Eight Top Threat Intelligence Platforms

Threat intelligence is a critical security tool that uses global security intelligence to detect malicious activity inside your network.

These solutions can take a number of different forms. Threat intelligence feeds take security data from vendors, analysts and other sources about threats and unusual activity happening all around the world. Malicious IP addresses, domains, file hashes and other data stream in constantly from external parties. This can help companies understand behaviors that might be affecting their own networks.

Threat intelligence platforms (TIPs) take this a step further. They incorporate one or many data feeds and subject the data to detailed analysis. Advanced analytics are used to isolate unusual patterns in systems and mine other valuable data.

At a minimum, a threat intelligence platform should have actionable indicators that can be used to identify potential threats to an organization (such as known bad IP addresses and URLs, and malware hashes), and support collaboration and investigation workflow for the security analyst and broader community.

Here are eight of the top threat intelligence platforms – some offer a free version for lower-volume users – and we also include a chart comparing the products' features at the bottom of this page. The vendors covered in this guide are those that most closely meet the criteria for threat intelligence platforms as laid out by Forrester Research in Rules Of Engagement: A Call To Action To Automate Breach Response and Vendor Landscape: External Threat Intelligence, 2017. Key features include the consolidation of threat intelligence feeds from multiple sources, automated identification and containment of new attacks, security analytics, and integration with other security tools.
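As an added illustration of the feed consolidation and indicator matching described above (example code, not any vendor's product code), the block below merges two constructed feeds in different layouts, de-duplicates them keeping the highest confidence per indicator, and matches the result against constructed log lines; the feed layouts, log formats and indicator values are all assumptions.

```python
# Added example, not any vendor's code: merge two constructed indicator feeds,
# de-duplicate them, and match the result against constructed log lines.
import re
from collections import defaultdict
# Constructed feeds in two assumed layouts (CSV text and parsed JSON rows).
# IPs are documentation ranges; the hash is SHA-256 of "" used as a placeholder.
FEED_A = """# type,value,confidence
ip,203.0.113.7,80
domain,Bad-Example.test,60
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,90
"""
FEED_B = [
    {"kind": "ip", "indicator": "203.0.113.7", "score": 70},
    {"kind": "domain", "indicator": "bad-example.test.", "score": 95},
    {"kind": "ip", "indicator": "198.51.100.23", "score": 40},
]
LOGS = [  # constructed proxy and EDR events to scan
    "proxy src=10.0.0.5 dst=203.0.113.7 host=bad-example.test GET /",
    "edr proc=svchost.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "proxy src=10.0.0.6 dst=198.51.100.23 host=news-example.test",
]
def normalize(kind, value):
    # One canonical key so the same indicator from two feeds collapses to one entry.
    return (kind.lower(), value.strip().lower().rstrip("."))
def consolidate(feed_a_text, feed_b_rows):
    # Merge both feeds; on duplicates keep the highest confidence seen.
    merged = defaultdict(int)
    for line in feed_a_text.splitlines():
        if line and not line.startswith("#"):
            kind, value, conf = line.split(",")
            key = normalize(kind, value)
            merged[key] = max(merged[key], int(conf))
    for row in feed_b_rows:
        key = normalize(row["kind"], row["indicator"])
        merged[key] = max(merged[key], int(row["score"]))
    return dict(merged)
EXTRACTORS = (("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
              ("domain", re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)),
              ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)))
def match_logs(indicators, log_lines, min_confidence=60):
    # (line_no, kind, value, confidence) per actionable hit; low-confidence entries never alert.
    hits = []
    for n, line in enumerate(log_lines, 1):
        for kind, rx in EXTRACTORS:
            for key in sorted({normalize(kind, t) for t in rx.findall(line)}):
                conf = indicators.get(key, 0)
                if conf >= min_confidence:
                    hits.append((n, key[0], key[1], conf))
    return hits
```

Raising or lowering `min_confidence` is the knob that separates "known bad, block it" from "seen in a feed, investigate", which is the false-positive trade-off the platforms above all advertise tuning for.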

IBM X-Force Exchange

IBM X-Force Exchange is a collaborative threat intelligence platform that helps security analysts research threat indicators and shorten time to action – and is free up to 5,000 records a month. It boasts unlimited scalability and queries, and offers intelligence on IP and URL reputation, web applications, malware, vulnerabilities and spam.

Anomali ThreatStream

Anomali ThreatStream aggregates millions of threat indicators to identify new attacks, discover existing breaches, and enable security teams to quickly understand and contain threats. Features include de-duplication of data, removal of false positives, integration with other security tools, and extraction of indicators from suspected phishing emails for immediate blocking. The company also offers a couple of free threat intelligence tools.

Palo Alto Networks AutoFocus

The Palo Alto Networks AutoFocus contextual threat intelligence service makes threat analytics, with full context, available to organizations of all sizes. This hosted security service arms security operations professionals with the intelligence, correlation, context and automated prevention workflows needed to identify and respond to events in real time.

RSA NetWitness Suite

RSA NetWitness Suite is a threat detection and response platform that allows security teams to rapidly detect and understand the scope of a compromise by leveraging logs, packets, NetFlow, endpoints and threat intelligence. By aligning business context with security risks, it can analyze, prioritize and investigate threats. The threat intelligence product has no scalability limits.

LogRhythm Threat Lifecycle Management (TLM) Platform

LogRhythm Threat Lifecycle Management (TLM) Platform delivers a coordinated collection of data analysis and incident response capabilities to enable organizations around the globe to rapidly detect, neutralize and recover from security incidents. It can process 26 billion messages a day.

FireEye iSIGHT Threat Intelligence

FireEye iSIGHT Threat Intelligence adds context and priority to global threats before, during and after an attack. Data is gleaned from the adversarial underground, virtual network detection sensors and Mandiant IR investigations from the world’s largest breaches. FireEye has more than 1,000 experts responding to incidents and researching attacks.

LookingGlass Cyber Solutions

LookingGlass Cyber Solutions is an open source-based threat intelligence platform that delivers unified threat protection against sophisticated cyberattacks to global enterprises and government agencies by operationalizing threat intelligence. Augmenting it is a worldwide team of security analysts who enrich the data feeds.

AlienVault Unified Security Management (USM)

AlienVault Unified Security Management (USM) receives threat intelligence from AlienVault Labs and its massive Open Threat Exchange (OTX) crowd-sourced collaborative threat exchange. It provides centralized threat detection, incident response and compliance management for cloud and on-premises environments. It scales from very small to large companies.

Honorable Mentions

SolarWinds Threat Monitor offers threat intelligence, SIEM, log correlation and analysis, network intrusion and host intrusion detection systems.

Cisco Threat Intelligence Director (TID) is a feature in Cisco's Firepower Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID serves Cisco's Next Generation Firewall (NGFW) product.

SonicWall Network Security services platform includes real-time threat intelligence from the aggregation, normalization, and contextualization of security data.

Crowdstrike Falcon integrates threat intelligence into endpoint protection, automating incident investigations and speeding breach response. It is supported by the CrowdStrike Falcon Intelligence team.

ThreatConnect provides intelligence, automation, analytics, and workflows in one platform.

Symantec DeepSight Intelligence draws on the visibility provided by the Symantec Global Intelligence Network, the largest civilian threat collection network, which tracks over 700,000 global adversaries.

LookingGlass Strategic Intelligence Subscription Service offers a digital library of actionable and relevant finished intelligence reports, augmented by analysts who enrich the data feeds and provide timely insights.

Accenture iDefense delivers security intelligence through the IntelGraph platform, which provides context, visualizations, advanced searching and alerting.

Proofpoint Emerging Threat (ET) Intelligence provides threat intelligence feeds to identify suspicious or malicious activity.

McAfee Advanced Threat Defense includes threat intelligence sharing to locate hidden threats.

CenturyLink Analytics and Threat Management gives users access to actionable, prioritized threat data that is correlated to customer IP addresses.

Imperva Threat Intelligence combines threat research from Imperva security researchers, threat intelligence from a variety of partners, and live crowdsourced data.

Check Point ThreatCloud combines threat prevention technology with threat analysis to prevent attacks.

Product Features

Each vendor is listed with its use cases, metrics, intelligence approach, delivery model and pricing.

Vendor: IBM
Use cases: Retailers, financial services, enterprise
Metrics: Unlimited queries per month, and up to 5,000 records per month
Intelligence: Machine learning and IBM Watson analytics
Delivery: Via web browser or through an API that integrates with existing security solutions
Pricing: The API is free for 5,000 records/month; the commercial API starts at $2,000 per user/month

Vendor: Anomali
Use cases: Financial services, enterprise
Metrics: Can process millions of Indicators of Compromise (IOCs)
Intelligence: Machine learning and integration with other security platforms
Delivery: SaaS, on-premises, or hybrid
Pricing: Varies based on customer environment

Vendor: Palo Alto Networks
Use cases: Large enterprises
Metrics: Receives hundreds of millions of samples per month, and over a trillion artifacts across petabytes of data
Intelligence: Statistical analytics, correlation and machine learning
Delivery: SaaS-based security services
Pricing: Licensed as a per-user annual subscription or enterprise-wide

Vendor: RSA
Use cases: Financial institutions, governments and oil/gas/energy/telcos
Metrics: Can ingest 30,000 EPS per system and up to 100k endpoints per system
Intelligence: Automated segmentation and enforcement
Delivery: On premises, in private clouds, on virtual machines, or public cloud
Pricing: Tiered throughput or subscription licensing

Vendor: LogRhythm
Use cases: Financial services, retail, manufacturing, and government
Metrics: 26 billion messages per day and over 10K gigabytes per day
Intelligence: Pattern matching and advanced correlation through to machine learning and statistical analysis
Delivery: Software and hardware
Pricing: Begins at $27,000

Vendor: FireEye
Use cases: Financial services, government and IT
Metrics: More than 1,000 experts responding to incidents and researching attacks
Intelligence: Automation enables it to go from alert to fix in seconds
Delivery: Via API integration, intelligence portal, and email delivery
Pricing: Subscriptions range from $100,000 to $500,000

Vendor: LookingGlass Cyber Solutions
Use cases: Enterprise and third-party risk monitoring
Metrics: Over 140 sources of threat data gathered
Intelligence: Machine-readable threat intelligence
Delivery: Hosted or on-premise
Pricing: Open-source business model

Vendor: AlienVault
Use cases: Companies with smaller IT security teams
Metrics: Receives 10 million indicators of compromise every day
Intelligence: Automation and machine learning
Delivery: Cloud, virtual or hardware appliance
Pricing: Monthly subscription; tiers start at $1,575/month for a 250 GB data volume