immediate blocking
- MITRE ATT&CK mapping of global threats
- Threat visibility and identification sharing with more than 2,000 other organizations in ThreatStream Trusted Circles
- Offers threat bulletins and other finished intelligence products for publishing reports to stakeholders
- Flexible deployment options: cloud-native, virtual machine, on-premises private instance, or even ThreatStream AirGap, a completely stand-alone instance
- Visual link analysis to connect indicators to associated higher-level threat models
- Integrated sandbox to investigate suspicious files
- Users complain of lack of transparency in assigning the confidence rating for indicators of compromise (however, this is common for ML and most vendors do not reveal their algorithms)
- Customers complain of the high system requirements for on-premises installations
- Some complain of rigid APIs and inflexible customization options
Anomali does not publish pricing on their own website, but the AWS marketplace prices a 12-month subscription to ThreatStream Enterprise for 3,500 employees at $150,000.
For more, see our in-depth look at Anomali ThreatStream.
IBM X-Force Exchange
IBM X-Force Exchange is a cloud-based, collaborative threat intelligence platform that helps security analysts focus on the most important threats and helps speed up time to action. This TIP combines human-generated intelligence with a global security feed, offering a unique perspective on potential threats. Between the internal research team and the software behind its feed, IBM X-Force Exchange monitors and pulls threat intelligence from over 25 billion websites and hundreds of millions of endpoints from around the world.
- Research includes human-generated threat intelligence data
- Threat intelligence collaboration and information sharing with other users of the platform
- Centralized data platform dynamically integrating feeds from world-wide sources, both public and private
- Early warning feed of the newest attacks
- Customizable dashboard to prioritize relevant intelligence
- Visible risk level assigned for potential threats
- Changing risk levels can be observed over time using the Timeline view
- IP address specific intelligence and URL reputation
- Cloud-based with unlimited scalability
- APIs enable external threat intelligence feed connections to provide automated threat updates to firewalls, intrusion detection and prevention systems (IDS/IPS/IDPS), security information and event management (SIEM) tools, and other security monitoring systems
- Pulls information from billions of websites and millions of endpoints secured by IBM
- Offers multiple maps, graphs, timelines, and reports to visualize data
- Additional analysis tools can be purchased from the App Exchange
- Can be accessed and used for manual lookup as a guest
- Basic X-Force Exchange only provides a research platform; threat feeds for internal tools (firewalls, etc.) require additional licenses
- Multiple licenses are required to obtain full TIP capabilities
- Basic X-Force Exchange offers limited self-service support
- The web-based user interface (UI) can take a long time to load
- Customers complain of limited vendors monitored for vulnerabilities
IBM offers four different options for X-Force threat intelligence products and offers free trials for each. A free X-Force Exchange non-commercial API is also available.
- X-Force Exchange: Cloud-based intelligence sharing platform with unlimited record access but limited support
- Advanced Threat Protection Feed: A RESTful API in JSON format threat feed for internal security tool integrations with unlimited Record Access
- X-Force Exchange Commercial RESTful API in JSON format
  - For integration with commercial applications
  - Perform bulk-queries for IPs and URLs
  - Usage Based records
  - Includes X-Force IRIS (incident response service) reports and indicators of compromise
- X-Force Exchange Enterprise RESTful API in JSON format
  - Unmetered bulk usage of threat feeds and premium content
  - Unlimited Records
  - Includes X-Force IRIS (incident response service) reports and indicators of compromise
For more information, see our in-depth look at IBM X-Force Exchange.
IntSights Threat Intelligence Platform
IntSights – acquired by Rapid7 in 2021 – combines threat intelligence, data and tools, helping cybersecurity professionals stop attacks faster and see a greater return on investment (ROI). While IntSights remains a separate brand and website, Rapid7 has also integrated IntSights technology into its Threat Command platform.
- Plug-and-play functionality with existing security devices
- Real-time threat prioritization
- Dark web and deep web monitoring capability
- Research malware, phishing scams and threat actors
- Extensive database of graphs to visualize attacks and threats
- Aggregates native IoCs (indicators of compromise) for consolidated and efficient threat management
- Integrated remediation and takedowns of threats
- Prioritizes threats based upon an organization’s context
- Considered easy to use
- Integrates with other security tools to allow for automated threat response
- Promotes use through managed IT service-providers (MSPs) and managed IT security service providers (MSSPs)
- Some customers complain about a lack of customization options
- Vulnerability feed may lag other products
- Agent can be resource hungry during scans
- Priced for enterprise customers and service providers
Organizations can request a free report branded as Instant IntSights to research clear, deep and dark web resources to identify threats to the domain associated with the organization’s email address. IntSights also provides free demos of their product to help explain how it works.
IntSights does not publish pricing on their website, but the licensing costs pre-acquisition started in the low six figures for an enterprise license. Potential customers can contact IntSights or their resale partners for more information.
LookingGlass Cyber Solutions
LookingGlass Cyber Solutions is an open source-based threat intelligence platform that delivers unified threat protection against sophisticated cyberattacks to global enterprises and government agencies by operationalizing threat intelligence. It’s augmented by a worldwide team of security analysts who enrich the data feeds.
LookingGlass aggregates structured and unstructured data from over 87 out-of-the-box feeds, as well as other commercial feeds purchased separately. It provides the most relevant data to a business by categorizing network elements into a repository called Collections. Its Threat Indicator Confidence scoring tool then uses this information to identify the highest priority risks facing an organization.
- Dynamic Internet Footprinting: monitor and analyze internet-accessible assets and networks to detect connections to known command-and-control nodes
- Risk Scoring and Prioritization: a proprietary Threat Indicator Confidence score ranks threats based on the attack surface, an organization’s environment, and threat landscape
- Aggregation: Aggregates, indexes, and normalizes data sources, proprietary indicators, and intelligence feeds
- Relationship monitoring: Classifies assets into groups and subgroups to monitor and develop categorized risk profiles
- Reporting: Unlimited automated and on-demand management reports and scorecards
- Reduces alert fatigue and threat intel noise through risk priorities
- Helps identify, investigate, and manage risks across partners, supply chain, and the organization
- Consolidates information into a single pane of glass for analysts and integrates with additional tools such as geolocation, pDNS, Shodan, and WhoIs/Reverse WhoIs
- Exports threat intelligence to security appliances
- Real-time alerts
- Affiliation with the NSA can be a turn-off for international organizations
- Lack of transparent pricing makes it hard to compare value against competitors
LookingGlass licenses scoutPrime separately as part of the LookingGlass Suite. License terms and fees are not disclosed on their website.
See our in-depth look at LookingGlass Cyber Solutions.
Recorded Future
The Threat Intelligence Cloud Platform from Recorded Future provides actionable insights through its Intelligence Graph, which collects and structures threat data for analysis. This repository calls on over a decade of observations from billions of discrete entities and sees continuous additions and enhancement.
Intelligence Platform provides a modular experience to facilitate integration with other enterprise security tools. The whole package is also capable of fine-tuning its delivered intelligence in the context of specific personnel or roles within the company.
- Deep data: One of the world’s most comprehensive data sets to draw from
- Identity management: Monitors identity and can warn of potentially compromised accounts
- Attack surface: Can detect and monitor an organization’s attack surface
- Dark web: In addition to normal threat feeds, the tool can investigate dark and deep web sources for more proactive monitoring
- Flexible, modular deployment
- Can use natural language keyword searches for deep and dark web
- Risk scores reflect actual malicious activity, not just theoretical risk
- Can be used to inform vulnerability management and patching priority
- Initial use can see heavy volumes of alerts; adjustments are possible, but time-consuming
- Multiple licenses are required to obtain a fully functional TIP
- Email alerts and reports can be voluminous and show content only tangentially related to the threat
Recorded Future licenses their solution in modules that deliver real-time intelligence for the specific module. Recorded Future does not provide pricing on their website, but the AWS marketplace displays 12-month license fees ranging between $10,000 and $50,000 depending upon the SaaS module. Modules include:
- Attack Surface Intelligence: Discover, monitor, and defend attack surface
- Brand Intelligence: protect brands from external threats
- Card Fraud Intelligence: Identify and mitigate compromised card accounts (credit, debit)
- Geopolitical Intelligence: monitor global physical threats
- Identity Intelligence: Monitor identities and prevent fraud
- SecOps Intelligence: accelerate threat detection and analysis
- Third-party Intelligence: monitor business partners, vendors, customers, etc.
- Threat Intelligence: research potential external threats
- Vulnerability Intelligence: monitor and prioritize discovered vulnerabilities
SolarWinds Security Event Manager
SolarWinds Security Event Manager (SEM), formerly known as Log & Event Manager (LEM), combines event tracking with a threat intelligence feed. It can identify both potential and active threats, and can also automatically deploy responses to remediate them. SEM is able to identify and respond to threats in on-premises data centers as well as in cloud environments.
SolarWinds SEM was designed with a clear, centralized dashboard and command interface that makes it easy to keep track of identified threats and quickly take action to resolve security issues. This dashboard can also be used to create intelligence reports.
The SolarWinds SEM threat feed is limited, so it is best for organizations that want to put an emphasis on internal threat detection and log analysis.
- Centralized management: Interface, log event collection, tracking, correlation, and analysis
- SIEM and USB capabilities are available with license upgrades
- Reporting: Provides effective on-demand and automated reports for compliance
- Automated threat detection and response capabilities
- Installs locally for maximum control
- Priced for smaller budgets
- Integrates well with other SolarWinds tools
- Built-in file integrity monitoring
- Built-in connection to a long list of third-party tools and software (firewalls, OS, routers, antivirus, etc.)
- Very limited threat feed of known malicious IP addresses
- Does not cover tools, tactics, and other indicators of compromise
- Threat feed option cannot be expanded to include other threat feeds
- SEM requires manual updates
SolarWinds SEM pricing can be estimated from a quote generator on their website. Licenses start at $2,877 per year for a subscription and $5,607 for a perpetual license for the software with one year of support. SolarWinds offers options to purchase yearly ongoing maintenance and support.
The cost of the license depends on the number of nodes (server, network device, desktop, laptop, etc.) sending log and event information to the software. Tiered pricing is available for bulk-use discounts or multiple software license discounts. Licenses include log management, agents, connectors, file integrity monitoring, USB Defender, external threat feeds, and all SIEM components.
For more, see our in-depth look at SolarWinds Security Event Manager.
ThreatConnect
ThreatConnect’s platform enables automated data collection to present threats in the context of actual activity. Security teams can analyze information manually or with automation assistance to obtain meaningful connections between logs and threats.
Security teams can enable automated and proactive tasks using low-code automation. Specific triggers, such as the detection of a new IP address on the network, will set off the programmed reaction, such as blocking unknown IP addresses until cybersecurity teams can take a closer look.
- Low-code automation for proactive and automatic security reactions
- Consolidation of data feeds
- Tool and app integrations marketplace
- Threat report export capabilities
- Crowdsourced analytics show threat prevalence
- Reduces manual tasks for security teams
- Uses historical data to elevate or de-escalate alerts
- Enables accelerated threat hunting
- Large number of technology partners supported for integration
- Options for Risk Quantifier and Security Operations tools
- Aimed at enterprise customers so organizations should expect prices that reflect the resources of larger companies
ThreatConnect does not publish pricing or licensing terms. Organizations should request a demo to obtain pricing information.
What are Threat Intelligence Platforms?
New and continually evolving threats and vulnerabilities surface every day. Security analysts know the key to staying ahead of these threats is to analyze data on them, but with so many different sources of information, teams struggle to efficiently parse high volumes of data and derive actionable insights.
Tools such as antivirus, firewalls, and gateways often incorporate proprietary threat feeds from the vendor; however, customers often experience a delay between the discovery of a threat indicator (malware signature, malicious URL, etc.) and the incorporation of that information into the official vendor threat feed. Threat intelligence platforms supplement official vendor feeds with a variety of threat feeds to shorten delays.
Threat intelligence solutions and security information and event management (SIEM) tools both seek to help security teams analyze log events; however, their focus is distinct. SIEM tools focus on consolidating, prioritizing, and storing internal event logs, while intelligence feeds focus on external alerts and may not store data for future investigation.
What Are Threat Intelligence Buying Considerations?
Threat Intelligence Platforms (TIPs) act as threat consolidators and the first level of analysis for a security team and must incorporate external threat intelligence feeds. The best TIP tools enable at least four of the following five capabilities:
- Connect to external threat intelligence feeds that reflect the latest information on malware, threat actors, and vulnerabilities; this data can come in the form of malicious IP addresses, domains, file hashes, etc.
- Connect to internal systems such as endpoint detection and response (EDR) tools, firewalls, and network monitoring tools to track internal information on malicious or anomalous activity
- Match feed data between internal alerts and externally identified indicators of compromise
- Enable rapid assessments with prioritized risk assessments, alerts, analysis tools, or smart data visualization
- Enable other security tools such as next generation firewalls (NGFW), secure gateways, or intrusion detection and prevention systems (IDPS) that use the information from threat feeds to detect and block malicious activity and traffic
This combination of capabilities makes threat intelligence platforms integral to stopping zero-day threats by saving security teams precious time to identify and resolve the issues. Some security teams will perform analysis directly in a TIP, but others will feed TIP data into other security tools or services such as a SIEM, a security operations center (SOC), a managed detection and response (MDR) team, or a managed IT security service provider (MSSP).
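The feed consolidation, matching, and prioritization capabilities listed above, as an added example that is not from the original article or from any vendor's product: two constructed feeds in different formats are normalized and de-duplicated, then matched against constructed internal events. The feed layouts, host names, asset weights, and scoring formula are all assumptions chosen for illustration.

```python
import csv
import io
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample data (documentation IP ranges and .example domains only).
FEED_A_CSV = """indicator,type,confidence
203.0.113.7,ip,60
bad-login[.]example,domain,80
198.51.100.23,ip,40
"""
FEED_B_JSON = json.dumps([
    {"value": "BAD-LOGIN.example.", "kind": "domain", "score": 0.9},
    {"value": "203.0.113.7", "kind": "ip", "score": 0.5},
    {"value": "hxxp://cdn.update.example/payload", "kind": "url", "score": 0.7},
])
# Constructed internal events: (source system, host asset, observed value).
INTERNAL_EVENTS = [
    ("firewall", "ws-014", "203.0.113.7"),
    ("dns", "ws-014", "bad-login.example"),
    ("proxy", "srv-db1", "http://cdn.update.example/payload"),
    ("firewall", "ws-022", "192.0.2.10"),
]
ASSET_WEIGHT = {"srv-db1": 2.0}  # assumption: critical assets count double


@dataclass
class Indicator:
    value: str
    kind: str
    confidence: int  # 0-100
    sources: set = field(default_factory=set)


def normalize(value, kind):
    """Refang and canonicalize so the same IoC from two feeds compares equal."""
    v = value.strip().replace("[.]", ".").replace("hxxp", "http")
    if kind == "ip":
        return str(ipaddress.ip_address(v))
    if kind == "domain":
        return v.lower().rstrip(".")
    return v  # URLs are compared as-is after refanging


def load_feeds():
    """Parse both feed formats into one de-duplicated indicator table."""
    rows = [(r["indicator"], r["type"], int(r["confidence"]), "feed_a")
            for r in csv.DictReader(io.StringIO(FEED_A_CSV))]
    rows += [(r["value"], r["kind"], round(r["score"] * 100), "feed_b")
             for r in json.loads(FEED_B_JSON)]
    table = {}
    for value, kind, conf, src in rows:
        key = (kind, normalize(value, kind))
        ind = table.setdefault(key, Indicator(key[1], kind, 0))
        ind.confidence = max(ind.confidence, conf)  # keep the strongest rating
        ind.sources.add(src)                        # remember who reported it
    return table


def classify(observed):
    """Guess the indicator type of a value seen in an internal log."""
    try:
        ipaddress.ip_address(observed)
        return "ip"
    except ValueError:
        return "url" if "://" in observed else "domain"


def match_events(table, events=INTERNAL_EVENTS):
    """Return alerts for events that hit an indicator, highest score first."""
    alerts = []
    for system, host, observed in events:
        kind = classify(observed)
        ind = table.get((kind, normalize(observed, kind)))
        if ind is None:
            continue  # no external intelligence on this value
        # Illustrative score: feed confidence, +10 per corroborating feed,
        # scaled by how critical the affected asset is.
        corroborated = ind.confidence + 10 * (len(ind.sources) - 1)
        score = corroborated * ASSET_WEIGHT.get(host, 1.0)
        alerts.append({"host": host, "system": system, "ioc": ind.value,
                       "sources": sorted(ind.sources), "score": score})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in match_events(load_feeds()):
        print(alert)
```

Six feed rows collapse to four indicators, and the single-source URL hit outranks the corroborated ones only because it lands on the weighted asset.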
When considering the purchase of a TIP, organizations must consider both the number of features as well as the quality. For example, some tools will have more limited feeds or more limited integrations with security tools to automatically send feed information. If those limitations constrain the security goals of the organization, other tools may be a better fit for the organization.
Why Does Threat Intelligence Solution Progression Matter?
Threat intelligence solutions have grown and expanded over time and as threats increased. Organizations will adopt these various tools as their needs evolve from simple external threat feeds to fully integrated security tools that enable response.
It is not uncommon for organizations to adopt tools in the following order:
Threat Intelligence Feeds: Gather information on various threats: malicious sites (URLs, IP addresses, domains), malicious actors, malware (signatures, indicators of compromise, etc.), and trends.
Threat Intelligence Platforms (TIPs): As needs become more sophisticated, TIPs add features to integrate internal feeds, rank threats, and place threats and indicators of compromise in the context of the organization. TIPs can also consolidate threat feeds for an organization’s security teams and tools to enable rapid updates.
Threat Intelligence Management / Security Operations Automation and Response (SOAR): SOAR tools add additional capabilities to directly respond to threats with automation, connections, and workflows.
eXtended Detection and Response (XDR): XDR tools add network and endpoint monitoring and response capabilities to enable direct response to potential attacks. Although quite similar in results to SOAR, the implementation tends to be significantly different so the categories are currently distinct.
How Threat Intelligence Trends Change the Market
Threat intelligence will always be needed, but TIP, as with User and Entity Behavior Analytics (UEBA), may move from being a distinct category of tools to merely a feature of more complex SOAR and XDR tools. Several of the tools that might have been covered in past articles illustrate this point:
- Palo Alto Networks evolved their solution to be a collection of tools for threat feeds (AutoFocus) and SOAR (Cortex XSOAR)
- LogRhythm Threat LifeCycle evolved into a SOAR
- FireEye iSight became a SOAR product for Trellix, the new company formed from the FireEye spinoff that merged with McAfee. The other half of the split company was renamed Mandiant and was acquired by Google. Their product, Mandiant Threat Intelligence, evolved into an XDR.
- RSA NetWitness Platform became an XDR tool.
- AT&T Cybersecurity offers a threat intelligence feed for its Unified Security Management tool.
- CenturyLink Adaptive Threat Intelligence became Lumen’s Analytics and Threat Management which is equivalent to a SOAR or XDR tool.
Threat intelligence feeds and management remain a key function of the evolved products, but the addition of many other features causes the products to compete in different categories.
How the List of Top Threat Intelligence Platforms was Determined
First, market research was performed on the category to determine popular solutions based upon product reviews, industry discussions, and industry rankings. Then, an analysis of capabilities was performed to determine if the product fit into the Threat Intelligence Platform category.
Often popular solutions did not make the final list because they have evolved to become tools that fit a different category. Some stripped features to become threat intelligence feeds, and others added features to compete in other categories.
Other Threat Intelligence Platform Market Leaders
The Threat Intelligence Platform market continues to evolve at a rapid pace. While our top tools list represents the top tools at this moment, added features or competition may cause this list to change. Other vendors organizations might want to consider are listed below.
Imperva ThreatRadar combines threat research from Imperva security researchers, threat intelligence from a variety of partners, and crowdsourced live data. However, this specialized threat intelligence platform primarily focuses on applications and web application firewalls and is not designed to work with traditional IT infrastructure.
MISP Project provides a platform for open-source sharing of threat intelligence. While a low-cost and important option, users should be careful about uploading proprietary information by accident to the public platform.
Proofpoint Emerging Threat (ET) Intelligence provides threat intelligence feeds to identify suspicious or malicious activity. The feeds connect with other tools to place threats in the context of brand, organization assets, as well as IP and domain reputation.
Threat Intelligence Platform provides APIs to integrate threat feeds into other tools and applications and help with threat intelligence analysis. The tool offers consumption-based pricing based upon the type of request made through the API.
SonicWall Capture Cloud Platform includes real-time threat intelligence from the aggregation, normalization, and contextualization of security data across the SonicWall ecosystem. The cloud-based platform integrates with on-prem customer equipment to provide threat feeds as well as to collect indicators of compromise for alerting and analytics.
Closed System Threat Intelligence Platforms
Some high-quality threat intelligence platforms may only be of use to customers already using other products by that company. These products do not generally integrate with competitors’ tools, software, or services.
These tools were excluded from our top TIP list because of these limitations, but the tools can still provide tremendous value. Potential buyers will need to also consider switching to the entire ecosystem if they are not already a customer.
Accenture iDefense provides security intelligence to Accenture customers through the IntelGraph platform that provides context, visualizations, advanced searching and alerting.
Check Point ThreatCloud combines threat prevention technology with threat analysis to prevent attacks for all products in the Check Point ecosystem.
Cisco Threat Intelligence Director (TID) is a feature in Cisco’s Firepower Management Center (FMC) product offering that automates the operationalization of threat intelligence for firewalls managed through Cisco tools. TID serves Cisco’s Next-Generation Firewall (NGFW) and related networking products.
CrowdStrike Falcon X provides powerful features and capabilities for analyzing threats. However, if customers do not already subscribe to other CrowdStrike products, it is unclear if they will gain the same benefits if it does not integrate with other endpoint or network security products.
Kaspersky’s Threat Intelligence Portal provides threat analysis access to the industry-leading Kaspersky malware analytics team, multiple threat feeds, and analysis tools. URL sandbox tools and a private submission mode enable testing suspicious files confidentially. However, it is unclear if this tool will connect with non-Kaspersky endpoint protection and other internal security feeds.
Symantec DeepSight Intelligence provides threat visibility derived from the Symantec Global Intelligence Network, the largest civilian threat collection network, and tracks over 700,000 global adversaries. This TIP enables current Symantec customers to expand their endpoint protection to include threat analysis and research.
Bottom Line: Threat Intelligence Solutions Enhance the Security Stack
Not every organization benefits directly from threat intelligence feeds and solutions. Organizations with small security teams often ignore external threat feeds, but benefit indirectly from the proprietary threat feeds incorporated into their products (firewalls, Microsoft Defender, etc.) or used by their service providers (MSP, MSSP, MDR, etc.).
Once organizations begin to grow in size and directly monitor their own security, they begin to need solutions to put activity captured by logs into context. These organizations may also deploy many different tools (firewalls, gateways, DNS servers, etc.) that also need more rapidly updated threat feeds to block threats related to specific files, URLs, and domains.
Threat Intelligence Solutions do not replace any tools in an existing security stack, but instead accelerate the delivery of threat information. This improved information enhances the performance of existing tools and improves the response time and analytic capabilities of security analysts and incident response teams.
Devin Partida contributed research and writing to this report originally written by Kyle Guercio on October 9, 2020.