Just the TIP of the Iceberg: Categorizing the Evolving Threat Intelligence Platform

Building an Intelligence-Led Defense (From the Start)

While at RSA, I had countless meetings where people asked where we were going with our Platform and in particular, why we were incorporating orchestration and workflow as features.


How the Threat Intelligence Platform became our category
During ThreatConnect’s first few years, there were multiple names for what we were building. The one that stuck: Threat Intelligence Platform (TIP). ThreatConnect has been known as, and a leader in the TIP category since its inception. At that outset, our vision and the TIP category were in alignment and all was well with the world.

Unfortunately, over time, given market realities, and competitive offerings watering down the requirements, the TIP category has become something less than what we have built, and on it’s own it is no longer suitable to describe our complete product. This is best reflected by the types of problems we’re helping our customers solve with ThreatConnect today. Some of them fall in the “TIP box”; some of them don’t. The label is less important to us than what we are doing for our customers. However, product categories are a useful selection tool for buyers and analysts, so it’s important that we address here what problems we solve, and how we uniquely architected our solution to solve them, in order to give the proper bounds on what label we are given.

Let’s start with the vision

So if we are more than a TIP, what are we….Security Automation Orchestration (SAO), Security Orchestration, Automation, and Response (SOAR), or some other category and acronym that hasn’t been thought up yet? ThreatConnect is all these things and more.


Here is what I wrote in my very first description of the platform 7 years ago:  

“Choreographer is a business process management suite (BPMS) for cyber analytics automation. With Choreographer, a project team can model, deploy and manage cyber analyst activities that combine system and human tasks using a completely visual solution.”

So, right from the very beginning, ThreatConnect – back then Choreographer – had a vision to improve cyber analysis processes. This required us to build software that enabled security professionals to model, implement, execute, monitor, and optimize any security processes that they were responsible for.

Lead with Intelligence, so we can be Intelligence-Led

“Choreographer, provides a fusion of intelligence sources to support analysis and decision making.”

We led with intelligence. Why? Because we strongly believe intelligence, e.g. actionable knowledge of threats and your ability to prevent, detect, respond to them, should inform all security processes. An intelligence-led defense benefits mid-to-large enterprises by enhancing detection, shortening response and remediation engagements, and allowing more predictive and proactive strategic decision making.

Intelligence is more powerful when internal and external knowledge is fused, supplementing each other. One of the first things we enabled was the ability for organizations to capture their internal knowledge of threat activity and selectively share it within trusted communities. Today, we support several ISAC, ISAO, and other private sharing groups with the ability to share bespoke intelligence with each other. 

Flexibility and Extensibility as Core Principles

“An extensible data model is required to represent all data collected and a rules engine may be used to enrich and analyze data to make it meaningful.”

Flexibility and innovation were key. We needed to provide ThreatConnect users the ability to configure the platform based on their own unique requirements and their need to model their own internal processes for enabling an intelligence-led defense across all security functions. More importantly, we wanted to encourage users to share what works with the community. That meant that the data model, Apps, playbooks, and dashboards all needed to be extensible, so we decided to build a platform not a tool.

But we had another problem: the platform would need tight integrations into many aspects of the security ecosystem, which at the time was impossible due to lack of usable API’s, lack of standards, and vendor disinterest. I knew a lot about this problem since my last startup (Layer 7 Technologies) addressed the challenge of building Integrated systems of re-usable applications across the business — Service Orientation Architecture (SOA). We were patient, and focused on getting the foundation of the platform built while we waited for the integration problem to work itself out.   

Over the past 5 or so years, the security industry has in fact evolved: API’s are common and standards are evolving. We’ve made use of this trend. The ThreatConnect Platform today incorporates more than 100 intelligence sources and over 240 enrichment and processing Apps that can be used in creating and using intelligence across any process in the security team’s technology stack. Our focus is not simply to take feeds of data from the internet and firehose them into our customers networks, as many TIPs do, but rather to refine data a customer has from any relevant source into an intelligence service. Each of these services enables the business to integrate data, analyze it to add context and determine relevanancy, to provide insights and recommendations, or most powerfully – to take immediate action when appropriate.  


Utility Across the Security Team

 “At the heart of the Choreographer product is the concept of an “Activity”.  Activities are processes performed by Analysts regularly in their day-to-day jobs that have been modeled in Business Process Modeling Notation (BPMN) and execute automatically with the Analyst Choreographer product. With Choreographer, every customer takes advantage of pre-built activities, and additionally can build their own activities using the activity modeling graphical interface.”  

Now, activities in this definition were not specific to threat intelligence, response, vulnerability management or anything else across the business.  Instead, we thought then — and still believe today — that ThreatConnect should provide activity management capabilities for the various security personnel’s key workflows, as all are either consuming, creating, or processing intelligence in the course of their activities.

Today, with our range of integrations and automation capabilities, customers are using ThreatConnect to facilitate use cases as broad as intelligence-led patch management, phishing email triage, infected host containment, detection and alert enrichment in the SIEM, and intelligence report creation and sharing…to just highlight a few.


Process Automation for Scale and Efficiency

How do we enable these use-cases? The ThreatConnect Platform’s Playbooks capability allows a sequence of automated or human tasks, arranged as a process, to be configured as a playbook, executed to incorporate automated analytics or human workflows, and measured to support continuous improvement. The processes, playbooks, dashboards, and apps can be built, shared, and utilized by anyone in the ThreatConnect community.


We had a vision to build a cyber security platform that transforms the way that security professionals do their jobs. Using data, analytics, and intelligence was a no-brainer since the only way to augment humans is to act like them. Humans use data to produce knowledge which becomes wisdom. That wisdom is the equivalent of our Intelligence and is what makes “sense-making” possible in the ThreatConnect platform. Our Playbooks and other automation capabilities enable the refinement of data into intelligence suitable for decision making, and also leverage that newly created intelligence to inform decisions across the security team.

Industry labels: TIP, SOAR, [insert new term], are not going to constrain the problems we aim to solve. Regardless of how we are categorized, our customers are doing amazing things with our product. I am very proud of what our team and product are doing to enable security teams worldwide.  

Adam Vincent
About the Author
Adam Vincent

Adam is an information security expert and is currently the CEO and a founder at ThreatConnect, Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security. The culmination of this knowledge has led to the company’s creation of ThreatConnect, the first-of-its-kind threat intelligence platform. He currently serves as an advisor to multiple security-focused organizations and has provided consultation to numerous businesses ranging from start-ups to governments, Fortune 500 organizations, and top financial institutions. Adam holds an MS in computer science with graduate certifications in computer security and information assurance from George Washington University. Vincent lives in Arlington, VA with his wife, four children, and dog.