Acquisitions, AI and Emerging Threats Define Strategy for Recorded Future, Google
Threat intelligence capabilities have increasingly become concentrated in the hands of technology goliaths or financial services behemoths through multibillion-dollar acquisitions.
The two largest threat intelligence players have each been scooped up in 10-figure deals, with Google leveraging VirusTotal, its vast data infrastructure, and its $5.4 billion purchase of Mandiant in September 2022 to enhance threat detection and response. And Mastercard last month closed its $2.65 billion buy of Recorded Future to strengthen its expertise in fraud detection within financial ecosystems.
“The nature of the market is such now that no longer is it primarily driven by startups or standalone players,” Gartner Senior Director and Analyst Ruggero Contu told Information Security Media Group. “You have the presence of many larger, established vendors that are effectively integrating, ingesting threat intelligence but also offering some premium services competing with those standalone players.”
The three largest vendors in the $1.9 billion threat intelligence space are each part of broader platforms, with Recorded Future, Google and CrowdStrike hitting market share of 14%, 13% and 6%, respectively, IDC found. All three grew faster than the market as a whole in 2023, with Google – due to the Mandiant deal – CrowdStrike and Recorded Future recording intel growth of 245%, 197% and 29%, respectively (see: CrowdStrike, Google, Recorded Future Lead Threat Intel Wave).
“Despite the size of a company like Recorded Future, CrowdStrike or Google, when I talk to end users, if they have multiple threat intelligence services, there may be only like a 10% to 15% overlap of the things these companies will see,” said IDC Security and Trust Research Vice President Chris Kissel. “For all these companies that claim to see the internet in a very specific way, they all tend to see something a little bit different.”
How Will Recorded Future Fare After Mastercard’s $2.65B Buy?
Although these deals highlight the strategic importance of threat intelligence, they also raise questions about focus and neutrality, with Kissel saying Recorded Future’s broader threat intelligence capabilities may become secondary to Mastercard’s core business objectives in areas such as threat detection. Standalone products continue to focus on specialized needs in areas such as insider threats and geopolitical intelligence.
“Recorded Future is a balanced field. They’re strong across the board. We don’t anticipate that changing,” Kissel told ISMG. “We just think eventually, they may be tailoring their platform more for use cases like fraud detection.”
Recorded Future will operate as an independent entity under Mastercard, which Vice President of Product Jamie Zajac said will support the company’s existing growth strategy while aligning fraud intelligence with broader security objectives. She said Recorded Future remains committed to serving organizations outside the financial services industry (see: How Mastercard Benefits From the $2.65B Recorded Future Deal).
“We are not changing our product to only focus on financial services in any way, shape or form,” Zajac told ISMG. “Having all of these different types of intelligence – whether it’s what vulnerabilities to prioritize, identifying your attack surface or understanding the more complex geopolitical landscape – really can help. We believe they’re all still equally important to serve the market at large.”
Combining Recorded Future’s insights from the dark web with Mastercard’s fraudulent transaction data will create a much stronger product to help fight fraud proactively, Zajac said. Organizations attempting to determine what’s actually fraudulent can get a little more predictive by bringing different sources of intelligence together, which Zajac said will provide greater confidence that the data is truly actionable.
“Mastercard saw the opportunity with Recorded Future, that it was a fast-growing market, unique product,” Zajac said. “And the fact that Recorded Future has an unbiased intelligence perspective, that we collect from many different sources, many different areas globally. And bringing that together gives us a unique view on the market in terms of leveraging additional data sets and things like that.”
Benefits of Threat Intelligence Platforms, Standalone Tools
Google, meanwhile, has successfully combined Mandiant’s frontline intelligence with VirusTotal’s extensive malware database, creating an all-encompassing platform where intelligence flows seamlessly across the company’s ecosystem, said Vice President of Threat Intelligence Sandra Joyce. The company also integrates AI for summarization via Gemini, enabling analysts to process and act on data faster.
“If you want to do more than just look at specific inputs like malware or IOCs and if you want to learn about a threat actor, you have that capability as well,” Joyce told ISMG. “You can pivot in the system between your IOC, your threat actor and any relevant open-source reporting that you would like to see. You can filter, if you want to look at just one industry. So it really is this incredible capability.”
Integrated providers such as Google and CrowdStrike focus on embedding threat intelligence into broader ecosystems to ensure seamless workflows and reduce operational complexity for customers, but these platforms risk vendor lock-in and perceptions of bias. Organizations appreciate the efficiency of integrated systems for rapid operationalization, according to industry analysts (see: Scaling Threat Intel, Consulting: Mandiant’s Way With Google).
“There are not a lot of vendors who have intelligence professionals that can augment your security team, that can be assigned to you, that can sit in your spaces, that can even provide that extra white-glove touch,” Joyce said. “We have multiple paths to entry. It really depends on what the customer needs.”
Consolidation in the threat intelligence space might deprioritize capabilities outside of the acquiring company’s immediate interest, said Flashpoint Co-Founder and CEO Josh Lefkowitz. He said standalone providers can offer more specialized and unbiased threat intelligence that caters to diverse domains from physical security to cybercrime monitoring. Flashpoint has a 5% share and grew by 22.8% in 2023.
“We feel strongly that having an exclusive and dedicated focus to live and breathe threat intelligence as the only thing that the company is focused on as its North Star is a requirement,” Lefkowitz told ISMG. “It’s a competitive differentiator. And if I were in the seat as a buyer, I wouldn’t trust those high stakes and those crown jewels to somebody that does this as a part-time focus of their company.”
Lefkowitz sees Flashpoint as a critical player that has thrived by focusing on specialized intelligence needs, such as fraud detection and insider threats, and said the company has maintained relevance despite consolidation among larger vendors. Lefkowitz advocates for the depth and specialization of standalone platforms, arguing that mission-critical intelligence requires dedicated focus.
“Threat intelligence, at its core, is mission-critical,” Lefkowitz said. “Flashpoint is helping to protect billions and billions of dollars of assets, as well as critical people in critical locations. In the threat landscape that we all see unfolding in 2025, I see more and more organizations that are not willing to take a risk around a check-the-box solution and want to go all in with the best-in-class solution.”
What Large Enterprises, SMBs Want From Threat Intel Vendors
Large enterprises require tailored threat intelligence solutions with advanced analytics, integrations with existing SIEM and SOAR workflows, advanced forensic and attribution capabilities, and deep insights into geopolitical threats, Contu said. These firms often require bespoke solutions to support compliance requirements, manage their complex threat landscape and protect their global operations, Contu said.
“The more sophisticated, mature security practices tend to go on a best-of-breed approach, particularly when it comes to threat intelligence,” Contu said. “They may appreciate some degree of specialization on deep and dark web monitoring, or geophysical monitoring, or attribution. Enterprises with well-established and resourced security practices are likely to be driving interest into specialized vendors.”
Conversely, SMBs prioritize turnkey solutions that protect against common threats such as ransomware without requiring complex integration or extensive internal resources. Vendors including CrowdStrike address this by embedding threat intelligence into EDR technology and bundling threat intelligence, hunting and remediation in an accessible package, according to Senior Vice President of Counter Adversary Operations Adam Meyers (see: Are Pure-Play Threat Intel Vendors a Vanishing Breed?).
“If you’re a small, mid-sized HVAC company in the Midwest, then you’re probably not going to be a high-profile target for China, Russia or Iran, but you do have this big concern around ransomware,” Meyers told ISMG. “You do have this big concern around data extortion. That’s where you start to see that they just want to buy a turnkey solution that lets them set it and forget it.”
Operationalizing threat intelligence remains a key challenge for organizations as customers struggle with data overload, identifying relevant insights and integrating intelligence into existing workflows. Vendors are addressing these issues through automation, personalized onboarding and tailored dashboards, with CrowdStrike pre-configuring dashboards based on a customer’s industry and geographic profile.
“The issue in the past was being able to query it and minimize false positives to make it reliable and then being able to have an infrastructure in place so that intelligence could be integrated into different security controls or leveraged by security analysts without being bombarded by too much information and difficult to decide what’s more relevant than not,” Contu said.
How Generative AI Is Reshaping Threat Intelligence Products
Organizations are grappling with the rise of targeted attacks by nation-state and cybercriminal groups. The migration of threats across industries – enabled by shared techniques and tools – demands flexible and adaptive intelligence platforms. Kissel said vendors are increasingly focused on delivering tools such as attack surface management, fraud detection and digital risk protection to counter these challenges.
“Businesses build a perimeter around their intellectual property with defense in depth and perimeter tools,” Kissel said. “But threat intelligence tells you how high that fence should be because they really know what the incoming threats are. Threat intelligence traditionally has been adversarial tactics, and it’s come to include digital risk protection. It’s come to include IP and DNS address charting.”
Vendors increasingly employ AI to automate tasks such as malware analysis, data synthesis and threat triage, enabling faster detection and response to threats with fewer resources. AI is also enabling predictive modeling, proactive mitigation and tailored recommendations to address the challenge of processing and analyzing vast amounts of threat intelligence, Joyce said.
“AI is going to fundamentally shift the way we think about how threat intelligence is consumed, collected and used,” Joyce said. “We’re doing some very exciting R&D and using it in our day-to-day practice. Now, we have AI helping us to reverse malware. We have AI helping our productivity. We are doing a lot more of our initial research and synthesizing of data with AI, a lot of our triaging of threats.”
Meyers, meanwhile, said CrowdStrike employs generative AI to allow customers to query more than 14 years of intelligence for relevant insights, making the vast database more accessible and usable. The company has also embedded AI into its Falcon Adversary OverWatch threat-hunting product to reduce manual workloads for customers and enable faster and more accurate decision-making, Meyers said (see: CrowdStrike’s Michael Sentonas on Identity, Cloud and XDR).
“Having that stuff feeding into an LLM so that you can ask questions of that intel, rather than having to read it all, becomes a huge time saver and really lowers the barrier to entry and the technical capability that a consumer needs to have,” Meyers said. “You could ask very specific questions of the entire corpus of 14 years of finished intelligence products, and that is a game changer.”