Anomali

I have had exposure to Anomali for over five years and have been advising many clients regarding a cyber threat intelligence platform they could use. I have recommended Anomali to many of my clients throughout this period.

My main use case for Anomali is rooted in the fact that there are many use cases within cyber threat intelligence, which is what Anomali stands for. This helps organizations aggregate, enrich, prioritize, and operationalize threat intelligence across its security operations. Primary use cases include security operations, threat hunting, incident response, threat intelligence, and automated blocking.

I can provide a specific example of how I have seen Anomali used for threat hunting or incident response. A scenario I have advised on involves Anomali's use of artificial intelligence, which has made it analytical driven. It performs threat correlation, intelligence enrichment, and provides better pattern recognition through risk scoring. This makes it quite trustworthy and helps organizations prioritize intelligence through enrichment. I have seen Anomali provide strong results to businesses at large.

Anomali helps achieve faster threat detection and faster incident response through improved productivity of analysts who would otherwise perform many tasks manually. Automation helps significantly in enrichment and correlation of indicators of compromise. This allows organizations to make better decisions with respect to threats and enhances regulatory and executive reporting.

Anomali's best features include its mature threat intelligence platform with a large intelligence repository, which is a major strength. It has strong feed aggregation, aggregating feeds from over 200 sources. It offers fairly reasonable automation capabilities that make it easy to operationalize threat intelligence.

Among these features, threat intelligence operationalization stands out as making the biggest difference for organizations. It aggregates intelligence from hundreds of sources, automatically de-duplicates, applies risk scoring, applies context, and reduces much manual effort. Threat intelligence operationalization represents Anomali's best feature—its ability to turn raw threat intelligence into actionable security outcomes.

Threat intelligence operationalization, combined with a comprehensive threat intelligence platform, aggregation through various feeds, automation, integration, and strong correlation with MITRE, is what organizations should primarily use Anomali for. Organizations need to use these capabilities much more coherently.

Anomali has positively impacted my organization and my clients by helping them improve threat visibility, accelerate incident response, and make better use of their resources. Anomali has reduced incident response times by providing context around threats and indicators. It has significantly reduced analyst workload through automation and reduced the effort required for correlations. Additionally, it provides better vulnerability prioritization and much stronger visibility into cyber risk and emerging trends.

Anomali can be improved in various aspects. Its AI-driven automation can further advance, and AI-powered investigation summaries can improve. User experience could be enhanced through simplification of workflows. Better board-level cyber risk dashboards could provide easier visualization. Additionally, Anomali could work on simplifying the pricing structure. Although it excels in threat intelligence aggregation and operationalization, stronger GenAI capability, improved executive reporting, and a more intuitive workflow for analysts would further increase SOC efficiency and add more business value.

Regarding Anomali's AI capabilities, governance and security are quite good. Anomali has incorporated AI and machine learning primarily to improve correlation and prioritization. These capabilities are valuable but could be more mature. The platform could achieve better threat correlation, prioritization, more anomaly detection, and allow AI to accelerate intelligence analysis while further improving quality and relevance.

The accuracy and reliability of Anomali's AI output are fairly reasonable and good. The AI engine works well, but this capability could be improved. Better threat correlation with threat actors, certain indicators of compromise, malware, and campaigns is possible. Threat prioritization could increase, and alert noise could be reduced through further de-duplication. While reasonable, this is not the best available, and other products possibly have more AI maturity, such as Recorded Future and CrowdStrike Falcon.

I have been working in my current field for over twenty-five years.

Anomali is stable in my experience with no issues regarding downtime or reliability. It is an enterprise-grade platform widely used by large clients, financial institutions, and managed security service providers. It has been a mature platform for years and is designed for high availability, making it suitable for security operations centers that work 24/7. From a reliability perspective, Anomali consistently injects threat feeds, works on automation, performs reliable API integrations, and supports enterprise scale globally.

Anomali's scalability is impressive as a mature platform capable of processing large amounts of threat intelligence and indicators of compromise data. It integrates well with firewall platforms, SIEM, and EDRs. Since it is available in cloud deployment format, it is very stable and highly available.

Anomali customer support is known for being absolutely very good for enterprise customers. I would rate Anomali customer support as very good with very responsive support for critical issues. They have strong onboarding and deployment assistance, provide a dedicated technical account manager for large customers, and engage in regular product updates and customer interaction. Resolution times can vary depending on the issue, and this is an area where they can further improve. Smaller customers may not receive the same level of attention as large customers do.

I would rate Anomali customer support on a scale of one to ten as approximately an eight point five. For responsiveness, technical expertise, and implementation support, I would rate it a nine out of ten, as my experience has been quite solid.

I did not previously use a different solution before Anomali. This was a solution that was not present in most of our clients' environments. My clients had point solutions, but they did not have a comprehensive solution that could correlate, and therefore no platform like this existed.

Anomali follows a subscription-based model for pricing, setup cost, and licensing. Their licensing is typically a combination of the number of modules you would use. It is based on the number of analysts using Anomali, the number of intelligence feeds, and whether deployment is on-premise or SaaS. For a global enterprise, costs can range from two hundred fifty thousand to five hundred thousand dollars, and mid-size organizations might spend seventy-five thousand to one hundred thousand dollars. SaaS deployment usually costs less. Mostly it is an annual platform subscription, and multi-year deals for three to five years can provide good discounts.

I have seen return on investment with Anomali, with relevant metrics including money saved, fewer employees needed, and time saved. Many clients have reported SOC efficiencies in terms of reduction in mean time to detect and mean time to respond. Analyst productivity has improved significantly, with hours saved because of automation and AI-driven work that Anomali performs. Risk reduction matrices are also available, including the number of incidents prevented or detected in time.

Specific metrics related to these improvements include a thirty to fifty percent reduction in manual threat analysis effort and a twenty to forty percent reduction in investigation time. Anomali also improves mean time to detect and mean time to respond by enhancing analyst activity.

Before choosing Anomali, I and my clients evaluated other options, including Recorded Future and ThreatConnect.

I would clearly recommend Anomali to organizations, as I have done in the past. Anomali is appropriate for clients who have a mature security operating center consuming multiple threat intelligence sources and want to operationalize their threat intelligence across their security ecosystem. It is not suitable for small organizations with limited security maturity but rather for large, enterprise-level grade setups. New customers should define their threat intelligence objectives, start integrating and ingesting everything in a platform like Anomali to maximize value, and regularly fine-tune and review to reduce noise from intelligence sources and feeds. Treat Anomali as a strategic intelligence platform rather than simply a feed repository. I would rate this review overall as an eight out of ten.

My main use case for Anomali is that we use it as a TIP. As a TIP in my day-to-day work, we have specific rules configured for our organization. The client we work for is an FMCG client, and we have built alert cases around that, including supply chain attacks, vendors, and the technologies we use in that client. Anything triggered around those use cases will be notified to us, and then we investigate the alerts.

Apart from this main workflow for our team, we use the Sandbox of Anomali. Specifically, our SOC team uses that, and we have integrated Anomali with our security tools including Defender and CrowdStrike in order to block the IOCs.

In my opinion, the best features Anomali offers include the ability for other organizations to score the intel according to their analysis, which helps us to grab more details about that alert and get more depth on that alert. Scoring the intel has helped my team significantly; for a particular incident, we were unsure whether it was impactful or not, but considering other organizations rated it high, we thought it was an important alert that should be investigated. Otherwise, it would have been overlooked as a benign event.

Anomali has positively impacted my organization because earlier we were not using any TIP format and were just dependent on open source, which gave us tons of irrelevant alerts. Segregating those alerts was a big task, but with Anomali, we now get very specific and targeted alerts, allowing us to navigate through a handful of alerts that are applicable to us. It has saved a ton of working hours.

I believe Anomali could be improved by making the user interface more user-friendly. Currently, it is important to have knowledge about threat intel, but it is also crucial that even SOC team members or executive people can look at the dashboard or the tool, and it should be simple to navigate. It is not only for those who specifically work in threat intel.

I believe easy integration with open-source tools including VirusTotal and easy quick links to these tools would make the experience better.

I have been using Anomali for about two years.

In my experience, Anomali is stable; I have not seen any downtime or issues. I do not see any performance lag or issues with Anomali during peak hours or high alert volumes; it performs well.

I believe Anomali's scalability is good; whether it is an organization for ten people or one hundred thousand people, the job a threat intel platform has to do will be the same, so I do not see scalability as an issue.

The customer support has been good; people are responsive when I reach out for help.

I previously used a different solution; it was an internal tool created by our CISO.

Before choosing Anomali, we evaluated other options, including CloudSek and Recorded Future features.

My advice to others looking into using Anomali is that it is a good platform to start with if you do not have any TIP solution in your organization. I would rate this review eight out of ten.

My main use case for Anomali is for threat intelligence. We have a threat stream and threat practice on that. We are checking overall and verifying malicious websites, malicious hashes, and malicious URLs that are coming to the internal organization.

I can give a quick specific example of how I use Anomali in my workflow. I have used Anomali to check which malicious URLs and websites are attacking our internal organization. We check the threat intelligence portal like VirusTotal and other sources, and if the reputation of that URL is malicious, we block it in Anomali.

The best features Anomali offers are that it shows all the information on the particular dashboard, whether something is malicious or not and what the reputation status is.

Anomali has impacted my organization positively because our SOC team, which is actively monitoring all the tools—either SIM, SOAR, or threat intelligence platform—operates in multiple shifts. It has impacted our organization in a positive way by showing whether malicious activities or APTs are present. Whatever attackers are there, it shows on the dashboard and we can perform our analysis and execute remediation effectively.

Anomali has improved our MTTR and MTDD.

We can enhance the dashboard and create metrics and improve the themes for incident response in particular. We could implement it through SOAR and gather more data on SOAR.

I have been using Anomali for about three months.

Anomali is stable.

I previously used a different solution.

I do not know much about the pricing, setup cost, and licensing. These aspects are taken care of by seniors and associate directors.

I did not evaluate other options before choosing Anomali.

I have used Anomali for the past four months in my previous organization.

There is nothing else I would like to add about the features.

On a scale of one to ten, I would rate Anomali an eight to nine. I would give Anomali that score because we see Anomali as a threat intelligence platform and we can work with it and improve the MTTR. I rate this product eight out of ten overall.

My main use case for Anomali in my organization is threat intelligence. We use threat intelligence with Anomali in my day-to-day work to query feeds.

What we do is query those feeds looking for all kinds of indicators of compromise: IP, URL, and other indicators of compromise. They are evaluated according to the score given by Anomali, and we also do other processing for those indicators, validations for those indicators. After that analysis, they are integrated with the different security controls: firewalls, IPS, proxy, and among others.

We also use it for hunting topics and security bulletins.

I consider the best features offered by Anomali to be its versatility, good information, various integrations, and feeds that are free. There are also others that are integrated and paid, but its capacity is large. It really has a high storage of indicators of compromise and its reliability is quite accurate.

Anomali has positively impacted my organization significantly; it has been a great help. Anomali is a very versatile platform, quite effective, and very fast when it comes to downloading and maintaining the information of the indicators of compromise. Additionally, it has a large amount of information about those indicators of compromise, such as their score and evaluation, and it also brings where they come from and tries to attach vectors to those indicators, which makes threat intelligence and security bulletins much easier. All the information that it provides makes it much easier to analyze and generate valuable information.

I think that Anomali could be improved by addressing a major weakness, which is the issue of its integrators. The capacity they have when publishing a large number of indicators is quite limited. This makes it almost indispensable to set up one integrator per control, which is not efficient. It should have a much larger capacity to publish the application on a single server and for that server to handle a large quantity and volume of indicators.

Regarding the web interface, there are several problems when it comes to administration. These integrators publish a web interface that after a while generates quite a few errors and the service has to be restarted quite a lot in order to administer it, which is not efficient.

I have been working in the field of computer security for more than 10 years. I have been using Anomali for 3 years.

I consider Anomali to be 100% stable.

I would rate the scalability of Anomali highly; it adapts well to my organization's growth needs.

My experience with Anomali's customer support has not gone so well for us. Not because they are bad at support, but because the tool being limited means the support people fall short.

Before using Anomali, I used ThreatConnect. I decided to switch from ThreatConnect to Anomali really for commercial reasons. ThreatConnect is also a quite complete platform.

Before choosing Anomali, I understand that ThreatConnect was there, but I do not know about the others.

I think the platform is fine as it is for now. In terms of costs, Anomali is not the cheapest, but it has helped on the operational side in reducing the efficiency burden on staff. Not the reduction of staff as such, but in the efficiency of the staff on other tasks with the reduction of the administration of this platform. My advice to other people who are considering implementing Anomali is that they validate their infrastructure. If they have too many controls that will need Anomali to disseminate, they have to take into account that they are going to deploy many integrators, which translates into on-premise infrastructure, which raises costs and increases the administrative burden. Other than that, Anomali is a very good platform in terms of dissemination of indicators of compromise and all the benefits it has at the threat intelligence level. I give this review an overall rating of 8.

My main use case for Anomali is that it helps me with intelligence gathering and dark web monitoring. It has good functionality of integration with other solutions like Google Mandiant and Flashpoint, which are other CTI solutions. It also integrates with other SIEM solutions such as Splunk, allowing us to push all the indicators of compromise and IOCs to the SIEM solution. We can customize based on the confidence score of this indicator; for instance, if the confidence score is over 75, we push it to Splunk for real-time sightings within the network. I think it's one of the awesome tools I've worked with to date.

A specific example of how I've used Anomali for intelligence gathering or integration with Splunk is that Anomali captures all the latest intel from various sources, whether forums, open sources, articles published on social media, or researchers posting their findings in their blogs. It collects all the TTPs, IOCs, and captures them to publish within Anomali. We push those indicators to Splunk via an API-based integration for real-time checks within the network if there are any sightings or hits.

Regarding my main use case with Anomali, while much of it is confidential, one unique capability is Anomali's TAXII/STIX based integration with different platforms. For instance, we recently integrated with the CISA platform run by the US government, which provides us with the latest advisories. They push all the results into Anomali, creating a single UI that helps us avoid jumping into various sources to find intel, which I think is a unique feature of Anomali.

The best features Anomali offers are that it acts as an application that pulls data from different solutions. As I mentioned earlier, we utilize Mandiant, Flashpoint, and other CTI solutions. Using Anomali, I push all the results into it, providing a single UI to see what Flashpoint and Google Mandiant are providing rather than jumping into different platforms, which can be time-consuming. Anomali helps us stay on a single platform and provides the required results.

The user interface in Anomali is very good. I have worked in Anomali for five years and think they have a great UI for writing queries and finding specific results much more efficiently than in other solutions where you need to scroll down through different widgets. Anomali has a query-based language, similar to SQL, that helps us dig out specific results, whether vulnerability-related or concerning threat actors and TTPs. We can also perform string-based searches. I think it's an awesome feature. Furthermore, regarding integration, Anomali has capabilities to integrate with different downstream applications such as Palo Alto, allowing us to create playbooks to block domains, URLs, or IPs directly within the firewall.

Anomali has positively impacted my organization by reducing the time required to find intel specific to our needs. We can create our own queries specific to our organization and pull out results related to any posts within the dark web or any activities from threat actors targeting us. This capability enables us to create saved searches that provide exact results. I estimate that Anomali has saved me about 30% of my time.

In terms of improvements, I think Anomali has a good UI and integration capabilities. However, one area for improvement is providing a heat map of cyberattacks around the world. It would be helpful to have a list of which countries are facing the most attacks or experiencing major data breaches, and I think those areas could be enhanced.

One more improvement I would mention is regarding compromised credential monitoring. Anomali should increase their capability to fetch details from various dark web solutions where threat actors post compromised credentials. Expanding in that area could significantly enhance its utility.

I have been using Anomali for around five years now.

Anomali is stable. The good thing is that they have a health check page, and if any issues arise, they notify us. We can continuously track the real-time status of Anomali platform through this webpage.

Anomali's scalability is good; it performs well.

Customer support from Anomali is reliable; they provide support regularly during incidents or any requirements and are responsive to our needs.

I have not previously used a different solution; this is the only one I have used in the last five years.

I have seen a return on investment from using Anomali.

My experience with pricing involved a yearly, two-year contract; I can't specify the setup cost, but it was aligned with our budget, so I consider it good.

I did evaluate other options before choosing Anomali, but I can't recall the names of the specific ones.

My advice for others considering Anomali is to go for it, depending on your organization. Whether it is retail, finance, or service-based, decide on your PIRs and use cases to evaluate if Anomali covers those adequately.

Any new customers looking for a solution should consider Anomali as a great option. However, it depends on the organization; whether retail, finance, product-based, or service-based, you should evaluate the use cases for yourself, conduct a POC, and see if it meets all your needs. I would rate this solution an 8 out of 10.

We use Anomali as our threat intelligence platform for a variety of threat intelligence feeds that we subscribe to, needing a more central place to store everything so we can correlate which feeds have seen this indicator before and which haven't. This was the biggest use case for us to solve, which is why we went after it. It is definitely more than just a threat intel platform where we store all these indicators; it's almost very much a threat hunting tool that allows analysts to do investigations on those indicators and make connections, looking for other related things that we didn't necessarily see. It allows us to take a more proactive kind of approach.

The API is our most important feature. We are very much into automation, so being able to handle things programmatically at scale has been immensely powerful for us. We've evolved beyond just the two use cases I mentioned. One of the things we decided to do is utilize the Anomali API to push everything into that platform after sorting and normalizing everything. We now have a very robust collection of threat intelligence based on the capabilities that Anomali provides. It's very adaptable; you can do a lot with it, making it a very powerful tool.

There is always room for improvement, as there are always new ideas. They have been dabbling with some AI functionality built into the platform, which is still very new, so there's a lot of improvement that could happen there, especially as the technology enhances.

I have been using Anomali for about 7 or 8 years.

The initial setup depends on which kind of deployment you choose; they offer both an on-prem solution and a Cloud deployment. If you choose the Cloud deployment, there's nothing you have to do; you just log in and start using it. It's pretty seamless. If you're using an on-prem setup, they provide an appliance for enterprise customers, and after subscribing, they ship you a device that you can set up by following their setup guide, which provides all the details and instructions.

Stability has been pretty seamless so far, but we've run into some issues more recently due to changes in how some platform functions operate. It doesn't seem they're considering enough how customers use those functions as they change them, and they don't give us enough time to adapt to those changes. For example, while Microsoft allows ample time for users to adapt to deprecated features, Anomali only gave us three weeks before switching, so they need to be more cognizant of customer use cases from their engineering side.

The scalability is massive, allowing us to store millions of indicators. Unless you have a threat intelligence platform, you can't scale to the level Anomali offers, especially compared to trying to do it in a SIEM tool such as Splunk or Sentinel. It seems almost unlimited; I'm sure there's a limit, but they do a good job of never allowing us to hit that limit.

Support in the past has been top-notch, but recent trends indicate that it has taken a back seat, as we often don't get answers for days. We'll receive excuses such as "I was out of the office" or "I forgot to follow up on this, I apologize." While they apologize, it doesn't seem very professional how they're handling support anymore.

You have to have at least a threat intelligence background or a SOC analyst background to use it, as that's the information you'll dig around with in there. If you don't have that kind of knowledge, it probably can be a little hard to use, but they do provide training. They offer training not only for how to use the platform but also some basic threat intelligence training to explain what these things are and what these terms mean.

My company is a customer of Anomali.

I would recommend it to other people.

I would advise making sure you don't pick it without testing other products and have your use cases well thought out and documented before testing, so you know it will solve the problems you're trying to address. Keep an open mind with it and realize that whatever you can dream of, you can probably do with the platform.

Overall, I would rate Anomali an eight out of ten.

I use Anomali for threat hunting, threat collection, operationalization of intelligence, such as indicators of compromise (IOCs), and dissemination of reports for report writing and documentation.

The most valuable aspect of Anomali is the threat modeling capability. It collects threat intel documents and IOCs and allows us to tailor it to our needs and prioritize intelligence requirements (PIRs). This enables us to receive prioritized threat intelligence.

An area for improvement is the intelligence sharing within the Anomali community. The tagging system can be inconsistent, as any company can use any tags for their reporting. Combining all aliases into a coherent solution would be beneficial, as we had to review each individual source ourselves. This would improve intelligence collection across Anomali.

I have been using Anomali for the last six years.

The initial deployment of Anomali was straightforward and went well.

I have not experienced any downtime with Anomali's cloud platform. It has been scaled very well.

The scalability of Anomali is impressive, as indicated by the smooth operation of its cloud platform.

The technical support at Anomali is excellent. They respond to inquiries within 24 to 48 hours.

I have used Recorded Future and Mandiant Advantage, which they bought from FireEye, in the past.

The initial setup of Anomali was easy and took about three months to deploy. The full operationalization took around three quarters to one year.

A dedicated engineer is needed for deployment, but for integrations and other tasks, multiple teams might be involved.

I have evaluated Recorded Future and Mandiant Advantage as alternatives to Anomali.

For new users, I recommend taking the training provided by Anomali as it is very well articulated. I advise reading the user manual and taking the instructor-led training sessions from the customer support success manager. This will effectively kickstart the journey. I rate the Anomali solution a solid nine out of ten.