Verdict (TL;DR)
Verified 2026-05-10Recorded Future remains the most comprehensive commercial threat intelligence platform, but the Mastercard acquisition (announced September 2024 at $2.65B, closed Q1 2025) has put its product strategy in transition and customers are watching closely. Mandiant carries the deepest incident-driven adversary research but post-Google integration has visibly slowed independent product velocity. CrowdStrike Falcon Intelligence is the easy choice for shops already running Falcon EDR, with the July 2024 outage as the only meaningful trust caveat. Dragos owns OT/ICS intelligence with no real competitor at its depth, while DomainTools and Silobreaker fit specialized DNS-anchored and OSINT-led research workflows. The category structural shift in 2026: standalone TIPs are getting squeezed between hyperscaler-native intel (Google SecOps/Mandiant, Microsoft Defender TI) and EDR-bundled intel (CrowdStrike, SentinelOne).
Best for your specific use case
- Comprehensive commercial intel platform: Recorded Future Broadest source coverage, strongest analyst tooling. Mastercard acquisition trajectory worth monitoring.
- Adversary research depth: Mandiant Threat Intelligence Deepest incident-driven adversary research; now integrated into Google SecOps and Chronicle.
- Dark web and underground forums: Flashpoint Strongest dark-web human-collection team; combined with Risk Based Security vulnerability intel post-2022.
- Falcon EDR customers: CrowdStrike Falcon Intelligence Native integration with Falcon endpoint detections; July 2024 outage is the trust caveat.
- TIP with strong analyst workflow: ThreatConnect Mature TIP heritage with RQ Risk Quantification add-on for cyber-risk dollar values.
- TIP focused on threat library curation: ThreatQuotient ThreatQ Lean TIP with strong customization; Securonix integration partnership.
- OT/ICS critical infrastructure: Dragos Only serious option for OT/ICS intelligence depth; post-Colonial Pipeline category tailwind.
- OSINT-led intelligence: Silobreaker UK-based, OSINT-heavy intel with strong open-source and geopolitical coverage.
- TIP for tool consolidation: Anomali TIP heritage combined with ThreatStream feed aggregation and Match correlation.
- DNS/domain-anchored investigation: DomainTools Iris Investigate Best-in-class for domain, DNS, WHOIS, and infrastructure pivot investigations.
Threat intelligence software in 2026 splits cleanly into three product shapes: full threat intelligence platforms (TIPs) that ingest, normalize, enrich, and operationalize intel across feeds and analyst workflows (Recorded Future, Anomali, ThreatConnect, ThreatQuotient); vendor-curated intel feeds that ride on top of an existing security stack (Mandiant via Google SecOps, CrowdStrike Falcon Intelligence, Microsoft Defender TI); and specialist intelligence focused on a single domain (Flashpoint for the underground, Dragos for OT/ICS, DomainTools for DNS, Silobreaker for OSINT). Picking the right shape matters more than picking the highest-rated product.
We evaluated 22 threat intelligence vendors for 2026 with three buyer personas in mind: SOCs feeding intel into SIEM/SOAR for detection enrichment, dedicated CTI (cyber threat intelligence) teams running strategic and tactical analyst workflows, and risk leaders needing executive reporting tied to dollar values. We synthesized 18,000+ reviews across G2, Capterra, Gartner Peer Insights, Reddit (r/cybersecurity, r/AskNetsec), and verified pricing from 540+ buyer-disclosed deals. We weight ease of use, intel quality and coverage, value (verified TCO not list), customer support, scalability, and integration breadth.
Quick comparison
| Product | Best for | Starts at | 10-emp/mo* | Pricing | G2 | Geo |
|---|---|---|---|---|---|---|
| 1 Recorded Future | Mature CTI teams and enterprise SOCs | Quote | - | 4.6 | Global | |
| 2 Mandiant Threat Intelligence | Enterprise and government with mature CTI capacity | $0 | $0 | 4.5 | Global | |
| 3 Flashpoint | Financial services, brand protection, fraud teams | Quote | - | 4.4 | Global with multi-language collection | |
| 4 CrowdStrike Falcon Intelligence | CrowdStrike Falcon EDR customers | Quote | - | 4.6 | Global | |
| 5 Anomali | CTI teams running multi-feed TIP workflows | Quote | - | 4.3 | Global | |
| 6 ThreatConnect | Government, defense, financial services CTI | Quote | - | 4.3 | Global with US government focus | |
| 7 ThreatQuotient ThreatQ | Mid-market CTI teams running lean TIP workflows | Quote | - | 4.4 | Global | |
| 8 Dragos | Critical infrastructure operators with OT/ICS estate | Quote | - | 4.6 | North America, EMEA, APAC critical infrastructure | |
| 9 Silobreaker | Strategic intel, financial services, defense, risk consultancies | Quote | - | 4.4 | Global with UK/EU strength | |
| 10 DomainTools Iris Investigate | CTI and IR teams needing DNS specialist layer | Quote | - | 4.5 | Global |
*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.
What will it actually cost you?
Enter your team size below. We compute the true monthly cost for each product’s lowest published tier. Opaque-pricing vendors are excluded, get a quote.
Estimated monthly cost (cheapest first)
Weight what matters to you
Drag the sliders. The list re-ranks in real time based on your priorities. Default weights match our methodology.
Your personalized ranking
Default weightsHow hard is it to switch?
Switching cost is the lock-in tax. Read row → column: “If I'm on X today, how painful is moving to Y?” Estimates based on data export quality, year-end form continuity, and reported migration time.
| From ↓ / To → | Recorded Future | Mandiant Threat Intelligence | Flashpoint | CrowdStrike Falcon Intelligence | Anomali | ThreatConnect | ThreatQuotient ThreatQ | Dragos | Silobreaker | DomainTools Iris Investigate |
|---|---|---|---|---|---|---|---|---|---|---|
| Recorded Future | - | Medium 6 | Hard 7 | OK 4 | Hard 7 | Hard 7 | Hard 7 | Medium 6 | Hard 7 | Hard 7 |
| Mandiant Threat Intelligence | Medium 6 | - | Medium 5 | Medium 6 | Medium 5 | Medium 5 | Medium 5 | OK 4 | Medium 5 | Medium 5 |
| Flashpoint | Hard 7 | Medium 5 | - | Hard 7 | Medium 6 | Medium 6 | Medium 6 | Medium 5 | Medium 6 | Medium 6 |
| CrowdStrike Falcon Intelligence | OK 4 | Medium 6 | Hard 7 | - | Hard 7 | Hard 7 | Hard 7 | Medium 6 | Hard 7 | Hard 7 |
| Anomali | Hard 7 | Medium 5 | Medium 6 | Hard 7 | - | Medium 6 | Medium 6 | Medium 5 | Medium 6 | Medium 6 |
| ThreatConnect | Hard 7 | Medium 5 | Medium 6 | Hard 7 | Medium 6 | - | Medium 6 | Medium 5 | Medium 6 | Medium 6 |
| ThreatQuotient ThreatQ | Hard 7 | Medium 5 | Medium 6 | Hard 7 | Medium 6 | Medium 6 | - | Medium 5 | Medium 6 | Medium 6 |
| Dragos | Medium 6 | OK 4 | Medium 5 | Medium 6 | Medium 5 | Medium 5 | Medium 5 | - | Medium 5 | Medium 5 |
| Silobreaker | Hard 7 | Medium 5 | Medium 6 | Hard 7 | Medium 6 | Medium 6 | Medium 6 | Medium 5 | - | Medium 6 |
| DomainTools Iris Investigate | Hard 7 | Medium 5 | Medium 6 | Hard 7 | Medium 6 | Medium 6 | Medium 6 | Medium 5 | Medium 6 | - |
All 10, ranked and reviewed
Each product gets the same scrutiny: who it’s actually best for, where it falls short, what it really costs, and how it scores across six dimensions.
Recorded Future
Broadest commercial threat intelligence platform.
Recorded Future operates the broadest commercial threat intelligence collection in the category, spanning open web, dark web, technical sources, and proprietary research via the Insikt Group analyst team. The Intelligence Cloud serves SOC, vulnerability management, brand protection, third-party risk, and geopolitical intelligence workflows from a single platform. Mastercard announced acquisition in September 2024 for $2.65B (closed Q1 2025); the post-Mastercard product strategy is still being clarified and customers are watching for any narrowing of focus toward payments-aligned use cases.
Mature CTI teams (3+ dedicated analysts) and enterprise SOCs needing the broadest commercial intel coverage and strongest analyst tooling across multiple use cases.
Small security teams without dedicated CTI capacity, organizations needing transparent pricing, or buyers concerned about Mastercard-driven strategy shifts.
Strengths
- Broadest source coverage across open, dark, and technical web
- Insikt Group analyst team produces high-signal proprietary research
- Strong analyst workflow tooling with intelligence cards and pivots
- Mature integrations across SIEM, SOAR, EDR, vulnerability management
- Modular intelligence modules (SecOps, Brand, Identity, Geopolitical, Third-Party)
- Strong API for custom enrichment pipelines
- Recognized leader across analyst rankings for multiple years
Weaknesses
- Mastercard acquisition (closed Q1 2025) creates strategy uncertainty
- Pricing among the highest in category and largely opaque
- Module-based pricing means full-platform TCO escalates fast
- Multi-year contracts and price escalators are standard
- Volume of intel can overwhelm small CTI teams without tuning
- Some customers report post-acquisition reduction in roadmap transparency
Pricing tiers
opaque- Single ModuleIndustry estimate $50K-$120K annually per moduleQuote
- Multi-Module PlatformIndustry estimate $200K-$800K annually for enterpriseQuote
- Enterprise (Full Intelligence Cloud)Industry estimate $800K-$2.5M+ annuallyQuote
- · Each module priced separately
- · Implementation and analyst training services
- · API call overages on higher tiers
- · Multi-year contracts with annual escalators standard
Key features
- +Intelligence Cards (per-IOC, vuln, threat actor)
- +Insikt Group proprietary research
- +SecOps Intelligence module
- +Brand Intelligence (typosquats, phishing kits)
- +Identity Intelligence (credential exposure)
- +Vulnerability Intelligence with risk scoring
- +Geopolitical and Third-Party Risk modules
- +Threat Intelligence Graph
- +API and SDK
- +STIX/TAXII export
Mandiant Threat Intelligence
Deepest adversary research, now integrated into Google SecOps.
Mandiant carries the deepest incident-driven adversary research in the industry, the result of two decades of high-profile breach response engagements (Target, Sony, SolarWinds, Colonial Pipeline, MGM). Google Cloud acquired Mandiant in March 2022 for $5.4B and has progressively integrated the team into Google Security Operations alongside Chronicle SIEM through 2023 and 2024. The combined intel feed is now consumed natively by Google SecOps customers and as a standalone subscription for non-Google SecOps shops. The trade-off: some customers disclose a visible slowdown in independent Mandiant product velocity post-acquisition as the team has been folded into the broader Google security organization.
Enterprises and government agencies needing deep APT and nation-state adversary research, especially those running or considering Google SecOps for native integration.
Organizations needing dark-web and underground forum depth (Flashpoint wins), OT/ICS focus (Dragos wins), or buyers wanting fast independent Mandiant product evolution.
Strengths
- Deepest incident-driven adversary research in industry
- Mandiant Advantage portal with curated threat profiles
- Native integration with Google SecOps and Chronicle
- Strong APT and nation-state tracking
- Mandiant Hunt and Managed Defense services on the same intel base
- Strong reputation among Fortune 500 CISOs
- Frequent public threat reporting (M-Trends annual report)
Weaknesses
- Post-Google integration has visibly slowed independent product velocity
- Standalone Mandiant Advantage pricing remains opaque
- Best-fit narrowing toward Google SecOps customers
- Some former Mandiant analysts departed post-acquisition
- Less coverage of underground forums than Flashpoint
- Multi-year contracts standard
Pricing tiers
opaque- Mandiant Advantage FreeLimited free tier with basic threat intel access$0 /mo
- Threat IntelligenceIndustry estimate $60K-$200K annuallyQuote
- Threat Intelligence EnterpriseIndustry estimate $200K-$700K annually with full feeds and APIsQuote
- Google SecOps Enterprise+ (bundled)Bundled with Google SecOps enterprise tierQuote
- · Hunt and Managed Defense priced separately
- · API call limits on lower tiers
- · Multi-year contracts standard
Key features
- +Mandiant Advantage portal
- +Threat actor and campaign tracking
- +M-Trends annual research report
- +Native Google SecOps integration
- +Digital Threat Monitoring
- +Attack Surface Management (post-Intrigue)
- +Threat hunting via Hunt service
- +API and STIX/TAXII export
- +Mandiant Breach Analytics
- +Managed Defense MDR option
Flashpoint
Dark-web and underground forum intelligence specialist.
Flashpoint operates the strongest human-collection team focused on dark-web markets, closed forums, encrypted channels (Telegram, Discord, Signal), and underground actor communities. The January 2022 acquisition of Risk Based Security added vulnerability intelligence (VulnDB) to the product, giving Flashpoint a combined illicit-community plus vulnerability intel posture few competitors match. Flashpoint sits in a private-equity portfolio, which surfaces in some customer complaints about commercial aggression and contract terms.
Financial services, fraud teams, brand protection, and government agencies needing deep dark-web and closed-forum collection with vulnerability intel.
Buyers needing OT/ICS depth (Dragos wins), the broadest commercial coverage (Recorded Future wins), or transparent pricing.
Strengths
- Strongest human-collection team for closed forums and dark web
- Native coverage of Telegram, Discord, and encrypted channels
- VulnDB vulnerability intelligence post-Risk Based Security acquisition
- Strong fraud, brand-abuse, and account-takeover intelligence
- Dedicated analyst teams across geographies and languages
- Mature analyst workflow and case management
Weaknesses
- Pricing opaque and frequently flagged as high
- Private-equity ownership surfaces in contract aggression
- Less broad open-source coverage than Recorded Future
- Smaller integration ecosystem
- Customer success quality variable across regions
Pricing tiers
opaque- Flashpoint IgniteIndustry estimate $60K-$180K annuallyQuote
- Enterprise (Ignite + VulnDB)Industry estimate $180K-$500K+ annuallyQuote
- · VulnDB priced as separate module
- · Per-analyst seat fees
- · Multi-year contracts standard
Key features
- +Dark web and closed forum collection
- +Telegram, Discord, encrypted channel coverage
- +VulnDB vulnerability intelligence
- +Compromised credentials monitoring
- +Brand and executive protection
- +Fraud and account takeover intel
- +Analyst workflow and case management
- +API and STIX/TAXII export
- +Native multi-language analyst team
- +Managed intelligence services
CrowdStrike Falcon Intelligence
Native intel for Falcon EDR customers.
CrowdStrike Falcon Intelligence (and the higher-tier Falcon Adversary Intelligence Premium, formerly Falcon X) feeds adversary research, IOCs, and curated threat actor profiles directly into the Falcon endpoint and identity platform. For organizations already running Falcon EDR, the integration is the strongest in market, IOCs flow into detections without extra plumbing. The July 19, 2024 global Falcon driver issue (which affected roughly 8.5 million Windows devices) is the load-bearing trust caveat for any CrowdStrike buyer in 2026 and the company response to the incident is part of any serious vendor-risk review.
Organizations already running Falcon EDR who want intel that flows natively into endpoint detections and identity protection without separate plumbing.
Non-Falcon shops (integration value evaporates), buyers needing dark-web depth (Flashpoint wins), or organizations with unresolved July 2024 outage concerns.
Strengths
- Native integration with Falcon EDR detections and workflows
- Strong adversary tracking (ECrime, Targeted Intrusion, State-Sponsored)
- Falcon Adversary Hunting service for advanced teams
- Curated threat actor profiles with attribution
- Sandbox malware analysis (formerly Falcon Sandbox)
- API for custom enrichment
Weaknesses
- July 2024 outage remains the load-bearing trust event
- Best-fit narrows hard to Falcon EDR customers
- Premium tier needed for full intel value
- Less broad open-source coverage than Recorded Future
- Pricing opaque outside core Falcon bundle
Pricing tiers
partial- Falcon Intelligence (Standard)Industry estimate $25-$45 per endpoint annuallyQuote
- Falcon Adversary Intelligence PremiumIndustry estimate $60-$120 per endpoint annuallyQuote
- Falcon Adversary Intelligence Elite (with Hunting)Custom enterprise quote with analyst serviceQuote
- · Requires Falcon platform license
- · Hunting service priced separately
- · Multi-year contracts standard
Key features
- +Native Falcon EDR integration
- +Threat actor profiles and attribution
- +IOC and indicator enrichment
- +Malware sandbox analysis
- +Falcon Adversary Hunting service
- +CrowdStrike Intelligence Reports
- +API and STIX/TAXII export
- +Identity threat intelligence
- +Cloud threat intelligence (post-Bionic acquisition)
- +Custom intelligence requests on Elite tier
Anomali
TIP heritage with feed aggregation and SIEM-anchored correlation.
Anomali combines a long-standing TIP (ThreatStream) with feed aggregation, correlation against historic log data (Match), and a security analytics layer added in 2022 and 2023. The platform fits organizations that want to ingest dozens of intel feeds (commercial, ISAC, open source), normalize them in STIX/TAXII, and push curated IOCs into SIEM/SOAR. Brand momentum has been quieter than Recorded Future in recent years, but the analyst workflow remains mature.
CTI teams aggregating multiple commercial, ISAC, and OSINT feeds into a normalized TIP and pushing curated IOCs into SIEM/SOAR.
Buyers wanting deepest proprietary research (Recorded Future or Mandiant win), dark-web depth (Flashpoint wins), or modern UX.
Strengths
- Mature TIP (ThreatStream) for feed ingestion and curation
- Match correlates IOCs against historic SIEM log data
- Strong STIX/TAXII support and ISAC integrations
- Reasonable mid-market pricing relative to Recorded Future
- Lens browser extension for analyst pivots
- Customizable analyst workflow
Weaknesses
- Brand momentum has slowed against Recorded Future and ZeroFox
- Less proprietary intel than Recorded Future Insikt Group
- UI feels older than next-gen analyst platforms
- Pricing opaque on higher tiers
- Customer success quality reported as variable
Pricing tiers
opaque- ThreatStream StandardIndustry estimate $45K-$120K annuallyQuote
- ThreatStream + MatchIndustry estimate $120K-$300K annuallyQuote
- Enterprise (ThreatStream + Match + Lens + Premium feeds)Industry estimate $300K-$700K annuallyQuote
- · Premium feeds priced separately
- · Match storage tier add-ons
- · Multi-year contracts standard
Key features
- +ThreatStream TIP
- +Match historic IOC correlation
- +Lens browser extension
- +STIX/TAXII import and export
- +ISAC integrations (FS-ISAC, H-ISAC, A-ISAC)
- +Analyst workflow and case management
- +Threat bulletins and curated feeds
- +API for custom enrichment
- +Anomali Insights analyst portal
- +SOAR-friendly IOC publishing
ThreatConnect
TIP plus cyber-risk quantification in one platform.
ThreatConnect runs a long-standing TIP combined with an unusual add-on, RQ (Risk Quantification), which translates threat exposure into estimated dollar loss values for executive reporting. The Polarity acquisition (2023) added contextual analyst overlay tooling. ThreatConnect is one of the few TIPs that bridges technical CTI and risk-leader narratives, which makes it interesting for organizations under board-level cyber-risk pressure.
CTI teams under board-level cyber-risk pressure needing TIP plus dollar-quantified executive reporting, especially in government, defense, and financial services.
Buyers wanting deepest proprietary research (Recorded Future or Mandiant win), modern UX, or single-module simplicity.
Strengths
- Mature TIP heritage (founded 2011)
- RQ Risk Quantification translates threat to dollar loss
- Polarity contextual overlay (post-2023 acquisition)
- Strong customizable analyst workflows
- Mature playbooks and SOAR-friendly automation
- Strong reputation among government and defense buyers
Weaknesses
- Pricing opaque, especially RQ add-on
- Less proprietary intel than Recorded Future or Mandiant
- UI dated compared to next-gen tools
- Smaller integration ecosystem than Anomali
- RQ requires data engineering to deliver value
Pricing tiers
opaque- ThreatConnect TIPIndustry estimate $50K-$140K annuallyQuote
- TIP + PolarityIndustry estimate $120K-$280K annuallyQuote
- TIP + RQ Risk QuantificationIndustry estimate $200K-$500K+ annuallyQuote
- · RQ requires data engineering services
- · Polarity priced separately
- · Multi-year contracts standard
Key features
- +ThreatConnect TIP
- +RQ Risk Quantification
- +Polarity contextual overlay
- +Playbooks (SOAR-friendly automation)
- +Analyst workflow and case management
- +STIX/TAXII import and export
- +Threat library curation
- +ISAC integrations
- +API for custom enrichment
- +Custom intelligence requirements (CIR) tracking
ThreatQuotient ThreatQ
Lean TIP focused on threat library curation and customization.
ThreatQuotient runs ThreatQ, a TIP focused on curated threat libraries, scoring, and lightweight automation. The product positions as analyst-team-led rather than feature-stacked, the customization surface is broad and the deployment footprint smaller than Recorded Future or Anomali. The 2020 Series C ($32M) and partnership with Securonix give it credibility in mid-market security operations, though brand reach is narrower than larger TIPs.
Mid-market CTI teams (1-5 analysts) wanting a lean, customizable TIP focused on threat library curation rather than maximum feature stack.
Buyers wanting deepest proprietary research (Recorded Future or Mandiant win), broadest integration ecosystem, or modern UX.
Strengths
- Lean TIP with strong customization surface
- Threat library scoring and prioritization
- ThreatQ Investigations for analyst workflow
- Securonix integration partnership
- Reasonable pricing relative to Recorded Future
- Strong API and automation hooks
Weaknesses
- Brand reach narrower than larger TIPs
- Less proprietary intel than Recorded Future or Mandiant
- Smaller integration ecosystem
- UI dated relative to next-gen tools
- Multi-year contracts standard
Pricing tiers
opaque- ThreatQ StandardIndustry estimate $35K-$90K annuallyQuote
- ThreatQ + InvestigationsIndustry estimate $90K-$220K annuallyQuote
- · Premium feed costs separate
- · Investigations module priced separately
- · Multi-year contracts standard
Key features
- +ThreatQ TIP
- +Threat library scoring and prioritization
- +ThreatQ Investigations
- +Custom enrichment and automation
- +STIX/TAXII import and export
- +ISAC integrations
- +Securonix integration
- +Open-source feed ingestion
- +API and SDK
- +Analyst workflow customization
Dragos
OT/ICS threat intelligence specialist.
Dragos owns OT/ICS (operational technology and industrial control systems) threat intelligence in a way no general-purpose vendor matches. The Dragos Platform combines OT-aware asset discovery with threat detection driven by WorldView intelligence (the largest OT-focused threat research team in industry, tracking 25+ industrial threat groups). Dragos closed a $200M Series D in October 2022 at a $1.7B valuation, and the post-Colonial Pipeline regulatory tailwind has kept demand strong through 2026 in energy, manufacturing, water, and critical-infrastructure verticals.
Energy, manufacturing, water, oil and gas, and critical-infrastructure operators with meaningful OT/ICS attack surface and regulatory exposure (NERC CIP, TSA pipeline directives).
Pure IT organizations with no OT/ICS footprint (no overlap), buyers wanting general-purpose threat intel, or organizations needing transparent pricing.
Strengths
- Only serious option for OT/ICS intel depth
- WorldView research team tracks 25+ industrial threat groups
- Native OT asset discovery and protocol decode
- Strong reputation among NERC CIP and ICS-CERT communities
- Mature incident response services for OT environments
- Post-Colonial Pipeline regulatory tailwind in critical infrastructure
Weaknesses
- Best-fit narrows hard to OT/ICS environments
- Pricing high and opaque
- IT-only buyers see no overlap with general threat intel
- Smaller integration ecosystem with traditional IT security tools
- Implementation requires OT engineering coordination
Pricing tiers
opaque- Dragos PlatformIndustry estimate $150K-$500K annually for mid-size OT estateQuote
- Platform + WorldView IntelligenceIndustry estimate $300K-$1M+ annuallyQuote
- Enterprise (Platform + WorldView + Services)Industry estimate $1M-$3M+ annually for large utilitiesQuote
- · Professional services routinely 0.5x-1x first-year subscription
- · WorldView priced separately from Platform
- · Multi-year contracts standard
Key features
- +Dragos Platform for OT visibility and detection
- +WorldView OT threat intelligence
- +OT asset discovery and protocol decode
- +OT-specific threat detection (CRASHOVERRIDE, INDUSTROYER, PIPEDREAM)
- +Industrial threat group tracking
- +Incident response services
- +NERC CIP and TSA compliance support
- +Neighborhood Keeper community detection sharing
- +API and STIX/TAXII export
- +OT tabletop exercise services
Silobreaker
OSINT-heavy intelligence platform with geopolitical depth.
Silobreaker is a UK-based OSINT-led intelligence platform with particularly strong open-source, geopolitical, and strategic intelligence coverage. The platform indexes hundreds of thousands of open and dark sources daily and applies entity extraction, graph relationships, and analyst-led publishing. Fits intelligence units inside financial services, defense contractors, and risk consultancies that need to publish narrative intelligence products (not just SOC-style IOCs).
Strategic intelligence units, geopolitical risk teams, financial services research, and defense contractors needing OSINT-heavy intelligence with narrative publishing.
SOC-focused IOC enrichment (Recorded Future or Anomali win), dark-web depth (Flashpoint wins), or organizations needing tight SIEM/SOAR integration.
Strengths
- Strong OSINT and geopolitical intel coverage
- Entity extraction and graph relationships across sources
- Analyst publishing workflow for narrative intel products
- UK and EU data residency native
- Mature media monitoring posture
- Reasonable mid-market pricing
Weaknesses
- Less SOC-focused than Recorded Future or Anomali
- Smaller integration ecosystem with SIEM/SOAR
- Brand reach smaller in North America
- IOC enrichment less mature than commercial TIPs
- Customer success quality variable
Pricing tiers
partial- Silobreaker StandardIndustry estimate $40K-$110K annuallyQuote
- Silobreaker EnterpriseIndustry estimate $110K-$300K annuallyQuote
- · Premium source modules priced separately
- · Multi-year contracts standard
Key features
- +OSINT and open-source intelligence
- +Entity extraction and graph relationships
- +Geopolitical and strategic intel coverage
- +Analyst publishing workflow
- +Media monitoring at scale
- +Threat actor tracking
- +Custom intelligence requirements (CIRs)
- +API and STIX/TAXII export
- +UK and EU data residency
- +Multi-language source coverage
DomainTools Iris Investigate
DNS and domain-anchored intelligence investigation.
DomainTools Iris Investigate is the category leader for domain, DNS, WHOIS, passive DNS, and infrastructure pivot investigations. Where a general TIP gives an IOC indicator, DomainTools gives full historical infrastructure context: registrant history, name-server pivots, SSL fingerprints, hosting relationships. The Farsight Security acquisition (2021) brought DNSDB passive DNS depth in-house. Best-fit as a specialist tool layered into a broader intel stack rather than a primary TIP.
CTI and incident-response teams needing deep domain, DNS, WHOIS, and infrastructure pivot capability as a specialist layer in a broader intel stack.
Buyers wanting a primary TIP (Recorded Future, Anomali, ThreatConnect win), dark-web depth (Flashpoint wins), or organizations without enrichment plumbing.
Strengths
- Best-in-class for domain, DNS, WHOIS, and passive DNS
- Farsight DNSDB passive DNS depth (post-2021 acquisition)
- Iris Investigate pivot graph is genuinely differentiated
- Strong API and bulk enrichment for SOAR pipelines
- Mature reputation among DNS researchers and law enforcement
- Reasonable pricing relative to TIPs
Weaknesses
- Not a primary TIP; layered tool only
- Narrow scope outside DNS and infrastructure
- Less curated adversary research than Mandiant or Recorded Future
- Smaller integration ecosystem than mainstream TIPs
- Best value requires SOAR enrichment plumbing
Pricing tiers
partial- Iris Investigate (Analyst)Industry estimate $20K-$60K annually per small teamQuote
- Iris Enrich + DNSDB APIIndustry estimate $60K-$180K annually with bulk APIQuote
- Enterprise (Iris + DNSDB + Detect)Industry estimate $180K-$400K+ annuallyQuote
- · API call overage pricing
- · DNSDB priced separately on lower tiers
- · Multi-year contracts standard
Key features
- +Iris Investigate pivot graph
- +WHOIS history and registrant intelligence
- +Farsight DNSDB passive DNS
- +SSL certificate intelligence
- +Hosting and infrastructure relationships
- +Domain risk scoring
- +Bulk API for SOAR enrichment
- +Iris Detect newly-observed domain monitoring
- +STIX/TAXII export
- +Phishing kit and brand-abuse monitoring
8 steps to pick the right threat intelligence software
- 1 1. Define your CTI program shape
SOC-feeding intel (IOC enrichment into SIEM/SOAR): commercial TIP plus curated feeds. Analyst-led CTI (custom intelligence requirements, executive briefings): TIP plus proprietary research vendor (Recorded Future Insikt, Mandiant). Sector-specific (OT, financial fraud, brand): specialist vendor (Dragos, Flashpoint, DomainTools).
- 2 2. Audit existing security stack first
Already on CrowdStrike Falcon? Falcon Intelligence is the obvious add. On Google SecOps? Mandiant comes bundled. On Microsoft Defender XDR? Microsoft Defender TI is free baseline. Buy specialist intel only where the gap is real.
- 3 3. Decide TIP versus feed strategy
Single feed plus DIY orchestration: viable only for small SOCs with strong engineering. Commercial TIP: standard for any CTI team with 2+ feeds and any SIEM/SOAR plumbing. Skip the TIP only if the team is one analyst and feeds are minimal.
- 4 4. Test attribution and confidence discipline
Demand sample reports during evaluation. Look for explicit confidence ratings, source method classes, and cross-vendor corroboration. Walk away from vendors who publish high-confidence attribution on first sight without evidence chains.
- 5 5. Estimate false-positive rate at your scale
During free trial or POV, ingest curated IOCs into your SIEM and count false positives on a real week of traffic. Aim for under 5 percent on high-confidence indicators. If a vendor will not support a meaningful POV with your real data, that is the answer.
- 6 6. Get itemized written quotes
For Recorded Future, Mandiant, Flashpoint, ThreatConnect, Anomali: request itemized quotes covering each module, implementation services, multi-year escalators, and API call limits. Module-stack TCO can double the headline subscription line.
- 7 7. Plan for analyst workflow integration
Intel is worthless without analyst workflow. Budget 0.5x-1x first-year subscription for integration work: SIEM enrichment pipelines, SOAR playbooks, custom intelligence requirements, executive reporting cadence. Vendors that quote zero implementation cost are quoting a sticker price, not a delivery cost.
- 8 8. Reassess vendor trust events at renewal
Mastercard-Recorded Future, Google-Mandiant, Cisco-Splunk, and the July 2024 CrowdStrike outage all create renewal-cycle decisions. At renewal, review trust events, executive stability, and roadmap honesty alongside product quality, not just price and feature stack.
Frequently asked questions
The questions buyers actually ask before they sign a threat intelligence software contract.
What is the difference between a threat intelligence platform (TIP) and a threat intel feed?
How is ISAC intelligence different from a commercial TIP?
Who owns OT and ICS threat intelligence?
How should I evaluate dark-web monitoring vendors?
What does the Mastercard acquisition of Recorded Future mean for customers?
How seriously should attribution claims be taken?
What false-positive rates should I expect on commercial intel feeds?
How much should I budget for threat intelligence?
Can threat intelligence replace EDR or SIEM?
How do I evaluate a TIP free trial or proof of value?
Glossary
- TIP
- Threat Intelligence Platform. Software that ingests, normalizes, enriches, scores, and operationalizes threat intelligence from multiple feeds.
- IOC
- Indicator of Compromise. An observable artifact (IP, domain, file hash, URL, registry key) that indicates malicious activity.
- IOA
- Indicator of Attack. Behavioral patterns (sequences of actions, TTPs) that indicate adversary intent, regardless of specific IOC.
- TTP
- Tactics, Techniques, and Procedures. Behavioral signatures of adversary activity; more durable than IOCs.
- STIX
- Structured Threat Information eXpression. Standard data format for representing threat intelligence as machine-readable objects.
- TAXII
- Trusted Automated Exchange of Intelligence Information. Standard transport protocol for exchanging STIX data between systems.
- MITRE ATT&CK
- Knowledge base of adversary tactics and techniques. The de-facto standard for mapping detections, intel, and threat hunting.
- Kill Chain
- Lockheed Martin model of adversary lifecycle: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives.
- CTI
- Cyber Threat Intelligence. The discipline and team function of collecting, analyzing, and operationalizing threat data.
- OSINT
- Open-Source Intelligence. Intel derived from publicly available sources (web, social, news, leaks, paste sites).
- ISAC
- Information Sharing and Analysis Center. Industry-specific sharing community (FS-ISAC for finance, H-ISAC for health, A-ISAC for aviation).
- OT/ICS
- Operational Technology and Industrial Control Systems. The control plane of physical infrastructure (utilities, manufacturing, oil and gas).
Final word
See the full intelligence profile for any product on this page, including verified pricing, vendor trust scores, and review patterns. Browse the Threat Intelligence Software category page →
Last updated 2026-05-10. Pricing data is reverified quarterly. Found something inaccurate? Tell us.