Lizzie Clark

10 Questions You Should Ask a Vendor Before Buying a Cyber Threat Intelligence Solution


In this blog we give you 10 of the must-ask questions before buying a cyber threat intelligence solution.

Making an informed decision when choosing the right cyber threat intelligence vendor.

Choosing the right cyber threat intelligence product is a major decision for any organization, especially now that the role of threat intelligence has never been more important in the fight against the dark web. With so many products claiming to have the data needed to defend your organization, it can be difficult to determine which vendor is right for you.

If you are looking for a new cyber threat intelligence partner and want to ensure they meet your organization’s needs, these 10 questions will help you to make an informed decision.

Want more best practice on selecting a cyber threat intelligence provider? Download “The Essentials Buyer’s Guide to Cyber Threat Intelligence (CTI)”.

#1 Can the vendor fulfill your intelligence gaps?

To determine if a vendor can fulfill your intelligence gaps, it’s crucial to understand your specific goals and needs. Start by asking yourself what you aim to achieve with your cyber threat model. Are there particular dark web threats targeting your industry or region that you need to combat? Are you primarily focused on protecting IP and brand reputation, or are you aiming to stop cyber attacks before they start? Once you have these answers, you’ll understand the different types of intelligence your organization needs from a vendor to answer your team’s questions.

#2 How regularly does the vendor collect data?

How often does the vendor harvest content from the sources that will help you respond to your intelligence requirements? Information and intelligence gathered from the dark web need to be timely. If you are interested in identifying breached credentials to mitigate the possibility of unauthorized access, you will want this information disseminated to you rapidly, potentially on an hourly or daily basis. Delays will increase the probability of malicious activity occurring.

#3 Does the vendor have sufficient coverage of my focus area?

Every provider has a different dark web dataset, and no single dataset is likely to be perfect for your needs. The needs of a company in the manufacturing sector in India, for example, will be very different from those of an American software company.

#4 How quickly is data made available?

The speed at which data is made available to your team is critical for timely threat detection and response. With that in mind, you should look for a security vendor that is able to provide you with real-time intelligence updates to avoid leaving your organization vulnerable to fast-emerging threats.

#5 Is the vendor compliant with your organization’s legal requirements?

Where does the vendor host its content and services? Are they compliant from a legal, policy, and contract standpoint?

#6 Does the vendor offer access to unstructured or structured data?

There is a difference between unstructured data (information) and structured data (intelligence). Whether the cyber threat intelligence provider disseminates, or makes available, information or intelligence will affect the amount of organic processing needed and the skillset required by your team. Ask the vendor whether the information they provide makes it possible for cyber threat intelligence teams to answer the critical “So what?” question effectively.

#7 How intuitive is the tool and user experience?

You can have the best dataset in the world, but if the tool isn’t easy to use and your team won’t actively use it day in, day out, you’ll be wasting valuable time and resources. To counter the risk of purchasing a tool that nobody uses and that doesn’t get renewed after a year, ask the vendor if they offer a trial period so you can gather feedback from other key stakeholders and users within your organization.

#8 Does the vendor’s platform allow users to collaborate?

To fulfill your intelligence requirements, you will likely need to gather information from various sources – some in-house and some from your vendor(s). Ideally, you want to visualize all this dark web data in a single view. Depending on the size and structure of your company, you may not have a tool to consolidate all of the information you’re collecting. That’s why the ability to add comments, assessments, or recommendations to harvested dark web information can be useful. Lastly, the ability to assign or prioritize harvested content among your team will enable better management of your data.

#9 What format is the intelligence provided in?

Many cyber threat intelligence providers deliver their intelligence in the form of static reports. The challenge with these reports is that they’re out of date the minute they’re published, not to mention they can be hard to integrate into your other systems. You should also ask whether the vendor offers access through an online portal or platform, or via native integrations or an API.

#10 How open is the vendor to accepting data source requests?

There will be times when new data sources emerge, or when you identify a source which you feel will be beneficial to answering your requirements. Intelligence is only ever going to be as good as the information which feeds it. Is the vendor willing to accept data collection requests, or are you going to be stuck with the ones on initial offer?

Finding the right cyber threat intelligence partner

Using these questions when speaking with a potential cyber threat intelligence vendor will help to reduce the noise of vendors that don’t provide the right intelligence, or don’t have the right tools to enhance your cybersecurity infrastructure and mitigate the risk of cyberattacks.
