This site is an independent technical reference. It is not affiliated with or endorsed by Recorded Future, Mandiant, Google Cloud, CrowdStrike, Microsoft, Anomali, ThreatConnect, EclecticIQ, Intel 471, Flashpoint, Palo Alto Networks, Unit 42, Cisco, Fortinet, SentinelOne, IBM, Dropzone AI, Prophet Security, Torq, Cyware, Radiant Security, Tenable, Qualys, Rapid7, DomainTools, SOCRadar, or any other vendor, project, or framework named on this site. MISP, OpenCTI, TheHive, and YARA are trademarks of their respective maintainers. All other trademarks belong to their respective owners. Pricing, feature, and platform-capability information was verified in April 2026 and may have changed since publication.

Some outbound links on this site may be affiliate links. Affiliate relationships do not influence ranking, verdicts, pricing data, or editorial positions. Where a verdict or comparison could be paid-placement-adjacent we mark it explicitly; otherwise assume zero vendor input.

Methodology

How pricing is sourced, how capability claims are verified, and how vendor data is triangulated for the comparison and review pages on this site.

Last verified: May 2026

Sourcing protocol

CTI vendor pricing is opaque by design. Recorded Future, Mandiant Advantage, Flashpoint, Intel 471, Anomali, ThreatConnect, and EclecticIQ all decline to publish list pricing. The legitimate sources for buyer-side pricing data are bounded and small. We use a four-stream triangulation protocol for every quoted pricing range on this site.

  • Stream 1 - Vendr. vendr.com publishes buyer-side procurement data on dozens of CTI vendors, including median contract size, range, and renewal-uplift patterns. Vendr's coverage is strongest for North American mid-market and enterprise buyers in the $25k to $500k contract band. We treat Vendr's published median as the centre-point for triangulation, not as a single source of truth.
  • Stream 2 - Gartner Peer Insights. Gartner Peer Insights reviewer comments routinely reference specific contract sizes when a reviewer is comparing renewal against the original quote. We extract those references where they appear, filtered for recency (2024 onwards) and analyst-seat-count context.
  • Stream 3 - AWS Marketplace. AWS Marketplace private-offer history occasionally surfaces published per-seat or per-tier listings for vendors that participate in the Marketplace draw-down model. Recorded Future, Mandiant, CrowdStrike, and Microsoft Sentinel-adjacent products all have AWS Marketplace listings.
  • Stream 4 - Gov.UK G-Cloud. Crown Commercial Service G-Cloud framework listings include published service-pricing PDFs from any vendor on the framework. Recorded Future, Mandiant, Microsoft, CrowdStrike, Anomali, and several MSSPs publish per-day or per-user G-Cloud rates. These are UK public-sector framework rates and are not representative of US-enterprise pricing, but they anchor the lower-bound of "what is a defensible rate."

We do not publish a pricing range unless we can corroborate it against at least two of these streams. Where only one stream has data, the page flags it explicitly as a single-source estimate rather than a triangulated range.

Tier-band positioning, not per-vendor quoting

Because individual contract pricing varies significantly by sector, analyst seat count, geography, module selection, and negotiation skill, we present pricing as tier bands rather than vendor-specific point estimates. The standard bands are:

  • Mid-market entry: roughly $40k to $80k per year. Typical of single-module CTI for a security team with 5 to 10 analysts.
  • Mid-market full: roughly $80k to $200k per year. Multi-module subscriptions with managed-service overlays.
  • Enterprise premium: $200k to $400k+ per year. Includes proactive threat hunting, IR retainer, or sector-specialist intelligence (financial, government, healthcare).
  • Fortune-500 / sector-specialist: $400k+ per year. Custom contracts, named-analyst overlays, and bespoke intelligence-collection requirements.

Vendors that publish per-device or per-seat list pricing (CrowdStrike Falcon, Microsoft Sentinel) are quoted at list. Where a vendor charges by module bundle, we present the bundle range with the module decomposition explained in the body of the comparison page.

Capability verification

Threat intelligence vendors describe capability aspirationally. Marketing copy routinely claims "agentic" or "autonomous" capabilities that translate, in production, into a partial implementation of one or two of the four agent layers (triage, enrichment, hunting, response). We verify capability claims against the following types of public artefact:

  • Manufacturer product documentation and release notes (vendor.com/docs paths)
  • Vendor blog posts announcing GA versus beta versus early-access capability
  • RSAC / Black Hat / Gartner Security Summit presentation slides and recordings
  • Independent security-research write-ups from SiliconANGLE, The Register, and DarkReading
  • Reviewer comments on Gartner Peer Insights and G2 that reference specific in-product features
  • The Google Cloud / Mandiant blog for Mandiant-specific announcements
  • The CrowdStrike blog for Charlotte AI and Falcon capability claims

Where a capability claim cannot be corroborated against a public artefact, we flag it as "vendor-claimed" rather than "verified." We do not accept vendor briefings or NDA-gated material as a sourcing input because the resulting content would be unverifiable by readers.

Industry reference data

Several industry datasets appear repeatedly across the workflow and buildout pages. The provenance of each:

  • M-Trends (Mandiant's annual incident-response report). The current edition is the source for dwell-time, ransomware-incident, and nation-state-targeting statistics. Available at cloud.google.com/blog/topics/threat-intelligence/m-trends-2026.
  • ISACA "State of Cybersecurity" survey. The April 2026 edition's "89% of CISOs accelerating agentic security adoption" finding is sourced from isaca.org.
  • MITRE ATT&CK. The reference framework for adversary techniques. Sourced from attack.mitre.org. Used throughout the workflow pages for technique mapping examples.
  • CISA Known Exploited Vulnerabilities catalogue. The authoritative list of CVEs confirmed exploited in the wild, with federal-agency remediation deadlines. Pulled from cisa.gov. Referenced on the vulnerability prioritisation page.
  • EPSS (Exploit Prediction Scoring System). FIRST.org's probability-of-exploitation score. Available at first.org/epss.
  • STIX 2.1 / TAXII 2.1 specifications. The OASIS standard for structured threat information. Reference at oasis-open.github.io/cti-documentation.

Open-source stack verification

The open-source CTI stack reference page (/open-source-tools) names six primary projects: MISP, OpenCTI, TheHive, Cortex, YARA, and Sigma. Each project's capability claims and infrastructure-cost estimates are verified against the project's own documentation and against deployment patterns published by the project maintainers.

Infrastructure cost estimates for self-hosted deployments are anchored to Hetzner dedicated server published pricing for the AX41 and EX44 tiers, which are the realistic minimum-viable boxes for MISP and OpenCTI respectively.

Refresh cadence

The site is refreshed on a monthly cadence. The "Last verified" stamp on every page is sourced from a single constant in the site's schema library so the freshness signal moves in one place. Out-of-cycle refreshes happen when:

  • A vendor announces a rebrand, repackaging, or material price move
  • A new GA release shifts a capability claim from "announced" to "shipped"
  • An incumbent product is acquired or sunset
  • A primary source (Vendr, Gartner, AWS Marketplace, G-Cloud) publishes a material data update
  • A reader correction is received and verified

Limitations

Triangulated pricing ranges are not a substitute for a competitive vendor RFP. Real contract pricing varies by sector, geography, analyst seat count, module selection, deal timing, and negotiation skill. The bands on this site are calibration anchors for procurement reality, not endpoint quotes. Use them as a sanity-check against vendor first-quotes, not as a target for procurement to match.

The ROI calculator produces estimates based on the documented stack-archetype assumptions. It cannot model deal-specific terms, multi-year commitment discounts, or sector-specific add-ons.

Capability verdicts ("buy / evaluate / skip" cards) are calibrated to the verified date. CTI tooling evolves quickly. A verdict published one quarter may be outdated the next. Always verify current capabilities directly with the vendor before a procurement decision.

Corrections process

For corrections, data disputes, or vendor commentary on coverage, email editorial@threatintelagents.com. We aim to acknowledge corrections within five business days and update pages with a dated correction note where the error is verified.

Last updated: May 2026.

Updated 2026-05-11