Best Threat Intelligence Platforms of 2026

Updated · 7 picks · live pricing · affiliate disclosure

BEST OVERALL · 7.6/10

MISP

MIT-licensed CIRCL-maintained sharing platform; used by NATO, EU institutions, and national CERTs worldwide.

Free self-host forever; CIRCL consulting available

How it stacks up

  • Free self-host forever

    vs AlienVault OTX free

  • NATO + EU CERT users

    vs Recorded Future SaaS

  • CIRCL maintained

    Only open-source self-host pick

#2 CrowdStrike Falcon Intelligence · 6.4/10 · From $14.99/mo

#3 AlienVault OTX (LevelBlue) · 6.3/10 · Free

All picks at a glance

# | Pick | Best for | Starting | Score
1 | MISP | Best open-source self-hostable threat intelligence, MIT-licensed CIRCL platform | Free | 7.6/10
2 | CrowdStrike Falcon Intelligence | Best endpoint-integrated threat intelligence, intel built into Falcon EDR | $14.99/mo | 6.4/10
3 | AlienVault OTX (LevelBlue) | Best free community threat intelligence, 180k-plus participants sharing IOCs | Free | 6.3/10
4 | Mandiant Advantage | Best Google-backed threat intelligence, M-Trends frontline pedigree | $2,500.00/mo | 5.3/10
5 | Pulsedive | Best SMB-affordable threat intelligence, the only realistically-priced paid pick | $29.00/mo | 5.3/10
6 | Recorded Future | Best overall threat intelligence, the brand reference for finished intelligence | $4,167.00/mo | 4.0/10
7 | GreyNoise | Best internet-scanner intel, the "is this scan worth alerting on" wedge | $500.00/mo | 3.7/10

Compare all 7 picks

Free tier | Top spec
#1 | MISP | 7.6/10 | Free | Free self-host forever
#2 | CrowdStrike Falcon Intelligence | 6.4/10 | $14.99/mo | $99.99/yr | Save $168.12/yr | Falcon Pro $14.99/endpoint
#3 | AlienVault OTX (LevelBlue) | 6.3/10 | Free | Free forever
#4 | Mandiant Advantage | 5.3/10 | $8,333.00/mo | $100,000.00/yr | $99,648/yr more | Free tier + Subscription paid
#5 | Pulsedive | 5.3/10 | $29.00/mo | $290.00/yr | Pro $29 a month
#6 | Recorded Future | 4.0/10 | $12,500.00/mo | $150,000.00/yr | $149,652/yr more | Foundation $50k/yr
#7 | GreyNoise | 3.7/10 | $3,000.00/mo | $36,000.00/yr | $35,652/yr more | Community Free + Block

#1

MISP

7.6/10

Best open-source self-hostable threat intelligence, MIT-licensed CIRCL platform

MIT-licensed CIRCL-maintained sharing platform; used by NATO, EU institutions, and national CERTs worldwide.

PlanMonthlyWhat you get
Self-hostedFreeMIT-licensed open-source threat intelligence sharing platform; install via Docker, AWS Marketplace, or Ubuntu package; pay infrastructure only

MISP is the open-source self-hostable pick, MIT-licensed and maintained by CIRCL (Computer Incident Response Center Luxembourg) since 2011. NATO, EU institutions, and national CERTs around the world run MISP instances for inter-agency threat sharing, which is a credibility signal commercial vendors cannot match for European public-sector buyers.

There is one tier: self-hosted, free forever. Install via Docker, the AWS Marketplace AMI, or native Ubuntu and CentOS packages. The platform covers IOC management, threat actor profiles, automatic correlation between attributes, sharing communities (private or public), STIX 1 and 2 export, OpenIOC, Snort and Suricata signature export, and a comprehensive REST API documented as OpenAPI.

MISP 2.5 shipped in 2025 with a major UI and UX overhaul plus modernized background processing. The trade-off versus SaaS is that the customer manages updates, scaling, retention policy, and sharing-community membership. There is no commercial support included; CIRCL offers paid consulting, and several vendors (CSIS, NViso, others) offer managed MISP. For European public-sector and regulated-industry SOCs that cannot ship intelligence data to US-based vendors, MISP is the default.

Pros

  • MIT-licensed open source, free forever; no vendor lock-in
  • Used by NATO, EU institutions, and national CERTs for inter-agency threat sharing
  • Single-package self-host via Docker, AWS Marketplace, or Ubuntu and CentOS
  • STIX 1 and 2 + OpenIOC + Snort and Suricata exports; comprehensive REST API
  • MISP 2.5 (2025) UI and UX overhaul plus modernized background processing

Cons

  • No commercial support included; CIRCL consulting and third-party managed MISP available
  • Customer manages updates, scaling, retention policy, and sharing-community membership

Free self-host forever · NATO + EU CERT users · CIRCL maintained · Free self-host forever; CIRCL consulting available

Best for: European public-sector and regulated-industry SOCs that cannot ship intelligence data to US-based vendors. CERTs and ISACs needing inter-agency sharing.

Coverage: 10 · Freshness: 7 · Workflow: 6 · Value: 10 · Support: 6

#2

CrowdStrike Falcon Intelligence

6.4/10 · Save $168.12/yr

Best endpoint-integrated threat intelligence, intel built into Falcon EDR

Adversary Intelligence tied to Falcon endpoint detections; the only intel pick with public per-endpoint pricing.

Plan | Monthly | Annual | What you get
Falcon Pro | $14.99/mo | $99.99/yr | Falcon NGAV plus baseline threat intelligence and IOC management; the per-endpoint entry that bundles intel into endpoint protection
Falcon Enterprise | $19.99/mo | $184.99/yr | Adds Falcon Insight XDR plus Adversary OverWatch managed threat hunting tied to the endpoint detection stream
Falcon Adversary Intelligence (add-on) | $2,500.00/mo | $30,000.00/yr | Standalone Adversary Intelligence module with finished reports, dedicated analyst RFI, and Falcon X Premium feed access

CrowdStrike Falcon Intelligence is the threat-intel pick for organizations already on Falcon endpoint protection, where actor profiles tie directly to the EDR detection stream rather than living in a separate analyst tool. With around $3.4B ARR in FY2025, it is one of the few public-pricing players in the category.

Falcon Pro is $14.99 per endpoint per month and includes baseline IOC search and Threat Graph queries. Falcon Enterprise at the upgrade tier adds full Insight XDR plus Adversary OverWatch managed threat hunting. The standalone Adversary Intelligence module is custom-quoted at around $30k a year and adds Falcon X Premium feed access, finished reports, sandbox malware analysis, and dedicated analyst RFI work.

The per-endpoint pricing model is unique here and load-bearing. A 500-endpoint mid-market shop pays around $7,500 a month for Falcon Pro with bundled intel, where the same shop on Recorded Future Foundation pays around $4,167 a month for finished intel without endpoint coverage. Falcon wins when the buyer wants endpoint plus intel from one vendor; standalone TIPs win when the org runs heterogeneous endpoint stacks.

Pros

  • Adversary Intelligence ties actor profiles directly to Falcon EDR detections at the endpoint
  • Per-endpoint pricing is publicly listed, rare in this category of custom-quoted enterprise platforms
  • Falcon Pro entry includes baseline IOC search plus Threat Graph queries
  • Falcon Enterprise adds Adversary OverWatch managed threat hunting
  • Adversary Intelligence module adds finished reports, sandbox analysis, and analyst RFI work

Cons

  • Per-endpoint pricing scales with org size; a 500-endpoint shop is around $7,500 a month
  • Locks intel value to the Falcon endpoint stack; not portable to other EDR platforms

Falcon Pro $14.99/endpoint · Adversary Intelligence add-on · ~$3.4B ARR FY2025 · 15-day Falcon Go free trial; cancel anytime

Best for: Organizations already on CrowdStrike Falcon for endpoint protection that want bundled threat intelligence tied to EDR detections rather than a standalone TIP.

Coverage: 8 · Freshness: 9 · Workflow: 8 · Value: 7 · Support: 9

#3

AlienVault OTX (LevelBlue)

6.3/10

Best free community threat intelligence, 180k-plus participants sharing IOCs

The largest free collaborative exchange; 180,000-plus contributors sharing 19M-plus daily indicators.

Plan | Monthly | What you get
Open Threat Exchange | Free | The largest free threat intelligence community with 180k-plus participants and 19M-plus daily indicators; no paid tier exists

AlienVault Open Threat Exchange is the largest free collaborative threat intelligence platform, with around 180,000 contributors across 140 countries sharing more than 19 million indicators every day. It was founded in 2012, acquired by AT&T in 2018, rebranded as AT&T Cybersecurity in 2019, and spun out as LevelBlue in May 2024 (a joint venture with WillJam Ventures); OTX itself stayed free throughout every transition.

There is no paid tier. The Open Threat Exchange covers IOC search, Pulses (curated bundles of related indicators around a campaign or actor), private community discussion groups, the OTX DirectConnect API for SIEM ingestion, STIX export, and the OTX Endpoint Security free threat-scanning service.

The load-bearing community-feed wedge serves analysts evaluating IOCs in real time: you can search any indicator against the global community contribution stream. The catch is that community-contributed intelligence is not finished intelligence. Pulses vary widely in quality; high-fidelity contributors mix with low-quality automated submitters. Most mature SOCs use OTX as one feed among many rather than the primary intelligence source. For a small team building an IOC pipeline from scratch, it is the highest-value free starting point in the category.

Pros

  • 180,000-plus contributors across 140 countries; the largest free collaborative exchange
  • Free forever: no paid tier exists; LevelBlue keeps OTX free as community asset
  • 19M-plus daily indicators; Pulses bundle related IOCs around campaigns and actors
  • DirectConnect API for SIEM ingestion + STIX export + Maltego transform hub
  • OTX Endpoint Security adds free threat-scanning across critical endpoints

Cons

  • Community contributions vary widely in quality; needs filtering before SIEM ingestion
  • No finished intelligence, named-actor attribution, or analyst RFI service

Free forever · 180k+ contributors · LevelBlue 2024 spin · Free forever; create account to contribute

Best for: Small SOCs and analyst teams building an IOC pipeline from scratch who want the largest free community-contributed feed as a starting point.

Coverage: 7 · Freshness: 8 · Workflow: 7 · Value: 10 · Support: 6

#4

Mandiant Advantage

5.3/10 · $99,648/yr more

Best Google-backed threat intelligence, M-Trends frontline pedigree

Annual M-Trends report built on incident-response telemetry; folded into Google Threat Intelligence at RSA 2024.

Plan | Monthly | Annual | What you get
Free | Free | | Free community tier with basic IOC search, public actor profiles, and the M-Trends annual report; the analyst sandbox
Threat Intelligence Subscription | $2,500.00/mo | $30,000.00/yr | Mandiant frontline reporting with priority IOC feed, actor briefings, and Google Threat Intelligence integration
Premium | $8,333.00/mo | $100,000.00/yr | Adds Digital Threat Monitoring, Attack Surface Management, dedicated CSM, and incident-response priority access

Mandiant Advantage is the Google-acquired option for buyers who want frontline incident-responder pedigree behind the threat intelligence rather than analyst-desk research. The M-Trends annual report draws on actual breach engagements and is the load-bearing brand asset for the category.

The Free tier is genuinely useful: basic IOC search, public actor profiles, the M-Trends report, and community feed access at no cost. Threat Intelligence Subscription at the realistic paid entry adds Mandiant frontline reporting, priority IOC feed, actor and malware briefings, and a custom RFI quota. Premium adds Digital Threat Monitoring and Attack Surface Management for the larger SOC.

Google acquired Mandiant in September 2022 for $5.4B and integrated it with VirusTotal and Google Threat Intelligence Group at RSA 2024. The combined platform is now sold as Google Threat Intelligence, with the Mandiant brand persisting on intelligence reports. The page score lands on Premium because it is the only tier whose name matches our heuristic; the realistic entry is Subscription, a 233 percent overshoot from what most buyers actually pay.

Pros

  • Free tier with basic IOC search, public actor profiles, M-Trends report, community feed
  • M-Trends annual report draws on real breach engagements, the load-bearing brand asset
  • Google-acquired Sept 2022 for $5.4B; folded into Google Threat Intelligence at RSA 2024
  • Threat Intelligence Subscription paid entry adds priority feeds and custom RFI quota
  • Premium tier adds Digital Threat Monitoring and Attack Surface Management

Cons

  • Page score uses Premium as typical, while Subscription is the realistic entry (233 percent gap)
  • Google ownership raises long-term roadmap-direction questions for Workspace-skeptical buyers

Free tier + Subscription paid · M-Trends annual report · Google acquired 2022 · Free Mandiant Advantage tier forever; cancel anytime

Best for: Mid-market and enterprise SOCs that want incident-response-rooted threat intelligence and are comfortable with Google as the long-term platform owner.

Coverage: 9 · Freshness: 9 · Workflow: 7 · Value: 7 · Support: 9

#5

Pulsedive

5.3/10

Best SMB-affordable threat intelligence, the only realistically-priced paid pick

Pro at $29 is the only realistically-priced paid pick here; 1-3 analyst SMBs can actually expense it.

Plan | Monthly | Annual | What you get
Free | Free | | Community search across 45-plus OSINT feeds with 1M-plus IPs, domains, and URLs; the analyst sandbox most readers start with
Pro | $29.00/mo | $290.00/yr | Higher API quotas, private feeds, custom watchlists, and analyst dashboard; the only realistically-priced paid pick in the lineup
Enterprise | $1,500.00/mo | $18,000.00/yr | Multi-user TIP with private feed ingestion, dedicated support, and on-premise deployment options for regulated buyers

Pulsedive is the only realistically-priced paid pick in this category. Founded 2017 in Arlington VA by Grace Chi and Daniyal Hannan and bootstrapped indie with no VC, Pulsedive built an analyst-centric TIP for SMBs that cannot expense a $50k a year Recorded Future Foundation contract.

Free gives any analyst search across 45-plus aggregated OSINT feeds covering more than 1M IPs, domains, and URLs. Pro at the per-analyst monthly entry adds higher API rate limits, private feeds, custom watchlists, saved searches, and STIX or TAXII export. Enterprise at the custom-quoted tier adds multi-user analyst seats, RBAC, private feed ingestion without community sharing, and on-premise deployment.

The trade-off versus the enterprise picks is meaningful. Pulsedive does not provide finished intelligence reports, named actor attribution, or analyst RFI service; the platform aggregates and enriches, it does not produce original intelligence. For a 1-3 analyst small SOC that wants to operationalize OSINT without writing custom STIX or TAXII pipelines, Pulsedive Pro at the entry monthly rate is roughly two orders of magnitude cheaper than Recorded Future Foundation.

Pros

  • Pro is the only realistically-priced paid pick in this lineup, by an order of magnitude
  • Free tier covers 45-plus aggregated OSINT feeds with 1M-plus IPs, domains, URLs
  • Bootstrapped indie since 2017; no VC dilution risk; long-term roadmap stability
  • Pro adds private feeds, custom watchlists, and STIX or TAXII export at the per-analyst rate
  • Browser extension lets analysts pivot from any IP or domain on the open web

Cons

  • No finished intelligence reports, named actor attribution, or analyst RFI service
  • Smaller catalog of native SIEM and SOAR integrations than enterprise picks here

Pro $29 a month · 45+ OSINT feeds · Bootstrapped 2017 · Free tier forever; cancel anytime

Best for: Small SOCs of 1 to 3 analysts that want to operationalize OSINT without paying enterprise TIP pricing. Bootstrapped startup security teams.

Coverage: 7 · Freshness: 7 · Workflow: 9 · Value: 10 · Support: 6

#6

Recorded Future

4.0/10 · $149,652/yr more

Best overall threat intelligence, the brand reference for finished intelligence

Insikt Group analysts behind half of the Fortune 500; the brand reference for finished threat intelligence.

Plan | Monthly | Annual | What you get
Foundation | $4,167.00/mo | $50,000.00/yr | Intelligence Cloud baseline with threat feeds, brand alerts, and one analyst module; the realistic entry tier most readers buy
Advanced | $12,500.00/mo | $150,000.00/yr | Multi-module subscription with Recorded Future AI assistant, custom watchlists, and SIEM and SOAR integrations
Enterprise | $25,000.00/mo | $300,000.00/yr | Full Intelligence Cloud across all modules with dedicated Insikt Group analyst access, SSO, and a CSM

Recorded Future is the default finished-intelligence platform for Fortune 500 SOCs and the brand reference Gartner and Forrester anchor every TI Magic Quadrant on, with around 1,800 customers including roughly half of the Fortune 500.

Foundation is the realistic entry at around $50k a year, bundling Intelligence Cloud baseline with one analyst module (Brand, Vulnerability, or SecOps). Advanced at the $150k tier adds the Recorded Future AI assistant, custom watchlists, and native Splunk plus Sentinel plus QRadar plus XSOAR integrations. Enterprise at the $300k tier opens dedicated Insikt Group analyst access for custom RFI work.

Our scoring picks Advanced as the typical because tier names Foundation, Advanced, and Enterprise do not match our heuristic and we fall back to the second-cheapest paid tier, a 200 percent overshoot from realistic Foundation. The cons block acknowledges this. The Mastercard acquisition closed May 2024 for $2.65B, which signals long-term enterprise stability but raises questions about Mastercard-customer cross-sell shaping the roadmap. Mid-market readers should plan for Foundation, not Advanced.

Pros

  • Around 1,800 customers including roughly half of the Fortune 500; the brand reference
  • Insikt Group analysts produce finished intelligence, not just feeds
  • Foundation entry covers Intelligence Cloud plus one analyst module (Brand, Vuln, or SecOps)
  • Mastercard acquired May 2024 for $2.65B signals long-term enterprise stability
  • Native Splunk, Sentinel, QRadar, and Cortex XSOAR integrations on Advanced

Cons

  • Page score uses Advanced as typical, while Foundation is the realistic entry (a 200 percent gap)
  • No free or trial tier; sales conversation required to evaluate the platform

Foundation $50k/yr · ~1,800 enterprise buyers · Mastercard 2024 · No free or trial tier; demo on request

Best for: Mid-market and enterprise SOCs that want finished intelligence with named-analyst credibility behind the IOC and actor feeds. Plan for Foundation, not Advanced.

Coverage: 9 · Freshness: 9 · Workflow: 7 · Value: 6 · Support: 9

#7

GreyNoise

3.7/10 · $35,652/yr more

Best internet-scanner intel, the "is this scan worth alerting on" wedge

Scanner-noise classification for SOC alert tuning; tells you which IPs scan everyone and which target only you.

Plan | Monthly | Annual | What you get
Community | Free | | Free IP lookups against the GreyNoise scanner-noise dataset; the analyst sandbox for the "is this scan worth alerting on" question
Block | $500.00/mo | $6,000.00/yr | GreyNoise Block subscription for SMB SOCs with bulk IP feeds, IP timeline access, and SIEM integrations
Platform | $3,000.00/mo | $36,000.00/yr | Enterprise tier with the full Platform API, RIOT (benign service) feed, and dedicated support for mature SOC teams

GreyNoise solves a unique SOC problem: every public-facing asset gets scanned constantly by Shodan, Censys, university researchers, security companies, and opportunistic attackers. Most of those scans are background noise that should not page anyone, but distinguishing them from targeted reconnaissance requires telemetry no individual SOC has on its own.

Community Free covers single-IP lookups via the web visualizer and a low-volume Community API; useful for analyst spot-checks. Block at the SMB entry adds bulk IP feeds, IP Timeline, tag enrichment, and Splunk plus Sentinel plus Cortex XSOAR integrations. Platform at the enterprise tier opens the full 16-endpoint Platform API and the RIOT benign-service feed for whitelisting Microsoft, AWS, and Google scanner traffic.

The load-bearing wedge is alert tuning: a SOC drowning in scan-related alerts can suppress 60 to 80 percent of them by checking GreyNoise on ingest. The catch is narrow scope. GreyNoise classifies scanner activity, not finished intelligence; if your team needs actor profiles, dark-web monitoring, or vulnerability intel, GreyNoise pairs with another platform rather than replacing one.

Pros

  • The unique scanner-noise wedge: which IPs scan everyone, which target you specifically
  • Community Free tier covers single-IP lookups via web visualizer and limited API
  • Block tier adds bulk IP feeds, IP Timeline, tag enrichment for SMB SOCs
  • Native Splunk, Sentinel, and Cortex XSOAR integrations at Block and above
  • RIOT benign-service feed at Platform whitelists scanner traffic from cloud providers

Cons

  • Page score uses Platform as typical, while Block is the realistic entry (500 percent gap)
  • Narrow scope: scanner classification only, not actor profiles or dark-web intel

Community Free + Block · IP Timeline + RIOT feed · Founded 2017 · Community Free tier forever; demo for paid tiers

Best for: SOCs drowning in scan-related alerts that want to suppress background-noise pages. Pairs with a finished-intelligence platform rather than replacing one.

Coverage: 7 · Freshness: 9 · Workflow: 8 · Value: 7 · Support: 7

How we picked

Each pick gets a transparent composite score from price, features, free-tier availability, and editor fit. Pricing flows from our live database, so when a vendor changes prices the score updates here too.

We weight price 40, features 30, free tier 15, fit 15. Tier names like Foundation, Subscription, and Block do not match our heuristic, so the score lands on the upgrade tier for several picks. Largest gaps: Mandiant Premium vs Subscription (233 percent), GreyNoise Platform vs Block (500 percent), Recorded Future Advanced vs Foundation (200 percent). All in cons.

We don't claim "30,000 hours of testing." Our methodology is the formula above plus the editor's published verdict for each pick. Verifiable, auditable, and updated when the underlying data changes.

Why trust Subrupt

We're a subscription tracker first, a buying guide second. Every claim on this page is something you can check.

By use case

  • Best overall threat intelligence: Recorded Future
  • Best endpoint-integrated threat intelligence: CrowdStrike Falcon Intelligence
  • Best SMB-affordable threat intelligence: Pulsedive
  • Best free community threat intelligence: AlienVault OTX (LevelBlue)
  • Best open-source self-hostable threat intelligence: MISP

Didn't make the list

Anomali: Cut because all paid tiers are custom-quoted starting at around $60k a year. Established TIP with STIX-TAXII feed aggregation and Anomali Match retrohunt; right call when budget justifies it.

ThreatConnect: Cut because all paid tiers are custom-quoted starting at around $50k. Free Community Edition is useful for analyst evaluation; TI Ops adds Risk Quantifier (CRQ scoring) and CAL reports.

Flashpoint: Cut because all paid tiers are custom-quoted starting at around $80k. Strongest dark-web and underground-forum coverage via Ignite; right call for orgs prioritizing fraud and brand intel.

Intel 471: Cut because all paid tiers are custom-quoted starting at around $70k. Underground adversary intelligence on TITAN; right call for orgs needing high-fidelity cybercrime actor profiles.

How to choose your Threat Intelligence Platform

Seven kinds of product compete for one head term

The 'best threat intelligence' search covers seven shapes for different SOC jobs. Recorded Future at custom Foundation pricing is the brand reference for finished intelligence with Insikt Group analysts behind the IOC and actor feeds. Mandiant Advantage at custom Subscription pricing brings frontline incident-response pedigree (the M-Trends report) and was acquired by Google in 2022. CrowdStrike Falcon Intelligence at $14.99 per endpoint bundles intel into the Falcon EDR platform with Adversary Intelligence as a custom-quoted module add-on. Pulsedive at $29 Pro is the SMB-affordable analyst TIP, the only realistically-priced paid pick in the lineup. GreyNoise at custom Block pricing answers the unique scanner-noise question for SOC alert tuning. AlienVault OTX is the largest free collaborative exchange at 180k-plus contributors. MISP is the MIT-licensed CIRCL-maintained self-host pick used by NATO, EU institutions, and national CERTs worldwide.

Why our scoring sometimes shows the upgrade tier instead of the entry

Most threat-intel vendors use custom tier names (Foundation, Advanced, Subscription, Block, Platform) that our typical-tier heuristic cannot recognize. The heuristic looks for common standards like Premium, Pro, or Individual, then for commitment names, then falls back to the second-cheapest paid tier above any disqualified entry. When names do not match, the fallback fires and the page score reflects what the upgrade tier costs, not what most readers pay. Recorded Future Advanced is the fallback from realistic Foundation (a 200 percent gap). Mandiant Premium is the fallback from realistic Subscription (233 percent). GreyNoise Platform is the fallback from realistic Block (500 percent). The realistic mid-market SOC budget is $30k to $80k a year for any one finished-intelligence platform. The realistic SMB budget is under $400 a year (Pulsedive Pro plus optional community feeds). The cons block on each pick acknowledges the gap.

Custom-quoted enterprise pricing: how to budget without a public list

Every enterprise threat-intel platform in 2026 is custom-quoted with no public list pricing. Recorded Future starts sales conversations at around $50k a year for Foundation; a real SOC with two or more modules pays $150k to $300k after one renewal cycle. Mandiant Threat Intelligence Subscription starts at around $30k a year; Premium with Digital Threat Monitoring runs $100k a year. CrowdStrike Falcon Intelligence as a standalone module is around $30k on top of whatever the Falcon endpoint contract costs. Anomali, ThreatConnect, Flashpoint, and Intel 471 all start in the $50k to $80k range. The budgeting pattern: assume a $50k minimum entry for any enterprise TIP, a $150k three-year average for a mid-market SOC, and a $300k ceiling for an enterprise SOC running two or more vendors. Discounts of 10 to 20 percent are available for multi-year commitments. The free and SMB lane (Pulsedive, OTX, MISP, GreyNoise Community) covers under $400 a year if the team can absorb analyst time.

When community + open-source replaces commercial: the SMB and CERT case

Pulsedive Pro, AlienVault OTX free, MISP self-host free, and GreyNoise Community free cover most of what a 1-3 analyst small SOC actually needs. The pattern: Pulsedive Pro for aggregated OSINT pivots, OTX for community Pulses around active campaigns, GreyNoise Community for scanner-noise spot checks, and MISP self-host for structured IOC sharing with peers or ISACs. Combined cost: under $400 a year. The trade-off is meaningful. None provide finished intelligence reports, high-confidence actor attribution, dark-web forum coverage with operator personas, or analyst RFI service. For a startup, a small bank, or a regional MSP, the trade-off is reasonable. For a Fortune 500 SOC the trade-off fails; analyst time outweighs the savings on a Foundation contract. CERTs run the inverse case: MISP self-host is the default because inter-agency sharing requires data residency. Teams wanting STIX 2-native alongside often add OpenCTI (Apache 2.0 self-host).

Integration depth: SIEM, SOAR, and EDR pipelines that actually work

Threat intelligence value is realized at the integration layer, not the platform UI. Recorded Future and Mandiant ship native apps for Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle, and Cortex XSOAR; the apps handle IOC ingestion, enrichment, alert triage, and pivots back to the analyst portal. CrowdStrike Falcon Intelligence integrates natively with Falcon Insight XDR (zero configuration if you already run Falcon EDR) and ships connectors for the major SIEMs. Pulsedive offers REST API plus a published Splunk app and Cortex XSOAR pack. GreyNoise has first-class Splunk and Sentinel apps; integration is simple because the data model (IP plus tags plus timeline) is narrow. OTX exposes DirectConnect API plus STIX export; quality filtering is required. MISP exposes a comprehensive REST API plus STIX 1 and 2 plus OpenIOC plus Snort and Suricata exports; integration depth is strong but operational complexity is on the customer.

Pricing volatility 2022 to 2026: Mastercard buys Recorded Future, AT&T spins out OTX

Threat intelligence pricing was stable until 2024. Two big moves: Mastercard acquired Recorded Future May 2024 for $2.65B (the largest TI vendor exit on record), which signals long-term enterprise stability but raises questions about cross-sell shaping the roadmap. AT&T spun out AlienVault as LevelBlue (joint venture with WillJam Ventures) in May 2024; OTX stayed free throughout. Google folded Mandiant into Google Threat Intelligence at RSA 2024 with VirusTotal integration, which improved the platform but pulled the brand toward the Google Cloud ecosystem. CrowdStrike Falcon pricing has been unchanged at $14.99 Pro and $19.99 Enterprise per device per month since 2023. Pulsedive Pro has been unchanged since the 2024 refresh. MISP and OTX have been free throughout. GreyNoise raised the Block tier entry from around $300 to around $500 a month in 2024. Expect more competition in 2026 to 2027 as Mastercard, Google, and LevelBlue parents look for cross-sell synergies.

Frequently asked questions

Are these prices guaranteed not to change?

Vendor pricing changes regularly. Rates here are what each vendor advertises or industry reports cite in May 2026. Recorded Future was acquired by Mastercard May 2024 for $2.65B; expect renewal-cycle pricing pressure. AT&T spun out AlienVault as LevelBlue May 2024; OTX itself stayed free throughout. CrowdStrike Falcon pricing has been unchanged since 2023. Verify the current rate on the vendor site before signing.

Does Subrupt earn a commission from any of these picks?

We track which picks have approved affiliate programs in our database, and the FTC disclosure block at the top of every guide names which ones currently have a click-tracking partnership. Affiliate revenue does not change ranking. Threat-intel platforms generally have weak or no affiliate programs because of the enterprise sales motion; most picks here appear on editorial fit only.

Why is Recorded Future ranked first if MISP wins the scoring math?

MISP wins the raw composite because the free open-source self-host model means our scoring renormalizes the price weight (40 percent) across feature, free-tier, and fit axes, which heavily favors free products. We list Recorded Future first because it is the brand reference for finished intelligence with around 1,800 customers including roughly half of the Fortune 500. MISP at pick 7 is the European public-sector and CERT wedge, not the mainstream head-term default.

What is the cheapest threat intelligence stack for a 2-3 analyst SMB SOC?

Pulsedive Pro at the per-analyst monthly rate plus AlienVault OTX free plus GreyNoise Community free covers most of what a 1-3 analyst small SOC actually needs. Combined cost: under $400 a year. Add MISP self-host (free) if the team needs structured IOC sharing with peers or ISACs. The trade-off versus enterprise: no finished intelligence reports, no named actor attribution, no dark-web operator personas. For startup security, small banks, regional MSPs, that trade-off is reasonable.

Why no Anomali, ThreatConnect, Flashpoint, or Intel 471 in the picks?

All four are well-known enterprise TIPs that we cut to honorable mention because all paid tiers are custom-quoted starting at $50k to $80k a year. They are right calls for orgs that want Anomali Match retrohunt, ThreatConnect Risk Quantifier, Flashpoint dark-web coverage, or Intel 471 cybercrime intelligence. The picks lineup prioritizes mainstream brand reference plus the SMB and free lane.

How do I migrate from one threat-intel platform to another without losing IOC history?

Most enterprise platforms support STIX 1 and 2 export and TAXII 2.x feeds for inter-platform migration. Pattern: export STIX bundles from the source, import via STIX adapter on the destination, validate that custom tags and analyst notes survive (often they do not), bridge any lost metadata via custom Python against both REST APIs. Plan for two to four weeks of work for any historical dataset above 100k IOCs.

Finished intelligence vs raw feeds: when does each pay off?

Finished intelligence (Recorded Future Insikt Group, Mandiant frontline reports, Flashpoint dark-web operator personas) wins when the SOC needs context: who is this actor, what campaigns are they running, what is the attribution confidence. Raw feeds (OTX Pulses, MISP community shares, Pulsedive OSINT, GreyNoise scanner classification) win when the SOC needs volume and freshness for SIEM ingestion. Most mature SOCs run both.

EU data residency: which picks store intelligence data in the EU?

MISP self-host gives full control of data residency (the load-bearing pick for European public-sector). Recorded Future offers an EU region. Mandiant offers EU residency via Google Cloud Frankfurt. CrowdStrike Falcon offers an EU region. Pulsedive Enterprise offers on-premise deployment. Anomali and ThreatConnect both offer EU regions. AlienVault OTX and GreyNoise are US-only.

STIX and TAXII: which picks support standardized intelligence exchange?

All seven picks support STIX export in some form. MISP supports STIX 1 and 2 plus OpenIOC plus Snort and Suricata signature export, the most mature open-source implementation. The other six all expose STIX 2.x and TAXII 2.x feeds. Setup pattern: configure your TIP or SIEM as a TAXII client, point at the vendor URL, authenticate via API token, set polling at 15 to 60 minute intervals, validate IOC ingestion in SIEM.

How often is this guide updated?

We re-review pricing and feature changes annually at minimum, with mid-year refreshes when major vendor announcements happen. The Mastercard acquisition of Recorded Future, the LevelBlue spinout of AlienVault, and the Google Threat Intelligence integration of Mandiant each triggered same-week updates. The lastReviewed date reflects the most recent pass.

Subrupt Editorial

The team behind subrupt.com. We track subscriptions, surface cheaper alternatives, and publish buying guides where the score formula is on the page so you can recompute it yourself. We do not claim 30,000 hours of testing. What we claim is live pricing from our database, a transparent composite score, and honest savings math against a category baseline.


Affiliate disclosure: Subrupt earns a commission when you switch to a service through our recommendation links. This never changes the price you pay. We only recommend services where there's a real cost or feature advantage for you, and our picks are based on the data on this page, not on which programs pay the most.
