Vast and global “black markets”—what national-security practitioners call shadow economies—are no longer peripheral nuisances but core strategic terrain. Trade executed outside regulatory, taxation, and enforcement frameworks prolongs wars, defangs sanctions, frays alliances, and helps rogue governments and groups survive and thrive. These flows have long been treated as problems for law enforcement, but military and defense policymakers and planners must increase their efforts to account for and stem them.
Shadow trade enables regimes and insurgent groups to survive extreme pressure. Iran's illicit oil exports help sustain the regime amid punishing sanctions. North Korea endures through complex illicit portfolios: counterfeit currency, arms smuggling, cyber theft, and forced labor. Russia earns billions by evading sanctions on oil, gas, and gold exports. Oil-smuggling states create front companies and “dark fleets” of tankers—Russia alone has more than 600—that swap oil at sea to evade sanctions. Shadow insurers and financiers based in Russia, India, other Asian countries, and the Middle East have replaced Western underwriters, generating billions of dollars for the Kremlin's war machine.
Shadow economies blunt the efforts of countries and international organizations to coerce behavior, both in the near and long term. In the near term, revenue lost to sanctions can be made up by illicit trade. In the longer term, rogue states create new systems of patronage to replace formal systems of trade and finance—for example, Russian elites cut off from Western financial systems learn to profit from smuggling and offshore schemes. Shifting influence from formal institutions grants states the operational deniability and adaptability needed to evade economic warfare. There are risks—illicit actors may be empowered to pursue divergent interests—but the benefits are usually worth the costs. And all this erodes deterrence, for why should a regime fear sanctions they can evade?
Shadow economies also strain alliance cohesion. Certain countries—“permissive jurisdictions”—are willing to turn a blind eye or even lend a helping hand to sanctions circumventors. Among them are India, Turkey, UAE, Iran, certain African states, and flag-of-convenience registries.
And shadow economies lengthen wars. Russia’s illicit exports have helped the country defy predictions that it could not sustain immense expenditures on its war on Ukraine. Opium revenues helped the Taliban prevail in Afghanistan.
In the wake of Russia’s 2022 invasion of Ukraine, the shadow economy has expanded and evolved. Moscow has expanded its insurance substitutes in Asia and the Middle East. Iran has intensified illicit oil exports through shadow shipping companies. China's Belt and Road Initiative obscures illicit finance connected to strategic resource competition. African gold increasingly flows through Russia’s Wagner Group, funding Kremlin-backed mercenary campaigns while undermining global financial integrity. Southeast Asia's narcotics and cyber-crime hubs have expanded along with geopolitical competition in the Indo-Pacific.
The intersection of shadow economies and cybercrime has intensified as rogue states and criminal groups engage in ransomware, theft, and fraud against private and public institutions, laundering proceeds through increasingly sophisticated cryptocurrency mixers and exchanges in permissive jurisdictions. These cyber-enabled revenues exacerbate the difficulty in tracing funds and enforcing sanctions.
This all has implications for strategic stability and economic statecraft. Sanctions can no longer be considered silver bullets. Policymakers must anticipate leakage through illicit markets. Illicit revenue streams lengthen conflicts, necessitating long-term strategic preparedness for protracted war.
Here are some steps to take:
Apply our resources and expertise in mapping terrorist-finance networks to broader shadow economies. Use or create intelligence-fusion centers that can identify actors, flows, and chokepoints using data from financial, maritime, cyber, and law enforcement sources.
Include intelligence and assumptions about shadow economies in training, modeling, wargaming, forecasting, and planning.
Strengthen U.S. partners’ ability to enforce trade laws and regulations. Because sanctions evaders seek pathways through countries with weaker enforcement, the United States must strengthen customs, financial oversight, and regulatory capacities in frontline states through training, resource sharing, joint operations, and interoperable sanctions enforcement frameworks.
Make it harder for banks, insurers, shipping companies, and logistics firms to unwittingly enable shadow trade by providing incentives for them to use secure information-sharing platforms, create industry blacklists of shell firms, and increase due-diligence standards.
More precisely target sanctions. Instead of driving large swaths of economic activity underground, take aim at known channels of illicit activity: maritime insurance providers, logistical corridors, key financial rails, and so on.
Dissuade “permissive jurisdiction” governments from enabling shadow trade through diplomatic engagement, economic incentives, and multilateral pressure.
Fight cyber-enabled illicit finance by integrating cybersecurity and financial intelligence efforts, regulating cryptocurrency, improving cross-border cooperation, and hardening critical infrastructure.
Maj. Benjamin Backsmeier is an infantry officer assigned to the INDOPACOM Army Reserve Element. His research focuses on how illicit financial networks interact with national-security interests. The views expressed are those of the author and do not reflect the official position of the Department of the Army or Department of Defense.
In 2025, businesses are facing unprecedented challenges in the digital risk landscape. With cyber threats evolving rapidly, organizations need advanced solutions to detect, assess, and mitigate risks originating outside traditional network perimeters.
Digital Risk Protection (DRP) platforms offer proactive visibility into threats such as brand impersonation, data leaks, phishing attacks, and cybercrime activities that could harm an organization’s reputation, customers, or intellectual property.
This article reviews the Top 10 Best Digital Risk Protection (DRP) Platforms in 2025, with a detailed breakdown of their specifications, features, reasons to buy, pros, cons, and their respective best-case uses.
This guide is designed with SEO-friendly, human-readable content, helping decision-makers find the right DRP tool for their business.
Why Best Digital Risk Protection (DRP) Platforms 2025
The rise of hybrid work, cloud computing, and AI-driven cyberattacks has significantly expanded the attack surface for businesses in 2025.
Gartner and other industry leaders emphasize the adoption of DRP solutions as a critical component of enterprise cybersecurity strategies.
These platforms provide protection against external risks that traditional firewalls and endpoint solutions cannot capture such as credential leaks on dark web forums or phishing domains impersonating your brand.
Selecting the right DRP platform requires careful evaluation of features, such as contextualized threat intelligence, takedown capabilities, global threat databases, automation, and integration with existing SOC workflows.
This article simplifies the process by showcasing the top 10 DRP tools in 2025, their unique strengths, and how they stand out in the competitive cybersecurity landscape.
Comparison Table: Top 10 Digital Risk Protection Platforms 2025
Digital Shadows SearchLight is one of the most recognized DRP platforms that continuously monitors organizational risks across the open, deep, and dark web.
Companies face massive challenges due to leaked credentials, phishing attacks, and impersonation domains.
SearchLight helps reduce detection and response time by providing contextualized reporting, enriched threat intelligence, and automated takedown services.
We picked Digital Shadows because it offers one of the most extensive data collections, covering millions of sources globally.
Specifications
Digital Shadows SearchLight delivers exceptional visibility by combining advanced threat intelligence with contextual alerts. It enables enterprises to discover data breaches, domain impersonations, and compromised accounts before they escalate.
Leveraging automation significantly reduces the workload on SOC teams, while swift takedown capabilities ensure phishing websites are removed quickly.
Features
SearchLight includes a wide range of features such as stolen credential detection, data breach monitoring, dark web exploration, incident prioritization, and phishing domain takedowns.
It deploys machine learning models to filter irrelevant findings and deliver actionable intelligence. Organizations benefit from precise threat categorization and extended intelligence coverage across both structured and unstructured sources.
Reason to Buy
If your business is heavily targeted by cybercriminals or handles sensitive customer data, Digital Shadows SearchLight offers the right balance of coverage and automation.
The efficiency with which it uncovers external risks ensures businesses can avoid reputational harm and regulatory penalties. Its emphasis on speed, accuracy, and timely remediation distinguishes it from other platforms.
Pros
Comprehensive dark web monitoring
Automated phishing site takedowns
Simple integration with SOC tools
Actionable and contextual alerts
Cons
Designed mainly for large organizations
Slightly higher cost compared to alternatives
Best For: Enterprises that demand deep visibility into external threats with automated remediation capabilities.
ReliaQuest is a rising leader in DRP, known for its emphasis on unifying detection across both internal and external threat environments.
Its platform gives organizations unmatched control by blending digital risk protection with SIEM and SOAR integrations.
We selected ReliaQuest because it addresses a key market need: consolidating multiple threat intelligence feeds into a single platform.
The tool delivers enhanced analyst productivity by reducing alert fatigue. In 2025, when enterprises face budget constraints but need greater security outcomes, ReliaQuest provides cost-efficiency without sacrificing threat visibility.
Specifications
ReliaQuest DRP integrates with threat intelligence sources, business applications, and SOC systems to deliver continuous discovery and response. The platform tracks risks such as leaked credentials, malicious domains, and brand impersonation.
With an intuitive dashboard, it empowers security teams to optimize response strategies. Its key strength lies in correlating external threats with internal incidents, enabling more effective decision-making.
Features
ReliaQuest offers domain impersonation identification, data leakage detections, actionable alerts, and advanced risk scoring.
It allows automated workflows, particularly beneficial for businesses handling complex environments. In addition, flexible integration options allow seamless workflows with security orchestration tools, ensuring faster remediation.
Reason to Buy
The ability to identify external digital risks and simultaneously tie them back to internal response practices makes ReliaQuest unique.
This dual focus on external and internal threats reduces duplication of efforts and ensures efficient use of cybersecurity budgets.
Pros
Strong SIEM/SOAR integration
Simplified analyst workflows
Cost-effective DRP solution
Unified threat correlation
Cons
Fewer takedown services compared to others
Learning curve for advanced features
Best For: Enterprises seeking consolidated visibility across their security operations with external risk protection.
Proofpoint is widely known for its dominance in email security, but its digital risk protection platform takes defense a step further.
We picked Proofpoint because of its strength in identifying and mitigating threats tied to phishing and account takeover attacks.
In 2025, phishing scams continue to be a top driver of data breaches across industries, making Proofpoint’s capabilities critical. Another reason is its unmatched takedown services backed by global expertise.
Proofpoint’s tight integration with email security provides a multi-dimensional defense, allowing companies to protect users, brands, and assets simultaneously.
Specifications
Proofpoint DRP specializes in detecting phishing campaigns, malicious domains, and fraudulent social media accounts impersonating brands.
It leverages advanced threat intelligence networks, ensuring timely alerts and remediation strategies. Its comprehensive visibility covers open sources, dark web forums, and suspicious domains registered globally.
Features
Proofpoint DRP comes with takedown capabilities, detailed impersonation monitoring, fake social media account identification, and phishing domain detection.
It extends its coverage to mobile app store impersonations, making it especially valuable for consumer-focused brands.
Reason to Buy
For businesses that consider phishing attacks as their top threat, Proofpoint delivers unmatched expertise.
It enables organizations to swiftly identify and disrupt ongoing campaigns while ensuring brand integrity remains intact.
Pros
Strong phishing detection capabilities
Global takedown expertise
Integration with Proofpoint’s email defense
Comprehensive social media monitoring
Cons
Premium pricing for advanced packages
Heavier focus on phishing may limit versatility
Best For: Companies targeted by phishing and impersonation attacks on multiple channels.
UpGuard BreachSight has emerged as one of the best DRP platforms for businesses looking for continuous monitoring over their digital footprint.
We picked it because of its focus on external attack surface management combined with its ability to detect exposed data and leaked credentials rapidly.
In 2025, data leaks are one of the most frequent causes of breaches, and having a tool like UpGuard helps businesses detect vulnerabilities before criminals exploit them.
Another noteworthy reason is its user-friendly UI, which makes cyber risk insights accessible even for non-technical teams.
With its powerful automation, easily scalable engine, and actionable insights, UpGuard stands out in protecting reputations and minimizing the risks of breaches.
Specifications
UpGuard BreachSight focuses on identifying data leaks, misconfigurations, and reputational threats across the surface, deep, and dark web.
It emphasizes automated external attack surface management, enabling companies to visualize their vulnerabilities effectively.
Features
UpGuard’s features include real-time exposure monitoring, leaked credential discovery, risk scoring, third-party risk management integrations, and alert systems for compromised domains or accounts.
It leverages automation to cut analysis time while offering human-aided validation options for precise reporting.
Reason to Buy
Organizations that value ease of use and rapid time-to-value should consider BreachSight. Its powerful risk scoring and automation allow teams to stay ahead of breaches while making vendor and internal monitoring smooth.
Pros
Easy to implement and use
Strong vendor risk management capabilities
Focus on data exposure and breach detection
Automated monitoring with real-time alerts
Cons
Limited takedown services compared to competitors
Might lack advanced SOC integration features
Best For: Organizations and SMBs needing user-friendly breach detection combined with vendor risk visibility.
BlueVoyant Sky DRP is gaining global recognition because of its AI-driven risk intelligence along with continuous protection against external threats.
We selected BlueVoyant because of its unique combination of threat detection and managed services. This ensures that even organizations without major internal SOC teams can still benefit from high-level risk protection.
In 2025, outsourcing cybersecurity expertise while maintaining robust DRP solutions has become a trend, and BlueVoyant stands solidly in this niche.
The tool’s powerful network of analysts provides real-time advisories while making digital threat insights actionable. Moreover, BlueVoyant’s reputation for customer-centric service resonates strongly with enterprises that value consultative partnerships.
Specifications
The BlueVoyant Sky DRP platform delivers advanced protection covering phishing attempts, dark web monitoring, and fraudulent activities impacting client organizations.
It combines AI-powered intelligence with human-led investigations to deliver effective action. Its infrastructure gives real-time threat alerting with dashboard customization to align with enterprise reporting requirements.
Features
The features include domain takedowns, data breach discovery, threat intelligence enrichment, continuous digital footprint monitoring, and social media threat identification.
Added support from cybersecurity experts makes remediation faster and smoother for businesses.
Reason to Buy
If your organization prefers a solution combining cutting-edge technology with human expertise, BlueVoyant is an excellent choice.
It delivers faster response and ensures skilled guidance during threat detection incidents.
Pros
Real-time global threat database
24/7 managed support model
AI-driven intelligence with quick alerts
Strong customer service standards
Cons
Higher dependency on external managed support
Pricing may be premium for SMBs
Best For: Enterprises seeking a blend of AI-powered DRP capabilities and managed response services.
Recorded Future has solidified its leadership position in threat intelligence, and its Intelligence Cloud is a natural extension, delivering powerful DRP functionalities.
We picked Recorded Future because of its enormous data-driven risk intelligence framework, which stands unmatched in coverage and real-time insights.
In 2025, where intelligence-driven responses determine cybersecurity success, Recorded Future’s approach ensures businesses not only detect risks but understand their context.
Its machine learning models and data analytics deliver high-quality insights across industries. What separates Recorded Future is its vision of contextualization, offering organizations not just alerts but actionable intelligence tailored to their risks.
Specifications
Recorded Future’s Intelligence Cloud aggregates billions of indexed data points from surface, deep, and dark web sources.
It focuses on proactive external risk detection while offering seamless integration with SOC tools and threat-hunting workflows. Its in-depth contextualization of adversary tactics provides valuable foresight into risks.
Features
The platform includes automated dark web monitoring, ransomware leak site tracking, phishing domain detection, and enriched intelligence reporting.
It supports collaborative intelligence to help SOC teams prioritize events and correlate them with MITRE ATT&CK frameworks.
Reason to Buy
Organizations that prioritize intelligence-led cybersecurity will find Recorded Future invaluable. This platform ensures actionable foresight, efficient context, and powerful integrations with existing enterprise infrastructure.
Pros
Unmatched global intelligence database
Contextualized threat insights
Collaborative features with SOC integration
Strong focus on proactive defense
Cons
More complex to learn for small teams
Premium enterprise pricing
Best For: Enterprises seeking intelligence-driven cybersecurity with strong dark web visibility.
CrowdStrike Falcon Intelligence integrates seamlessly within CrowdStrike’s ecosystem, making it a preferred choice for organizations already relying on Falcon for endpoint security.
We picked it because it brings together endpoint visibility and external digital risk protection in one unified solution.
As enterprises increasingly seek consolidation, Falcon Intelligence offers both effectiveness and cost savings.
Its strong adaptive AI ensures precision by correlating external intelligence with endpoint activity. Falcon Intelligence also excels in speeding up responses to ransomware, phishing, or credential theft campaigns.
Specifications
CrowdStrike Falcon Intelligence collects threat data across the digital ecosystem, analyzes it using AI-driven models, and augments investigations with real-time intelligence reports.
Its integration with Falcon’s endpoint protection enhances risk visibility and increases detection efficiency.
Features
Its features include credential leakage tracing, phishing site takedowns, malware enrichment intelligence, ransomware preparation insights, and dark web brand monitoring.
It also leverages real-time incident correlation and integrates well with SIEM solutions.
Reason to Buy
If you seek both endpoint and external risk visibility in one console, CrowdStrike delivers a unique edge. Its proactive intelligence highlights adversary activity, increasing resilience significantly.
Pros
Strong endpoint plus DRP synergy
AI-powered contextual risk reports
Global reputation in cybersecurity
Real-time enrichment for SOC teams
Cons
Best value mainly for organizations already with CrowdStrike
Can be costly for SMBs seeking standalone DRP
Best For: Businesses seeking unified endpoint and external threat visibility.
ZeroFox is a well-known name in digital risk protection, with a significant focus on social media, domain, and dark web risk mitigation.
We picked ZeroFox because of its high coverage in protecting brands from impersonation, particularly online. In 2025, social engineering and fake social accounts remain one of the fastest-growing attack vectors exactly where ZeroFox excels.
It combines automated takedowns, intelligence feeds, and robust monitoring to reduce digital exposure effectively. The platform also delivers scalable solutions suitable for organizations of all sizes, making it flexible and highly adoptable.
Specifications
ZeroFox offers intelligence across public platforms, domain registries, and underground forums.
It delivers brand protection through domain spoof takedowns, breach discovery, and malicious content disruption, making it ideal for marketing and customer-facing enterprises.
Features
Its key features include real-time alerting, fake account identification, malicious domain removals, phishing campaign disruption, and SaaS-based deployment flexibility.
It also includes automation for large-scale monitoring of social media impersonations.
Reason to Buy
If brand and social media risks are your highest concern, ZeroFox ensures your organization maintains credibility and customer trust. Its rapid takedown services safeguard reputational equity.
Pros
Strong brand impersonation defense
Automated phishing and domain removals
User-friendly SaaS solution
Wide coverage for social platforms
Cons
Less focused on advanced intelligence analysis
Premium add-ons may increase costs
Best For: Businesses highly exposed to social engineering risks and brand impersonation.
Rapid7 is widely known for its vulnerability management tools, but Threat Command adds a vital external risk protection layer.
We picked Threat Command because it provides deep coverage of underground forums and social media environments.
In 2025, where credential theft and underground chatter act as precursors to significant attacks, Rapid7 provides critical visibility.
For companies already invested in Rapid7 solutions, this creates a solid ecosystem with both internal and external protection.
Specifications
Threat Command offers protection by correlating intelligence from the deep web, dark web, social media, and malicious domains.
It also complements forensics investigations by enriching logs with proactive intelligence. Its streamlined dashboard makes it easy to prioritize urgent risks affecting enterprises.
Features
The platform includes domain and brand monitoring, credential leakage alerts, dark web scanning, tailored risk analysis, and SOC-compatible integrations.
Automated workflows allow faster alert response rules for operational efficiency.
Reason to Buy
Rapid7’s Threat Command is highly suitable for companies using its vulnerability management solutions, offering a seamless consolidated approach to cyber defense.
Pros
Strong dark web coverage
Simple integration with Rapid7 ecosystem
Easy-to-use interface for SOC analysts
Great for comprehensive threat intelligence users
Cons
Limited takedown services compared to leaders
Focuses heavily on integration within Rapid7 users
Best For: Companies seeking synergy with Rapid7 security solutions paired with expanded DRP visibility.
PhishLabs, now part of Fortra, focuses strongly on phishing prevention and brand protection.
We picked PhishLabs because phishing remains the top enterprise cyber threat of 2025, and this tool provides specialized coverage for detecting, disrupting, and remediating phishing campaigns.
Its integration of human expertise with powerful automation makes it unique. Businesses benefit not only from detection insights but also from hands-on interventions to stop threats quickly.
PhishLabs also offers one of the best operational supports for organizations in financial services, e-commerce, and industries that are most targeted by phishing.
Specifications
PhishLabs DRP leverages global networks for phishing campaign identification and malicious content removal. It integrates directly with incident response teams ensuring timely remediation at scale.
Its intelligence feeds also improve proactive visibility into organizational risk.
Features
It offers capabilities such as phishing site takedowns, credential theft monitoring, fake social media account monitoring, dark web activity tracking, and phishing email campaign disruption.
Its case management portal ensures clear workflows for response teams.
Reason to Buy
For businesses under constant phishing attack pressure, PhishLabs provides specialized expertise unmatched in its category. Its targeted focus makes it a dependable asset for digital security strategies.
Pros
Specialized anti-phishing coverage
Extensive takedown support
Tailored case management portal
Expert-driven solutions
Cons
Narrow focus on phishing mainly
Less comprehensive than multi-purpose DRP platforms
Best For: Organizations targeted heavily by phishing campaigns needing expert-driven takedown services.
Choosing the right Digital Risk Protection (DRP) platform in 2025 depends on your organization’s exposure, priorities, and current cybersecurity stack.
From Digital Shadows’ deep intelligence coverage and Proofpoint’s phishing takedown expertise to ZeroFox’s social media defense and PhishLabs’ specialized anti-phishing capabilities, each solution brings unique strengths.
By carefully evaluating features, specifications, and cost-to-value considerations, businesses can protect their brand, customers, and reputation proactively in an era of rising cyber threats
Cybersecurity has become one of the most vital aspects of the digital-first world, where organizations face advanced and persistent threats daily.
The need for Cyber Threat Intelligence (CTI) companies has never been more important in 2025.
These companies provide organizations with real-time insights, actionable intelligence, and intelligence-driven defense mechanisms to protect sensitive data, critical infrastructure, and reputation from cybercriminals.
This article highlights the Top 10 Best Cyber Threat Intelligence Companies in 2025 that stand out with their expertise, advanced intelligence platforms, and proven solutions.
Each company listed has been reviewed based on its specifications, features, reasons to buy, and best use cases, ensuring you have the right information before choosing the right CTI solution.
Why Best Cyber Threat Intelligence Companies In 2025
With a surge in cyberattacks such as ransomware, phishing, state-sponsored attacks, and data breaches, organizations require intelligence-led solutions that go beyond firewalls and antivirus software.
Cyber Threat Intelligence (CTI) platforms provide businesses with proactive knowledge about attackers, their motives, TTPs (Tactics, Techniques, and Procedures), and vulnerabilities.
These top 10 cyber intelligence companies of 2025 have been selected based on their global reputation, innovation, scalability, machine learning integrations, and the relevance of their threat intelligence feeds.
They are highly trusted by governments, enterprises, and critical industries worldwide to safeguard against advanced persistent threats (APTs).
Comparison Table: Top 10 Cyber Threat Intelligence Companies In 2025
Recorded Future is renowned as one of the world’s most trusted threat intelligence platforms in 2025.
Its powerful machine learning-driven analytics and vast data collection capabilities ensure real-time insights into threat actor behavior.
Organizations across industries rely on it to understand emerging attack patterns, vulnerabilities actively being exploited, and potential risks to business operations.
It excels in providing structured intelligence that cybersecurity teams can quickly apply to strengthen defense systems.
Specifications
With its expansive threat data collection from open sources, dark web, and technical feeds, Recorded Future provides unmatched intelligence insights.
Its AI-driven technology processes billions of data points per day, delivering highly relevant alerts. The platform seamlessly integrates with SOC workflows, threat hunting, and incident response systems.
Features
Recorded Future is loaded with features, including dark web monitoring, vulnerability intelligence, third-party risk detection, and geopolitical threat alerts.
Its ability to detect attack campaigns early allows organizations to respond faster. Customized dashboards allow security teams to view actionable insights relevant to their sector.
Reason to Buy
Enterprises should choose Recorded Future for its industry-leading breadth of intelligence, proven track record in predicting and mitigating risks, and broad integrations with other security tools.
The solution is tailored for proactive security strategies, critical for tackling modern cyber threats.
Pros
Extensive real-time data collection
Best dark web threat visibility
AI-driven threat predictions
Global threat awareness
Cons
Premium pricing for enterprises
Can be complex for small-scale teams
Best For: Large enterprises and governments seeking complete visibility into global cyber threats.
Anomali ranks among the most innovative cyber threat intelligence providers in 2025, offering a scalable, intelligence-driven security platform.
It specializes in aggregating large volumes of threat data and correlating it with an organization’s environment to deliver actionable insights.
Security teams benefit from its ability to reduce noise by highlighting the most relevant threats that matter to their business.
The platform integrates seamlessly with an organization’s SIEM and SOC tools, empowering analysts to maximize visibility.
Anomali is widely recognized for its intelligence-driven approach and ability to map threats against global adversaries with precision. It’s designed to help enterprises detect targeted attacks quickly through enriched threat intelligence feeds.
Specifications
Anomali’s threat intelligence platform ingests data from commercial, open-source, and custom threat feeds. Its analytic engine processes this information at scale to enhance detection and threat-hunting activities.
The company uses advanced AI and machine learning models to identify attack patterns and suspicious activity, improving operational efficiency.
Features
The platform’s core features include threat visibility, automated intelligence enrichment, advanced analytics, and cross-platform integrations. Anomali also provides adversary tracking, helping organizations understand who might be targeting them.
Its unique ability to map threats against frameworks like MITRE ATT&CK ensures precise detection of real-world attacks.
Reason to Buy
Anomali offers accurate, actionable intelligence that helps organizations align their defenses with attacker tactics.
The platform enhances the capability of existing cybersecurity infrastructures while simplifying incident detection and investigation.
Pros
High scalability and integration support
Excellent adversary tracking capabilities
Real-time correlation of threat intelligence
User-friendly dashboards
Cons
Requires training for full utilization
Can be expensive for smaller firms
Best For: Mid-to-large enterprises focusing on adversary mapping and intelligence-driven defenses.
CrowdStrike is globally known for redefining endpoint security with its Falcon platform, which also integrates advanced cyber threat intelligence.
In 2025, it remains a trusted CTI solution for companies worldwide. CrowdStrike combines endpoint detection with real-time threat intelligence, providing visibility and response to nation-state and cybercrime group activities.
Its intelligence team is known for exceptional research on APT groups and ransomware gangs. The company stands apart due to its ability to merge IT operations, endpoint visibility, and threat detection on a cloud-native platform.
CrowdStrike is also a leader in proactive threat hunting and provides organizations with reports that help them anticipate and block emerging cyberattack campaigns.
Specifications
CrowdStrike’s Falcon Intelligence integrates seamlessly with its endpoint protection and SIEM solutions. It provides rich adversary profiling, real-time alerting, and threat-hunting data.
The platform combines AI capabilities and human intelligence from elite researchers and analysts. Falcon’s cloud-native architecture ensures fast deployment, scalability, and lower maintenance overheads for enterprises of all sizes.
Features
Core features include real-time endpoint monitoring, APT actor profiling, ransomware attack detection, and automated investigations.
Its intelligence feeds help provide global visibility into adversary activity around the clock. The Falcon OverWatch service provides managed threat hunting, giving companies an added layer of expertise.
Reason to Buy
CrowdStrike delivers intelligence embedded within its endpoint platform, making it ideal for organizations that want a one-stop solution for both protection and prevention.
Its reports on nation-state threats and large criminal networks make it indispensable.
Pros
Strong nation-state profiling
Endpoint and intelligence platform integration
Cloud scalability with fast deployment
Managed threat hunting service
Cons
Higher price point
Some advanced features require add-ons
Best For: Enterprises that require endpoint defense combined with advanced threat intelligence.
IBM X-Force combines decades of experience with advanced CTI innovation, positioning itself among the leaders in 2025.
The X-Force team is one of the most respected research groups globally, tracking cybercriminal behavior, malware families, and vulnerabilities at scale.
IBM integrates its intelligence into both standalone products and its enterprise-focused security services.
The key value of IBM X-Force lies in its ability to link research with direct mitigation strategies, providing practical defenses.
Organizations appreciate its comprehensive research-backed intelligence feeds and analytical approach to identifying evolving risks. With a global incident response team, X-Force is also a top partner for enterprises managing breaches.
Specifications
IBM X-Force aggregates data across millions of monitored endpoints, email servers, and network systems. Its intelligence services integrate with IBM QRadar for detection and prevention.
Advanced AI-driven analysis identifies emerging threats, while IBM Watson aids predictive capabilities. The team produces continuous threat reports, ensuring organizations stay informed about the latest attack vectors.
Features
Standout features include malware analytics, vulnerability research, predictive intelligence feeds, and global breach monitoring. IBM also provides red team exercises, penetration testing, and incident response services tied directly into its intelligence insights.
Reason to Buy
IBM Security is trusted by some of the biggest industries worldwide. The research and insights from its globally renowned intelligence team make it irreplaceable for companies aiming for enterprise-level defenses.
Pros
Globally trusted research team
Strong integration with IBM QRadar & Watson
Comprehensive vulnerability and malware research
Enterprise-level managed services
Cons
Complex deployment for small teams
Better fit for enterprise budgets
Best For: Large organizations needing enterprise-class CTI integrated with response services.
Palo Alto Networks is a pioneer in cybersecurity and continues to innovate with its Unit 42 threat intelligence team in 2025. Unit 42 actively investigates and reports on global APT campaigns, ransomware groups, and advanced exploits.
The company offers deep intelligence directly within its Next-Generation Firewalls and Prisma Cloud products, providing real-time defense integrated with its vast intelligence data.
Palo Alto Networks’ intelligence-driven approach ensures organizations benefit from both high-performing network security tools and industry-leading threat research.
Specifications
Unit 42 aggregates malware data, threat actor campaigns, and exploits to deliver intelligence across Palo Alto’s products.
AI and automation enhance detection of zero-day attacks and adversary campaigns. The intelligence is integrated directly into the products, reducing manual workflows and enhancing security speed.
Features
Key features include malware analysis, APT profiling, zero-day detection, and direct integration into network and cloud security products.
Palo Alto networks also provides detailed threat research reports, accessible to organizations worldwide.
Reason to Buy
Organizations benefit from Palo Alto’s combination of next-gen firewalls with deep CTI insights, offering protection at multiple levels.
It is ideal for businesses seeking integrated network and cloud defense backed by world-class researchers.
Pros
Industry-leading firewalls with CTI integration
Advanced AI-driven malware research
Zero-day detection capability
Strong APT tracking reports
Cons
Best used with Palo Alto’s ecosystem
Premium pricing may not suit mid-market vendors
Best For: Businesses already using Palo Alto firewalls or seeking cloud-native CTI solutions.
Mandiant remains among the most powerful names in cyber intelligence in 2025. Its expertise in incident response and threat analysis makes it highly trusted worldwide.
Mandiant provides tailored CTI services, assisting organizations in understanding adversaries and preventing breach attempts.
Known for investigating some of the largest cyberattacks globally, Mandiant delivers unmatched insights into attacker behaviors.
Organizations value its intelligence reports, which cover real-world attacks across industries.
Specifications
Mandiant collects intelligence from ongoing investigations, dark web sources, and adversary traces across the globe.
It offers both machine intelligence and expert-validated analysis. Its CTI platform enables SOCs and CISOs to detect threats targeting industries and regions precisely.
Features
Mandiant offers unique features such as attack simulation, threat hunting, APT profiling, and rapid response intelligence. Its platform can identify industry-specific threats and provide direct recommendations for defense.
Reason to Buy
Mandiant’s real-world insights and extensive research on advanced threat actors make it a great choice for organizations needing threat forecasting and quick incident response options.
Pros
Trusted globally for breach investigations
Real-world adversary profiling
Customized intelligence for industries
Rapid incident intelligence delivery
Cons
Premium consulting services can be costly
Platforms are best suited for enterprise clients
Best For: High-risk industries and enterprises requiring expertise-backed intelligence.
Digital Shadows is one of the most recognized cyber threat intelligence companies in 2025, specializing in digital risk protection and dark web monitoring.
Its award-winning platform, SearchLight, offers organizations real-time intelligence about exposed data, brand threats, and risks from the open, deep, and dark web.
We picked Digital Shadows because of its ability to tackle external risks like leaked corporate credentials, phishing domains, or insider threat chatter before they develop into critical breaches.
By leveraging automation and human expert validation, Digital Shadows provides organizations with intelligence tailored to their risk posture.
Specifications
The platform integrates external monitoring with threat intelligence, bridging internal security with global insights. Its strength lies in monitoring millions of sources across the dark web, criminal forums, and underground networks.
Digital Shadows enriches intelligence with context, making it actionable for SOC teams. Its automated workflows further optimize threat investigation and response processes.
Features
Key features include credential leakage monitoring, brand protection alerts, phishing detection, and dark web intelligence feeds.
Organizations can detect exposed assets, compromised data, or reputational risks before attackers exploit them. Dashboards deliver user-friendly insights aligned with the organization’s industry and risk profile.
Reason to Buy
Digital Shadows helps protect against external digital risks and strengthens incident response preparedness.
For organizations exposed to brand abuse, insider chatter, or phishing threats, it provides unmatched visibility.
Pros
Excellent dark web monitoring capabilities
Brand protection and phishing detection tools
Combines automation with human expert analysis
Provides actionable risk mitigation steps
Cons
May require integration with other SOC tools for full value
Advanced features are enterprise-oriented
Best For: Companies looking for dark web monitoring, brand protection, and risk exposure visibility.
FireEye, now closely aligned with Trellix, is one of the longest-standing names in cyber threat intelligence in 2025. Known for investigating global cyberattacks, FireEye CTI specializes in adversary profiling, malware research, and incident response support.
Organizations trust FireEye for deep intelligence across APT groups, ransomware trends, and targeted cyberattack campaigns.
FireEye’s threat intelligence reports are widely cited across industries for their accuracy and predictive nature. It brings together human threat hunters with automated feeds, delivering a balanced CTI solution.
Specifications
FireEye collects intelligence from its global customer deployments, automated analytics, and incident response engagements.
The intelligence is enriched by FireEye Mandiant researchers, ensuring enterprises get insights validated by experts. The platform integrates easily with SIEM, endpoint, and email security workflows.
Features
Key features include APT tracking, malware forensics, ransomware monitoring, vulnerability insights, and industry-specific attack intelligence.
FireEye combines predictive analytics with context-rich alerts. Its incident response data adds a layer of real-world experience lacking in purely automated systems.
Reason to Buy
FireEye is the go-to platform for organizations requiring advanced threat insights backed by incident forensics and intelligence validation.
Its longevity and experience in breach response highlight its unmatched reputation.
Pros
Highly experienced CTI research team
Real-world validated intelligence
Detailed ransomware and APT profiling
Wide range of integration options
Cons
Some tools now transitioned under Trellix suite
Pricing is on the higher side
Best For: Enterprises seeking validated CTI from a legacy leader in security intelligence.
Flashpoint has developed into a leading intelligence provider, focusing heavily on deep and dark web activity monitoring in 2025. Its intelligence covers fraud detection, insider activity, data leaks, and ransomware negotiations.
Flashpoint’s expertise makes it invaluable for banks, governments, and enterprises worried about criminal underground activity.
We selected Flashpoint because of its focus on operational and cyber threat intelligence combined with actionable business risk insights.
Its platform is highly specialized in fraud detection and cybercrime group tracking, making it unique among CTI providers.
Specifications
Flashpoint harvests intelligence from closed communities, criminal groups, and dark web sources where malicious activities originate.
Using natural language processing and AI simulations, it delivers enriched feeds with contextualized insights.
Features
The platform provides fraud detection tools, ransomware intelligence, credit card fraud monitoring, and phishing detection.
It offers unmatched insights into illegal forums, providing early detection of threats such as compromised user data or insider leaks.
Reason to Buy
Flashpoint is ideal for organizations where threats extend beyond IT infrastructure. Its intelligence helps businesses act on fraud-related activities and cyber risks before they escalate.
Pros
Superior dark web intelligence quality
Strong focus on business fraud detection
Monitoring of insider and underground communities
Provides actionable contextual insights
Cons
May be overwhelming for smaller companies
High-level functionality best suits larger SOCs
Best For: Financial services, government agencies, and enterprises facing fraud or underground crime risks.
RiskIQ, now part of Microsoft, is widely regarded for its external attack surface management (EASM) and threat intelligence expertise in 2025.
It provides organizations with visibility into their global digital footprint, identifying vulnerabilities and risks before attackers.
We picked RiskIQ due to its unmatched ability to expose malicious infrastructures, phishing campaigns, and impersonation domains across the web.
By combining threat intelligence with attack surface discovery, RiskIQ empowers organizations to defend proactively rather than reactively.
Its continuous monitoring of web infrastructures ensures early identification of potential threats.
Specifications
RiskIQ collects intelligence across billions of web pages, digital certificates, domains, and IP addresses daily. Its advanced analytics and external scanning tools provide unmatched breadth into attacker activities.
Integration with Microsoft security products has also increased its enterprise adoption.
Features
Notable features include attack surface mapping, phishing domain identification, SSL and certificate monitoring, and malicious infrastructure detection.
Its platform provides complete visibility into a company’s external assets connected to the internet.
Reason to Buy
RiskIQ stands out for organizations looking to manage external risks, prevent brand abuse online, and detect fraudulent domains before damage occurs.
Its connection to Microsoft further enhances its enterprise-grade reliability.
Pros
Best-in-class external attack surface monitoring
Strong phishing detection
Integration with Microsoft Security Suite
Global malicious infrastructure mapping
Cons
Complexity for smaller companies
Advanced features are enterprise-focused
Best For: Organizations prioritizing external attack surface discovery and brand protection.
The Top 10 Best Cyber Threat Intelligence Companies in 2025 represent global leaders in equipping organizations with actionable insights to stay ahead of attackers.
From Recorded Future’s predictive intelligence to RiskIQ’s attack surface visibility, each of these tools provides unmatched strengths tailored to specific business needs.
As cybercriminals become more inventive, selecting the right CTI provider ensures your organization can detect, prevent, and respond to threats before they escalate into breaches.
By analyzing the specifications, features, pros, and cons of these 10 leading platforms, businesses can align their cybersecurity investments with the intelligence that matters most.
In today’s fast-paced digital landscape, cyber attacks have become more complex, frequent, and damaging than ever before. Businesses, governments, and organizations need stronger solutions to protect their assets from evolving threats.
End-to-end threat intelligence platforms play a crucial role in providing actionable insights, real-time data, and automated defenses against cyber threats.
These solutions empower security teams to stay ahead of malicious actors, minimize risks, and achieve greater resilience.
This article highlights the Top 10 End-to-End Threat Intelligence Companies of 2025, carefully evaluated based on their threat detection capabilities, automation, scalability, integration potential, and reliability.
We have provided specifications, reasons to buy, features, pros, and cons to help you make the best decision for your security needs.
Why End-to-End Threat Intelligence Companies 2025
Choosing the right threat intelligence platform can change the entire cybersecurity posture of an organization.
These companies are market leaders because they provide real-time analytics, machine learning-driven threat detection, and integrations with other security tools.
Whether you are a large enterprise, mid-sized organization, or government entity, these solutions are designed to deliver intelligence that helps mitigate attacks before they cause substantial damage.
In 2025, the companies outlined here are truly defining the future of cybersecurity worldwide.
Comparison Table: Top 10 End-to-End Threat Intelligence Companies 2025
Mandiant has long been regarded as a global leader in threat intelligence and incident response.
In 2025, it has improved its offerings by enhancing its AI-based detection system, integrating automated response workflows, and empowering organizations with nation-state-level threat insight.
Its reputation as a trusted intelligence partner makes it one of the most reliable options for enterprises seeking proactive defense against sophisticated attacks.
Over the years, Mandiant has developed exclusive visibility into global attack trends, making its reports and insights particularly valuable for government agencies and Fortune 500 companies
Specifications
Mandiant’s specifications provide unmatched visibility into active cyber campaigns globally. The solution integrates with multiple SIEM and SOAR platforms to reduce complexity.
It is powered by advanced threat correlation engines that can discover previously unknown malware and attack vectors. Its scalability allows large enterprises with complex infrastructures to gain centralized monitoring.
Features
Mandiant comes with enhanced threat hunting features, real-time risk scoring, forensic analysis, and automated workflows. Its machine learning-powered analytics identify attack patterns early and recommend relevant responses.
Reason to Buy
Organizations should consider Mandiant for its world-renowned expertise, global intelligence visibility, and precision-driven detection systems. It also ensures faster detection-to-mitigation cycles supported by expert human analysts.
Pros
World-leading threat intelligence expertise
Strong forensic and incident response capabilities
Integrates with wide range of security tools
Cons
Expensive for smaller businesses
Requires skilled analysts to utilize full potential
Best For: Enterprises, governments, and high-security industries needing global threat intelligence and rapid incident response.
Anomali is a leading name in the field of threat detection and analysis, offering a powerful threat intelligence platform designed for scalability and precision.
In 2025, Anomali continues to deliver cutting-edge threat visibility capabilities that help enterprises of all sizes reduce risks with actionable insights.
The platform is particularly strong in its anomaly detection and its capacity to integrate threat intelligence across hybrid and multi-cloud environments.
Anomali also enhances detection precision by leveraging AI-driven analytics layered with contextual threat intelligence.
Specifications
Anomali’s solution emphasizes flexibility and integration. It can be deployed across hybrid infrastructures, enhancing coverage for organizations that span multiple environments.
Its architecture supports multi-tenant models, enabling service providers to deliver intelligence services effectively.
Features
The platform features anomaly detection, global threat feeds, correlation engines, cloud-native scaling, and API-driven integrations with all major security ecosystems.
Reason to Buy
Organizations should choose Anomali if they require high scalability, real-time anomaly-based analysis, and advanced data correlation methods while maintaining strong integration with existing security operations.
Pros
Strong anomaly detection capabilities
Easy integration with SIEM and SOAR
Excellent scalability for hybrid and cloud
Cons
May require training for advanced use
Some premium features come at additional cost
Best For: Organizations that require scalable intelligence platforms integrated directly into security workflows.
CrowdStrike is globally recognized as one of the most advanced cybersecurity companies, offering a cloud-native Falcon platform for threat intelligence, EDR, and endpoint protection.
In 2025, CrowdStrike remains ahead of attackers with AI-enabled threat detection and one of the largest telemetry datasets, collected globally.
We picked CrowdStrike because it delivers an end-to-end solution with unmatched speed of detection and highly effective automation capabilities.
The Falcon platform is also extremely lightweight compared to traditional endpoint security systems, which makes it attractive for organizations seeking seamless deployment.
Specifications
CrowdStrike Falcon provides endpoint-to-cloud visibility while scaling across global enterprise infrastructures. Its AI-driven analytics are built on one of the industry’s largest threat datasets.
APIs allow smooth integration with SIEMs, vulnerability management tools, and SOAR platforms. Its low system overhead ensures minimal disruption to user devices while maximizing data collection.
Features
Some of its top features are AI-driven real-time detection, Falcon OverWatch threat hunting, cross-platform protection, rich telemetry, and cloud-native updates.
Reason to Buy
CrowdStrike is a strong pick for those seeking high-speed prevention, detection, and remediation while integrating next-generation intelligence into automated workflows.
Pros
Cloud-native, lightweight agent
Industry-leading global telemetry
Superior AI and human-led analysis
Cons
Premium pricing model
May be resource-intensive for SMBs
Best For: Large enterprises needing reliable, AI-driven endpoint and cloud security with strong threat hunting capabilities.
Palo Alto Networks remains a global leader in cybersecurity innovation, offering its Cortex threat intelligence solutions along with industry-leading firewalls, cloud, and endpoint systems.
In 2025, their combination of AI-powered intelligence with automated threat prevention systems sets them apart.
We picked Palo Alto Networks because their tools deliver a unified security ecosystem rather than disparate solutions, simplifying security operations while improving accuracy.
Another reason is the continuous integration of Unit 42, their elite threat intelligence team, which provides global attack insights blended with machine learning-driven models.
Specifications
Palo Alto’s solution integrates Cortex XSOAR, endpoint protection, and global threat intelligence into a streamlined ecosystem. Its specifications emphasize real-time adaptive threat prevention with zero-trust support.
APIs and out-of-the-box integrations with mainstream vendor solutions make it seamless to adapt.
Features
Advanced analytics with Cortex, real-time threat feeds from Unit 42, automated response capabilities, robust firewall integration, and scalable multi-cloud support.
Reason to Buy
Palo Alto Networks is a good fit for businesses wanting an end-to-end ecosystem blending global intelligence, zero trust, automation, and broad integration capabilities.
Pros
Full-stack integration of security products
Zero trust security support
Best-in-class firewall capabilities
Cons
Higher price for complete ecosystem
Complexity may be overwhelming for SMBs
Best For: Enterprises requiring full-spectrum defense across firewalls, endpoints, and cloud security.
Recorded Future is among the most widely adopted intelligence platforms with broad coverage across cyber, open web, dark web, and geopolitical trends.
In 2025, it stands out for predictive intelligence built on real-time global monitoring. We picked Recorded Future because its Intelligence Graph delivers unparalleled contextualization of threats, which helps organizations act faster on insights.
Another key advantage is its customizable approach, allowing enterprises to align threat intelligence with business-critical assets.
The company has also invested in predictive analytics powered by machine learning that not only detects ongoing attacks but forecasts potential risks.
Specifications
Recorded Future’s platform supports seamless integration with SIEM, SOAR, and vulnerability management systems. Its specifications highlight the unique ability to link technical threat indicators with geopolitical events in real time.
The Intelligence Graph processes trillions of data points daily, delivering priority alerts to security teams. It scales across enterprise, government, and defense sectors, making it highly adaptable.
Features
Real-time intelligence graph, predictive threat modeling, geopolitical and cyber threat monitoring, customizable dashboards, and API integrations.
Reason to Buy
Recorded Future is ideal for organizations that want comprehensive and predictive intelligence deeply tied to global threats and contextual analysis.
Pros
Predictive threat analysis
Robust intelligence graph architecture
Wide global visibility including dark web
Cons
Advanced features require expertise
May be complex for small teams
Best For: Enterprises and governments needing comprehensive cyber-geopolitical intelligence with predictive analytics.
IBM Security, with its X-Force Threat Intelligence division, continues to be a major player in cybersecurity innovation.
In 2025, IBM’s X-Force has grown more powerful, combining both machine learning-driven analytics and insights from one of the largest global cybersecurity research divisions.
We picked IBM Security because it offers an enterprise-scale solution backed by decades of IBM’s expertise and global footprint.
Another big reason is its unique ability to merge offensive and defensive intelligence, thanks to X-Force Red, IBM’s ethical hacking team that uncovers vulnerabilities proactively.
Specifications
IBM X-Force supports predictive threat analysis through its massive global databases of malware, phishing, and vulnerability exploits. It integrates seamlessly with IBM QRadar SIEM, enabling advanced correlation and monitoring.
Its open architecture provides APIs that work with third-party security systems, enhancing deployment flexibility.
Features
Predictive intelligence, integration with IBM QRadar, X-Force threat feeds, penetration testing services, compliance tools, and advanced AI-driven risk detection.
Reason to Buy
Companies should choose IBM X-Force for enterprise-grade resilience, predictive intelligence, and robust integration with compliance and operational workflows.
Pros
Backed by global X-Force threat research team
Strong integration with QRadar SIEM
Predictive threat modeling capabilities
Cons
Better suited for enterprises than SMBs
Costly professional services
Best For: Large global enterprises that need predictive intelligence, compliance integration, and extensive research-backed insights.
Cisco Talos Intelligence Group is one of the world’s largest commercial threat intelligence teams, providing deep insights into malware, vulnerabilities, and global threat actors.
In 2025, Cisco Talos is valued for powering Cisco’s entire cybersecurity product line with strong intelligence feeds.
We picked Cisco Talos because it has an unmatched visibility across global internet traffic, thanks to Cisco’s massive customer base and networking infrastructure presence.
Specifications
Cisco Talos provides global intelligence collection with visibility into billions of internet requests daily. Its specifications highlight scalable integration with Cisco Firepower, SecureX, and Umbrella solutions.
The research team investigates vulnerabilities and emerging malware strains, instantly updating Cisco’s product ecosystem to block new risks.
Features
Global malware intelligence, vulnerability tracking, SecureX integration, automated threat blocking, and real-time feed updates.
Reason to Buy
Cisco Talos is a must-buy for organizations already leveraging Cisco’s ecosystem, as it enhances the efficiency of their networking, cloud, and firewall solutions with smart, adaptive intelligence.
Pros
One of the largest global visibility footprints
Best-in-class integration with Cisco infrastructure
Frequent security research publications
Cons
Optimized primarily for Cisco ecosystems
May lack standalone product flexibility
Best For: Enterprises leveraging Cisco security and networking infrastructure for integrated global threat intelligence.
Secureworks has built a reputation as a managed security services provider (MSSP) that delivers advanced intelligence-backed cybersecurity protection.
In 2025, it stands out for its Taegis platform, which offers strong managed detection and response (MDR) capabilities backed by real-time global threat intelligence.
We picked Secureworks because it makes intelligence more actionable, combining its MDR services with robust AI-powered analytics.
Another reason is its 20+ years of expertise with visibility across thousands of clients, which enables its intelligence ecosystem to be rich and timely.
Specifications
The Taegis platform is built on cloud-native architecture with AI-enhanced security analytics, ensuring fast deployment across hybrid infrastructures.
Secureworks supports alert prioritization, detection correlation, and continuous hunting – all backed by human analysts. It provides APIs for SIEM/SOAR integration, ensuring smooth workflows with existing enterprise tools.
Secureworks is perfect for organizations seeking high-quality managed security services with robust threat intelligence and MDR capabilities aligned with enterprise needs.
Pros
Strong MSSP backed by real-time intelligence
Cloud-native Taegis MDR platform
Flexible pricing and scalability
Cons
Less customizable for fully in-house SOCs
Premium MDR services can be costly
Best For: Mid-size to large enterprises wanting MDR plus real-time threat intelligence without heavy upfront investments.
LookingGlass Cyber Solutions specializes in delivering advanced external threat protection, focusing on risks beyond the traditional network perimeter.
In 2025, it shines for its advanced monitoring across the dark web, supply chains, and emerging threat infrastructures.
We picked LookingGlass because of its strong emphasis on external attack surface management, which is increasingly vital as businesses expand to multi-cloud and SaaS ecosystems.
Another reason is that it offers intelligence contextualized for specific business functions, such as fraud prevention or brand monitoring, making results more actionable.
Specifications
LookingGlass provides advanced specifications centered around continuous monitoring of external threats, including domain spoofing, phishing, and supply chain risks.
Its intelligence APIs allow integration with enterprise SIEMs and SOAR platforms. Its architecture supports large-scale attack surface mapping, delivering visibility into business-specific risks.
Features
External threat monitoring, dark web intelligence, brand protection, supply chain visibility, and business-specific dashboards.
Reason to Buy
LookingGlass is ideal for organizations requiring strong risk monitoring outside their network perimeter, with emphasis on dark web, brand, and supply chain protection.
Pros
Excellent external threat intelligence
Strong in brand and fraud protection
Customizable dashboards per industry
Cons
Narrower focus compared to broad ecosystems
Premium feeds can be costly
Best For: Enterprises with high external risk exposure, such as finance, telecom, and critical infrastructure.
LogRhythm is a well-known SIEM provider that has evolved its platform into one of the most effective intelligence-driven solutions.
In 2025, LogRhythm continues to demonstrate strength by combining SIEM, SOAR, and threat intelligence capabilities into a single unified solution.
We picked LogRhythm because it caters effectively to mid-sized enterprises that require intelligence-driven workflows without the high cost of giant vendors.
Another reason is its enhanced AI-powered analytics that provide faster detection and automated responses.
Specifications
LogRhythm’s specifications focus on providing seamless integration of SIEM and SOAR with threat intelligence feeds. Its solution supports customizable workflows and automated incident response.
With cloud, hybrid, and on-premise deployment, it caters to multiple infrastructure types. Its specifications also highlight performance analytics designed to improve SOC efficiency, allowing teams to prioritize alerts with risk-based scoring.
LogRhythm is an excellent choice for mid-to-large organizations seeking intelligence-driven SIEM and SOAR capabilities that improve SOC team efficiency.
Pros
Unified SIEM and SOAR capabilities
Strong AI-driven analytics
Cost-effective compared to top-tier competitors
Cons
May not scale as well for global enterprises
Requires training for advanced fine-tuning
Best For: Mid to large-sized enterprises needing SIEM-SOAR integration with intelligence-driven security workflows.
The Top 10 End-to-End Threat Intelligence Companies of 2025 represent the best-in-class providers shaping the future of cybersecurity.
From leaders like Mandiant and CrowdStrike offering global intelligence and incident response, to specialized vendors like LookingGlass focusing on external risk monitoring, each company brings a unique strength to enterprises worldwide.
Selecting the right solution depends on your enterprise size, security maturity, and business priorities.
Whether you need predictive intelligence (Recorded Future, IBM), MDR services (Secureworks), or scalable SIEM-SOAR integration (LogRhythm), this list provides businesses with trusted partners in their cybersecurity journey.
ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as they’re published.
Elon Musk’s SpaceX has taken money directly from Chinese investors, according to previously sealed testimony, raising new questions about foreign ownership interests in one of the United States’ most important military contractors.
The recent testimony, coming from a SpaceX insider during a court case, marks the first time direct Chinese investment in the privately held company has been disclosed. While there is no prohibition on Chinese ownership in U.S. military contractors, such investment is heavily regulated and the issue is treated by the U.S. government as a significant national security concern.
“They obviously have Chinese investors to be honest,” Iqbaljit Kahlon, a major SpaceX investor, said in a deposition last year, adding that some are “directly on the cap table.” “Cap table” refers to the company’s capitalization table, which lists its shareholders.
Kahlon’s testimony does not reveal the scope of Chinese investment in SpaceX or the identities of the investors. Kahlon has long been close with the company’s leadership and runs his own firm that acts as a middleman for wealthy investors looking to buy shares of SpaceX.
SpaceX keeps its full ownership structure secret. It was previously reported that some Chinese investors had bought indirect stakes in SpaceX, investing in middleman funds that in turn owned shares in the rocket company. The new testimony describes direct investments that suggest a closer relationship with SpaceX.
SpaceX has thrived as it snaps up sensitive U.S. government contracts, from building spy satellites for the Pentagon to launching spacecraft for NASA. U.S. embassies and the White House have connected to the company’s Starlink internet service too. Musk’s roughly 42% stake in the company is worth an estimated $168 billion. If he owned nothing else, he’d be one of the 10 richest people in the world.
National security law experts said federal officials would likely be deeply interested in understanding the direct Chinese investment in SpaceX. Whether there was cause for concern would depend on the details, they said, but the U.S. government has asserted that China has a systematic strategy of using investments in sensitive industries to conduct espionage.
If the investors got access to nonpublic information about the company — say, details on its contracts or supply chain — it could be useful to Chinese intelligence, said Sarah Bauerle Danzman, an Indiana University professor who has worked for the State Department scrutinizing foreign investments. That “would create huge risks that, if realized, would have huge consequences for national security,” she said.
SpaceX did not respond to questions for this story. Kahlon declined to comment.
The new court records come from litigation in Delaware between Kahlon and another investor. The testimony was sealed until ProPublica, with the assistance of lawyers at the Reporters Committee for Freedom of the Press and the law firm Shaw Keller, moved in the spring to make it public. SpaceX fought the effort, but a judge ruled that some of the records must be released. Kahlon’s testimony was publicly filed this week.
Buying shares in SpaceX is much more difficult than buying a piece of a publicly traded company like Tesla or Microsoft. SpaceX has control over who can buy stakes in it, and the company’s investors fall into different categories. The most rarefied group is the direct investors, who actually own SpaceX shares. This group includes funds led by Kahlon, Peter Thiel and a handful of other venture capitalists with personal ties to Musk. Then there are the indirect investors, who effectively buy stakes in SpaceX through a middleman like Kahlon. (The indirect investors are actually buying into a fund run by the middleman, typically paying a hefty fee.) All previously known Chinese investors in SpaceX fell into the latter category.
This year, ProPublica reported on an unusual feature of SpaceX’s approach to investment from China. According to testimony from the Delaware case, the company allows Chinese investors to buy stakes in SpaceX so long as the money is routed through the Cayman Islands or other offshore secrecy hubs. Companies only have to proactively report Chinese investments to the government in limited circumstances, and there aren’t hard and fast rules for how much is too much.
After ProPublica’s report, House Democrats sent a letter to Defense Secretary Pete Hegseth raising alarms about the company’s “potential obfuscation.” “In light of the extreme sensitivity of SpaceX’s work for DoD and NASA, this lack of transparency raises serious questions,” they wrote. It’s unclear if any action was taken in response.
Kahlon has turned his access to SpaceX stock into a lucrative business. His investor list reads like an atlas of the world. The investors’ names are redacted in the recently unsealed document, but their addresses span from Chile to Malaysia. One is in Russia. At least two are in mainland China. One is in Qatar. (In one email to SpaceX’s chief financial officer, Kahlon said a Los Angeles-based fund had money from the Qatari royal family and was already invested in SpaceX.)
“You made a big fortune,” a China-based financier wrote to Kahlon four years ago. “Lol something like that. SpaceX has been the gift that keeps on giving,” Kahlon responded. “All thanks to you.”
Kahlon first met with SpaceX when it was a fledgling startup, according to court records. SpaceX’s CFO, Bret Johnsen, who’s been there for 14 years, testified that Kahlon “has been with the company in one form or fashion longer than I have.” Johnsen also testified that SpaceX has no formal policy about accepting investments from countries deemed adversaries by the U.S. government. But he said he asks fund managers to “stay away from Russian, Chinese, Iranian, North Korean ownership interest” because that could make it “more challenging to win government contracts.”
There are indications that by 2021, Kahlon was wary of raising funds from China. The U.S. government had grown increasingly concerned about Chinese investments in tech companies, and that June, Kahlon told an associate he was “being picky” with who he’d let buy into a new SpaceX opportunity. “Only people I want to have a relationship with long term. No one from mainland China,” Kahlon said.
But as he raced to assemble a pool of investors, those concerns appeared to fade away. By November 2021, Kahlon was personally raising money from China to buy SpaceX stakes. He told a Shanghai-based company that if it invested with him, it would get quarterly updates on SpaceX’s business development, “visits to SpaceX, and the opportunities to interview with Space X’s CFO,” court records show.
Hegseth expands war on leaks.Washington Post: “The Pentagon plans to impose strict nondisclosure agreements and random polygraph testing for scores of people in its headquarters, including many top officials, according to two people familiar with the proposal and documents obtained by The Washington Post, escalating Defense Secretary Pete Hegseth’s war on leakers and internal dissent.”
A draft memo from Deputy Defense Secretary Steve Feinberg says that all troops, civilian employees, and contract workers within the Office of the Defense Secretary and the Joint Staff—likely more than 5,000 people—would be required to sign a nondisclosure agreement that “prohibits the release of non-public information without approval or through a defined process.”
Chief Pentagon spokesperson Sean Parnell declined to answer questions about the plan, saying in an email that The Post’s reporting is “untrue and irresponsible.” Read on, here.
Silicon Valley in St. Louis? Movers and shakers in the Gateway City, having welcomed the recently opened National Geospatial-Intelligence Agency campus in the Bottle District, now have their sights set on turning the city into a hub for geospatial startups, arguing, perhaps, that St. Louis and defense technology go together like toasted ravioli and marinara. Defense One’s Lauren C. Williams reports, here.
Welcome to this Thursday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Ben Watson and Bradley Peniston. It’s more important than ever to stay informed, so thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 2018,Washington Post journalist and Saudi dissident Jamal Khashoggi was assassinated and cut into pieces with a bone saw during a visit to the Saudi consulate in Istanbul, Turkey.
Trump 2.0
Amid a government shutdown, at least 15 government oversight websites were down Wednesday evening, removing access to watchdog reports and required hotline and whistleblower links, Natalie Alms of Nextgovreported.
The outages are not due to the shutdown—it's a deliberate move by the White House, whose Office of Management and Budget is withholding funds from the Council of the Inspectors General on Integrity and Efficiency. CIGIE is an independent entity charged by Congress with addressing oversight issues that involve more than one government agency. It provides training for investigators and auditors and acts as a watchdog for the government watchdog community.
OMB claims the IGs “have become corrupt, partisan, and in some cases, have lied to the public,” a spokesperson told Nextgov/FCW in a statement. With the websites gone, so is access to the reports of those offices as well as links for whistleblowers. Read more, here.
Some of the affected OIG offices have posted to social media to offer phone numbers and alternative online hotline complaint forms. And links to the pre-Oct. 1 versions of the sites are available here.
The move is part of the Trump administration’s campaign against the government’s independent watchdogs, which began with Trump’s firing of 17 IGs soon after he took office, a move that a federal judge recently said was an “obvious” violation of the law.
On Tuesday, Defense Secretary Pete Hegseth announced a review of the reporting processes for his department’s IG, which is currently investigating him for allegedly using an unsecure, unapproved app to conduct official business in the form of sending strike plans over Signal.
In a Tuesday memo, Hegseth said IG offices must now decide whether tips are backed by "credible evidence" within seven days and to track any "repeat complainants." Reuters: “One U.S. official who approved of Hegseth's move said the memo could mean fewer frivolous complaints, allowing investigators to focus on more important tips. But critics of the reforms argue they could ultimately hamper oversight, weaken the independence of the IG and put whistleblowers in an impossible situation.” More, here.
Trump falsely claimed National Guard troops were “in place” in Portland on Wednesday, but “no troops could be seen anywhere around the outside of the ICE facility on South Macadam Avenue,” Portland’s KGW news reported shortly afterward, though they are expected sometime early next week.
“I'm guessing [Trump] means that the 200 individuals have been selected and sent to Camp Rilea for training,” Sen. Jeff Merkley, D-Oregon, told KGW. “He may also mean the command structure from Northern Command has arrived in Oregon. He may mean that. It's definitely the sort of thing where it would be nice to have the right appointed person clarify those details. We're all trying to get the best information we can, and it's very fuzzy.”
Trump also falsely claimed “ANTIFA and the Radical Left Anarchists” were attacking federal law enforcement and immigration officers, and “many people have been badly hurt, and even killed” because he said the city is “a NEVER-ENDING DISASTER” that’s “run like a Third World Country.”
In reality, “The ICE facility in the South Waterfront neighborhood has been the site of small-scale but frequent protests in recent months, leading to a handful of arrests and some complaints about noise and tear gas, though there have been no significant injuries or deaths reported, and nearby residents and Portland police have both described the marches as relatively peaceful,” KGW reports.
Local police reax: “The city of Portland is about 145 square miles. This is one city block,” Portland Police Chief Bob Day told reporters Tuesday. “And even the events that are happening down there do not rise to the level of attention that they are receiving.”
Legal insight: “The Trump administration is hoping no one notices that, although federal law defines ‘domestic terrorism,’ it provides no special authorities against anyone whose behavior meets that definition,” Georgetown University national security law professor Steve Vladeck writes on Substack.
He’s talking about Trump’s recent “National Security Presidential Memorandum-7” (NSPM-7), which is a memo signed last Thursday titled “Countering Domestic Terrorism and Organized Political Violence.” That memo, Vladeck says, “reflects a dramatic escalation in the Trump administration’s efforts to cast a whole lot of constitutionally protected speech and political activity as unlawful ‘political violence and intimidation.’” The point of the memo seems to be “to scare, intimidate, cajole, and harass a wide array of non-governmental (and non-profit) organizations into self-censoring—lest they risk triggering the investigations and potential prosecutions the memorandum threatens,” Vladeck writes.
On its face, the memo is “an exercise in legally empty but rhetorically dangerous symbolism,” says Vladeck, “one that is trying to coerce more and more individuals and groups to ‘obey in advance,’ even though there are no new substantive rules that they need to actually obey.” Read on, here.
Developing: The U.S. will soon begin helping Ukraine strike deeper inside Russia via a new intelligence-sharing agreement pertaining to “long-range missile strikes on Russia’s energy infrastructure,” the Wall Street Journalreported Wednesday. “President Trump recently signed off on allowing intelligence agencies and the Pentagon to aid Kyiv with the strikes,” U.S. officials said as Trump’s recent efforts to end Vladimir Putin’s Ukraine invasion have gone nowhere so far.
Also pending: Possible U.S. delivery of Tomahawk and Barracuda cruise missiles as well as “other American-made ground- and air-launched missiles that have ranges of around 500 miles,” officials told the Journal. Vice President JD Vance teased the Tomahawk possibility Sunday. The Kremlin’s reaction the following day seemed relatively muted compared to November 2024, e.g., according to Reuters reporting Monday.
Even without the new intelligence, Ukraine has attacked 21 of Russia’s 38 large oil refineries since January, triggering fuel shortages and price hikes that one gas station manager compared “to the hyperinflation experienced by post-Soviet Russia,” according to the BBC. “In my opinion we haven't had a crisis like this since 1993-1994,” he said.
An estimated 38% of Russia’s oil refining capacity is reportedly offline, and about 70% of that was caused by Ukrainian drone strikes, according to Moscow-based newspaper Lenta, reporting Tuesday.
Panning out: “Retail petrol prices have surged, while wholesale prices—the cost at which retailers buy from producers—have risen even faster, growing by 40% since January.”
One large plant near Moscow has been hit five times this calendar year, but August was the busiest month with more than a dozen such attacks. Read more, here.
New: Russia appears to have modified its ballistic missiles to better evade Patriot air defense systems, the Financial Times reports. That includes Moscow’s “Iskander-M mobile system, which launches missiles with an estimated range of up to 500km, as well as Kinzhal air-launched ballistic missiles, which can fly up to 480km,” officials said.
“The missiles now follow a typical trajectory before diverting and plunging into a steep terminal dive or executing manoeuvres that ‘confuse and avoid’ Patriot interceptors,” according to Ukrainian and western officials. These adjustments appear to have helped Russia attack “At least four drone-making plants in and around Kyiv” over the summer, including “strike on August 28 on a facility producing Turkish Bayraktar drones.”
Related: The Polish government believes Russia deliberately sent drones into its airspace last month to test the resolve of the country and its NATO allies—and that such tests will keep coming. That means the Polish military needs a better counter-unmanned systems plan, Foreign Minister Radosław Sikorski told reporters on Wednesday. The European Union is leading that effort, he added, securing $150 billion in loans for member states, as well as joint ventures with Ukraine, whose counter-UAS prowess was born out of necessity in the nearly four years it’s been fighting off Russian drones, Defense One’s Meghann Myers reports.
Also this week: Finland said it’s gonna help protect Denmark’s airspace, which is one of several European nations that have experienced suspicious overflights of sensitive sights.
Additional reading: “Suspicious drones apparently spied on critical infrastructure,” Germany’s Der Spiegel reported Wednesday, highlighting newly-revealed overflights of German army and naval bases in Sanitz and Rostock as well as defense industry locations elsewhere.
Around the world
Lastly: President Trump seems to have quietly committed the U.S. to defending Qatar, according to an executive order Trump signed Monday during Israeli prime minister Benjamin Netanyahu’s visit to the White House.
The order is “bizarre,” observed Ankit Panda of the Carnegie Endowment for International Peace, writing Wednesday on Substack. He then focuses on what he says are “two big problems with this from the broader perspective of the practice of U.S. extended deterrence and alliances. First of all—and I’ve expressed this frustration elsewhere—it matters to the United States, its people, and U.S. allies that assurances and extended deterrence relationships are codified in treaties,” he writes. And secondly, “from the vantage point of U.S. treaty allies, these relatively empty assurances to Qatar could be seen as cheapening the value of actually being in a treaty alliance with the United States.”
After some consideration, he goes on to describe Trump’s order as “a perverse reflection of the domestic political incentives that shape how the United States thinks about its various allied relationships” under the current president, in particular. “I won’t go as far as to argue that this new executive order for the Qataris is a huge problem for American alliances in 2025,” he continues. “[T]hat would be hyperbolic and there are far more obvious culprits. But it’s certainly not the sort of thing that makes the actual treaty allies remember or recognize any value in an actual treaty-based relationship.”
Second opinion: “An executive order is not a treaty and can be overturned by another president, but the declaration of a military commitment to a foreign nation without ratification by the Senate as the Constitution requires shows the belief of administration officials that they can act as they wish without consulting Congress,” writes Heather Cox Richardson of Boston College.
However, “the deal shows just how ill-advised Trump’s illegal demand for, and then receipt of, a $400 million luxury 747-8 from Qatar turned out to be, for now it certainly looks as if Qatar received U.S. military commitments in exchange for a used plane,” she adds.
On Tuesday, Defense Secretary Pete Hegseth declared that changes would be coming to the department’s inspector general office. Just hours earlier, the Office of Management and Budget effectively defunded an office that supports and trains oversight employees who root out waste, fraud, and abuse governmentwide.
Both moves raised red flags among bipartisan members of Congress and governmental oversight organizations who have been critical of President Donald Trump’s actions against inspectors general since he fired 17 of them during the first days of his second term.
“This is not the final step, but we're getting close to the final steps of undoing the entire system of oversight within the executive branch,” said Andrew Bakaj, chief legal counsel for the nonprofit Whistleblower Aid.
Hegseth vs. his OIG
During his Tuesday speech to senior military leaders in Quantico, Virginia, Hegseth said that the IG process “has been weaponized, putting complainers, ideologues and poor performers in the driver's seat.”
Hegseth, who inveighed against DOD's equal opportunity and military equal opportunity programs, said that there would be: “No more frivolous complaints. No more anonymous complaints. No more repeat complainants. No more smearing reputations. No more endless waiting. No more legal limbo. No more sidetracking careers. No more walking on eggshells.”
Bakaj argued that the event, at which Trump also spoke, would deter people from whistleblowing.
“The atmosphere that was created in the meeting yesterday by the secretary of — still the secretary of Defense, Congress has not changed the name to secretary of War — the secretary of Defense and the president chilled the ability for anybody to come forward,” said Bakaj, who used to work in the DOD IG office.
In a memo released after his speech, Hegseth ordered the military secretaries to work with the department IG to make several changes to the IG investigation process including:
Requiring an evaluation to be completed within seven days of receiving a complaint to assess its credibility before launching an investigation. Hegseth also directed the military departments to “explore the use of artificial intelligence with human oversight” to meet such a timeline.
Updating the subject of a complaint, their commander and the complainant every 14 days on the investigation’s status.
“Establish[ing] clear and enforceable procedures to identify and manage complainants who submit multiple complaints without credible evidence, that are frivolous or that knowingly include false information.”
Faith Williams, the director of the Effective and Accountable Government Program at the Project on Government Oversight, contended that the credibility assessment and regular updates could be beneficial, but the focus on repeat complainants stood out to her.
“It reinforced a tone that I had sort of picked up on throughout the memo, which is this assumption that the complaints and information that inspectors general were receiving are somehow false or malicious,” she said.
While noting that whistleblower retaliation has been an issue across administrations, Williams argued that the memo recasts how whistleblowers are portrayed.
“Whistleblowers perform a critical oversight role. They help report and prevent waste, fraud and abuse of power. And I think many prior administrations, many elected officials, would agree that they're essential,” she said. “This [memo] puts whistleblowers, instead of in a more heroic position, into this more villainous position.”
In a Wednesday statement, Bakaj argued that the memo would enable “senior officials to dictate timelines and procedures from the top down” and lead to disclosures being “weaponized” against whistleblowers.
In speaking with Government Executive, Bakaj also cited one of his former clients as an example of how a repeat complainant can be valuable to an agency.
“She was fulfilling an audit role, looking at various contracts, and she had the unique perspective to be able to see when something was going wrong,” he said in an interview. “One of this individual's last disclosures was, in fact, evidence, which ultimately became substantiated, of a multimillion dollar fraud committed by a contractor.”
Mark Greenblatt, who was IG at the Interior Department before Trump removed him as part of the mass firing in January, emphasized that IGs are themselves already subject to oversight from Congress and periodic review by other IG offices to ensure fairness.
“It's hard for me to believe that IGs can kind of slip one past the goalie on a partisan basis when we have so many guardrails in place,” he said.
Hegseth is currently under evaluation by the DOD IG, at the request of Senate Armed Services Chairman Roger Wicker, R-Miss., and ranking member Jack Reed, D-R.I., over his use of Signal to discuss upcoming military operations in Yemen.
Withholding funding
OMB on Sept. 26 informed the Council of the Inspectors General on Integrity and Efficiency that it would not be apportioned funding for fiscal 2026, according to a letter that Tammy Hull, the IG for the U.S. Postal Service and acting chair of CIGIE, sent to Congress.
Hull wrote that CIGIE’s work would not be affected by the ongoing shutdown because of how the agency is funded, but that OMB’s decision is forcing them to furlough 25 employees. She added that the disruption would interrupt congressionally authorized whistleblower hotlines, IG employee training and an oversight body that reviews allegations of wrongdoing against the watchdogs.
Senate Appropriations Committee Chair Susan Collins, R-Maine, and Sen. Chuck Grassley, R-Iowa, a longtime IG defender, on Monday sent a letter to OMB Director Russell Vought urging him to “reverse course.”
“Effectively defunding CIGIE — contrary to congressional intent — will disrupt numerous important oversight functions, including the Oversight.gov website, whistleblower reporting portals and activities designed to ensure the inspectors general community is held accountable,” they wrote.
Grassley announced on Wednesday that OMB has since apportioned $5 million to the Pandemic Response Accountability Committee, a part of CIGIE that investigates fraud in COVID-19 pandemic spending and was extended until 2034 in the One Big Beautiful Bill Act. He and Collins said in a statement that OMB should “promptly apportion funds for CIGIE as well.”
But the Trump administration does not seem to be inclined to do that.
“Inspectors general are meant to be impartial watchdogs identifying waste and corruption on behalf of the American people. Unfortunately, they have become corrupt, partisan and in some cases, have lied to the public,” an OMB spokesperson said in a statement to Government Executive. “The American people will no longer be funding this corruption.”
During his first term, Trump fired the IG whose notification to Congress led to his first impeachment.
“Without [CIGIE’s] infrastructure, I fear that individual IGs will be isolated, their effectiveness diminished and their ability to protect taxpayer interests severely compromised,” Greenblatt said in a statement. “Defunding CIGIE eliminates the infrastructure that enables inspectors general to coordinate, share best practices and hold federal agencies accountable across government.”
Greenblatt, a former CIGIE chair, hypothesized that the entity’s effective defunding is due to its 2024 finding that Homeland Security Department inspector general Joseph Cuffari, who was appointed during Trump’s first term, abused his authority and engaged in substantial misconduct. But President Joe Biden took no disciplinary action against him, and Cuffari was spared during January’s mass firing.
“Make no mistake: this decision is not about budget efficiency nor streamlining government,” Greenblatt said in his statement. “Over the last few years, Cuffari and his minions have led a long-term and highly destructive campaign to undermine CIGIE and the IG community. I believe this is a direct outgrowth of that dishonest effort.”
Cuffari filed a lawsuit, which a federal judge dismissed in 2023, alleging that CIGIE’s investigation of him amounted to unlawful harassment. The DHS OIG did not respond to a request for comment.
Congressional Democrats slammed the Trump administration’s actions as well. House Appropriations Committee ranking member Rosa DeLauro, D-Conn., argued that “OMB is choking off resources of the Council of the Inspectors General to halt their operations.”
“This moment demands action. The fastest way to restore trust is to guarantee inspectors general true independence — and to finally establish an inspector general at the ‘nerve center of federal spending,’ the Office of Management and Budget,” she said in a statement. “I call on Russ Vought and the Office of Management and Budget to release CIGIE’s funding immediately, and I look forward to working with my colleagues on both sides of the aisle to make sure this never happens again.”
The threat actor known as Confucius has been attributed to a new phishing campaign that has targeted Pakistan with malware families like WooperStealer and Anondoor.
“Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries — especially in Pakistan – using spear-phishing and malicious documents as initial
A new proof-of-concept (PoC) tool named Obex has been released, offering a method to prevent Endpoint Detection and Response (EDR) and other monitoring solutions’ dynamic-link libraries (DLLs) from loading into processes.
The tool, created by a researcher known as “dis0rder0x00,” is designed to block specified DLLs both during the initial startup of a process and at runtime, potentially allowing malware or red team tools to operate without being detected by security software.
Obex functions by launching a target application under its debug control. This allows it to intercept critical system operations. Specifically, it hooks the ntdll!LdrLoadDll function, which is responsible for loading DLLs into a process.
When an application attempts to load a DLL, Obex intercepts the call and checks the DLL’s name against a configurable blocklist.
If the DLL is on the list, the tool simulates a failed load attempt, preventing the library from being injected into the process.
If the DLL is not on the list, the loading process is allowed to continue as normal. This technique effectively blinds security tools that rely on injecting their own DLLs into processes to monitor their behavior.
The tool is written in C and has no external dependencies, making it lightweight and portable. By default, Obex is configured to block amsi.dll, the library for the Antimalware Scan Interface, but users can provide a custom list of DLLs to block.
The developer has made the tool available on GitHub, positioning it as a technique for security researchers to understand and test evasion methods.
Security solutions widely use DLL injection to establish user-mode hooks for monitoring API calls and system behavior. Tools like Obex demonstrate methods that can be used to circumvent these defenses.
While valuable for penetration testers and red teams, such tools also provide defenders and security vendors with important insights into evasion techniques, helping them to develop more resilient detection and protection strategies against sophisticated threats.
A proof-of-concept (PoC) exploit has been released for a critical vulnerability chain in VMware Workstation that allows an attacker to escape from a guest virtual machine and execute arbitrary code on the host operating system.
The exploit successfully chains together an information leak and a stack-based buffer overflow vulnerability to achieve a full guest-to-host escape, one of the most severe types of security flaws in virtualization software.
The exploit targets vulnerabilities that were first demonstrated at the Pwn2Own Vancouver event in 2023. Security researcher Alexander Zaviyalov of NCC Group recently published a detailed technical analysis and a functional PoC, demonstrating the practical risk posed by these flaws.
The Two-Stage Attack
The guest-to-host escape is accomplished by chaining two distinct vulnerabilities found in the virtual Bluetooth device functionality of VMware Workstation. This feature, which is enabled by default, allows a guest VM to use the host’s Bluetooth adapter.
Information Leak (CVE-2023-20870, CVE-2023-34044): The first stage of the attack leverages a Use-After-Free (UAF) memory leak. By sending specifically crafted USB Request Block (URB) control transfers to the virtual mouse and Bluetooth devices, an attacker can leak memory pointers from the vmware-vmx.exe process on the host.
This information leak is crucial for bypassing Address Space Layout Randomization (ASLR), a standard security feature that randomizes memory locations to make exploitation more difficult.
Exploit
Buffer Overflow (CVE-2023-20869): With ASLR bypassed, the attacker proceeds to the second stage. This involves triggering a stack-based buffer overflow by sending a malicious Service Discovery Protocol (SDP) packet from the guest VM to another Bluetooth device discoverable by the host.
The overflow allows the attacker to hijack the program’s execution flow, and with the previously leaked memory addresses, they can execute a custom payload on the host system.
The combination of these vulnerabilities allows an attacker with control over a guest VM to gain full control of the host machine. In the demonstration, the exploit successfully launched a reverse shell from a Linux guest to a fully patched Windows 11 host, effectively compromising the underlying system, Alexander Zaviyalov said.
The full exploit chain primarily affects VMware Workstation 17.0.1 and earlier versions. The specific vulnerabilities have different patch timelines:
The stack-based buffer overflow (CVE-2023-20869) was addressed in version 17.0.2.vmware-workstation-guest-to-host-escape.pdf
The memory leak vulnerabilities (CVE-2023-20870 and CVE-2023-34044) were patched across versions 17.0.2 and 17.5.0, respectively.vmware-workstation-guest-to-host-escape.pdf
Because the complete exploit requires both the buffer overflow and the memory leak, users running version 17.0.1 or older are at the highest risk.
Mitigations
The primary recommendation for all users is to update their VMware Workstation software to the latest available version (17.5.0 or newer), which contains patches for all the discussed vulnerabilities.
For users who cannot immediately update, a potential workaround is to disable the virtual Bluetooth device. This can be done by unchecking the “Share Bluetooth devices with the virtual machine” option in the virtual machine’s USB Controller settings.
Disabling this feature removes the attack surface exploited by this specific PoC. The detailed research highlights the complexity of modern exploits and underscores the importance of timely patching for virtualization platforms.
Yes
No.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
