ThreatStream - Threat Intelligence Platform
Anomali ThreatStream

Automate the collection, management, and distribution of your threat intelligence at scale

Schedule demo
Anomali ThreatStream

See threats faster

Anomali ThreatStream is a Threat Intelligence Platform that aggregates threat intelligence from diverse sources, provides an integrated set of tools for fast and efficient investigations, and delivers operationalized threat intelligence to your security controls at machine speed.

Anomali ThreatStream Automation screenshot

Automate the collection of ALL available threat intelligence

ThreatStream automates and accelerates the process of collecting all relevant global threat data, giving you the enhanced visibility that comes with diversified, specialized intelligence sources, without increasing administrative load.

  • Automate threat data collection from hundreds of sources into a single, high fidelity set of threat intelligence
  • Improve your security posture by diversifying intelligence sources without generating administrative overhead
  • Easily try and buy new sources of threat intelligence via the integrated marketplace

Accurately curate diverse threat intelligence into a single set of actionable data

Whether it's Open Source data from OSINT feeds, paid Premium Feeds, our own Anomali Labs curated feeds, or indicators being shared by an ISAC, Anomali takes that data, normalizes it across sources, enriches it with Actor, Campaign, and TTP information, then de-duplicates it and removes false positives using our patented machine learning algorithm. Think of ThreatStream as your mission control for Threat Intelligence.

  • De-duplicate data and remove false positives at scale to deliver a single high fidelity set of threat intelligence
  • Score threat intelligence for confidence and severity with a powerful machine learning algorithm
  • Operationalize threat intelligence into machine-readable form
Anomali ThreatStream management screenshot
Anomali ThreatStream integration screenshot

Turnkey integration with your security controls

ThreatStream delivers operational threat intelligence to your security controls via the industry's largest set of turnkey integrations, enabled by a robust set of SDKs and APIs. This allows you to push the data out to your security systems for blocking and monitoring on an automated basis, including your SIEM, Firewall, IPS, EDR, and SOAR.

  • Turnkey integrations with leading enterprise SIEMs, firewalls, EDRs, and SOARs deliver fast time-to-value
  • Scalable, real-time intelligence distribution to security controls
  • Round-trip visibility into threat intelligence quality with MyAttacks
  • Reduce false positives and alert storms
  • Extensible platform with restful API and SDKs for feeds, enrichments, and security system integrations

Accelerate your threat research and insights

ThreatStream's Investigations workbench provides an integrated platform to dramatically increase security analyst productivity in threat research, analysis, and finished intelligence publication.

  • Automatically associate indicators to MITRE ATT&CK TTPs
  • Analyze adversary attack infrastructure with visual Explorer tool
  • Detonate malware and phishing emails to extract indicators
  • Quickly create and publish professional-looking threat bulletins
Anomali ThreatStream management screenshot
Anomali ThreatStream sharing screenshot

Share threat intelligence with your peers and partners

ThreatStream provides a complete threat intelligence sharing platform, the most trusted globally by ISACs, ISAOs, and holding companies to power secure collaboration within and between organizations. For example, you can get ahead of the threat by learning from an industry group when an attacker is targeting your industry.

  • Collaborate on threat identification via our "Trusted Circles" to reduce response times to cyber events
  • Speed up preventative measures by ensuring that users can participate securely and seamlessly in two-way sharing
  • Keep your proprietary information private to guarantee the confidentiality of shared information.
On-demand webinar

Know thine enemy – profiling cyber threat actors

In reality, our enemies are not even on our radar because we overlook the smaller signals caught by our controls. But sometimes these are small pieces of a bigger puzzle that we need to understand. Every detection by our security controls tells a story, and this is why we profile.

Flexible deployment options to fit your requirements


For organizations requiring a best-of-breed threat intelligence platform that provides fast time-to-value, ThreatStream offers a cloud-native implementation that can be deployed in minutes.

Virtual machine

For organizations requiring their threat intelligence platform to be hosted in their cloud platform of choice, ThreatStream can be deployed as a virtual machine.


For organizations that need to ensure the security of locally generated threat intelligence, ThreatStream On-Prem provides a locally managed private instance that includes the ability to access global cloud-based threat intelligence feeds.

Air gap

For organizations requiring maximum security, ThreatStream AirGap is a completely standalone private instance, delivering full functionality without connecting to the Internet or any other threat intelligence service.

Case study

Blackhawk Network

Learn how Blackhawk Network integrated disparate threat feeds into a high fidelity data set of intelligence, synchronized threat intelligence with their SIEM alerts, and provided the threat context around IOCs necessary for analysts to understand their true importance.


Go with Anomali and improve your security posture

Organizations rely on Anomali to harness the power of threat intelligence to make effective cybersecurity decisions that reduce risk and strengthen defenses.