Category Report: Threat Intelligence

Why It Matters

Threat intelligence helps organizations proactively identify, assess, and mitigate risks by providing insights into cyber adversaries' tactics, techniques, and procedures.

Problem Statement

• The digital landscape continuously changes, and cyber threats are becoming increasingly sophisticated.

• Security teams struggle to make informed decisions regarding threat mitigation due to a lack of accurate and actionable insights.

• The absence of prioritized and contextual threat data leads to inefficient and less effective security incident responses.

Market Solution

Enter the Threat Intelligence product market space.

• Threat intelligence solutions aim to provide organizations with contextualized, actionable, and timely information about cyber threats.

• These solutions help security teams to identify, assess, and respond to threats more effectively.

• Threat intelligence platforms aggregate and analyze data from multiple sources, allowing organizations to understand the threat landscape more comprehensively.

Terms You Might Hear

• Cyber Threat Intelligence (CTI)

• Indicator of Compromise (IoC)

• Threat Actor

• Threat Landscape

• Threat Vector

• TTP (Tactics, Techniques, and Procedures)

Other Related Terms

• Automated Indicator Sharing (AIS)

• Cyber Kill Chain

• Intelligence Cycle

• Intelligence-Driven Security

• Open Source Intelligence (OSINT)

• Security Operations Center (SOC)

• Structured Threat Information eXpression (STIX)

• Trusted Automated eXchange of Indicator Information (TAXII)

• Threat Feeds

• Threat Hunting (sometimes called “Thrunting” 😂 )

• Threat Intelligence Platform (TIP)

Related Product Categories

• Endpoint Detection and Response (EDR)

• Extended Detection and Response (XDR)

• Extended Information and Event Management (XIEM)

• Security Information and Event Management (SIEM)

• Extended Orchestration, Automation, and Response (XOAR)

• Security Orchestration, Automation, and Response (SOAR)

• Network Traffic Analysis (NTA)

• User and Entity Behavior Analytics (UEBA)

Types of Threat Intelligence

• Strategic Threat Intelligence - High-level insights on the global threat landscape, trends, and emerging threats.

• Tactical Threat Intelligence - Specific information about tactics, techniques, and procedures (TTPs) threat actors use.

• Operational Threat Intelligence - Detailed information on specific threats, threat actors, and their capabilities.

• Technical Threat Intelligence - Indicators of compromise (IoCs), vulnerabilities, dark web monitoring alerts, and other data, including IPs, domains, file hashes, and other data artifacts.

Sidebar: If you want to stay up-to-date on the evolving world of Detection Engineering, I highly recommend you check out the Detection Engineering Weekly newsletter from Zack Allen:

Threat Intelligence Ecosystem

The Threat Intelligence Ecosystem can be divided into several sub-categories:

1. Open-Source Intelligence (OSINT) - Information gathered from publicly available sources.

2. Closed-Source Intelligence - Intelligence collected from private or proprietary sources, often requiring a subscription or special access.

3. Indicators of Compromise (IoCs) - Data points that suggest a potential security breach.

4. Threat Hunting - The practice of proactively searching for threats within a network.

5. Industry-specific Threat Intelligence - Tailored threat intelligence for specific industries, like financial services and critical infrastructure (FS-ISAC, ICS-CERT, etc.).

Market Analysis and Competitive Landscape

A challenge with identifying the competitive landscape in Threat Intelligence is that the category can take many shapes, including:

• A standalone product, or

• A feature of another product, or

• A service

Examples:

• See any EDR, XDR, SIEM, or next-gen SIEM (XIEM) platform

• See any threat detection and response (TDR) platform

• See the platform heavyweights like Palo Alto, who cover the endpoint to the cloud and everything in between

• See any MSSP

Players

A few of the players in this space include:

• CrowdSec

• Intel 471

• Lumu

• Recorded Future

• SpyCloud

• Vectra

• ZeroFox

This isn’t an exhaustive list, and it’s just meant to cover Threat Intelligence players only. It’s worth noting that there are a ton of other players who also provide threat intel in addition to their core platforms.

Notable Funding Events

Here are a few higher-profile funding events that I consider to be in the Threat Intelligence category

• 2019 - Vectra raised a $100.0M Series E from TCV

• 2020 - ZeroFox raised a $74.0M Series D from Intel Capital

• 2021 - Vectra raised a $130.0M Series F from Accel

• 2022 - Deep Instinct raised a $62.0M Venture Round from BlackRock and Chrysalis

• 2023 - SpyCloud raised a $110.0M Series D from Riverwood Capital

In the past 12 months, at the time of writing this post, there has been $341.4M raised across 22 companies in the Threat Intelligence category.

Notable Acquisitions

• 2022 - Digital Shadows was acquired by ReliaQuest for $160.0M

• 2022 - Mandiant was acquired by Google for $5.4B (some categorize Mandiant as a threat intelligence company, so including it here)

• 2023 - Dragonfly was acquired by FiscalNote for $32.8M.

• Plus, numerous other acquisitions where financial details were not disclosed or where a company might be in the threat intelligence space indirectly

ROI and Cost-Benefit Analysis:

Organizations should carefully weigh the cost-benefit of investing in threat intelligence solutions. Some factors to consider include:

1. Time savings: By automating the collection and analysis of threat data, threat intelligence platforms can save security teams considerable time, allowing them to focus on proactive defense measures and incident response.

2. Improved incident response: Threat intelligence can enhance incident response by providing context and prioritization, enabling security teams to respond more effectively and efficiently.

3. Risk reduction: By providing insights into emerging threats and vulnerabilities, threat intelligence can help organizations proactively address risks, potentially preventing costly breaches and downtime.

Predictions

• Threat Intelligence as we know it will ultimately change with generative AI systems. The days of only humans analyzing data will soon be gone, and AI systems will have to summarize and contextualize data to a human counterpart. More practitioners are moving to use ChatGPT or LLMs to support incident response and threat intelligence efforts. AI as a feature (as opposed to a separate product) will go more mainstream as it is built directly into security products to create better workflows.

• The Operational Technology (OT) and Industrial Controls Systems (ICS) space is ripe for threat intelligence consolidation but will require much more government involvement and component standardization to be helpful. Too much in this world comes built insecurely from the assembly line.

• Threat Intelligence as a standalone product category will cease to exist. It's not enough anymore in today's world to give me data bespoke from the detection and response systems. If for no other reasons than time and cost savings.

Opportunities

• Security has a data engineering problem. This is very apparent in the Threat Intelligence space, with overwhelming data volume. Large and small organizations need an easier way to filter through vast amounts of data to find actionable insights quicker without being data engineers. Threat Intelligence is on a collision course with the SIEM, which is on a collision course with Data Lakes, data engineering, and the like.

• Pivoting. If you are a threat intelligence business today, shifting to a different type of business could be your next best move. GreyNoise is already making the change:

• Threat Intelligence data is too narrow. This is one that GenAI can actually help with. With the rise of LLMs being widely accessible, unstructured data, social media content, and other signals can now be more easily used to create a more robust threat intelligence picture. Solving this could breathe new life into your Threat intelligence program.

• Detection Intelligence > Threat Intelligence. Threat Intelligence without detection is useless, and most organizations don’t have the time, money, or talent to craft a robust detection engineering program from their threat intelligence data. Evolving this discipline into a service model that provides ready-made detections into [insert your SIEM or data lake platform here] could elevate more security teams. Panther and Anvilogic, while not direct threat intelligence players, are getting ahead of this changing game and doing something like this.

Counterpoints

As with any technology investment, your mileage may vary. How, when, and with what support a company deploys technology can have vastly different outcomes on the quality and success of the goals it is supposed to support.

1. High Costs: Threat intelligence solutions can be expensive, particularly for small and medium-sized businesses (SMBs) with limited budgets. The costs of acquiring, maintaining, and staffing a threat intelligence platform may outweigh the benefits for organizations with limited resources.

2. Limited Relevance: Not all threat intelligence data is relevant to every organization. Many threats are industry-specific or target-specific types of infrastructure. Smaller organizations may find that the majority of intelligence they receive does not apply to their specific environment, making it challenging to prioritize and act on the information.

3. False Positives: Threat intelligence platforms can sometimes produce false positives, leading organizations to spend time and resources investigating and mitigating threats that do not exist. This can be particularly problematic for smaller organizations with limited resources, as it may divert attention from genuine threats.

4. Overreliance on External Data: Threat intelligence focuses primarily on external sources of information, potentially causing organizations to overlook internal threats and vulnerabilities. Solely relying on threat intelligence may lead to a false sense of security and neglect of internal security measures, such as employee training and network hardening.

Thanks for reading this far! This post is not meant to be an endorsement for any player or company in this product category but is instead intended to be an industry-level primer. If I missed something (or am just wrong), let me know!

At the time of writing this post, I have no active investments in any of the companies mentioned above.

If your company is looking to get more of a highlight, consider sponsoring the Security, Funded newsletter.