Threat intelligence platform buyer’s guide: Top vendors, selection advice


The bedrock of a solid enterprise security program begins with the choice of an appropriate threat intelligence platform (TIP) and how to use this to design the rest of your program. Without the TIP most security departments have no way to integrate the various component tools and develop the appropriate tactics and processes to defend their networks, servers, applications and endpoints.

Introduction to threat intelligence platform

TIPs are essential tools, especially now that the average exploit unfolds more quickly and its effects are obscured by AI-driven malware, while threat actors appear to operate with a higher level of coordination. Organizations can no longer afford to wait to respond.

The Cybersecurity and Infrastructure Security Agency (CISA) found that since 2023 the majority of exploits were zero days, meaning attacks that used previously unknown methods. And according to the latest Verizon Data Breach Investigations Report (DBIR), the percentage of AI-assisted malicious emails doubled to 10% of the total Verizon observed over the past two years, making it harder to stay on top of threats.

But what is notable is that the threat universe has gotten a lot more complex and focused. For example, the Verizon DBIR found that threats aimed at VPN and edge devices have surged to more than eight times what was reported in 2024.

“Cybersecurity leaders today are navigating a perfect storm of AI disruption, regulatory complexity, and sophisticated threat actors,” said CIOSO’s founding partner Greg Sullivan. “We’re not just managing risk — we’re redefining what digital trust looks like in a world where deepfakes, third-party vulnerabilities, and fragmented privacy laws are the new normal.”

One way to fight is by continuously monitoring various threat vectors such as email, network traffic and edge devices. This is, however, a labor-intensive process that requires a significant number of analysts who can then help improve the organization’s security posture.

In our previous article, we provided several tips on how to productively and effectively use a TIP. Here, we offer some advice on how to purchase the right TIP, including some recommended vendors, what elements to look for and how much you should pay for it.

What to look for in a threat intelligence platform

The early TIPs were very unsophisticated products, often just cobbled together intelligence feeds of the latest exploits, with little or no details. Today’s TIP has richer information, including underlying complexities and specifics about how the threat operates. The modern TIP has several functional areas and goals in common:

The ability to aggregate, correlate and normalize threat data in both structured (typically a SQL database) and unstructured formats. These functions include removing duplicate entries and filtering out errors (such as false positives) and inappropriate data. The goal is to reduce alert fatigue and make the data more actionable, for example by uncovering hidden patterns or bringing potential new threat vectors to light. This implies that the TIP draws on a variety of threat feeds and malware sources and can ingest them accordingly. But it isn’t just the quantity of feeds that matters; it is their quality, and how much metadata and context can be used to create insights and threat responses.

Automate actions such as threat response and mitigation, producing after-incident playbooks, and other activities wherever possible. Ideally, the automation should enable fast-acting workflows with minimal manual intervention. The goal is to enable the fastest possible response to reduce malware dwell times and minimize potential harm to computing systems. Automating and orchestrating these tasks means using standards such as Trusted Automated Exchange of Indicator Information (TAXII) and Structured Threat Information Expression (STIX) across the entire threat management tool chain, so that different products can communicate with each other effectively. The less manual effort involved in these tasks (including, for example, updating custom spreadsheets), the better. Examples include enrichment of alerts, real-time sharing of indicators, and producing on-demand reports.

Create a central place for all threat management tasks, covering the entire lifecycle from discovery to mitigation and further system hardening to prevent subsequent attacks. This means being able to integrate with existing security toolsets, such as SOARs, SIEMs and CNAPPs, and avoid duplicating their efforts. “Modern TIPs enable multi-source ingestion, intelligent prioritization, automated workflows, and seamless integration with existing security tools,” according to Cyware.
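As an added illustration of the aggregation, normalization and deduplication step described above (this is example code written for this guide, not any vendor’s product), the following merges STIX 2.1 Indicator objects from two constructed feeds, as a TAXII collection would deliver them, canonicalizes the observable in each pattern, keeps the highest confidence seen, drops entries on an assumed organization allow list of known false positives, and ranks what remains so that indicators corroborated by several sources surface first.

```python
import re

# Constructed sample data: two feeds returning STIX 2.1 Indicator objects.
# The same IPv4 address appears in both feeds with different spacing and
# confidence; one domain has stray capitalisation and whitespace.
FEED_A = [
    {"type": "indicator", "id": "indicator--a1", "confidence": 80,
     "labels": ["malicious-activity"],
     "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"type": "indicator", "id": "indicator--a2", "confidence": 60,
     "labels": ["malicious-activity"],
     "pattern": "[domain-name:value = 'Bad.Example.COM ']"},
]
FEED_B = [
    {"type": "indicator", "id": "indicator--b1", "confidence": 40,
     "labels": ["malicious-activity"],
     "pattern": "[ipv4-addr:value='198.51.100.23']"},
    {"type": "indicator", "id": "indicator--b2", "confidence": 90,
     "labels": ["malicious-activity"],
     "pattern": "[ipv4-addr:value = '192.0.2.7']"},
]
# Assumption: an allow list the organization maintains for values that are
# known false positives (e.g. its own vulnerability scanner's address).
ALLOW_LIST = {("ipv4-addr", "192.0.2.7")}

# Handles simple single-comparison STIX patterns: [<type>:value = '<literal>']
PATTERN_RE = re.compile(r"\[(?P<otype>[\w-]+):value\s*=\s*'(?P<val>[^']*)'\]")

def normalize(indicator):
    """Return (observable type, canonical value) or None if the pattern is unsupported."""
    m = PATTERN_RE.fullmatch(indicator["pattern"].strip())
    if not m:
        return None
    return m.group("otype"), m.group("val").strip().lower()

def aggregate(feeds):
    """Merge feeds keyed by normalized observable; keep max confidence and record sources."""
    merged = {}
    for feed_name, feed in feeds.items():
        for ind in feed:
            key = normalize(ind)
            if key is None or key in ALLOW_LIST or "malicious-activity" not in ind.get("labels", []):
                continue  # unsupported pattern, known false positive, or not flagged malicious
            entry = merged.setdefault(key, {"confidence": 0, "sources": set(), "ids": []})
            entry["confidence"] = max(entry["confidence"], ind.get("confidence", 0))
            entry["sources"].add(feed_name)
            entry["ids"].append(ind["id"])
    return merged

def prioritized(merged):
    """Rank indicators: corroborated by more feeds first, then by confidence."""
    return sorted(merged, key=lambda k: (len(merged[k]["sources"]), merged[k]["confidence"]), reverse=True)
```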

Should you focus on cloud or on premises TIPs?

The early TIPs were typically deployed on premises, but over the years they have expanded their coverage and relocated to cloud-based services, in some cases run by managed service providers. Today’s TIP should cover both use cases and a wide variety of cloud sources, including cloud providers other than Amazon, Google and Microsoft, Kubernetes clusters, and virtual servers.

How much to pay for a threat intelligence platform

Most of the TIP vendors are coy about their pricing, and we have indicated specifics for those that were willing to provide the details, including free trials, in the section below. There is a wide range in pricing but expect to pay in the low six figures annually to defend the larger and more complex infrastructure.

Leading threat intelligence platform vendors

There have been many changes to the vendor landscape during 2024: Bitsight acquired Cybersixgill, ZeroFox acquired Haveli Investments, and Mastercard acquired Recorded Future. Each of these acquisitions helps to enrich the underlying TIP with additional data and signals intelligence. Let’s examine some of the leading vendors, recognizing that there are many others that could be included in this category: Gartner, for example, lists more than 150 vendors in its TIP compendium.

Bitsight Cyber Risk Intelligence provides real-time intelligence from a wide variety of sources, including the dark web analytics from its Cybersixgill acquisition. They curate more than seven million items and a billion compromised credentials daily and claim they can provide alerts within a minute of their collection which are customized for each recipient.

Cyware Threat Intelligence Platform covers a wide range of structured and unstructured threat sources with real-time actions and powerful automation features that can enrich threat data and be used by cross-functional security teams.

GreyNoise uses a collection of more than 300 edge device-based honeypots to collect its threat intelligence and provide near-real-time analysis. It features a wide collection of tool integrations into SIEM, SOAR, Hunters XDR and Sophos network firewall products. These integrations help correlate threats with vulnerabilities and incident response into a coherent and actionable course of action.

Kela Threat Intelligence has a collection of tools that are part of its TIP. It can automate playbooks for defenders to help monitor and prioritize mitigation actions and can integrate into a variety of existing third-party security products. It uses data collected by its research group, such as in tracking billions of compromised credentials in the past year. There is a free trial account available to qualified potential buyers.

OpenText Threat Intelligence (BrightCloud) has a global sensor network to detect emerging threats and has real-time web classification, anti-phishing detection and IP and file-based reputation monitoring. It also provides details on cloud-based threats and has the ability to identify and isolate polymorphic malware.

Palo Alto Networks’ Cortex XSIAM is an AI-driven SOC platform that ingests, correlates, and acts on massive amounts of security data, including threat intelligence. It uses generative AI to perform continuous analytics across endpoints, networks, clouds and identity providers and can aggregate threat data across both commercial and open-source providers and integrates more than 250 third-party tools to create actionable rules, playbooks, and mitigations.

Recorded Future Threat Intelligence has been considered a leader in TIP by numerous analysts, and being part of Mastercard has cemented that position. They have their own in-house threat hunting group (Insikt) that provides research reports, the data of which is encapsulated in their TIP. They also share their payment fraud data with their new owners. They have been using deterministic AI for a decade and have used that experience to build generative AI front ends to drive analysis and workflows and to help suggest queries and insights. A new malware intelligence module correlates observed behavior with more than 15 years of historical threat data.

Seemplicity uses its own AI engine called RemOps to build customized remediation plans based on contextual information found in code repositories, from IT service managers and from ticketing systems. It can direct recommended remediations to the most appropriate analyst. It is priced on the number of data sources and automations covered, starting at an annual fee of $60,000. It can collect and integrate data from existing security tools such as data, cloud and application posture managers, endpoint detection and response, and others.

Silent Push has a variety of features, including brand and DNS protection and real-time protection. It has integrations with various SOAR and SIEM tools along with the CrowdStrike and Cyware platforms. It has a free community version that doesn’t include any threat feeds but does monitor infrastructure changes. The more complete enterprise version starts at $120,000 per year for the basics, but the cost can quickly climb to $500,000 or more.

SOCRadar Cyber Threat Intelligence is just one of three elements of its product line, the other two being dark web monitoring and extended threat intelligence. The latter includes attack surface management, brand protection and supply chain analytics. It encapsulates numerous threat feeds, including monitoring of more than 1,500 Telegram-based threat channels, and has a simple natural language query tool. It also offers numerous integrations with log management, SOAR and SIEM systems. SOCRadar has a very transparent pricing page: there is a free forever plan, and an essential plan that starts at $11,350 per year. Dark web and extended intelligence cost extra.

Finally, heed these words of wisdom: “Effective threat intelligence is not just about technology – it’s also about people,” wrote ThreatQuotient. “To truly get the most out of your TIP, you need to foster collaboration between your security team and other parts of your organization. This could include your IT department, your executive team, and even your customers and partners. By creating a culture of collaboration and information sharing, you can ensure that everyone in your organization is working together to stay ahead of the threat landscape.”
