    Anomali

    Sold by: Anomali
    Anomali delivers the first Intelligence-Native Agentic SOC Platform unifying a fully featured security data lake, threat intelligence, and agentic AI into a single modern experience. The platform accelerates detection, investigation, and response, delivering earlier insights, faster action, and scalable modernization across any environment.
    Rating: 4.2

    Overview


    The Anomali Intelligence-Native Agentic SOC Platform unifies a full-featured security data lake, next-generation managed threat intelligence, and Agentic AI into a single, modern security operations experience. The platform delivers agentic decision-making, embedded intelligence, and advanced analytics across the entire security lifecycle, helping organizations detect, investigate, and respond faster while reducing operational complexity. Customers can adopt either product independently or combine them for maximum impact. The platform scales seamlessly from augmenting existing SIEM investments to fully replacing legacy SIEM architectures.

    Highlights

    • Always-hot, normalized telemetry across cloud, endpoint, network, identity, and applications.
    • Curated threat intelligence applied continuously to alerts and investigations.
    • Intelligence-informed guidance that supports analyst decision-making.

    Details

    Sold by: Anomali
    Delivery method: Software as a Service (SaaS), deployed on AWS


    Features and programs

    Buyer guide

    Gain valuable insights from real users who purchased this product, powered by PeerSpot.

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

    Pricing

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (4)

    Dimension                          Description                                                            Cost/12 months
    Anomali Platform                   Anomali Platform - 3500 employees / 0.5 TB a day / 6 months storage    $520,000.00
    Threatstream Enterprise            Threatstream Enterprise annual subscription                            $150,000.00
    Copilot Essential                  Anomali Copilot Essential                                              $83,333.00
    ThreatStream AI Enterprise - 50GB  TS AI Enterprise with 50GB per day IOC Ingest                          $338,461.00

    Vendor refund policy

    All fees are non-cancellable and non-refundable except as required by law.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    The Customer Success Organization (CSO) provides customers with 24-hour support and additional services. CSO uses a tiered approach to allow clients to contact Anomali through their assigned operations staff member or via our support portal. With experts in all major client integration solutions and areas of security development, CSO provides clients with the knowledge necessary to address all threat intelligence related inquiries. Support@anomali.com

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Product comparison

    Updated weekly. Compared listings: by Anomali; by Stream.Security.

    Accolades

    Top 25 in Log Analysis

    Customer reviews

    Sentiment is AI generated from actual customer reviews on AWS and G2. Columns: Reviews, Functionality, Ease of use, Customer service, Cost effectiveness (legend: positive, mixed, negative reviews).
    3 reviews: insufficient data in all remaining columns.
    6 reviews: insufficient data in all remaining columns.
    0 reviews: insufficient data in all remaining columns.

    Overview

    AI generated from product descriptions.

    • Security Data Lake: Always-hot, normalized telemetry across cloud, endpoint, network, identity, and applications.
    • Threat Intelligence Integration: Curated threat intelligence applied continuously to alerts and investigations.
    • Agentic AI Capabilities: Agentic decision-making and intelligence-informed guidance supporting analyst decision-making throughout the security lifecycle.
    • Detection and Investigation Acceleration: Advanced analytics enabling faster detection, investigation, and response across the entire security operations workflow.
    • Multi-Environment Scalability: Seamless scaling from augmenting existing SIEM investments to fully replacing legacy SIEM architectures across any environment.
    • Behavioral Analytics Engine: Applies behavioral analytics to detect threat actor tactics through Tactic Graphs, leveraging 20+ years of attack and threat data plus 1400+ incident response engagements.
    • Multi-Environment Threat Detection: Unifies detection and response across endpoint, network, and cloud environments with correlated event visibility in a single dashboard.
    • Identity Risk Monitoring: Continuously monitors the environment for identity misconfigurations and risks, detects 100% of MITRE ATT&CK Credential Access techniques, and provides dark web intelligence on compromised credentials.
    • Extended Investigation Capabilities: Supports extended log retention, search query functionality, user-defined reporting, and custom use case support for threat hunting and incident investigation.
    • Automated Threat Intelligence Correlation: Automatically correlates threat landscape knowledge with security telemetry and continuously updated built-in threat intelligence.
    • Agentless Detection Architecture: Agentless approach for security detection and response without requiring agent installation across cloud infrastructure.
    • Real-time Configuration Monitoring: Continuous tracking of behavior and configuration changes to provide an updated model of the environment with instant analysis of security and compliance implications.
    • Threat Detection Framework: Threat detection across Network and IAM using the MITRE ATT&CK framework, driven by machine learning analysis.
    • Attack Chain Visualization: Dynamic visual attack storyline that connects workloads, network data, cloud identities, and audit logs for root cause analysis.
    • CloudTwin Technology: CloudTwin technology designed to provide a precise and constantly updated model of the cloud environment for rapid response capabilities.

    Security credentials

    Validated by AWS Marketplace: FedRAMP, GDPR, HIPAA, ISO/IEC 27001, PCI DSS, SOC 2 Type 2.
    No security profile is listed; the credential cells in the comparison are marked "-" or "No security profile".

    Contract

    Standard contract: No (for each compared listing).

    Customer reviews

    Ratings and reviews

    4.2 (10 ratings)
    5 star: 20%
    4 star: 80%
    3 star: 0%
    2 star: 0%
    1 star: 0%
    2 AWS reviews | 8 external reviews
    External reviews are from G2 and PeerSpot.
    SangramGupta

    Proactive threat insights have transformed incident response planning and weekly SOC reporting

    Reviewed on Jun 12, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I was using Anomali primarily for threat intelligence operations, security monitoring, and threat detection initiatives. I was part of the SOC team, and my role and responsibilities involved working with threat intelligence feeds and providing comprehensive threat reports on a weekly basis to the SOC team.

    The primary use case was threat intelligence. Before using any threat intelligence tool, the SOC team must rely on the logs they receive from their SIEM solutions. If we integrate threat intelligence into the overall practices with Anomali, it helps us gather all the threat information beforehand so that the SIEM engineers can schedule or create rules based on those threats or the nature of threats, making the threat hunt easier for the SIEM solutions or the SOC team. This approach is impactful for using the tool.

    What is most valuable?

    The best features I have used in Anomali include threat intelligence management. It provides a comprehensive and centralized threat intelligence feed for us. Based on a specific industry, we can gather all the threat IOCs with this tool. Those threat reports can be easily passed to the vulnerability management team, the threat hunting team, and the SOC team. Those threats are helpful for them to hunt a threat in a proactive way.

    Reporting is another valuable feature we have used. It provides comprehensive threat reports based on IOC enrichment and correlations. Those reports are helpful whenever we provide that data to the SIEM team or SOC team.

    Anomali has positively impacted my organization by improving efficiency and reducing risks. I can provide a practical example involving monitoring indicators associated with ransomware campaigns. Anomali helps us correlate the threat intelligence with internet security technology, allowing the overall team to identify potentially relevant indicators. Without a threat intelligence tool, the SOC team would require more time to investigate or act upon the incident management plan for that threat actor. With Anomali, we benefit by obtaining threat information prior to incidents, making our threat hunts proactive and having incident response plans ready, which saves almost 40% of the time from the traditional model.

    The 40% time savings have significantly impacted my team and business. In the traditional process, the SOC team relied only on the SIEM solution and the logs it gathered. Whenever it detected any potential threat or risks, they needed to manually check and hunt for the threat, consuming significant time. With Anomali, the SOC team is already aware of the nature of the threat, the threat actor, and the IOCs. This allows us to easily develop an incident response plan or proactively hunt for that threat or vulnerability, utilizing all the data from Anomali. This reduces the time for incident response by 40 to 50% overall compared to the traditional approach.

    What needs improvement?

    I can mention one point regarding improvements for Anomali, which is more enhanced reporting flexibility. The reporting provided to us is not too detailed and could be more enhanced. Better filtering for a large intelligence dataset would also be beneficial, as when we are deep-diving into a large dataset, it does not allow us to apply extensive filtering.

    For how long have I used the solution?

    I have used Anomali for more than two years.

    What do I think about the stability of the solution?

    Anomali is stable, and I have not experienced any issues with downtime or reliability.

    What do I think about the scalability of the solution?

    Anomali handles increased workloads or data volumes well, as it can easily manage significant data related to threat actors, threat initiatives, and news.

    Which solution did I use previously and why did I switch?

    I have previously used Recorded Future, but I have not switched. I am currently using this tool because of the client's requirements.

    What was our ROI?

    There is a return on investment concerning time and effort saved by 40% after implementing Anomali.

    What other advice do I have?

    Regarding Anomali's accuracy and reliability of output, I think it is important to have someone from the security engineering side validate all the outputs from the tool. Once the output has been validated, it should be passed to the incident response team.

    If you are involved in cybersecurity practices, specifically in defensive security, responsible for threat hunting, threat intelligence, and vulnerability management or SOC operations, you can implement this tool in your system or environment. It can proactively provide you the threat feed, threat actor details, and IOCs, helping you create a better incident response plan and hunt threats proactively.

    TarunKumar11

    Strategic threat intelligence has improved detection speed and consistently reduces analyst workload

    Reviewed on Jun 04, 2026
    Review from a verified AWS customer

    What is our primary use case?

    I have had exposure to Anomali for over five years and have been advising many clients regarding a cyber threat intelligence platform they could use. I have recommended Anomali to many of my clients throughout this period.

    My main use case for Anomali is rooted in the fact that there are many use cases within cyber threat intelligence, which is what Anomali stands for. This helps organizations aggregate, enrich, prioritize, and operationalize threat intelligence across its security operations. Primary use cases include security operations, threat hunting, incident response, threat intelligence, and automated blocking.

    I can provide a specific example of how I have seen Anomali used for threat hunting or incident response. A scenario I have advised on involves Anomali's use of artificial intelligence, which has made it analytical driven. It performs threat correlation, intelligence enrichment, and provides better pattern recognition through risk scoring. This makes it quite trustworthy and helps organizations prioritize intelligence through enrichment. I have seen Anomali provide strong results to businesses at large.

    Anomali helps achieve faster threat detection and faster incident response through improved productivity of analysts who would otherwise perform many tasks manually. Automation helps significantly in enrichment and correlation of indicators of compromise. This allows organizations to make better decisions with respect to threats and enhances regulatory and executive reporting.

    What is most valuable?

    Anomali's best features include its mature threat intelligence platform with a large intelligence repository, which is a major strength. It has strong feed aggregation, aggregating feeds from over 200 sources. It offers fairly reasonable automation capabilities that make it easy to operationalize threat intelligence.

    Among these features, threat intelligence operationalization stands out as making the biggest difference for organizations. It aggregates intelligence from hundreds of sources, automatically de-duplicates, applies risk scoring, applies context, and reduces much manual effort. Threat intelligence operationalization represents Anomali's best feature—its ability to turn raw threat intelligence into actionable security outcomes.

    Threat intelligence operationalization, combined with a comprehensive threat intelligence platform, aggregation through various feeds, automation, integration, and strong correlation with MITRE, is what organizations should primarily use Anomali for. Organizations need to use these capabilities much more coherently.

    Anomali has positively impacted my organization and my clients by helping them improve threat visibility, accelerate incident response, and make better use of their resources. Anomali has reduced incident response times by providing context around threats and indicators. It has significantly reduced analyst workload through automation and reduced the effort required for correlations. Additionally, it provides better vulnerability prioritization and much stronger visibility into cyber risk and emerging trends.

    What needs improvement?

    Anomali can be improved in various aspects. Its AI-driven automation can further advance, and AI-powered investigation summaries can improve. User experience could be enhanced through simplification of workflows. Better board-level cyber risk dashboards could provide easier visualization. Additionally, Anomali could work on simplifying the pricing structure. Although it excels in threat intelligence aggregation and operationalization, stronger GenAI capability, improved executive reporting, and a more intuitive workflow for analysts would further increase SOC efficiency and add more business value.

    Regarding Anomali's AI capabilities, governance and security are quite good. Anomali has incorporated AI and machine learning primarily to improve correlation and prioritization. These capabilities are valuable but could be more mature. The platform could achieve better threat correlation, prioritization, more anomaly detection, and allow AI to accelerate intelligence analysis while further improving quality and relevance.

    The accuracy and reliability of Anomali's AI output are fairly reasonable and good. The AI engine works well, but this capability could be improved. Better threat correlation with threat actors, certain indicators of compromise, malware, and campaigns is possible. Threat prioritization could increase, and alert noise could be reduced through further de-duplication. While reasonable, this is not the best available, and other products possibly have more AI maturity, such as Recorded Future and CrowdStrike Falcon.

    For how long have I used the solution?

    I have been working in my current field for over twenty-five years.

    What do I think about the stability of the solution?

    Anomali is stable in my experience with no issues regarding downtime or reliability. It is an enterprise-grade platform widely used by large clients, financial institutions, and managed security service providers. It has been a mature platform for years and is designed for high availability, making it suitable for security operations centers that work 24/7. From a reliability perspective, Anomali consistently injects threat feeds, works on automation, performs reliable API integrations, and supports enterprise scale globally.

    What do I think about the scalability of the solution?

    Anomali's scalability is impressive as a mature platform capable of processing large amounts of threat intelligence and indicators of compromise data. It integrates well with firewall platforms, SIEM, and EDRs. Since it is available in cloud deployment format, it is very stable and highly available.

    How are customer service and support?

    Anomali customer support is known for being absolutely very good for enterprise customers. I would rate Anomali customer support as very good with very responsive support for critical issues. They have strong onboarding and deployment assistance, provide a dedicated technical account manager for large customers, and engage in regular product updates and customer interaction. Resolution times can vary depending on the issue, and this is an area where they can further improve. Smaller customers may not receive the same level of attention as large customers do.

    I would rate Anomali customer support on a scale of one to ten as approximately an eight point five. For responsiveness, technical expertise, and implementation support, I would rate it a nine out of ten, as my experience has been quite solid.

    Which solution did I use previously and why did I switch?

    I did not previously use a different solution before Anomali. This was a solution that was not present in most of our clients' environments. My clients had point solutions, but they did not have a comprehensive solution that could correlate, and therefore no platform like this existed.

    How was the initial setup?

    Anomali follows a subscription-based model for pricing, setup cost, and licensing. Their licensing is typically a combination of the number of modules you would use. It is based on the number of analysts using Anomali, the number of intelligence feeds, and whether deployment is on-premise or SaaS. For a global enterprise, costs can range from two hundred fifty thousand to five hundred thousand dollars, and mid-size organizations might spend seventy-five thousand to one hundred thousand dollars. SaaS deployment usually costs less. Mostly it is an annual platform subscription, and multi-year deals for three to five years can provide good discounts.

    What was our ROI?

    I have seen return on investment with Anomali, with relevant metrics including money saved, fewer employees needed, and time saved. Many clients have reported SOC efficiencies in terms of reduction in mean time to detect and mean time to respond. Analyst productivity has improved significantly, with hours saved because of automation and AI-driven work that Anomali performs. Risk reduction matrices are also available, including the number of incidents prevented or detected in time.

    Specific metrics related to these improvements include a thirty to fifty percent reduction in manual threat analysis effort and a twenty to forty percent reduction in investigation time. Anomali also improves mean time to detect and mean time to respond by enhancing analyst activity.

    Which other solutions did I evaluate?

    Before choosing Anomali, I and my clients evaluated other options, including Recorded Future and ThreatConnect.

    What other advice do I have?

    I would clearly recommend Anomali to organizations, as I have done in the past. Anomali is appropriate for clients who have a mature security operating center consuming multiple threat intelligence sources and want to operationalize their threat intelligence across their security ecosystem. It is not suitable for small organizations with limited security maturity but rather for large, enterprise-level grade setups. New customers should define their threat intelligence objectives, start integrating and ingesting everything in a platform like Anomali to maximize value, and regularly fine-tune and review to reduce noise from intelligence sources and feeds. Treat Anomali as a strategic intelligence platform rather than simply a feed repository. I would rate this review overall as an eight out of ten.

    Rajat Sawant

    Targeted threat intel has reduced irrelevant alerts and now streamlines supply chain investigations

    Reviewed on Jun 04, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Anomali is that we use it as a TIP. As a TIP in my day-to-day work, we have specific rules configured for our organization. The client we work for is an FMCG client, and we have built alert cases around that, including supply chain attacks, vendors, and the technologies we use in that client. Anything triggered around those use cases will be notified to us, and then we investigate the alerts.

    Apart from this main workflow for our team, we use the Sandbox of Anomali. Specifically, our SOC team uses that, and we have integrated Anomali with our security tools including Defender and CrowdStrike in order to block the IOCs.

    What is most valuable?

    In my opinion, the best features Anomali offers include the ability for other organizations to score the intel according to their analysis, which helps us to grab more details about that alert and get more depth on that alert. Scoring the intel has helped my team significantly; for a particular incident, we were unsure whether it was impactful or not, but considering other organizations rated it high, we thought it was an important alert that should be investigated. Otherwise, it would have been overlooked as a benign event.

    Anomali has positively impacted my organization because earlier we were not using any TIP format and were just dependent on open source, which gave us tons of irrelevant alerts. Segregating those alerts was a big task, but with Anomali, we now get very specific and targeted alerts, allowing us to navigate through a handful of alerts that are applicable to us. It has saved a ton of working hours.

    What needs improvement?

    I believe Anomali could be improved by making the user interface more user-friendly. Currently, it is important to have knowledge about threat intel, but it is also crucial that even SOC team members or executive people can look at the dashboard or the tool, and it should be simple to navigate. It is not only for those who specifically work in threat intel.

    I believe easy integration with open-source tools including VirusTotal and easy quick links to these tools would make the experience better.

    For how long have I used the solution?

    I have been using Anomali for about two years.

    What do I think about the stability of the solution?

    In my experience, Anomali is stable; I have not seen any downtime or issues. I do not see any performance lag or issues with Anomali during peak hours or high alert volumes; it performs well.

    What do I think about the scalability of the solution?

    I believe Anomali's scalability is good; whether it is an organization for ten people or one hundred thousand people, the job a threat intel platform has to do will be the same, so I do not see scalability as an issue.

    How are customer service and support?

    The customer support has been good; people are responsive when I reach out for help.

    Which solution did I use previously and why did I switch?

    I previously used a different solution; it was an internal tool created by our CISO.

    Which other solutions did I evaluate?

    Before choosing Anomali, we evaluated other options, including CloudSek and Recorded Future features.

    What other advice do I have?

    My advice to others looking into using Anomali is that it is a good platform to start with if you do not have any TIP solution in your organization. I would rate this review eight out of ten.

    Aditya Yadav_

    Proactive threat intelligence has reduced alerts and improves attack surface visibility

    Reviewed on May 26, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for Anomali was a proactive approach to integrate Anomali Threat Intel, the TIP platform, with different security controls. The customer had two use cases: one related to the proactive approach of ingesting the IOCs into different security controls such as their IPS, IDS, email security gateways, proxy, and endpoint systems so that any malicious activity or traffic coming into their environment would be proactively blocked on all their security controls.

    We also had another use case where we wanted to get specific vulnerabilities whenever published for the specific products used within the customer's environment. Apart from that, we created some custom policies to detect any malicious activity based on the telemetry data Anomali Analytics was providing, triggering alerts and notifying us.

    I utilized Anomali security analytics to understand our attack surface so we could know how many anomalies or malicious traffic was running into our environment. That helped in running threat hunting activities and identifying users and machines interacting with malicious IPs, hashes, or any IOCs exposed over the internet. It helped us to identify machines containing some vulnerabilities; if there is a vulnerability exposed that bad actors utilize, we focus on and prioritize those assets for patching.

    We identified based on threat actors' activities if any threat actor is tightly associated with our organization type. Supporting a financial sector organization, we targeted and identified threat actors targeting financial and insurance sector organizations, helping us to proactively mitigate and secure the environment based on IOCs or attack patterns available for the specific threat actors.

    How has it helped my organization?

    Anomali positively impacts our organization, notably improving our vulnerability management program under reducing attack surface management. It supports our threat hunting activities, helping us identify gaps, create logical rules, and understand the context of threat policies on our SIEM platforms. We successfully present quantitative data to our leadership, offering an executive summary on the attack surface and identifying various security gaps and mitigation strategies.

    In one time period, we had around 1,000 alerts related to malicious IPs or TOR activities in our platform. After implementing IOCs into our Palo Alto platform, we proactively blocked these malicious IPs from reaching our proxy, resulting in a significant drop in alerts. Previously, we faced around 100 alerts monthly for TOR activities, but following the integration with Anomali, that number reduced to just five or six cases in a month.

    What is most valuable?

    The best features Anomali offers include the TIP platform and Anomali Analytics, previously called Anomali Match, which provides a perspective to identify our attack surface. Correlating IOCs with the telemetry data we are ingesting from our data sources allows us to pull monthly reports identifying how many assets and users interacted with malicious content, giving insight into whether communications failed or users accessed restricted content, providing complete visibility of the IOCs traveling throughout our environment.

    Anomali Analytics, or Anomali Match, helped us identify scenarios where we were getting a lot of alerts on our SIEM solution for TOR activities. Some alerts were missed, but we identified through Anomali Analytics how many interactions were happening with malicious IOCs and TOR IPs associated with vulnerabilities. We were able to identify vulnerable systems that were not patched and were interacting with those threat IPs linked to the threat actor Skinny Hunter, targeting financial sector organizations.

    We identified the IOCs within our environment, observed attack patterns for that threat actor, mapped those patterns to identify vulnerable assets, and recommended to the vulnerability management team to patch on priority.

    Anomali's dashboarding stands out; they introduced Anomali Query Language, allowing us to create dashboards identifying specific data sources and logs we push to security controls. We had Palo Alto and Check Point firewalls where we tracked data to identify how many IOCs we pushed and how many passed through or were blocked, providing deeper insights from each integrated security control due to the correlation of the TIP platform and Anomali Security Analytics.

    What needs improvement?

    Integration is quite easy; based on APIs, we can integrate different security controls without limitations, although Anomali could improve by offering more out-of-the-box connectors. There were good connectors for Zscaler and CrowdStrike, but for firewalls such as Check Point or Palo Alto, it relies on APIs. The integration was solid, and Anomali's ability to correlate and integrate different Threat Intel platforms, such as Mandiant and PolySwarm, is another valuable feature, removing duplication and enabling the application of specific IOCs across various security controls.

    Anomali could improve by providing more out-of-the-box solutions for integration. Some API queries fail because certain values within the queries cannot pass through the integrator. Additionally, the email notification system could be enhanced to present data better to leadership so that those in management roles can understand the logs more easily, improving visibility.

    For how long have I used the solution?

    I have been using Anomali for around the last three years for one of my clients, managing that platform as Threat Intel to integrate with their multiple security tools such as their firewalls, IPS, and IDS.

    What do I think about the stability of the solution?

    Anomali is stable and has performed reliably.

    What do I think about the scalability of the solution?

    Anomali handles our growth and expansion well, integrating with our other security platforms.

    What was our ROI?

    I do not have specific ROI numbers, but we have saved a lot of time. Previously, we needed to sift through extensive data via SIEM solutions to achieve visibility and prepare dashboards manually, but now we can identify metrics quicker.

    What's my experience with pricing, setup cost, and licensing?

    Pricing and licensing are good, but the costs for purchasing threat feeds are somewhat complicated and a bit on the higher side. I was not part of the setup cost but know that we had to consider the costs before integrating feeds into our environment.

    Which other solutions did I evaluate?

    We evaluated Mandiant and Cybel before choosing Anomali.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)

    reviewer2845602

    Threat intelligence has strengthened detection and response for malicious URLs and attacks

    Reviewed on May 22, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Anomali is for threat intelligence. We have a threat stream and threat practice on that. We are checking overall and verifying malicious websites, malicious hashes, and malicious URLs that are coming to the internal organization.

    I can give a quick specific example of how I use Anomali in my workflow. I have used Anomali to check which malicious URLs and websites are attacking our internal organization. We check the threat intelligence portal like VirusTotal and other sources, and if the reputation of that URL is malicious, we block it in Anomali.

    What is most valuable?

    The best features Anomali offers are that it shows all the information on the particular dashboard, whether something is malicious or not and what the reputation status is.

    Anomali has impacted my organization positively because our SOC team, which is actively monitoring all the tools—either SIEM, SOAR, or threat intelligence platform—operates in multiple shifts. It has impacted our organization in a positive way by showing whether malicious activities or APTs are present. Whatever attackers are there, it shows on the dashboard and we can perform our analysis and execute remediation effectively.

    Anomali has improved our MTTR and MTDD.

    What needs improvement?

    We can enhance the dashboard and create metrics and improve the themes for incident response in particular. We could implement it through SOAR and gather more data on SOAR.

    For how long have I used the solution?

    I have been using Anomali for about three months.

    What do I think about the stability of the solution?

    Anomali is stable.

    Which solution did I use previously and why did I switch?

    I previously used a different solution.

    What's my experience with pricing, setup cost, and licensing?

    I do not know much about the pricing, setup cost, and licensing. These aspects are taken care of by seniors and associate directors.

    Which other solutions did I evaluate?

    I did not evaluate other options before choosing Anomali.

    What other advice do I have?

    I have used Anomali for the past four months in my previous organization.

    There is nothing else I would like to add about the features.

    On a scale of one to ten, I would rate Anomali an eight to nine. I would give Anomali that score because we see Anomali as a threat intelligence platform and we can work with it and improve the MTTR. I rate this product eight out of ten overall.
