Threat intelligence platforms (TIPs) process external threat feeds and internal log files to create a prioritized and contextualized feed of alerts for a security team. TIPs also enhance other business security tools with consolidated and improved threat feeds. To help you select the right platform for your business, I analyzed industry-leading threat intelligence products and their capabilities, pricing availability, and important features.
Here are the top seven threat intelligence platforms for businesses:
- ThreatConnect: Best overall for a mix of features and integrations
- Rapid7 Threat Command: Best for intensive security needs
- Anomali ThreatStream: Best for hybrid deployments
- Mandiant Advantage: Best free threat intelligence platform
- Recorded Future: Best for small-team requirements
- Palo Alto Networks Cortex XSOAR: Best for enterprise threat intelligence
- SolarWinds Security Event Manager: Best for log management
Top Threat Intelligence Platforms Comparison
This table briefly covers my top seven vendors and the availability of a few of their features, as well as free trials.
Product | Alert Management | Threat Scoring | Sandbox Integration or Add-On | MITRE Mapping | 30-Day Free Trial* |
---|---|---|---|---|---|
ThreatConnect | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Rapid7 Threat Command | ✔️ | ✔️ | Plug-in | ✔️ | ❌ |
Anomali ThreatStream | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
Mandiant Advantage | ✔️ | ✔️ | ❌ | ✔️ | ❌ |
Recorded Future | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Palo Alto Cortex XSOAR | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
SolarWinds Security Event Manager | ❌ | ❌ | ❌ | ❌ | ✔️ |
* Trial is specifically for integrations with Splunk and Microsoft Sentinel SIEM products
While all of my top seven picks are strong business choices, I found that ThreatConnect scored the highest overall and had the best selection of features. Continue reading to learn more about the top threat intelligence platforms and their features and pricing availability, or scroll down to read how I evaluated them.
Note: All per-user prices are based on a one-year commitment unless otherwise noted.
ThreatConnect – Best Overall for a Mix of Features & Integrations
Overall Rating: 4.2/5
- Core features: 5/5
- Integrations: 4.8/5
- Implementation and administration: 4.3/5
- Advanced features: 3.4/5
- Pricing: 2.3/5
- Customer support: 3.3/5
ThreatConnect is a threat intelligence platform (TIP) that can be deployed on-premises, air-gapped, or in an AWS private cloud instance. Its deployment flexibility, strong array of threat intelligence features, and multiple third-party integrations make it a standout platform for enterprises. Advanced features include threat graphing and MITRE framework mapping. ThreatConnect is ideal for businesses that need plenty of features and security integrations.
Rapid7 Threat Command – Best for Intensive Security Needs
Overall Rating: 3.8/5
- Core features: 4.8/5
- Integrations: 2.8/5
- Implementation and administration: 3.6/5
- Advanced features: 3.4/5
- Pricing: 2.9/5
- Customer support: 5/5
Rapid7 Threat Command is a threat intelligence solution that incorporates features of IntSights, a TIP that Rapid7 acquired in 2021. Its key features include IOC prioritization, threat scoring, and integrations with open-source intelligence feeds. Threat Command also integrates with InsightIDR, Rapid7’s combined SIEM, EDR, and incident response platform. If your business is considering multiple enterprise products from Rapid7, Threat Command is a great choice.
Anomali ThreatStream – Best for Hybrid Deployments
Overall Rating: 3.5/5
- Core features: 3.7/5
- Integrations: 4.5/5
- Implementation and administration: 3.2/5
- Advanced features: 2.4/5
- Pricing: 2.9/5
- Customer support: 4/5
Anomali ThreatStream is a threat intelligence platform that aggregates indicators to identify new attacks, discover existing breaches, and help security teams understand and contain threats. Anomali has over 100 open-source feeds included with ThreatStream. It’s a particularly good choice for teams that want their threat intelligence on premises. You can deploy ThreatStream as software-as-a-service, on premises, or in an air-gapped environment.
Read more about Anomali in our in-depth review of ThreatStream.
Mandiant Advantage – Best Free Threat Intelligence Platform
Overall Rating: 3.5/5
- Core features: 4.2/5
- Integrations: 4/5
- Implementation and administration: 2.9/5
- Advanced features: 1.9/5
- Pricing: 3.2/5
- Customer support: 3.9/5
Mandiant Advantage, a cybersecurity platform owned by Google Cloud, offers threat intelligence along with attack surface management and managed defense. It has a free version with limited features, including a dashboard, threat actor and vulnerability data, and OSINT indicators. While Mandiant is a suitable choice for enterprises, it’ll be particularly appealing to SMBs that want to implement basic threat intelligence capabilities without paying for a major platform.
Recorded Future – Best for Small-Team Requirements
Overall Rating: 3.3/5
- Core features: 3.7/5
- Integrations: 3.5/5
- Implementation and administration: 2.8/5
- Advanced features: 2.7/5
- Pricing: 3.1/5
- Customer support: 4/5
Recorded Future’s Threat Intelligence Cloud Platform collects and structures threat data for security teams to analyze through its Intelligence Graph. Other platform capabilities include threat scoring and MITRE ATT&CK mapping. Recorded Future is a good choice for businesses on a budget because it offers a free browser extension with some features. But for teams that want to pay for implementation assistance, it also offers a dedicated technical account manager.
Palo Alto Cortex XSOAR – Best for Enterprise Threat Intelligence
Overall Rating: 3.3/5
- Core features: 4.3/5
- Integrations: 2.7/5
- Implementation and administration: 3.3/5
- Advanced features: 2.3/5
- Pricing: 3.4/5
- Customer support: 3/5
Palo Alto Cortex is a broad security platform that offers SOAR, XDR, and threat intelligence, depending on which products and modules your business needs. The threat intelligence management product falls under XSOAR, but the entire Cortex platform has some level of overlap. Palo Alto's Cortex XDR reported 100 percent protection and 100 percent detection in the 2023 MITRE ATT&CK Enterprise Evaluations, although that result measures the XDR endpoint product rather than the XSOAR threat intelligence module, and MITRE publishes raw results rather than a vendor ranking. Taken together with XSOAR's automation, the platform is a strong choice for enterprises that process highly sensitive data.
SolarWinds Security Event Manager – Best for Log Management
Overall Rating: 3.1/5
- Core features: 2.5/5
- Integrations: 2.4/5
- Implementation and administration: 4/5
- Advanced features: 2.3/5
- Pricing: 4/5
- Customer support: 5/5
SolarWinds Security Event Manager is a security event log solution that includes threat detection and response features. Highlights include configurable rules, responses to security events, and integrations with multiple firewall appliances. SolarWinds SEM is an ideal choice for teams that want some basic threat intelligence capabilities but are focused on overall log and event management.
Read eSecurity Planet’s in-depth SolarWinds SEM product review if you’re interested in learning more about its features.
5 Key Features of Threat Intelligence Platforms
Threat intelligence platforms offer a variety of core features that help security teams gather and manage threat intel, including data aggregation, threat and IOC scores, alert management, dashboards, and integrations with other security products.
Data Collection
Aggregating indicators from a variety of feeds is a threat intelligence platform's most basic function. More feeds give you more data, but only if each feed is reputable, well structured, and de-duplicated against the others; a stale or low-quality feed adds false positives rather than coverage, so check how the platform normalizes overlapping indicators and whether it records which sources reported each one. Look for open-source feeds as well; they compile publicly available indicators at no cost, though they usually need more vetting than commercial ones.
Threat Scoring
Threat intelligence platforms should have some methodology for ranking the severity and reliability of the threats they report. Scores let security operations teams decide which indicators to act on first. Note that the Common Vulnerability Scoring System (CVSS) rates the severity of a vulnerability, not the confidence or relevance of an indicator of compromise, so a platform that surfaces CVSS for its vulnerability intelligence will still use its own (usually proprietary) confidence and severity scores for IOCs. Ask how a score is computed, whether it weights the reporting source, and whether it decays as an indicator ages.
Alert Management
Once a threat intelligence platform matches its indicators against business networks and systems, it can generate far more alerts than a security team can read, which quickly overwhelms administrators if the alerts are not triaged and prioritized. You'll need some automation to sort through alerts, rank them by indicator score and observed action (an allowed connection to a known-bad host matters more than a blocked one), and flag likely false positives. Threat intelligence products should offer alert management features that let security personnel triage issues more quickly.
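The three capabilities above (data collection, threat scoring, and alert management) form one pipeline. The following is an added example, written for this article and not code from any vendor it reviews, of that pipeline in miniature: it merges three constructed feeds that report overlapping and defanged indicators, scores each indicator by source reputation, corroboration, and age, matches the result against constructed proxy and firewall log lines, and exports only high-scoring indicators as a blocklist. The source weights, score formula, thresholds, and log format are all assumptions chosen for illustration.

```python
"""Minimal TIP-style pipeline: aggregate feeds, normalize and de-duplicate
indicators, score them, then match against internal logs to produce
prioritized alerts.  Added example; feeds, logs and weights are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed per-source reputation (0..1), a tunable the analyst maintains.
SOURCE_WEIGHT = {"vendor_feed": 0.9, "isac_share": 0.8, "osint_blog": 0.5}

# Constructed feed records from three sources. Note the mixed casing,
# defanged values ("[.]", "hxxp://") and the same indicator reported twice.
RAW_FEEDS = {
    "vendor_feed": [
        {"type": "domain", "value": "Login-Update[.]example", "first_seen": "2024-05-01", "confidence": 85},
        {"type": "ipv4", "value": "203.0.113.45", "first_seen": "2024-05-10", "confidence": 90},
    ],
    "isac_share": [
        {"type": "domain", "value": "login-update.example", "first_seen": "2024-05-03", "confidence": 70},
        {"type": "ipv4", "value": "198.51.100.7", "first_seen": "2023-11-20", "confidence": 60},
    ],
    "osint_blog": [
        {"type": "domain", "value": "hxxp://login-update.example/dl", "first_seen": "2024-05-04", "confidence": 50},
        {"type": "ipv4", "value": "203.0.113.45", "first_seen": "2024-05-11", "confidence": 40},
    ],
}

# Constructed internal log lines (proxy and firewall), the "internal" side.
RAW_LOGS = [
    "2024-05-12T08:01:02Z proxy user=alice dst=login-update.example action=allow",
    "2024-05-12T08:03:15Z fw src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-12T08:04:00Z proxy user=bob dst=intranet.corp.example action=allow",
    "2024-05-12T08:05:30Z fw src=10.0.0.9 dst=198.51.100.7 dport=22 action=deny",
]

NOW = datetime(2024, 5, 12, tzinfo=timezone.utc)  # fixed clock keeps the example deterministic


@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: dict[str, int] = field(default_factory=dict)  # source -> reported confidence
    first_seen: datetime | None = None


def normalize(ioc_type: str, value: str) -> str:
    """Refang and canonicalize so the same indicator from two feeds collides."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^hxxps?://", "", v)
    if ioc_type == "domain":
        v = v.split("/")[0]  # drop any path a URL-shaped record carried
    return v


def aggregate(feeds: dict) -> dict[tuple[str, str], Indicator]:
    """Merge all feeds into one indicator per (type, normalized value)."""
    merged: dict[tuple[str, str], Indicator] = {}
    for source, records in feeds.items():
        for rec in records:
            key = (rec["type"], normalize(rec["type"], rec["value"]))
            ind = merged.setdefault(key, Indicator(*key))
            ind.sources[source] = rec["confidence"]
            seen = datetime.strptime(rec["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            if ind.first_seen is None or seen < ind.first_seen:
                ind.first_seen = seen
    return merged


def score(ind: Indicator, now: datetime = NOW) -> float:
    """0-100: source-weighted confidence, plus up to +10 for corroboration, halved if stale."""
    weighted = sum(SOURCE_WEIGHT[s] * c for s, c in ind.sources.items()) / sum(SOURCE_WEIGHT[s] for s in ind.sources)
    corroboration = min(len(ind.sources) - 1, 2) * 5
    stale = (now - ind.first_seen).days > 90  # assumed 90-day decay window
    return round(min(100.0, (weighted + corroboration) * (0.5 if stale else 1.0)), 1)


LOG_DST = re.compile(r"\bdst=(\S+)")


def match_logs(indicators: dict, logs: list[str], now: datetime = NOW) -> list[dict]:
    """Alerts for log lines whose dst= hits an indicator, highest score first, allowed before denied."""
    by_value = {ind.value: ind for ind in indicators.values()}
    alerts = []
    for line in logs:
        m = LOG_DST.search(line)
        ind = by_value.get(m.group(1).lower()) if m else None
        if ind:
            alerts.append({"score": score(ind, now), "ioc": ind.value, "sources": sorted(ind.sources), "log": line})
    alerts.sort(key=lambda a: (a["score"], "action=allow" in a["log"]), reverse=True)
    return alerts


def blocklist(indicators: dict, threshold: float = 75.0, now: datetime = NOW) -> list[str]:
    """Only high-scoring indicators are fit to push to a firewall or EDR; the rest stay analyst-review-only."""
    return sorted(ind.value for ind in indicators.values() if score(ind, now) >= threshold)


if __name__ == "__main__":
    inds = aggregate(RAW_FEEDS)
    for a in match_logs(inds, RAW_LOGS):
        print(f"{a['score']:5.1f} {a['ioc']:<22} {a['sources']} :: {a['log']}")
    print("blocklist:", blocklist(inds))
```

Running it produces three alerts: the phishing domain first (three corroborating sources, score 81.6), the allowed connection to 203.0.113.45 second (77.1), and the denied SSH attempt to the six-month-old indicator last (30.0, halved for age). Only the first two clear the blocklist threshold, which is the distinction a TIP should make between indicators worth automated blocking and those that only merit a look from an analyst.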
Dashboards
Dashboards can help security teams prioritize the alerts they’re constantly receiving by organizing data into charts so it’s easier to understand. They provide a broad view of your threat intelligence ecosystem, improving data visualization, and also give security teams a resource to report overall progress to executives and other company stakeholders.
Security Integrations
TIPs that integrate with other security products in your tech stack allow your teams to collect more comprehensive threat and vulnerability data from multiple sources. By feeding SIEM, EDR, and firewall information into a single solution, you eliminate some of the data silos inherent in IT infrastructures.
If a threat intelligence vendor isn’t clear about the exact way their security integrations or partnerships work, ask them for a demonstration of the direct integration between the platforms and how data syncs and populates within them.
To learn more about the threats that affect your business networks, read our guide to different types of network security solutions.
How I Evaluated the Best Threat Intelligence Platforms
To evaluate business-facing threat intelligence products, I created a product scoring rubric that grouped threat intelligence features and characteristics into six major criteria that buyers consider. Each of the six categories received a specific weight and contained multiple subcriteria, which also each had their own weighting. How well the evaluated products met each of the criteria determined their final scores. I also used the rubric to help determine product use cases.
Evaluation Criteria
I first considered core features, which make up the major functionality of threat intelligence platforms. Next, I assessed integrations with other security products, administrative capabilities like documentation, and advanced and add-on features such as incident response and sandboxing. Finally, I evaluated the threat intelligence platforms’ pricing availability, including free trials, and customer support channels, demos, and team hours.
- Core features (30%): This category included major threat intelligence capabilities, such as alert management, reporting, and identifying indicators of compromise.
- Criterion winner: ThreatConnect
- Integrations (20%): I looked at threat intelligence platforms’ integrations with multiple security products, including EDR, SIEM, and next-gen firewalls.
- Criterion winner: ThreatConnect
- Implementation and administration (15%): I considered factors that contribute to ease of use and implementation, like a technical account manager and product documentation.
- Criterion winner: ThreatConnect
- Advanced features (15%): These were less common threat intelligence capabilities, such as MITRE mapping, dark web monitoring, and TIP add-ons like sandboxing.
- Criterion winner: Multiple winners
- Pricing (10%): I evaluated availability of pricing information, free trials, and licensing options like annual and monthly billing.
- Criterion winner: SolarWinds SEM
- Customer support (10%): I analyzed support channels like email, phone, and live chat, as well as support team hours and availability of product demos.
- Criterion winner: Multiple winners
Frequently Asked Questions (FAQs)
What Is the Difference Between SIEM & a Threat Intelligence Platform?
Security information and event management (SIEM) solutions centralize and correlate security logs and events from across the business. Threat intelligence platforms focus on collecting, normalizing, and scoring external and internal data about threats, and typically push the resulting indicators into the SIEM so it can match them against those events. The two categories overlap, depending on the product or platform.
What Is the NIST Threat Intelligence Lifecycle?
The National Institute of Standards and Technology (NIST) has developed a five-step process for managing threat intelligence. The five steps include:
- Direction and planning
- Collecting
- Processing
- Analysis and production
- Dissemination and feedback
Following detailed, organized steps can help your business take charge of your threat intelligence management lifecycle.
What Is Cloud Threat Intelligence?
Cloud threat intelligence platforms focus on threats based in the cloud or most likely to affect cloud-stored data. Such threats include misconfigurations and strange behavior from privileged accounts. Note that a cloud-based threat intelligence platform could also refer to the deployment method of the TIP.
Bottom Line: Threat Intelligence Platforms Need Context & Careful Management
Threat intelligence platforms are incredibly useful tools for enterprises as they work to understand their threat landscape. But they need to be used and managed by administrators who know how to evaluate threats in their appropriate context. TIPs also need to process threat feed data accurately so teams know which issues are a priority and when to remediate them. Plan to devote the time necessary to develop a TIP to your organization’s specific needs.
If your business is considering other threat management products, check out our list of the best unified threat management solutions next.
Chad Kime, Devin Partida, and Kyle Guercio contributed to this article.