Canada verdict (TL;DR)
Verified 2026-05-27Recorded Future and Mandiant lead Canadian Big 5 bank threat intelligence programs at RBC, TD, BMO, Scotiabank and CIBC alongside CrowdStrike Falcon Intelligence. BlackBerry (Waterloo) โ the Canadian flagship โ ships Cylance plus AtHoc Threat Intelligence into federal departments and critical infrastructure. CCCS (Canadian Centre for Cyber Security) maintains national threat feeds and Cyber Threat Bulletins that integrate with most platforms. Anomali, ThreatConnect and ThreatQuotient cover TIP-centric programs at telcos and energy companies. Flashpoint and DomainTools serve fraud and brand-abuse teams. Dragos dominates OT threat intelligence at Hydro One, Enbridge, TC Energy and Suncor. RCMP National Cybercrime Coordination Unit and CSIS context shape federal intelligence-sharing expectations.
Picks for Canada
- Big 5 bank or large Canadian enterprise threat intel program: recorded-future Recorded Future is the deployed standard at RBC, TD, BMO, Scotiabank, CIBC and most large Canadian enterprises. Strong Canadian-specific dark-web coverage, integration with CCCS Cyber Threat Bulletins and AWS Canada Central residency for sensitive collections.
- Incident response and adversary attribution at Canadian enterprise: mandiant Mandiant (Google Cloud) leads APT attribution and IR-driven intel at Canadian banks and federal customers. Strong telemetry post-Google acquisition and recurring engagement at SaskTel, Bell and major Canadian breach responses.
- Canadian customers already on CrowdStrike Falcon: crowdstrike-intel Falcon Intelligence ships native to CrowdStrike-led Big 5 bank and Telus, Bell, Rogers deployments. Strong eCrime tracking and Canadian-specific actor profiles, bundled pricing makes incremental cost low.
- Canadian SOC wanting TIP-led workflow with custom feeds: anomali Anomali ThreatStream is a Canadian SOC favourite for ingesting CCCS feeds, ISACs and commercial intel into a single TIP with SIEM enrichment. Common at provincial governments and large utilities.
- Canadian critical-infrastructure OT threat intelligence: dragos Dragos is the OT/ICS threat intelligence standard at Hydro One, Hydro-Quรฉbec, Enbridge, TC Energy, Suncor and major Canadian utilities. Aligns with CSA Z246.1 and CCCS critical-infrastructure guidance.
- Canadian fraud, brand and dark-web monitoring: flashpoint Flashpoint is widely deployed at Canadian banks, insurers and Shopify for dark-web, deep-web and physical-security intelligence. Particularly strong on Canadian-language and Quebec French underground forums.
- Canadian DNS, domain and brand-abuse investigations: domaintools DomainTools Iris is the standard investigation tool at Canadian SOCs, RCMP Cybercrime, CIRA (.ca registry) and brand-protection teams across Big 5 banks and Lululemon.
How the threat intelligence software market looks in Canada
Canadian threat-intelligence demand is shaped by the CCCS (Canadian Centre for Cyber Security) which maintains national threat feeds, Cyber Threat Bulletins, and the Cyber Threat Assessment that drives enterprise intel programs. OSFI Guideline B-13 (Technology and Cyber Risk Management) and Bill C-26 / CCSPA (Critical Cyber Systems Protection Act) increasingly require federally regulated financial institutions and designated critical-infrastructure operators to demonstrate active threat-intelligence ingestion and operationalisation. The 2024 Snowflake-related breaches affecting Canadian Tire customer data and recurring ransomware attacks on Indigo, LCBO and SickKids Hospital have elevated board-level investment.
The first cluster is Canadian financial services. RBC, TD, BMO, Scotiabank, CIBC, National Bank, Desjardins, Manulife, Sun Life and Great-West Lifeco all run multi-vendor intel stacks anchored by Recorded Future and Mandiant with CrowdStrike Falcon Intelligence layered in. FS-ISAC membership is universal, and CCCS Cyber Threat Bulletins flow into TIPs. Pricing in this segment routinely lands at C$500K-C$2.5M annually per platform.
The second cluster is Canadian critical infrastructure and federal government. Hydro-Quรฉbec, Hydro One, Enbridge, TC Energy, Suncor, Cenovus, CN Rail, CP Kansas City Southern, Air Canada, Nav Canada and major utilities run Dragos for OT plus Recorded Future or Anomali for IT intel. Federal departments and Crown corporations require CCCS PROTECTED B handling and integrate directly with CCCS Cyber Centre feeds. BlackBerry (Waterloo) โ Canadian flagship โ ships Cylance with AtHoc Threat Intelligence into federal and Department of National Defence customers.
The third cluster is Canadian SaaS, retail and telco. Shopify operates a sophisticated intel program combining Recorded Future, Flashpoint and in-house collection. Hootsuite, Lightspeed Commerce, Wealthsimple, Telus, Bell and Rogers maintain mid-tier programs. RCMP National Cybercrime Coordination Unit (NC3) and CSIS contextual briefings increasingly shape Canadian enterprise intel priorities, particularly around state-sponsored activity targeting energy, mining and government sectors.
Canadian threat intelligence platforms must support OSFI Guideline B-13 expectations on cyber threat intelligence ingestion, operationalisation and reporting at federally regulated financial institutions. Bill C-26 / CCSPA imposes obligations on designated critical-infrastructure operators in finance, telecom, energy and transportation including mandatory cyber-incident reporting to CCCS. PIPEDA and Quebec Law 25 apply where threat intel involves personal data including breach-credential monitoring, IOC enrichment and victim notification workflows. CCCS Top 10 IT Security Actions and ITSG-33 control families reference threat intelligence as a foundational program element. Federal procurement requires CCCS PROTECTED B handling โ Recorded Future, Mandiant, CrowdStrike, BlackBerry and Anomali have demonstrated PROTECTED B arrangements through SSC Cloud Brokering or sovereign deployment. CASL applies to any intelligence-derived outbound notifications that touch commercial messaging. Data residency on AWS Canada Central (Montreal), Azure Canada Central (Toronto) or sovereign on-prem deployment is increasingly mandated for sensitive collections. The Communications Security Establishment Act governs CSE collection and may apply to shared intel arrangements. Quebec Bill 96 imposes French-language obligations on customer-facing platforms used by Quebec employees.
Quick comparison, ranked for Canada
| Product | Best for | Starts at | 10-emp/mo* | Pricing | G2 | Geo |
|---|---|---|---|---|---|---|
| 1 Recorded Future | Mature CTI teams and enterprise SOCs | Quote | - | 4.6 | Global | |
| 2 Mandiant Threat Intelligence | Enterprise and government with mature CTI capacity | $0 | $0 | 4.5 | Global | |
| 4 CrowdStrike Falcon Intelligence | CrowdStrike Falcon EDR customers | Quote | - | 4.6 | Global | |
| 5 Anomali | CTI teams running multi-feed TIP workflows | Quote | - | 4.3 | Global | |
| 6 ThreatConnect | Government, defense, financial services CTI | Quote | - | 4.3 | Global with US government focus | |
| 3 Flashpoint | Financial services, brand protection, fraud teams | Quote | - | 4.4 | Global with multi-language collection | |
| 8 Dragos | Critical infrastructure operators with OT/ICS estate | Quote | - | 4.6 | North America, EMEA, APAC critical infrastructure | |
| 10 DomainTools Iris Investigate | CTI and IR teams needing DNS specialist layer | Quote | - | 4.5 | Global | |
| 7 ThreatQuotient ThreatQ | Mid-market CTI teams running lean TIP workflows | Quote | - | 4.4 | Global | |
| 9 Silobreaker | Strategic intel, financial services, defense, risk consultancies | Quote | - | 4.4 | Global with UK/EU strength |
*10-employee monthly cost = base fee + (per-employee ร 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.
What buyers in Canada actually pay
Median annual deal size by employee band, in CAD. Crowdsourced from anonymized buyer disclosures.
| Product | Employee band | Median annual (CAD) | Sample | Notes |
|---|---|---|---|---|
| Recorded Future | Big 5 bank or large Canadian enterprise | CA$685,000 | 12 | Recorded Future Intelligence Cloud full bundle, Canadian enterprise CAD |
| Mandiant Threat Intelligence | Canadian Big 5 bank or federal IR retainer | CA$495,000 | 10 | Mandiant Advantage Threat Intelligence + IR retainer CAD |
| CrowdStrike Falcon Intelligence | Canadian enterprise 5,000-25,000 employees | CA$145,000 | 18 | Falcon Intelligence Premium add-on to existing CrowdStrike CAD |
| Anomali | Canadian provincial gov or utility SOC | CA$210,000 | 8 | Anomali ThreatStream TIP, Canadian SOC tier CAD |
| Dragos | Canadian utility or energy operator OT | CA$385,000 | 9 | Dragos Platform + WorldView OT intel, Canadian critical infra CAD |
| Flashpoint | Canadian bank or large retailer | CA$165,000 | 11 | Flashpoint Ignite dark-web + fraud intel CAD |
| DomainTools Iris Investigate | Canadian SOC or fraud team | CA$58,000 | 22 | DomainTools Iris Investigate, Canadian enterprise CAD |
| ThreatConnect | Canadian mid-market SOC 200-2,000 employees | CA$92,000 | 7 | ThreatConnect TIP, Canadian mid-market CAD |
Canada-built or Canada-strong vendors worth knowing
Not yet ranked in our global top 10, but credible options for Canada buyers and worth a shortlist.
BlackBerry (Waterloo)
Visit โCanadian flagship cybersecurity vendor based in Waterloo, Ontario. Cylance EDR plus AtHoc Threat Intelligence is the federal-government standard at Department of National Defence, Public Safety Canada and many Crown corporations. CCCS PROTECTED B and ITSG-33 aligned.
CCCS (Canadian Centre for Cyber Security)
Visit โNational cyber security authority operating under CSE. Publishes Cyber Threat Bulletins, the National Cyber Threat Assessment and operational threat feeds that integrate with most TIPs. Mandatory reporting destination under Bill C-26.
Field Effect (Ottawa)
Visit โOttawa-based Canadian cybersecurity vendor offering Covalence MDR with embedded threat intelligence. Strong fit for Canadian SMB and mid-market, growing federal footprint.
eSentire (Waterloo)
Visit โWaterloo-based Canadian MDR with proprietary Threat Response Unit (TRU) intelligence. Heavy deployment at Canadian mid-market and US enterprise, used by Canadian law firms (Bay Street) and asset managers.
All 10, ranked for Canada
Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the Canada market.
Recorded Future
Broadest commercial threat intelligence platform.
Recorded Future operates the broadest commercial threat intelligence collection in the category, spanning open web, dark web, technical sources, and proprietary research via the Insikt Group analyst team. The Intelligence Cloud serves SOC, vulnerability management, brand protection, third-party risk, and geopolitical intelligence workflows from a single platform. Mastercard announced acquisition in September 2024 for $2.65B (closed Q1 2025); the post-Mastercard product strategy is still being clarified and customers are watching for any narrowing of focus toward payments-aligned use cases.
Mature CTI teams (3+ dedicated analysts) and enterprise SOCs needing the broadest commercial intel coverage and strongest analyst tooling across multiple use cases.
Small security teams without dedicated CTI capacity, organizations needing transparent pricing, or buyers concerned about Mastercard-driven strategy shifts.
Strengths
- Broadest source coverage across open, dark, and technical web
- Insikt Group analyst team produces high-signal proprietary research
- Strong analyst workflow tooling with intelligence cards and pivots
- Mature integrations across SIEM, SOAR, EDR, vulnerability management
- Modular intelligence modules (SecOps, Brand, Identity, Geopolitical, Third-Party)
- Strong API for custom enrichment pipelines
- Recognized leader across analyst rankings for multiple years
Weaknesses
- Mastercard acquisition (closed Q1 2025) creates strategy uncertainty
- Pricing among the highest in category and largely opaque
- Module-based pricing means full-platform TCO escalates fast
- Multi-year contracts and price escalators are standard
- Volume of intel can overwhelm small CTI teams without tuning
- Some customers report post-acquisition reduction in roadmap transparency
Pricing tiers
opaque- Single ModuleIndustry estimate $50K-$120K annually per moduleQuote
- Multi-Module PlatformIndustry estimate $200K-$800K annually for enterpriseQuote
- Enterprise (Full Intelligence Cloud)Industry estimate $800K-$2.5M+ annuallyQuote
- ยท Each module priced separately
- ยท Implementation and analyst training services
- ยท API call overages on higher tiers
- ยท Multi-year contracts with annual escalators standard
Key features
- +Intelligence Cards (per-IOC, vuln, threat actor)
- +Insikt Group proprietary research
- +SecOps Intelligence module
- +Brand Intelligence (typosquats, phishing kits)
- +Identity Intelligence (credential exposure)
- +Vulnerability Intelligence with risk scoring
- +Geopolitical and Third-Party Risk modules
- +Threat Intelligence Graph
- +API and SDK
- +STIX/TAXII export
Mandiant Threat Intelligence
Deepest adversary research, now integrated into Google SecOps.
Mandiant carries the deepest incident-driven adversary research in the industry, the result of two decades of high-profile breach response engagements (Target, Sony, SolarWinds, Colonial Pipeline, MGM). Google Cloud acquired Mandiant in March 2022 for $5.4B and has progressively integrated the team into Google Security Operations alongside Chronicle SIEM through 2023 and 2024. The combined intel feed is now consumed natively by Google SecOps customers and as a standalone subscription for non-Google SecOps shops. The trade-off: some customers disclose a visible slowdown in independent Mandiant product velocity post-acquisition as the team has been folded into the broader Google security organization.
Enterprises and government agencies needing deep APT and nation-state adversary research, especially those running or considering Google SecOps for native integration.
Organizations needing dark-web and underground forum depth (Flashpoint wins), OT/ICS focus (Dragos wins), or buyers wanting fast independent Mandiant product evolution.
Strengths
- Deepest incident-driven adversary research in industry
- Mandiant Advantage portal with curated threat profiles
- Native integration with Google SecOps and Chronicle
- Strong APT and nation-state tracking
- Mandiant Hunt and Managed Defense services on the same intel base
- Strong reputation among Fortune 500 CISOs
- Frequent public threat reporting (M-Trends annual report)
Weaknesses
- Post-Google integration has visibly slowed independent product velocity
- Standalone Mandiant Advantage pricing remains opaque
- Best-fit narrowing toward Google SecOps customers
- Some former Mandiant analysts departed post-acquisition
- Less coverage of underground forums than Flashpoint
- Multi-year contracts standard
Pricing tiers
opaque- Mandiant Advantage FreeLimited free tier with basic threat intel access$0 /mo
- Threat IntelligenceIndustry estimate $60K-$200K annuallyQuote
- Threat Intelligence EnterpriseIndustry estimate $200K-$700K annually with full feeds and APIsQuote
- Google SecOps Enterprise+ (bundled)Bundled with Google SecOps enterprise tierQuote
- ยท Hunt and Managed Defense priced separately
- ยท API call limits on lower tiers
- ยท Multi-year contracts standard
Key features
- +Mandiant Advantage portal
- +Threat actor and campaign tracking
- +M-Trends annual research report
- +Native Google SecOps integration
- +Digital Threat Monitoring
- +Attack Surface Management (post-Intrigue)
- +Threat hunting via Hunt service
- +API and STIX/TAXII export
- +Mandiant Breach Analytics
- +Managed Defense MDR option
CrowdStrike Falcon Intelligence
Native intel for Falcon EDR customers.
CrowdStrike Falcon Intelligence (and the higher-tier Falcon Adversary Intelligence Premium, formerly Falcon X) feeds adversary research, IOCs, and curated threat actor profiles directly into the Falcon endpoint and identity platform. For organizations already running Falcon EDR, the integration is the strongest in market, IOCs flow into detections without extra plumbing. The July 19, 2024 global Falcon driver issue (which affected roughly 8.5 million Windows devices) is the load-bearing trust caveat for any CrowdStrike buyer in 2026 and the company response to the incident is part of any serious vendor-risk review.
Organizations already running Falcon EDR who want intel that flows natively into endpoint detections and identity protection without separate plumbing.
Non-Falcon shops (integration value evaporates), buyers needing dark-web depth (Flashpoint wins), or organizations with unresolved July 2024 outage concerns.
Strengths
- Native integration with Falcon EDR detections and workflows
- Strong adversary tracking (ECrime, Targeted Intrusion, State-Sponsored)
- Falcon Adversary Hunting service for advanced teams
- Curated threat actor profiles with attribution
- Sandbox malware analysis (formerly Falcon Sandbox)
- API for custom enrichment
Weaknesses
- July 2024 outage remains the load-bearing trust event
- Best-fit narrows hard to Falcon EDR customers
- Premium tier needed for full intel value
- Less broad open-source coverage than Recorded Future
- Pricing opaque outside core Falcon bundle
Pricing tiers
partial- Falcon Intelligence (Standard)Industry estimate $25-$45 per endpoint annuallyQuote
- Falcon Adversary Intelligence PremiumIndustry estimate $60-$120 per endpoint annuallyQuote
- Falcon Adversary Intelligence Elite (with Hunting)Custom enterprise quote with analyst serviceQuote
- ยท Requires Falcon platform license
- ยท Hunting service priced separately
- ยท Multi-year contracts standard
Key features
- +Native Falcon EDR integration
- +Threat actor profiles and attribution
- +IOC and indicator enrichment
- +Malware sandbox analysis
- +Falcon Adversary Hunting service
- +CrowdStrike Intelligence Reports
- +API and STIX/TAXII export
- +Identity threat intelligence
- +Cloud threat intelligence (post-Bionic acquisition)
- +Custom intelligence requests on Elite tier
Anomali
TIP heritage with feed aggregation and SIEM-anchored correlation.
Anomali combines a long-standing TIP (ThreatStream) with feed aggregation, correlation against historic log data (Match), and a security analytics layer added in 2022 and 2023. The platform fits organizations that want to ingest dozens of intel feeds (commercial, ISAC, open source), normalize them in STIX/TAXII, and push curated IOCs into SIEM/SOAR. Brand momentum has been quieter than Recorded Future in recent years, but the analyst workflow remains mature.
CTI teams aggregating multiple commercial, ISAC, and OSINT feeds into a normalized TIP and pushing curated IOCs into SIEM/SOAR.
Buyers wanting deepest proprietary research (Recorded Future or Mandiant win), dark-web depth (Flashpoint wins), or modern UX.
Strengths
- Mature TIP (ThreatStream) for feed ingestion and curation
- Match correlates IOCs against historic SIEM log data
- Strong STIX/TAXII support and ISAC integrations
- Reasonable mid-market pricing relative to Recorded Future
- Lens browser extension for analyst pivots
- Customizable analyst workflow
Weaknesses
- Brand momentum has slowed against Recorded Future and ZeroFox
- Less proprietary intel than Recorded Future Insikt Group
- UI feels older than next-gen analyst platforms
- Pricing opaque on higher tiers
- Customer success quality reported as variable
Pricing tiers
opaque- ThreatStream StandardIndustry estimate $45K-$120K annuallyQuote
- ThreatStream + MatchIndustry estimate $120K-$300K annuallyQuote
- Enterprise (ThreatStream + Match + Lens + Premium feeds)Industry estimate $300K-$700K annuallyQuote
- ยท Premium feeds priced separately
- ยท Match storage tier add-ons
- ยท Multi-year contracts standard
Key features
- +ThreatStream TIP
- +Match historic IOC correlation
- +Lens browser extension
- +STIX/TAXII import and export
- +ISAC integrations (FS-ISAC, H-ISAC, A-ISAC)
- +Analyst workflow and case management
- +Threat bulletins and curated feeds
- +API for custom enrichment
- +Anomali Insights analyst portal
- +SOAR-friendly IOC publishing
ThreatConnect
TIP plus cyber-risk quantification in one platform.
ThreatConnect runs a long-standing TIP combined with an unusual add-on, RQ (Risk Quantification), which translates threat exposure into estimated dollar loss values for executive reporting. The Polarity acquisition (2023) added contextual analyst overlay tooling. ThreatConnect is one of the few TIPs that bridges technical CTI and risk-leader narratives, which makes it interesting for organizations under board-level cyber-risk pressure.
CTI teams under board-level cyber-risk pressure needing TIP plus dollar-quantified executive reporting, especially in government, defense, and financial services.
Buyers wanting deepest proprietary research (Recorded Future or Mandiant win), modern UX, or single-module simplicity.
Strengths
- Mature TIP heritage (founded 2011)
- RQ Risk Quantification translates threat to dollar loss
- Polarity contextual overlay (post-2023 acquisition)
- Strong customizable analyst workflows
- Mature playbooks and SOAR-friendly automation
- Strong reputation among government and defense buyers
Weaknesses
- Pricing opaque, especially RQ add-on
- Less proprietary intel than Recorded Future or Mandiant
- UI dated compared to next-gen tools
- Smaller integration ecosystem than Anomali
- RQ requires data engineering to deliver value
Pricing tiers
opaque- ThreatConnect TIPIndustry estimate $50K-$140K annuallyQuote
- TIP + PolarityIndustry estimate $120K-$280K annuallyQuote
- TIP + RQ Risk QuantificationIndustry estimate $200K-$500K+ annuallyQuote
- ยท RQ requires data engineering services
- ยท Polarity priced separately
- ยท Multi-year contracts standard
Key features
- +ThreatConnect TIP
- +RQ Risk Quantification
- +Polarity contextual overlay
- +Playbooks (SOAR-friendly automation)
- +Analyst workflow and case management
- +STIX/TAXII import and export
- +Threat library curation
- +ISAC integrations
- +API for custom enrichment
- +Custom intelligence requirements (CIR) tracking
Flashpoint
Dark-web and underground forum intelligence specialist.
Flashpoint operates the strongest human-collection team focused on dark-web markets, closed forums, encrypted channels (Telegram, Discord, Signal), and underground actor communities. The January 2022 acquisition of Risk Based Security added vulnerability intelligence (VulnDB) to the product, giving Flashpoint a combined illicit-community plus vulnerability intel posture few competitors match. Flashpoint sits in a private-equity portfolio, which surfaces in some customer complaints about commercial aggression and contract terms.
Financial services, fraud teams, brand protection, and government agencies needing deep dark-web and closed-forum collection with vulnerability intel.
Buyers needing OT/ICS depth (Dragos wins), the broadest commercial coverage (Recorded Future wins), or transparent pricing.
Strengths
- Strongest human-collection team for closed forums and dark web
- Native coverage of Telegram, Discord, and encrypted channels
- VulnDB vulnerability intelligence post-Risk Based Security acquisition
- Strong fraud, brand-abuse, and account-takeover intelligence
- Dedicated analyst teams across geographies and languages
- Mature analyst workflow and case management
Weaknesses
- Pricing opaque and frequently flagged as high
- Private-equity ownership surfaces in contract aggression
- Less broad open-source coverage than Recorded Future
- Smaller integration ecosystem
- Customer success quality variable across regions
Pricing tiers
opaque- Flashpoint IgniteIndustry estimate $60K-$180K annuallyQuote
- Enterprise (Ignite + VulnDB)Industry estimate $180K-$500K+ annuallyQuote
- ยท VulnDB priced as separate module
- ยท Per-analyst seat fees
- ยท Multi-year contracts standard
Key features
- +Dark web and closed forum collection
- +Telegram, Discord, encrypted channel coverage
- +VulnDB vulnerability intelligence
- +Compromised credentials monitoring
- +Brand and executive protection
- +Fraud and account takeover intel
- +Analyst workflow and case management
- +API and STIX/TAXII export
- +Native multi-language analyst team
- +Managed intelligence services
Dragos
OT/ICS threat intelligence specialist.
Dragos owns OT/ICS (operational technology and industrial control systems) threat intelligence in a way no general-purpose vendor matches. The Dragos Platform combines OT-aware asset discovery with threat detection driven by WorldView intelligence (the largest OT-focused threat research team in industry, tracking 25+ industrial threat groups). Dragos closed a $200M Series D in October 2022 at a $1.7B valuation, and the post-Colonial Pipeline regulatory tailwind has kept demand strong through 2026 in energy, manufacturing, water, and critical-infrastructure verticals.
Energy, manufacturing, water, oil and gas, and critical-infrastructure operators with meaningful OT/ICS attack surface and regulatory exposure (NERC CIP, TSA pipeline directives).
Pure IT organizations with no OT/ICS footprint (no overlap), buyers wanting general-purpose threat intel, or organizations needing transparent pricing.
Strengths
- Only serious option for OT/ICS intel depth
- WorldView research team tracks 25+ industrial threat groups
- Native OT asset discovery and protocol decode
- Strong reputation among NERC CIP and ICS-CERT communities
- Mature incident response services for OT environments
- Post-Colonial Pipeline regulatory tailwind in critical infrastructure
Weaknesses
- Best-fit narrows hard to OT/ICS environments
- Pricing high and opaque
- IT-only buyers see no overlap with general threat intel
- Smaller integration ecosystem with traditional IT security tools
- Implementation requires OT engineering coordination
Pricing tiers
opaque- Dragos PlatformIndustry estimate $150K-$500K annually for mid-size OT estateQuote
- Platform + WorldView IntelligenceIndustry estimate $300K-$1M+ annuallyQuote
- Enterprise (Platform + WorldView + Services)Industry estimate $1M-$3M+ annually for large utilitiesQuote
- ยท Professional services routinely 0.5x-1x first-year subscription
- ยท WorldView priced separately from Platform
- ยท Multi-year contracts standard
Key features
- +Dragos Platform for OT visibility and detection
- +WorldView OT threat intelligence
- +OT asset discovery and protocol decode
- +OT-specific threat detection (CRASHOVERRIDE, INDUSTROYER, PIPEDREAM)
- +Industrial threat group tracking
- +Incident response services
- +NERC CIP and TSA compliance support
- +Neighborhood Keeper community detection sharing
- +API and STIX/TAXII export
- +OT tabletop exercise services
DomainTools Iris Investigate
DNS and domain-anchored intelligence investigation.
DomainTools Iris Investigate is the category leader for domain, DNS, WHOIS, passive DNS, and infrastructure pivot investigations. Where a general TIP gives an IOC indicator, DomainTools gives full historical infrastructure context: registrant history, name-server pivots, SSL fingerprints, hosting relationships. The Farsight Security acquisition (2021) brought DNSDB passive DNS depth in-house. Best-fit as a specialist tool layered into a broader intel stack rather than a primary TIP.
CTI and incident-response teams needing deep domain, DNS, WHOIS, and infrastructure pivot capability as a specialist layer in a broader intel stack.
Buyers wanting a primary TIP (Recorded Future, Anomali, ThreatConnect win), dark-web depth (Flashpoint wins), or organizations without enrichment plumbing.
Strengths
- Best-in-class for domain, DNS, WHOIS, and passive DNS
- Farsight DNSDB passive DNS depth (post-2021 acquisition)
- Iris Investigate pivot graph is genuinely differentiated
- Strong API and bulk enrichment for SOAR pipelines
- Mature reputation among DNS researchers and law enforcement
- Reasonable pricing relative to TIPs
Weaknesses
- Not a primary TIP; layered tool only
- Narrow scope outside DNS and infrastructure
- Less curated adversary research than Mandiant or Recorded Future
- Smaller integration ecosystem than mainstream TIPs
- Best value requires SOAR enrichment plumbing
Pricing tiers
partial- Iris Investigate (Analyst)Industry estimate $20K-$60K annually per small teamQuote
- Iris Enrich + DNSDB APIIndustry estimate $60K-$180K annually with bulk APIQuote
- Enterprise (Iris + DNSDB + Detect)Industry estimate $180K-$400K+ annuallyQuote
- ยท API call overage pricing
- ยท DNSDB priced separately on lower tiers
- ยท Multi-year contracts standard
Key features
- +Iris Investigate pivot graph
- +WHOIS history and registrant intelligence
- +Farsight DNSDB passive DNS
- +SSL certificate intelligence
- +Hosting and infrastructure relationships
- +Domain risk scoring
- +Bulk API for SOAR enrichment
- +Iris Detect newly-observed domain monitoring
- +STIX/TAXII export
- +Phishing kit and brand-abuse monitoring
ThreatQuotient ThreatQ
Lean TIP focused on threat library curation and customization.
ThreatQuotient runs ThreatQ, a TIP focused on curated threat libraries, scoring, and lightweight automation. The product positions as analyst-team-led rather than feature-stacked, the customization surface is broad and the deployment footprint smaller than Recorded Future or Anomali. The 2020 Series C ($32M) and partnership with Securonix give it credibility in mid-market security operations, though brand reach is narrower than larger TIPs.
Mid-market CTI teams (1-5 analysts) wanting a lean, customizable TIP focused on threat library curation rather than maximum feature stack.
Buyers wanting deepest proprietary research (Recorded Future or Mandiant win), broadest integration ecosystem, or modern UX.
Strengths
- Lean TIP with strong customization surface
- Threat library scoring and prioritization
- ThreatQ Investigations for analyst workflow
- Securonix integration partnership
- Reasonable pricing relative to Recorded Future
- Strong API and automation hooks
Weaknesses
- Brand reach narrower than larger TIPs
- Less proprietary intel than Recorded Future or Mandiant
- Smaller integration ecosystem
- UI dated relative to next-gen tools
- Multi-year contracts standard
Pricing tiers
opaque- ThreatQ StandardIndustry estimate $35K-$90K annuallyQuote
- ThreatQ + InvestigationsIndustry estimate $90K-$220K annuallyQuote
- ยท Premium feed costs separate
- ยท Investigations module priced separately
- ยท Multi-year contracts standard
Key features
- +ThreatQ TIP
- +Threat library scoring and prioritization
- +ThreatQ Investigations
- +Custom enrichment and automation
- +STIX/TAXII import and export
- +ISAC integrations
- +Securonix integration
- +Open-source feed ingestion
- +API and SDK
- +Analyst workflow customization
Silobreaker
OSINT-heavy intelligence platform with geopolitical depth.
Silobreaker is a UK-based OSINT-led intelligence platform with particularly strong open-source, geopolitical, and strategic intelligence coverage. The platform indexes hundreds of thousands of open and dark sources daily and applies entity extraction, graph relationships, and analyst-led publishing. Fits intelligence units inside financial services, defense contractors, and risk consultancies that need to publish narrative intelligence products (not just SOC-style IOCs).
Strategic intelligence units, geopolitical risk teams, financial services research, and defense contractors needing OSINT-heavy intelligence with narrative publishing.
SOC-focused IOC enrichment (Recorded Future or Anomali win), dark-web depth (Flashpoint wins), or organizations needing tight SIEM/SOAR integration.
Strengths
- Strong OSINT and geopolitical intel coverage
- Entity extraction and graph relationships across sources
- Analyst publishing workflow for narrative intel products
- UK and EU data residency native
- Mature media monitoring posture
- Reasonable mid-market pricing
Weaknesses
- Less SOC-focused than Recorded Future or Anomali
- Smaller integration ecosystem with SIEM/SOAR
- Brand reach smaller in North America
- IOC enrichment less mature than commercial TIPs
- Customer success quality variable
Pricing tiers
partial- Silobreaker StandardIndustry estimate $40K-$110K annuallyQuote
- Silobreaker EnterpriseIndustry estimate $110K-$300K annuallyQuote
- ยท Premium source modules priced separately
- ยท Multi-year contracts standard
Key features
- +OSINT and open-source intelligence
- +Entity extraction and graph relationships
- +Geopolitical and strategic intel coverage
- +Analyst publishing workflow
- +Media monitoring at scale
- +Threat actor tracking
- +Custom intelligence requirements (CIRs)
- +API and STIX/TAXII export
- +UK and EU data residency
- +Multi-language source coverage
Frequently asked questions
The questions buyers actually ask before they sign.
How do Canadian threat intel platforms integrate with CCCS feeds?
Which threat intel platforms support CCCS PROTECTED B handling?
Should Quebec-based teams require French-language intel coverage?
Do Canadian cyber insurers require threat intelligence programs?
What is the difference between a threat intelligence platform (TIP) and a threat intel feed?
How is ISAC intelligence different from a commercial TIP?
Who owns OT and ICS threat intelligence?
How should I evaluate dark-web monitoring vendors?
What does the Mastercard acquisition of Recorded Future mean for customers?
How seriously should attribution claims be taken?
What false-positive rates should I expect on commercial intel feeds?
How much should I budget for threat intelligence?
Can threat intelligence replace EDR or SIEM?
How do I evaluate a TIP free trial or proof of value?
Final word
Looking at a different market? See the global Threat Intelligence Software ranking, or pick another country at the top of this page.
Last updated 2026-05-27. Local pricing reverified quarterly. Found something inaccurate? Tell us.