01 / THREAT INTELLIGENCE REFERENCE
CTI, re-wired for 2026.
Where AI agents actually help threat intel analysts, where they do not, and what the full stack looks like in April 2026 - incumbents, startups, and the open-source alternative.
02 / WHAT IS IN THIS REFERENCE
Comparisons
Recorded Future, Mandiant, and CrowdStrike with verified April 2026 pricing and honest verdicts.
Workflow
IoC enrichment, SIEM correlation, dark-web monitoring, and phishing-infra tracking with LLM integration patterns.
Buildout
The four agentic SOC layers, a vendor capability matrix, and a reference architecture for teams at every budget.
Open Source
MISP, OpenCTI, TheHive, YARA, Sigma, and an LLM orchestrator as a complete zero-cost CTI stack.
03 / THE 2026 THREAT-INTEL VENDOR LANDSCAPE
10 incumbents, one table
Columns: Platform / Agentic features as shipped in April 2026 / Pricing shape / Data depth / Best fit. No vendor input.
| Vendor | Platform | Agentic features | Pricing | Data depth | Best fit |
|---|---|---|---|---|---|
| Recorded Future | Intelligence Cloud (Core / Professional / Elite) | Pathfinder AI assistant, report synthesis, actor-profile drafting | $50k-$400k+/yr (Vendr, Apr 2026) | Broadest commercial feed coverage | Always-on feed ops, SIEM integration |
| Google / Mandiant | Mandiant Advantage + Gemini in Threat Intelligence | Gemini NL query, APT report summarisation, Docs-style actor profiling | Custom only, ~$40k-$200k+/yr (Vendr) | DFIR research depth, M-Trends annual report | DFIR-heavy workflows, Google Cloud shops |
| CrowdStrike | Falcon Adversary Intelligence Premium + Charlotte AI | Charlotte AI NL queries, triage summarisation, IBM ATOM integration | Enterprise $184.99/device/yr; Premium custom | Endpoint-integrated telemetry, adversary attribution | Falcon-centric shops, endpoint-first posture |
| Microsoft | Defender Threat Intelligence + Security Copilot | Security Copilot multi-agent orchestration, agentic SOC manifesto (Apr 2026) | Bundled in E5; Security Copilot $4/SCU/hr | Broad Microsoft telemetry, MDTI graph | Microsoft-centric shops with E5 licensing |
| Anomali | ThreatStream + Anomali Lens | Lens browser extension for contextual enrichment | Custom enterprise (~$50k-$200k/yr) | STIX-native platform, strong ISAC integrations | ISAC-participating orgs, STIX-heavy workflows |
| ThreatConnect | ThreatConnect Platform + Polarity | Polarity overlay, NL querying on TI graph | Custom enterprise mid-market | SOAR-heavy integration, mid-market sweet spot | Mid-market with existing SOAR investment |
| EclecticIQ | EclecticIQ Intelligence Center | Agentic workflow connectors (2026 roadmap) | Custom enterprise | European regulated-sector strength, STIX-native | European buyers, regulated industries |
| Intel 471 | TITAN + Research | AI-assisted forum translation, actor correlation | $80k-$300k+/yr premium | Criminal-underground forum depth | Dark-web threat actor tracking |
| Flashpoint | Flashpoint Ignite | NL search, AI-assisted actor attribution | $80k-$250k+/yr | Physical security + underground coverage | Broad underground + physical threat coverage |
| Palo Alto / Unit 42 | Unit 42 Intelligence + Cortex XSIAM | XSIAM agentic triage, Unit 42 research feed | Custom enterprise (XSIAM typically $200k+) | Unit 42 IR research, endpoint-SIEM convergence | Cortex XSIAM shops, large enterprise |
Sources: Vendr (Apr 2026), Gartner Peer Insights, AWS Marketplace, manufacturer pricing pages. Last verified April 2026.
04 / AI IN CTI: WHAT WORKS, WHAT IS MARKETING
The honest grid
Works in production
- LLM-driven IoC enrichment with human review on attribution
- LLM-generated Sigma detection rule drafts (human refines, CI validates)
- LLM summarisation of 200+ page threat reports to analyst briefs
- Phishing-infrastructure pivoting via automated OSS toolkit orchestration
- Cross-feed IoC deduplication and confidence reconciliation
- STIX-to-natural-language translation for briefing non-technical stakeholders
- Alert grouping and incident formation from SIEM noise
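Cross-feed deduplication and confidence reconciliation is the least glamorous item in the list above and the one most teams get wrong, because feeds disagree on defanging, case and confidence scales before any reasoning starts. The following is an added example, not code from the page or from MISP, OpenCTI or any vendor: the three feed records, the per-feed trust weights and the word-to-number confidence mapping are constructed, and the weighted noisy-OR combination rule is a design choice made here rather than something the page prescribes.

```python
"""Cross-feed IoC normalization, deduplication and confidence reconciliation.

Added example, not code from the page or from MISP/OpenCTI/any vendor.
Feed records, trust weights and the word-to-number confidence mapping are
constructed; the noisy-OR combination rule is a design choice made here.
"""
import re
from collections import defaultdict

# Constructed sample: three feeds reporting overlapping indicators in
# different shapes (defanged, mixed case, different confidence scales).
SAMPLE_FEED_RECORDS = [
    {"feed": "feed_a", "type": "domain", "value": "Evil-Example[.]com",
     "confidence": 80, "scale": "0-100"},
    {"feed": "feed_b", "type": "domain", "value": "evil-example.com",
     "confidence": "medium", "scale": "low-medium-high"},
    {"feed": "feed_c", "type": "ipv4", "value": "203[.]0[.]113[.]45",
     "confidence": 90, "scale": "0-100"},
    {"feed": "feed_a", "type": "ipv4", "value": "203.0.113.45",
     "confidence": 60, "scale": "0-100"},
    {"feed": "feed_b", "type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E",
     "confidence": "high", "scale": "low-medium-high"},
]

# Constructed trust weights: how much one feed's score counts on its own.
FEED_WEIGHT = {"feed_a": 1.0, "feed_b": 0.8, "feed_c": 0.6}
WORD_SCALE = {"low": 30, "medium": 60, "high": 90}
# URLs are deliberately excluded: their paths are case-sensitive.
CASE_INSENSITIVE_TYPES = {"domain", "md5", "sha1", "sha256"}


def refang(value):
    """Undo common defanging so the same indicator compares equal across feeds."""
    v = value.strip()
    for defanged in ("[.]", "(.)", "{.}", "[dot]"):
        v = v.replace(defanged, ".")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def normalize(record):
    """Canonical (type, value) key used for deduplication."""
    value = refang(record["value"])
    if record["type"] in CASE_INSENSITIVE_TYPES:
        value = value.lower()
    return record["type"], value


def to_score(confidence, scale):
    """Map a feed's native confidence onto a 0-100 scale."""
    if scale == "0-100":
        return float(confidence)
    if scale == "low-medium-high":
        return float(WORD_SCALE[str(confidence).lower()])
    raise ValueError(f"unknown confidence scale: {scale}")


def reconcile(records):
    """Deduplicate across feeds and combine confidence with a weighted noisy-OR.

    Each feed is independent evidence: combined = 1 - prod(1 - w_i * s_i / 100).
    Two feeds at 80 and 60 end above either alone, while a single low-trust
    feed cannot push an indicator to high confidence by itself."""
    evidence = defaultdict(list)
    for rec in records:
        evidence[normalize(rec)].append((rec["feed"], to_score(rec["confidence"], rec["scale"])))
    merged = {}
    for key, items in evidence.items():
        disbelief = 1.0
        for feed, score in items:
            disbelief *= 1.0 - FEED_WEIGHT[feed] * score / 100.0
        sources = sorted({feed for feed, _ in items})
        merged[key] = {
            "score": round(100 * (1.0 - disbelief)),
            "sources": sources,
            "corroborated": len(sources) >= 2,
        }
    return merged


if __name__ == "__main__":
    for (ioc_type, value), info in reconcile(SAMPLE_FEED_RECORDS).items():
        print(f"{ioc_type:7} {value:40} score={info['score']:3} sources={info['sources']}")
```

The `corroborated` flag is what a downstream triage agent should key on: a single-source indicator with a high score is still a single source, and the noisy-OR keeps that distinction visible instead of flattening everything into one number.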
Still marketing in April 2026
- Fully autonomous incident response without human-in-the-loop on high-impact actions
- Hallucination-free YARA rule generation - requires human review before deploy
- Dark-web monitoring AI that claims more than keyword search and forum scraping
- Agentic SOC that handles the full kill chain without supervised approval gates
- LLM attribution of threat actors without cited sourcing (confident but wrong)
- Zero-false-positive alert triage - does not exist in production at scale
- AI-generated DFIR reports that replace an IR analyst
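Both grids turn on the same point for detection content: LLM-drafted Sigma and YARA rules are useful only when a CI step catches the mechanical failures before a human spends time refining the draft. The following is an added example, not code from the page or from the Sigma project, of such a gate for Sigma drafts. The two drafts are constructed, and the rule dicts stand in for the YAML a real pipeline would load with a YAML parser first (that loading step is not shown).

```python
"""CI gate for LLM-drafted Sigma rules.

Added example, not code from the page or from the Sigma project. It checks
what a CI job can verify mechanically before a human refines the draft;
the two drafts below are constructed, and the rule dicts stand in for the
YAML a real pipeline would load with a YAML parser first (not shown here).
"""
import fnmatch
import re

REQUIRED_TOP_LEVEL = ("title", "logsource", "detection")
ALLOWED_LEVELS = {"informational", "low", "medium", "high", "critical"}
CONDITION_KEYWORDS = {"and", "or", "not", "of", "them", "all", "any"}
# attack.t1059.001, attack.g0016, attack.s0154, or a tactic such as attack.execution
ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(\.\d{3})?|g\d{4}|s\d{4}|[a-z_]+)$")


def referenced_selections(condition):
    """Selection names a condition refers to; '1 of sel_*' keeps 'sel_*' as a glob."""
    return [tok for tok in re.split(r"[\s()]+", condition)
            if tok and tok.lower() not in CONDITION_KEYWORDS and not tok.isdigit()]


def flatten_values(body):
    """All literal values inside a selection (dict, list of dicts, or list of strings)."""
    if isinstance(body, dict):
        return [v for value in body.values() for v in (value if isinstance(value, list) else [value])]
    if isinstance(body, list):
        return [v for item in body for v in flatten_values(item)]
    return [body]


def validate_sigma_draft(rule):
    """Return a list of error strings; an empty list means the draft passes the gate."""
    errors = [f"missing required field '{key}'" for key in REQUIRED_TOP_LEVEL if key not in rule]
    logsource = rule.get("logsource") or {}
    if not any(logsource.get(k) for k in ("product", "category", "service")):
        errors.append("logsource needs at least one of product/category/service")
    detection = rule.get("detection")
    if not isinstance(detection, dict) or "condition" not in detection:
        errors.append("detection block must contain a condition")
        return errors
    defined = {name for name in detection if name != "condition"}
    for name in referenced_selections(detection["condition"]):
        if "*" in name:
            if not fnmatch.filter(defined, name):
                errors.append(f"condition pattern '{name}' matches no selection")
        elif name not in defined:
            errors.append(f"condition references undefined selection '{name}'")
    for name in defined:
        values = flatten_values(detection[name])
        if not values:
            errors.append(f"selection '{name}' is empty")
        # A selection whose values are all bare wildcards matches every event:
        # a draft that "detects" everything is a classic hallucinated rule.
        elif all(str(v).strip("*") == "" for v in values):
            errors.append(f"selection '{name}' would match every event")
    if rule.get("level") not in ALLOWED_LEVELS:
        errors.append(f"level '{rule.get('level')}' is not a Sigma level")
    for tag in rule.get("tags", []):
        if tag.startswith("attack.") and not ATTACK_TAG.match(tag):
            errors.append(f"tag '{tag}' is not a well-formed ATT&CK tag")
    return errors


# Constructed draft that should pass; the filter's parent-image name is made up.
GOOD_DRAFT = {
    "title": "Suspicious PowerShell Encoded Command",
    "status": "experimental",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_img": {"Image|endswith": "\\powershell.exe"},
        "selection_cli": {"CommandLine|contains": ["-enc ", "-EncodedCommand "]},
        "filter_known": {"ParentImage|endswith": "\\approved_admin_tool.exe"},
        "condition": "all of selection_* and not filter_known",
    },
    "level": "medium",
    "tags": ["attack.execution", "attack.t1059.001"],
}

# Constructed draft with typical hallucinations: undefined selection, a
# match-everything wildcard, an invented severity, and a malformed technique id.
BAD_DRAFT = {
    "title": "Any Process Activity",
    "logsource": {"product": "windows"},
    "detection": {"selection": {"Image": "*"}, "condition": "selection and not filter"},
    "level": "severe",
    "tags": ["attack.t10", "attack.execution"],
}

if __name__ == "__main__":
    for name, draft in (("good", GOOD_DRAFT), ("bad", BAD_DRAFT)):
        print(name, validate_sigma_draft(draft) or "OK")
```

Structural checks like these are the cheap half of "CI validates"; the expensive half is running the rule against a known-benign log sample to measure its hit rate, which is what separates a draft that parses from a draft that is deployable.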
05 / THE EMERGING AGENTIC SOC PATTERN
Four layers. Honest scope.
The agentic SOC has a specific architecture that most vendor marketing blurs. There are four distinct agent layers, each with different autonomy levels and human-in-the-loop requirements.
Triage agents
First-pass alert filtering. False-positive reduction. Incident grouping from SIEM noise. Fully autonomous; humans confirm escalations.
Enrichment agents
Add IoC context, MITRE ATT&CK mapping, actor attribution. Autonomous on enrichment; human approves attribution above Medium confidence.
Hunting agents
Hypothesis generation from threat-intel feeds. Proactive SIEM searches. Human-led with agent-assisted search execution.
Response agents
SOAR playbook execution. IoC blocking, endpoint isolation. Human-in-the-loop on high-impact actions; autonomous on reversible low-impact.
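The layer definitions above are only useful if something enforces them. The following is an added example, not code from the page or from any vendor's product, of an approval gate that applies the page's scoping to each proposed agent action: triage autonomous with human-confirmed escalation, enrichment autonomous except attribution above Medium confidence, hunting human-led with agent-run searches, and response gated on impact and reversibility. The action names, the `ProposedAction` fields and the sample batch are assumptions constructed for the demo.

```python
"""Approval gating for the four agentic SOC layers.

Added example, not code from the page or from any vendor's product. The
layer scoping follows the page; the action vocabulary, the ProposedAction
fields and SAMPLE_ACTIONS are assumptions constructed for this demo.
"""
from dataclasses import dataclass
from enum import IntEnum


class Confidence(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class ProposedAction:
    layer: str                 # triage | enrichment | hunting | response
    kind: str                  # action vocabulary is an assumption of this demo
    confidence: Confidence = Confidence.MEDIUM
    impact: str = "low"        # low | high
    reversible: bool = True


def decide(action):
    """Return ("auto", reason) or ("approve", reason) for one proposed action."""
    if action.layer == "triage":
        if action.kind == "escalate_incident":
            return "approve", "humans confirm escalations"
        return "auto", "first-pass filtering and grouping run without a human"
    if action.layer == "enrichment":
        if action.kind == "attribute_actor" and action.confidence > Confidence.MEDIUM:
            return "approve", "attribution above Medium confidence needs analyst sign-off"
        return "auto", "context, ATT&CK mapping and tentative attribution are autonomous"
    if action.layer == "hunting":
        if action.kind == "run_siem_search":
            return "auto", "agent executes the search for a human-led hunt"
        return "approve", "hypotheses and hunt scoping stay human-led"
    if action.layer == "response":
        if action.impact == "high" or not action.reversible:
            return "approve", "high-impact or irreversible response needs human approval"
        return "auto", "reversible low-impact response runs autonomously"
    raise ValueError(f"unknown agent layer: {action.layer}")


def route(actions):
    """Split a batch into actions that run now and actions queued for a human.

    Every decision is recorded with its reason so the gate is auditable."""
    executed, pending, audit = [], [], []
    for action in actions:
        verdict, reason = decide(action)
        (executed if verdict == "auto" else pending).append(action)
        audit.append((action.layer, action.kind, verdict, reason))
    return executed, pending, audit


# Constructed sample batch, one or two actions per layer.
SAMPLE_ACTIONS = [
    ProposedAction("triage", "group_alerts"),
    ProposedAction("triage", "escalate_incident"),
    ProposedAction("enrichment", "map_attack_technique"),
    ProposedAction("enrichment", "attribute_actor", confidence=Confidence.MEDIUM),
    ProposedAction("enrichment", "attribute_actor", confidence=Confidence.HIGH),
    ProposedAction("hunting", "generate_hypothesis"),
    ProposedAction("hunting", "run_siem_search"),
    ProposedAction("response", "block_ioc_at_proxy", impact="low", reversible=True),
    ProposedAction("response", "isolate_endpoint", impact="high", reversible=True),
]

if __name__ == "__main__":
    executed, pending, audit = route(SAMPLE_ACTIONS)
    for layer, kind, verdict, reason in audit:
        print(f"{layer:11} {kind:22} {verdict:8} {reason}")
    print(f"{len(executed)} executed, {len(pending)} waiting for a human")
```

The gate is deliberately a pure function of the proposed action, not of the agent's own judgement about whether it should ask: an agent that can decide it does not need approval is the failure mode the "Still marketing" list describes.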
OSS alternative
If your budget is zero, here is the stack: MISP for IoC sharing, OpenCTI for the knowledge graph, TheHive for case management, Cortex for analyser orchestration, YARA and Sigma for detection, Claude or equivalent as the orchestration agent.
Self-hosted on commodity hardware, this stack costs $300-$1,500 per month in infrastructure plus LLM API spend. The data-depth gap versus commercial platforms is real. The capability gap for enrichment and correlation is smaller than most vendors claim.
06 / LATEST PRICING, APRIL 2026
What the three majors actually cost
| Vendor | Tier | Typical contract range | Source |
|---|---|---|---|
| Recorded Future | Core | ~$50k - $120k / yr | Vendr, Apr 2026; mfr PDF |
| Recorded Future | Professional | ~$120k - $250k / yr | Vendr, Gartner PI |
| Recorded Future | Elite | $250k - $400k+ / yr | Gov.UK G-Cloud, Fortune 500 |
| Mandiant | All tiers | Custom only; ~$40k - $200k+ | Vendr, TrustRadius |
| CrowdStrike Falcon | Go | $59.99 / device / yr | Manufacturer, Apr 2026 |
| CrowdStrike Falcon | Pro | $99.99 / device / yr | Manufacturer, Apr 2026 |
| CrowdStrike Falcon | Enterprise | $184.99 / device / yr | Manufacturer, Apr 2026 |
| CrowdStrike Falcon | Adversary Intel Premium | Custom | Cycognito, Vendr |
Use the ROI calculator to model TCO across commercial vs OSS stacks for your team size.
07 / FREQUENTLY ASKED
CTI and agentic SOC FAQ
What is an AI threat intel agent?
An AI threat intel agent is an autonomous or semi-autonomous software component that ingests raw threat data, performs enrichment and correlation, and produces analyst-ready output without requiring a human to execute each step. In 2026, most implementations are semi-autonomous: fully autonomous on enrichment and triage, but human-in-the-loop on attribution decisions above Medium confidence. The term differs from AI-augmented threat intelligence, where humans retain control over every workflow step.
Is Recorded Future worth the cost?
Recorded Future delivers genuine value when security teams integrate it into daily workflows: SIEM feed piping, Brand Intelligence for brand-protect teams, and Pathfinder for long-report synthesis. It often goes unread when purchased as a compliance checkbox without analyst bandwidth to operationalise it. For teams with budgets under $50k per year, the MISP + OpenCTI + LLM orchestrator OSS stack covers the core use cases at a fraction of the cost. For teams between $50k and $120k, Recorded Future Core is the right comparison point, not Elite.
What is agentic SOC?
Agentic SOC describes the pattern where AI agents, rather than humans, perform first-pass alert triage, IoC enrichment, and sometimes automated response, with humans supervising outcomes rather than executing each step. Microsoft popularised the term in April 2026 with a dedicated manifesto. Dropzone AI, Prophet Security, Torq HyperSOC, and Radiant Security all ship production variants. The key distinction from SOAR: agents reason over unstructured data and generate novel response steps; SOAR executes pre-written playbooks.
Can AI replace SOC analysts?
No, not in 2026. AI shifts Tier 1 analysts from triage execution to triage supervision, which is a meaningful productivity gain, not a replacement. False-positive rates on autonomous actions remain too high for most regulated environments. Tier 2 threat hunting and Tier 3 incident response remain human-led. Partial Tier 1 automation by 2028 is plausible at shops running Dropzone AI or equivalent; full analyst replacement is not on the 5-year roadmap for complex enterprise environments.
What is the best free alternative to commercial CTI platforms?
The OSS CTI stack in 2026 is: MISP for IoC sharing (primary), OpenCTI for the knowledge graph, TheHive for case management, Cortex for analyser orchestration, YARA and Sigma for detection rules, and Claude or a comparable LLM as the orchestration agent. Self-hosted on Hetzner or DigitalOcean, this stack costs approximately $300 to $1,500 per month in infrastructure plus LLM API spend. It covers the core enrichment, correlation, and detection workflow that commercial platforms deliver. The gap is analyst-curation depth: commercial feeds include Insikt Group research and actor profiles that the OSS stack cannot replicate.
Last verified: April 2026. Glossary covers all CTI terms used on this site.