Threat Intelligence Doesn't Have to Be Inconceivable


Stop Your Opponents with ThreatConnect’s Four New Intelligence Defense Products

The Princess Bride is one of my favorite movies. It’s got everything: Fencing, fighting, torture, revenge, giants, monsters, chases, escapes, true love, miracles… kind of like any given day on a security team. The sequence that reminds me most of the security space, though, is the one where Westley faces off against Princess Buttercup’s kidnappers: first he beats Inigo at fencing, then Fezzik at wrestling, then Vizzini at a battle of wits.


Hello. My name is Inigo Montoya. You hacked my network. Prepare to be validated as not a false positive, blocked on my firewall, and assigned to an analyst for further investigation. Because we follow standard operating procedure.

Let me explain why this scene reminds me of cybersecurity by comparing each battle to one of ThreatConnect’s new products.

The Products

In each battle, Westley applies exactly the right tools he needs to defeat each opponent. He does not try to outwit Inigo, and does not use his sword against Fezzik (otherwise Fezzik would have brained him with a rock). The same principle applies in cybersecurity: bringing the right tools (or platform) and skillset to bear based on the opponent and the resources available to you. That’s why ThreatConnect created these four new products:

TC Identify™ – Threat Intelligence Delivered with ThreatConnect

TC Manage™ – Intelligence-Driven Orchestration

TC Analyze™ – Threat Intelligence Platform (TIP)

TC Complete™ – Security Operations and Analytics Platform

TC Identify

The fencing duel in The Princess Bride is precise; it is focused, and backed up by years of training. It’s kind of like ThreatConnect’s in-house Research team. Just as the duel is Westley’s first stop on his quest, TC Identify can be thought of as the first stop for organizations taking their beginning steps into threat intelligence. TC Identify includes more than 100 OSINT feeds, as well as some basic system-of-record functionality for teams without the personnel or budget to take full advantage of the ThreatConnect Platform.

One of the most exciting features of TC Identify is the inclusion of our new ThreatConnect Intelligence source. Built from the ground up by our Research Team, it includes intelligence on focused attacks and crimeware. If you imagine Fezzik’s punches as a brute force feed that’s just a big list of indicators, ThreatConnect intelligence and is an easy way to get our threat intel into one of your defensive tools.



Few APTs will give you the benefit of pretending to be left-handed.


TC Identify is also perfect for larger organizations that already have an in-house threat intelligence solution but want to supplement it with our intel.

TC Identify also comes with CAL™ (our Collective Analytics Layer) and ThreatAssess, which bring with them the wisdom of the hivemind and can really help boost an organization that is just getting started. It would be like if Westley came with an army of 10,000 expert fencers!

TC Manage

After defeating Inigo, Westley moves on to Fezzik: a 500-lb giant who challenges Westley to a battle of strength. Westley is no pushover, but it’s simple physics: there’s no way he can win on brute force alone. He needs to apply the power of leverage. TC Manage was designed for teams in Westley’s situation: experienced, but too small to be able to knock down the sheer volume of alerts and incidents that must be addressed every single day.

In other words, it is for teams that lack a dedicated TI function but want intel-driven processes and confident decisions, plus anyone who wants to automate all or part of their processes for managing threat data.



You mean, you’ll put down your spreadsheets, I’ll get rid of these 50 buggy Python scripts, and… try to orchestrate our security processes like civilized people?

The centerpiece of TC Manage is Playbooks: a new capability in ThreatConnect that allows users to automate and orchestrate processes to enrich data, take blocking actions, analyze malware, and so much more. All using a simple, drag-and-drop interface with no coding required.



Apply the right leverage and you can bring down a giant.

One of the most powerful aspects of Playbooks in the Platform is that they can leverage our data model: Indicators, Incidents, Tasks, and more can all be managed using Playbooks for analysis and action. They also expand our philosophy of sharing intel: use Playbooks to share institutional knowledge and best practices.

With TC Manage, a team of one can actually feel like a team of ten.

TC Analyze

Finally, after besting the swordsman and the giant, Westley comes at last to Vizzini, who challenges him to a battle of wits. Each combatant’s intelligence is tested. Westley triumphs in the end because he has more information: he knows each cup is poisoned – he has all the intel. He essentially set up a honeypot: he knew it was bad, and got his adversary to drink. When it comes to a battle of threat intelligence, the same principle applies: if you have all the relevant intel, you can win.

You fell victim to one of the classic blunders! … Never assume raw threat data is the same as threat intelligence! Hahaha!

TC Analyze was designed for threat intelligence teams with experienced analysts who want to take raw threat data and create new intelligence. It includes advanced analysis and recordkeeping capabilities, as well as force-multiplier features like CAL and ThreatAssess. In our newest release, it also includes some exciting new tools tailor-made for analysts.

Investigation Links

The knowledge an analyst has access to is key to an investigation. For example, Vizzini knows that iocaine powder comes from Australia. In TC Analyze, users have access to our library of dozens of enrichment sources for all types of indicators. You can even set your own!


Dozens of investigative sources? Inconceivable!


Pivot on Attributes

Records in ThreatConnect aren’t just free text: everything is machine-readable and data-driven. Essentially you can take nearly any field and look up other records with the same data. Want to see every adversary that reached a specific Phase of Intrusion? Or see which other IPs were tied to an attack on a specific network port? Just click the button.

Click the magnifying glass to find related intel.

TC Complete

Though Westley faces only three opponents, ThreatConnect offers four products. The last is TC Complete. Westley is TC Complete: he combines the accuracy and precision of TC Identify, the leverage of TC Manage, and the intelligence of TC Analyze. Only by embodying the strengths of all of his opponents is he able to defeat them. That’s what TC Complete is: it’s Westley; the whole package!



Hackers cannot stop true threat intel. All they can do is delay it for a while.

TC Complete is designed for teams that want to use a Security Operations and Analytics Platform (SOAP) as the centerpiece for building a cybersecurity operation. It includes CAL, ThreatAssess, all of our investigative features, Playbooks, and more. This product is for teams who want to do it all: analyze, hunt, create and take action on threat intelligence, build custom apps, etc. Teams that buy TC Complete also include savvy engineers who can take full advantage of our three SDKs and APIs to really grow ThreatConnect as their operations expand.

Learn More

This post barely scratches the surface of ThreatConnect’s new product lineup. From Playbooks and CAL, to ThreatAssess and more, we’ve added many new features. Learn more about the products, here. For a full copy of the release notes, please contact For product feedback, please contact me directly at

Dan Cole
About the Author

Dan Cole, Director of Product Management at ThreatConnect, has spent the last decade as a product manager working to create awesome software that gets to the core of solving the unique problems faced by a myriad of industry verticals. From large financial and insurance providers, to global telecom carriers, to federal agencies, Dan believes that the right software can free companies and users to focus on and enable their key missions.