Sold by: Anomali
Anomali delivers the first Intelligence-Native Agentic SOC Platform unifying a fully featured security data lake, threat intelligence, and agentic AI into a single modern experience. The platform accelerates detection, investigation, and response; delivering earlier insights, faster action, and scalable modernization across any environment.
4.5
Overview
The Anomali Intelligence-Native Agentic SOC Platform unifies a full-featured security data lake, next-generation managed threat intelligence, and Agentic AI into a single, modern security operations experience. The platform delivers agentic decision-making, embedded intelligence, and advanced analytics across the entire security lifecycle, helping organizations detect, investigate, and respond faster while reducing operational complexity. Customers can adopt either product independently or combine them for maximum impact. The platform scales seamlessly from augmenting existing SIEM investments to fully replacing legacy SIEM architectures.
Highlights
- Always-hot, normalized telemetry across cloud, endpoint, network, identity, and applications.
- Curated threat intelligence applied continuously to alerts and investigations.
- Intelligence-informed guidance that supports analyst decision-making.
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/12 months |
|---|---|---|
Anomali Platform | Anomali Platform - 3500 employees / 0.5 TB a day / 6 months storage | $520,000.00 |
Threatstream Enterprise | Threatstream Enterprise annual subscription | $150,000.00 |
Copilot Essential | Anomali Copilot Essential | $83,333.00 |
ThreatStream AI Enterprise - 50GB | TS AI Enterprise with 50GB per day IOC Ingest | $338,461.00 |
Vendor refund policy
All fees are non-cancellable and non-refundable except as required by law.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Support
Vendor support
The Customer Success Organization (CSO) provides customers with 24-hour support and additional services. CSO uses a tiered approach to allow clients to contact Anomali through their assigned operations staff member or via our support portal. With experts in all major client integration solutions and areas of security development, CSO provides clients with the knowledge necessary to address all threat intelligence related inquiries. Support@anomali.com
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
Top
25
In Log Analysis
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Security Data Lake
Always-hot, normalized telemetry across cloud, endpoint, network, identity, and applications.
Threat Intelligence Integration
Curated threat intelligence applied continuously to alerts and investigations.
Agentic AI Capabilities
Agentic decision-making and intelligence-informed guidance supporting analyst decision-making throughout the security lifecycle.
Detection and Investigation Acceleration
Advanced analytics enabling faster detection, investigation, and response across the entire security operations workflow.
Multi-Environment Scalability
Seamless scaling from augmenting existing SIEM investments to fully replacing legacy SIEM architectures across any environment.
Behavioral Analytics Engine
Applies behavioral analytics to detect threat actor tactics through Tactic Graphs, leveraging 20+ years of attack and threat data plus 1400+ incident response engagements
Multi-Environment Threat Detection
Unifies detection and response across endpoint, network, and cloud environments with correlated event visibility in a single dashboard
Identity Risk Monitoring
Continuously monitors environment for identity misconfigurations and risks, detects 100% of MITRE ATT&CK Credential Access techniques, and provides dark web intelligence on compromised credentials
Extended Investigation Capabilities
Supports extended log retention, search query functionality, user-defined reporting, and custom use case support for threat hunting and incident investigation
Automated Threat Intelligence Correlation
Automatically correlates threat landscape knowledge with security telemetry and continuously updated built-in threat intelligence
Agentless Detection Architecture
Agentless approach for security detection and response without requiring agent installation across cloud infrastructure.
Real-time Configuration Monitoring
Continuous tracking of behavior and configuration changes to provide an updated model of the environment with instant analysis of security and compliance implications.
Threat Detection Framework
Threat detection across Network and IAM using MITRE ATT&CK framework driven by machine learning analysis.
Attack Chain Visualization
Dynamic visual attack storyline that connects workloads, network data, cloud identities, and audit logs for root cause analysis.
CloudTwin Technology
CloudTwin technology designed to provide a precise and constantly updated model of the cloud environment for rapid response capabilities.
Validated by AWS Marketplace
FedRAMP
GDPR
HIPAA
ISO/IEC 27001
PCI DSS
SOC 2 Type 2
No security profile
-
-
-
-
-
No security profile
Standard contract
No
No
Customer reviews
ChrisCollins
Enables automated threat intelligence sorting and enhances proactive threat hunting capabilities
Reviewed on May 12, 2025
Review provided by PeerSpot
What is our primary use case?
We use Anomali as our threat intelligence platform for a variety of threat intelligence feeds that we subscribe to, needing a more central place to store everything so we can correlate which feeds have seen this indicator before and which haven't. This was the biggest use case for us to solve, which is why we went after it. It is definitely more than just a threat intel platform where we store all these indicators; it's almost very much a threat hunting tool that allows analysts to do investigations on those indicators and make connections, looking for other related things that we didn't necessarily see. It allows us to take a more proactive kind of approach.
What is most valuable?
The API is our most important feature. We are very much into automation, so being able to handle things programmatically at scale has been immensely powerful for us. We've evolved beyond just the two use cases I mentioned. One of the things we decided to do is utilize the Anomali API to push everything into that platform after sorting and normalizing everything. We now have a very robust collection of threat intelligence based on the capabilities that Anomali provides. It's very adaptable; you can do a lot with it, making it a very powerful tool.
What needs improvement?
There is always room for improvement, as there are always new ideas. They have been dabbling with some AI functionality built into the platform, which is still very new, so there's a lot of improvement that could happen there, especially as the technology enhances.
For how long have I used the solution?
I have been using Anomali for about 7 or 8 years.
What was my experience with deployment of the solution?
The initial setup depends on which kind of deployment you choose; they offer both an on-prem solution and a Cloud deployment. If you choose the Cloud deployment, there's nothing you have to do; you just log in and start using it. It's pretty seamless. If you're using an on-prem setup, they provide an appliance for enterprise customers, and after subscribing, they ship you a device that you can set up by following their setup guide, which provides all the details and instructions.
What do I think about the stability of the solution?
Stability has been pretty seamless so far, but we've run into some issues more recently due to changes in how some platform functions operate. It doesn't seem they're considering enough how customers use those functions as they change them, and they don't give us enough time to adapt to those changes. For example, while Microsoft allows ample time for users to adapt to deprecated features, Anomali only gave us three weeks before switching, so they need to be more cognizant of customer use cases from their engineering side.
What do I think about the scalability of the solution?
The scalability is massive, allowing us to store millions of indicators. Unless you have a threat intelligence platform, you can't scale to the level Anomali offers, especially compared to trying to do it in a SIEM tool such as Splunk or Sentinel . It seems almost unlimited; I'm sure there's a limit, but they do a good job of never allowing us to hit that limit.
How are customer service and support?
Support in the past has been top-notch, but recent trends indicate that it has taken a back seat, as we often don't get answers for days. We'll receive excuses such as "I was out of the office" or "I forgot to follow up on this, I apologize." While they apologize, it doesn't seem very professional how they're handling support anymore.
What other advice do I have?
You have to have at least a threat intelligence background or a SOC analyst background to use it, as that's the information you'll dig around with in there. If you don't have that kind of knowledge, it probably can be a little hard to use, but they do provide training. They offer training not only for how to use the platform but also some basic threat intelligence training to explain what these things are and what these terms mean.
My company is a customer of Anomali.
I would recommend it to other people.
I would advise making sure you don't pick it without testing other products and have your use cases well thought out and documented before testing, so you know it will solve the problems you're trying to address. Keep an open mind with it and realize that whatever you can dream of, you can probably do with the platform.
Overall, I would rate Anomali an eight out of ten.
Sai Puneeth Gundamraju
Effective threat modeling and intelligence prioritization streamline threat hunting
Reviewed on Apr 28, 2025
Review provided by PeerSpot
What is our primary use case?
I use Anomali for threat hunting, threat collection, operationalization of intelligence, such as indicators of compromise (IOCs), and dissemination of reports for report writing and documentation.
What is most valuable?
The most valuable aspect of Anomali is the threat modeling capability. It collects threat intel documents and IOCs and allows us to tailor it to our needs and prioritize intelligence requirements (PIRs). This enables us to receive prioritized threat intelligence.
What needs improvement?
An area for improvement is the intelligence sharing within the Anomali community. The tagging system can be inconsistent, as any company can use any tags for their reporting. Combining all aliases into a coherent solution would be beneficial, as we had to review each individual source ourselves. This would improve intelligence collection across Anomali.
For how long have I used the solution?
I have been using Anomali for the last six years.
What was my experience with deployment of the solution?
The initial deployment of Anomali was straightforward and went well.
What do I think about the stability of the solution?
I have not experienced any downtime with Anomali's cloud platform. It has been scaled very well.
What do I think about the scalability of the solution?
The scalability of Anomali is impressive, as indicated by the smooth operation of its cloud platform.
How are customer service and support?
The technical support at Anomali is excellent. They respond to inquiries within 24 to 48 hours.
Which solution did I use previously and why did I switch?
How was the initial setup?
The initial setup of Anomali was easy and took about three months to deploy. The full operationalization took around three quarters to one year.
What about the implementation team?
A dedicated engineer is needed for deployment, but for integrations and other tasks, multiple teams might be involved.
Which other solutions did I evaluate?
I have evaluated Recorded Future and Mandiant Advantage as alternatives to Anomali.
What other advice do I have?
For new users, I recommend taking the training provided by Anomali as it is very well articulated. I advise reading the user manual and taking the instructor-led training sessions from the customer support success manager. This will effectively kickstart the journey. I rate the Anomali solution a solid nine out of ten.
Information Technology and Services
Vendor Agnostic largest Threat Intel Database
Reviewed on Oct 12, 2021
Review provided by G2
What do you like best about the product?
Anomali is one of those Vendors which gives the complete Threat Intel regardless of Vendor. It has 15-16 vendors' free threat intel along with the other Top vendor's Threat Intels. Even customers can create their own Intel and share it with others.
What do you dislike about the product?
It should be a bit cost-friendly to support all types of customers. Also, it should support offline Threat downloads.
What problems is the product solving and how is that benefiting you?
Nowadays, most customers have many devices/solutions in their Infra, and so much traffic is flowing in. But we don't know which traffic is good or which traffic is bad. So we need some solution that can give us the Intel to filter on that basis.
Recommendations to others considering the product:
If any company is looking for a consolidated threat intel solution that provides Threat Intel from multiple vendors, which include some free subscribers as well, Anomali ThreatSteam is the best SaaS based solution. We can create our threat intel as well and share it with others.