
Threat Intelligence Software

Independent ranking of threat intelligence platforms and feeds, with verified deal pricing and separate vendor-trust dimensions.

Products tracked: 10
Last verified: 2026-05-10
Re-verified every 90 days
Editorial verdict

Recorded Future remains the most comprehensive commercial threat intelligence platform, but the Mastercard acquisition (announced September 2024 at $2.65B, closed Q1 2025) has put its product strategy in transition and customers are watching closely. Mandiant carries the deepest incident-driven adversary research, but post-Google integration has visibly slowed independent product velocity. CrowdStrike Falcon Intelligence is the easy choice for shops already running Falcon EDR, with the July 2024 outage as the only meaningful trust caveat. Dragos owns OT/ICS intelligence with no real competitor at its depth, while DomainTools and Silobreaker fit specialized DNS-anchored and OSINT-led research workflows. The category's structural shift in 2026: standalone TIPs are getting squeezed between hyperscaler-native intel (Google SecOps/Mandiant, Microsoft Defender TI) and EDR-bundled intel (CrowdStrike, SentinelOne).

All 10 products, ranked

  1. #1

    Recorded Future

    G2 4.6 (320)

    Broadest commercial threat intelligence platform.

    Recorded Future operates the broadest commercial threat intelligence collection in the category, spanning open web, dark web, technical sources, and proprietary research via the Insikt Group analyst team. The Intelligence Cloud serves SOC, vulnerability management, brand protection, third-party risk, and geopolitical intelligence workflows from a single platform. Mastercard announced the acquisition in September 2024 for $2.65B (closed Q1 2025); the post-Mastercard product strategy is still being clarified and customers are watching for any narrowing of focus toward payments-aligned use cases.

    Pricing: ○ Quote-only
    Vendor trust: 6.4/10
    Best fit: 500-100,000+
    Reviews analyzed: 320
  2. #2

    Mandiant Threat Intelligence

    G2 4.5 (240)

    Deepest adversary research, now integrated into Google SecOps.

    Mandiant carries the deepest incident-driven adversary research in the industry, the result of two decades of high-profile breach response engagements (Target, Sony, SolarWinds, Colonial Pipeline, MGM). Google Cloud acquired Mandiant in March 2022 for $5.4B and progressively integrated the team into Google Security Operations alongside Chronicle SIEM through 2023 and 2024. The combined intel feed is now consumed natively by Google SecOps customers and is available as a standalone subscription for non-Google SecOps shops. The trade-off: some customers report a visible slowdown in independent Mandiant product velocity post-acquisition as the team has been folded into the broader Google security organization.

    Pricing: ○ Quote-only
    Vendor trust: 7.0/10
    Best fit: 1,000-100,000+
    Reviews analyzed: 240
  3. #3

    Flashpoint

    G2 4.4 (140)

    Dark-web and underground forum intelligence specialist.

    Flashpoint operates the strongest human-collection team focused on dark-web markets, closed forums, encrypted channels (Telegram, Discord, Signal), and underground actor communities. The January 2022 acquisition of Risk Based Security added vulnerability intelligence (VulnDB) to the product, giving Flashpoint a combined illicit-community plus vulnerability intel posture few competitors match. Flashpoint sits in a private-equity portfolio, which surfaces in some customer complaints about commercial aggression and contract terms.

    Pricing: ○ Quote-only
    Vendor trust: 6.3/10
    Best fit: 500-50,000+
    Reviews analyzed: 140
  4. #4

    CrowdStrike Falcon Intelligence

    G2 4.6 (380)

    Native intel for Falcon EDR customers.

    CrowdStrike Falcon Intelligence (and the higher-tier Falcon Adversary Intelligence Premium, formerly Falcon X) feeds adversary research, IOCs, and curated threat actor profiles directly into the Falcon endpoint and identity platform. For organizations already running Falcon EDR, the integration is the strongest in the market: IOCs flow into detections without extra plumbing. The July 19, 2024 global Falcon driver issue (which affected roughly 8.5 million Windows devices) is the load-bearing trust caveat for any CrowdStrike buyer in 2026, and the company's response to the incident is part of any serious vendor-risk review.

    Pricing: ◐ Partial
    Vendor trust: 7.3/10
    Best fit: 500-100,000+
    Reviews analyzed: 380
  5. #5

    Anomali

    G2 4.3 (180)

    TIP heritage with feed aggregation and SIEM-anchored correlation.

    Anomali combines a long-standing TIP (ThreatStream) with feed aggregation, correlation against historic log data (Match), and a security analytics layer added in 2022 and 2023. The platform fits organizations that want to ingest dozens of intel feeds (commercial, ISAC, open source), normalize them in STIX/TAXII, and push curated IOCs into SIEM/SOAR. Brand momentum has been quieter than Recorded Future in recent years, but the analyst workflow remains mature.

    Pricing: ○ Quote-only
    Vendor trust: 6.8/10
    Best fit: 500-25,000+
    Reviews analyzed: 180
  6. #6

    ThreatConnect

    G2 4.3 (160)

    TIP plus cyber-risk quantification in one platform.

    ThreatConnect runs a long-standing TIP combined with an unusual add-on, RQ (Risk Quantification), which translates threat exposure into estimated dollar loss values for executive reporting. The Polarity acquisition (2023) added contextual analyst overlay tooling. ThreatConnect is one of the few TIPs that bridges technical CTI and risk-leader narratives, which makes it interesting for organizations under board-level cyber-risk pressure.

    Pricing: ○ Quote-only
    Vendor trust: 7.0/10
    Best fit: 500-50,000+
    Reviews analyzed: 160
  7. #7

    ThreatQuotient ThreatQ

    G2 4.4 (120)

    Lean TIP focused on threat library curation and customization.

    ThreatQuotient runs ThreatQ, a TIP focused on curated threat libraries, scoring, and lightweight automation. The product is positioned as analyst-team-led rather than feature-stacked: the customization surface is broad and the deployment footprint is smaller than that of Recorded Future or Anomali. The 2020 Series C ($32M) and partnership with Securonix give it credibility in mid-market security operations, though brand reach is narrower than that of larger TIPs.

    Pricing: ○ Quote-only
    Vendor trust: 7.2/10
    Best fit: 200-10,000+
    Reviews analyzed: 120
  8. #8

    Dragos

    G2 4.6 (90)

    OT/ICS threat intelligence specialist.

    Dragos owns OT/ICS (operational technology and industrial control systems) threat intelligence in a way no general-purpose vendor matches. The Dragos Platform combines OT-aware asset discovery with threat detection driven by WorldView intelligence (the largest OT-focused threat research team in industry, tracking 25+ industrial threat groups). Dragos closed a $200M Series D in October 2022 at a $1.7B valuation, and the post-Colonial Pipeline regulatory tailwind has kept demand strong through 2026 in energy, manufacturing, water, and critical-infrastructure verticals.

    Pricing: ○ Quote-only
    Vendor trust: 7.6/10
    Best fit: 1,000-100,000+
    Reviews analyzed: 90
  9. #9

    Silobreaker

    G2 4.4 (80)

    OSINT-heavy intelligence platform with geopolitical depth.

    Silobreaker is a UK-based OSINT-led intelligence platform with particularly strong open-source, geopolitical, and strategic intelligence coverage. The platform indexes hundreds of thousands of open and dark sources daily and applies entity extraction, graph relationships, and analyst-led publishing. It fits intelligence units inside financial services, defense contractors, and risk consultancies that need to publish narrative intelligence products (not just SOC-style IOCs).

    Pricing: ◐ Partial
    Vendor trust: 7.4/10
    Best fit: 500-25,000+
    Reviews analyzed: 80
  10. #10

    DomainTools Iris Investigate

    G2 4.5 (110)

    DNS and domain-anchored intelligence investigation.

    DomainTools Iris Investigate is the category leader for domain, DNS, WHOIS, passive DNS, and infrastructure pivot investigations. Where a general TIP gives an IOC, DomainTools gives full historical infrastructure context: registrant history, name-server pivots, SSL fingerprints, hosting relationships. The Farsight Security acquisition (2021) brought DNSDB passive DNS depth in-house. It fits best as a specialist tool layered into a broader intel stack rather than as a primary TIP.

    Pricing: ◐ Partial
    Vendor trust: 7.7/10
    Best fit: 500-50,000+
    Reviews analyzed: 110

How we rank threat intelligence software

We evaluated 22 threat intelligence platforms and feeds against six weighted dimensions: intel quality and coverage (25%), ease of use and analyst workflow (20%), value (20%), customer support (15%), integrations breadth (10%), and scalability (10%). Pricing data was verified February through April 2026 across 540+ buyer-disclosed deals (anonymous, normalized to annual USD by employee band). Review intelligence was pulled from G2, Capterra, Gartner Peer Insights, Reddit (r/cybersecurity, r/AskNetsec, r/sysadmin), and Trustpilot; editorial publishes only patterns that recur at 15 percent prevalence or higher across the corpus. Vendor trust scores are computed independently from product scores and weight pricing transparency, contract fairness, post-incident behavior, post-acquisition customer treatment, executive stability, and roadmap honesty. Trust events are surfaced where they materially affect buyer outcomes (acquisitions, outages, layoffs, divestitures). Verified pricing medians are bucketed by employee band and require at least 12 deal data points before publication. Compliance certifications are verified against public trust portals (SOC 2 Type 2, ISO 27001, GDPR, HIPAA, CCPA, PCI DSS, FedRAMP); we flag in-process FedRAMP separately from authorized. We did not accept vendor briefings, demo credits, or any form of sponsorship for this ranking. Where a vendor declined a fact-check window, the entry notes this. Editorial independence is the entire point of Zendikt; rankings are determined by analyst consensus and never by commercial relationships.

What you get in this category
  • 10 products with full intelligence profile
  • Verified pricing crowdsourced from real buyers
  • Vendor trust scores independent of product quality
  • Review patterns from G2, Capterra, Reddit, Trustpilot
  • Quarterly re-verification of all data