Anomali Reviews

I have had exposure to Anomali for over five years and have been advising many clients regarding a cyber threat intelligence platform they could use. I have recommended Anomali to many of my clients throughout this period.

My main use case for Anomali is rooted in the fact that there are many use cases within cyber threat intelligence, which is what Anomali stands for. This helps organizations aggregate, enrich, prioritize, and operationalize threat intelligence across its security operations. Primary use cases include security operations, threat hunting, incident response, threat intelligence, and automated blocking.

I can provide a specific example of how I have seen Anomali used for threat hunting or incident response. A scenario I have advised on involves Anomali's use of artificial intelligence, which has made it analytical driven. It performs threat correlation, intelligence enrichment, and provides better pattern recognition through risk scoring. This makes it quite trustworthy and helps organizations prioritize intelligence through enrichment. I have seen Anomali provide strong results to businesses at large.

Anomali helps achieve faster threat detection and faster incident response through improved productivity of analysts who would otherwise perform many tasks manually. Automation helps significantly in enrichment and correlation of indicators of compromise. This allows organizations to make better decisions with respect to threats and enhances regulatory and executive reporting.

Anomali's best features include its mature threat intelligence platform with a large intelligence repository, which is a major strength. It has strong feed aggregation, aggregating feeds from over 200 sources. It offers fairly reasonable automation capabilities that make it easy to operationalize threat intelligence.

Among these features, threat intelligence operationalization stands out as making the biggest difference for organizations. It aggregates intelligence from hundreds of sources, automatically de-duplicates, applies risk scoring, applies context, and reduces much manual effort. Threat intelligence operationalization represents Anomali's best feature—its ability to turn raw threat intelligence into actionable security outcomes.

Threat intelligence operationalization, combined with a comprehensive threat intelligence platform, aggregation through various feeds, automation, integration, and strong correlation with MITRE, is what organizations should primarily use Anomali for. Organizations need to use these capabilities much more coherently.

Anomali has positively impacted my organization and my clients by helping them improve threat visibility, accelerate incident response, and make better use of their resources. Anomali has reduced incident response times by providing context around threats and indicators. It has significantly reduced analyst workload through automation and reduced the effort required for correlations. Additionally, it provides better vulnerability prioritization and much stronger visibility into cyber risk and emerging trends.

Anomali can be improved in various aspects. Its AI-driven automation can further advance, and AI-powered investigation summaries can improve. User experience could be enhanced through simplification of workflows. Better board-level cyber risk dashboards could provide easier visualization. Additionally, Anomali could work on simplifying the pricing structure. Although it excels in threat intelligence aggregation and operationalization, stronger GenAI capability, improved executive reporting, and a more intuitive workflow for analysts would further increase SOC efficiency and add more business value.

Regarding Anomali's AI capabilities, governance and security are quite good. Anomali has incorporated AI and machine learning primarily to improve correlation and prioritization. These capabilities are valuable but could be more mature. The platform could achieve better threat correlation, prioritization, more anomaly detection, and allow AI to accelerate intelligence analysis while further improving quality and relevance.

The accuracy and reliability of Anomali's AI output are fairly reasonable and good. The AI engine works well, but this capability could be improved. Better threat correlation with threat actors, certain indicators of compromise, malware, and campaigns is possible. Threat prioritization could increase, and alert noise could be reduced through further de-duplication. While reasonable, this is not the best available, and other products possibly have more AI maturity, such as Recorded Future and CrowdStrike Falcon.

I have been working in my current field for over twenty-five years.

Anomali is stable in my experience with no issues regarding downtime or reliability. It is an enterprise-grade platform widely used by large clients, financial institutions, and managed security service providers. It has been a mature platform for years and is designed for high availability, making it suitable for security operations centers that work 24/7. From a reliability perspective, Anomali consistently injects threat feeds, works on automation, performs reliable API integrations, and supports enterprise scale globally.

Anomali's scalability is impressive as a mature platform capable of processing large amounts of threat intelligence and indicators of compromise data. It integrates well with firewall platforms, SIEM, and EDRs. Since it is available in cloud deployment format, it is very stable and highly available.

Anomali customer support is known for being absolutely very good for enterprise customers. I would rate Anomali customer support as very good with very responsive support for critical issues. They have strong onboarding and deployment assistance, provide a dedicated technical account manager for large customers, and engage in regular product updates and customer interaction. Resolution times can vary depending on the issue, and this is an area where they can further improve. Smaller customers may not receive the same level of attention as large customers do.

I would rate Anomali customer support on a scale of one to ten as approximately an eight point five. For responsiveness, technical expertise, and implementation support, I would rate it a nine out of ten, as my experience has been quite solid.

I did not previously use a different solution before Anomali. This was a solution that was not present in most of our clients' environments. My clients had point solutions, but they did not have a comprehensive solution that could correlate, and therefore no platform like this existed.

Anomali follows a subscription-based model for pricing, setup cost, and licensing. Their licensing is typically a combination of the number of modules you would use. It is based on the number of analysts using Anomali, the number of intelligence feeds, and whether deployment is on-premise or SaaS. For a global enterprise, costs can range from two hundred fifty thousand to five hundred thousand dollars, and mid-size organizations might spend seventy-five thousand to one hundred thousand dollars. SaaS deployment usually costs less. Mostly it is an annual platform subscription, and multi-year deals for three to five years can provide good discounts.

I have seen return on investment with Anomali, with relevant metrics including money saved, fewer employees needed, and time saved. Many clients have reported SOC efficiencies in terms of reduction in mean time to detect and mean time to respond. Analyst productivity has improved significantly, with hours saved because of automation and AI-driven work that Anomali performs. Risk reduction matrices are also available, including the number of incidents prevented or detected in time.

Specific metrics related to these improvements include a thirty to fifty percent reduction in manual threat analysis effort and a twenty to forty percent reduction in investigation time. Anomali also improves mean time to detect and mean time to respond by enhancing analyst activity.

Before choosing Anomali, I and my clients evaluated other options, including Recorded Future and ThreatConnect.

I would clearly recommend Anomali to organizations, as I have done in the past. Anomali is appropriate for clients who have a mature security operating center consuming multiple threat intelligence sources and want to operationalize their threat intelligence across their security ecosystem. It is not suitable for small organizations with limited security maturity but rather for large, enterprise-level grade setups. New customers should define their threat intelligence objectives, start integrating and ingesting everything in a platform like Anomali to maximize value, and regularly fine-tune and review to reduce noise from intelligence sources and feeds. Treat Anomali as a strategic intelligence platform rather than simply a feed repository. I would rate this review overall as an eight out of ten.

My main use case for Anomali is as a TIP platform, and the multiple services that I use include Security Analytics, Anomali SaaS platform, and Anomali Integrator.

A specific example of how I use Anomali in my daily work is that we have integrated all of the security controls present in our environment with Anomali. Anomali collects all the intelligence throughout the globe, and we distribute it further to our different security controls. We have a Security Analytics platform from Anomali, and with that, we have integrated our SIM and TIP platform together. With that, we can easily flag which IOCs are interacting with our environment and at what pace and what action is occurring. For example, if an action is allowed, blocked, dropped, or denied, we can easily flag the IOCs interacting with our environment and take quick action against them.

With Anomali, we create many dashboards that are very useful to present in leadership meetings so that leadership can easily understand the data, which IOCs are interacting with our environment, what are the top malwares within our industry, what are the top ransomwares, and what is the nature of the IOCs interacting within our environment. We create beautiful widgets and dashboards with the Security Analytics platform and present them to leadership.

Anomali has positively impacted our organization with many improvements since we started using it. From the day we began using Anomali, we saw many improvements as we receive many block hits from them, and we can say that our coverage has been extended to 90% because we do MITRE mapping. After MITRE mapping, our results have always been above 90%. Anomali helps us perform MITRE mapping and lets us know where we stand in terms of the global IOCs and the global TTP vectors interacting within different organizations and how prepared we are for them.

To measure that 90% coverage, we use the MITRE framework and map with it. After the post mapping, we find out how many tactics and techniques we have covered and whether we have a solution for them or how good our coverage is. After that, we calculate or come to a conclusion about what percentage we are covering.

The best features Anomali offers, in my opinion, are the dynamic dashboards that we can easily create and Anomali Query Language, which is very fundamental and very useful for us.

The dynamic dashboards and Anomali Query Language are so valuable for my work because when we talk about data, the tough part is how to represent it. Anomali eases out that highly important task for us because we cannot go to leadership and tell them in numbers. The widgets and dashboards make it more attractive and make it easier to represent and help others understand. Anomali adds a bonus to it because it makes it really easy for us to do that.

Anomali can be improved, specifically the Security Analytics feature, because I feel there is a slight lag in that. Except for that, I find it to be a very good product overall.

During our integration of our SIM with the cloud platform of Anomali, we found that there is some lag because when huge data streams started ingesting data into it, sometimes our log collectors integrated with it using universal links showed some lag, as the services got stopped automatically. Some scripts can be written or some automated changes can be made so that we can improve it further.

I have been using Anomali for the last three years.

Anomali on-premises is one hundred percent stable, and Anomali SaaS platform is also very stable. However, there was some downtime with the Security Analytics feature, but for the last two and a half years, it has also been very stable.

Anomali's scalability is such that it can handle growing data and more users easily. If more users and data are present, simply upgrading your licenses will help.

The customer support provided by Anomali is the best in the market.

My advice to others looking into using Anomali is to go all out for Anomali. Trust their customer service as it is the best in the market. They will provide you with the best support, listen to your challenges, work at the back-end for your challenges, and come up with a solution as soon as possible.

We have not used any other TIP solution before Anomali, although we have done proofs of concept of multiple clients' solutions, but we have not opted for any of them over Anomali.

We have seen a return on investment, as we saved a lot of time because performing our threat intelligence manually is a very tedious task that we cannot handle. Anomali provides us with a very cost-effective value compared to the market, and I would rate it ten out of ten for return on investment metrics.

My experience with pricing, setup cost, and licensing is that there are not many follow-ups, but once we interacted with the product team or the leadership of Anomali, they managed a lot with us, and it all paid off to reach a conclusion that we would continue with this product. We have been working with Anomali for more than five or seven years, and if I talk about my particular organization that has used Anomali, they are still continuing with it. We see a lot of trust and faith in Anomali leadership, and they expect the same from us.

Before choosing Anomali, we evaluated other options such as Google Threat Intel platform, Palo Alto Threat Intel platform, and ThreatConnect, and we found them not to be as mature as Anomali.

Anomali integrates with other security tools or platforms in our environment using on-premises integrators.

We manage threat intelligence feeds within Anomali by having both automated and manual processes. We integrate open-source feeds, paid source feeds, and trusted circle groups that we have particularly joined. We perform a monthly activity to check how many false positives we get from the feeds that we have integrated using the feed optimizer option. This is how we manage our feeds and keep a check on whether we are getting many false positives, how they are interacting with our environment, and if we are receiving daily updates from the feeds or if we are getting feeds at their certain refresh interval.

We handle false positives in Anomali by following a process for reviewing those IOCs that are of our business needs but are flagged by different sources. We follow tagging procedures. For example, certain IOCs are marked malicious from one feed, but they are not highly malicious or they are for our business needs. We label them as false positive tags, and within our rules created for sharing intelligence with our integrators, we exclude that data with that particular false positive tag.

To ensure compliance or regulatory requirements are met using Anomali, we follow a quarterly review activity in which all patch updates and all the vulnerability assessments are performed for the servers that Anomali utilizes. We conduct a complete application-level assessment on a quarterly basis. After that, we get a list of vulnerabilities found within the servers involved with Anomali, and we take actions to fix those vulnerabilities or the assessments found.

User access and permissions within Anomali are role-based.

We maintain and update Anomali's threat intelligence sources by manually reviewing the sources.

The learning curve for new users on Anomali is very easy. Anomali University portal provides very good learning insights, making it easy and user-interactive. I would rate this product a nine out of ten overall.

My main use case for Anomali is that it helps me with intelligence gathering and dark web monitoring. It has good functionality of integration with other solutions like Google Mandiant and Flashpoint, which are other CTI solutions. It also integrates with other SIEM solutions such as Splunk, allowing us to push all the indicators of compromise and IOCs to the SIEM solution. We can customize based on the confidence score of this indicator; for instance, if the confidence score is over 75, we push it to Splunk for real-time sightings within the network. I think it's one of the awesome tools I've worked with to date.

A specific example of how I've used Anomali for intelligence gathering or integration with Splunk is that Anomali captures all the latest intel from various sources, whether forums, open sources, articles published on social media, or researchers posting their findings in their blogs. It collects all the TTPs, IOCs, and captures them to publish within Anomali. We push those indicators to Splunk via an API-based integration for real-time checks within the network if there are any sightings or hits.

Regarding my main use case with Anomali, while much of it is confidential, one unique capability is Anomali's TAXII/STIX based integration with different platforms. For instance, we recently integrated with the CISA platform run by the US government, which provides us with the latest advisories. They push all the results into Anomali, creating a single UI that helps us avoid jumping into various sources to find intel, which I think is a unique feature of Anomali.

The best features Anomali offers are that it acts as an application that pulls data from different solutions. As I mentioned earlier, we utilize Mandiant, Flashpoint, and other CTI solutions. Using Anomali, I push all the results into it, providing a single UI to see what Flashpoint and Google Mandiant are providing rather than jumping into different platforms, which can be time-consuming. Anomali helps us stay on a single platform and provides the required results.

The user interface in Anomali is very good. I have worked in Anomali for five years and think they have a great UI for writing queries and finding specific results much more efficiently than in other solutions where you need to scroll down through different widgets. Anomali has a query-based language, similar to SQL, that helps us dig out specific results, whether vulnerability-related or concerning threat actors and TTPs. We can also perform string-based searches. I think it's an awesome feature. Furthermore, regarding integration, Anomali has capabilities to integrate with different downstream applications such as Palo Alto, allowing us to create playbooks to block domains, URLs, or IPs directly within the firewall.

Anomali has positively impacted my organization by reducing the time required to find intel specific to our needs. We can create our own queries specific to our organization and pull out results related to any posts within the dark web or any activities from threat actors targeting us. This capability enables us to create saved searches that provide exact results. I estimate that Anomali has saved me about 30% of my time.

In terms of improvements, I think Anomali has a good UI and integration capabilities. However, one area for improvement is providing a heat map of cyberattacks around the world. It would be helpful to have a list of which countries are facing the most attacks or experiencing major data breaches, and I think those areas could be enhanced.

One more improvement I would mention is regarding compromised credential monitoring. Anomali should increase their capability to fetch details from various dark web solutions where threat actors post compromised credentials. Expanding in that area could significantly enhance its utility.

I have been using Anomali for around five years now.

Anomali is stable. The good thing is that they have a health check page, and if any issues arise, they notify us. We can continuously track the real-time status of Anomali platform through this webpage.

Anomali's scalability is good; it performs well.

Customer support from Anomali is reliable; they provide support regularly during incidents or any requirements and are responsive to our needs.

I have not previously used a different solution; this is the only one I have used in the last five years.

I have seen a return on investment from using Anomali.

My experience with pricing involved a yearly, two-year contract; I can't specify the setup cost, but it was aligned with our budget, so I consider it good.

I did evaluate other options before choosing Anomali, but I can't recall the names of the specific ones.

My advice for others considering Anomali is to go for it, depending on your organization. Whether it is retail, finance, or service-based, decide on your PIRs and use cases to evaluate if Anomali covers those adequately.

Any new customers looking for a solution should consider Anomali as a great option. However, it depends on the organization; whether retail, finance, product-based, or service-based, you should evaluate the use cases for yourself, conduct a POC, and see if it meets all your needs. I would rate this solution an 8 out of 10.

Public Cloud

Other

I was using Anomali primarily for threat intelligence operations, security monitoring, and threat detection initiatives. I was part of the SOC team, and my role and responsibilities involved working with threat intelligence feeds and providing comprehensive threat reports on a weekly basis to the SOC team.

The primary use case was threat intelligence. Before using any threat intelligence tool, the SOC team must rely on the logs they receive from their SIEM solutions. If we integrate threat intelligence into the overall practices with Anomali, it helps us gather all the threat information beforehand so that the SIEM engineers can schedule or create rules based on those threats or the nature of threats, making the threat hunt easier for the SIEM solutions or the SOC team. This approach is impactful for using the tool.

The best features I have used in Anomali include threat intelligence management. It provides a comprehensive and centralized threat intelligence feed for us. Based on a specific industry, we can gather all the threat IOCs with this tool. Those threat reports can be easily passed to the vulnerability management team, the threat hunting team, and the SOC team. Those threats are helpful for them to hunt a threat in a proactive way.

Reporting is another valuable feature we have used. It provides comprehensive threat reports based on IOC enrichment and correlations. Those reports are helpful whenever we provide that data to the SIEM team or SOC team.

Anomali has positively impacted my organization by improving efficiency and reducing risks. I can provide a practical example involving monitoring indicators associated with ransomware campaigns. Anomali helps us correlate the threat intelligence with internet security technology, allowing the overall team to identify potentially relevant indicators. Without a threat intelligence tool, the SOC team would require more time to investigate or act upon the incident management plan for that threat actor. With Anomali, we benefit by obtaining threat information prior to incidents, making our threat hunts proactive and having incident response plans ready, which saves almost 40% of the time from the traditional model.

The 40% time savings have significantly impacted my team and business. In the traditional process, the SOC team relied only on the SIEM solution and the logs it gathered. Whenever it detected any potential threat or risks, they needed to manually check and hunt for the threat, consuming significant time. With Anomali, the SOC team is already aware of the nature of the threat, the threat actor, and the IOCs. This allows us to easily develop an incident response plan or proactively hunt for that threat or vulnerability, utilizing all the data from Anomali. This reduces the time for incident response by 40 to 50% overall compared to the traditional approach.

I can mention one point regarding improvements for Anomali, which is more enhanced reporting flexibility. The reporting provided to us is not too detailed and could be more enhanced. Better filtering for a large intelligence dataset would also be beneficial, as when we are deep-diving into a large dataset, it does not allow us to apply extensive filtering.

I have used Anomali for more than two years.

Anomali is stable, and I have not experienced any issues with downtime or reliability.

Anomali handles increased workloads or data volumes well, as it can easily manage significant data related to threat actors, threat initiatives, and news.

I have previously used Recorded Future, but I have not switched. I am currently using this tool because of the client's requirements.

There is a return on investment concerning time and effort saved by 40% after implementing Anomali.

Regarding Anomali's accuracy and reliability of output, I think it is important to have someone from the security engineering side validate all the outputs from the tool. Once the output has been validated, it should be passed to the incident response team.

If you are involved in cybersecurity practices, specifically in defensive security, responsible for threat hunting, threat intelligence, and vulnerability management or SOC operations, you can implement this tool in your system or environment. It can proactively provide you the threat feed, threat actor details, and IOCs, helping you create a better incident response plan and hunt threats proactively.

On-premises

Other

My main use case for Anomali in my organization is threat intelligence. We use threat intelligence with Anomali in my day-to-day work to query feeds.

What we do is query those feeds looking for all kinds of indicators of compromise: IP, URL, and other indicators of compromise. They are evaluated according to the score given by Anomali, and we also do other processing for those indicators, validations for those indicators. After that analysis, they are integrated with the different security controls: firewalls, IPS, proxy, and among others.

We also use it for hunting topics and security bulletins.

I consider the best features offered by Anomali to be its versatility, good information, various integrations, and feeds that are free. There are also others that are integrated and paid, but its capacity is large. It really has a high storage of indicators of compromise and its reliability is quite accurate.

Anomali has positively impacted my organization significantly; it has been a great help. Anomali is a very versatile platform, quite effective, and very fast when it comes to downloading and maintaining the information of the indicators of compromise. Additionally, it has a large amount of information about those indicators of compromise, such as their score and evaluation, and it also brings where they come from and tries to attach vectors to those indicators, which makes threat intelligence and security bulletins much easier. All the information that it provides makes it much easier to analyze and generate valuable information.

I think that Anomali could be improved by addressing a major weakness, which is the issue of its integrators. The capacity they have when publishing a large number of indicators is quite limited. This makes it almost indispensable to set up one integrator per control, which is not efficient. It should have a much larger capacity to publish the application on a single server and for that server to handle a large quantity and volume of indicators.

Regarding the web interface, there are several problems when it comes to administration. These integrators publish a web interface that after a while generates quite a few errors and the service has to be restarted quite a lot in order to administer it, which is not efficient.

I have been working in the field of computer security for more than 10 years. I have been using Anomali for 3 years.

I consider Anomali to be 100% stable.

I would rate the scalability of Anomali highly; it adapts well to my organization's growth needs.

My experience with Anomali's customer support has not gone so well for us. Not because they are bad at support, but because the tool being limited means the support people fall short.

Before using Anomali, I used ThreatConnect. I decided to switch from ThreatConnect to Anomali really for commercial reasons. ThreatConnect is also a quite complete platform.

Before choosing Anomali, I understand that ThreatConnect was there, but I do not know about the others.

I think the platform is fine as it is for now. In terms of costs, Anomali is not the cheapest, but it has helped on the operational side in reducing the efficiency burden on staff. Not the reduction of staff as such, but in the efficiency of the staff on other tasks with the reduction of the administration of this platform. My advice to other people who are considering implementing Anomali is that they validate their infrastructure. If they have too many controls that will need Anomali to disseminate, they have to take into account that they are going to deploy many integrators, which translates into on-premise infrastructure, which raises costs and increases the administrative burden. Other than that, Anomali is a very good platform in terms of dissemination of indicators of compromise and all the benefits it has at the threat intelligence level. I give this review an overall rating of 8.

Public Cloud

Other

My main use case for Anomali is that we use it as a TIP. As a TIP in my day-to-day work, we have specific rules configured for our organization. The client we work for is an FMCG client, and we have built alert cases around that, including supply chain attacks, vendors, and the technologies we use in that client. Anything triggered around those use cases will be notified to us, and then we investigate the alerts.

Apart from this main workflow for our team, we use the Sandbox of Anomali. Specifically, our SOC team uses that, and we have integrated Anomali with our security tools including Defender and CrowdStrike in order to block the IOCs.

In my opinion, the best features Anomali offers include the ability for other organizations to score the intel according to their analysis, which helps us to grab more details about that alert and get more depth on that alert. Scoring the intel has helped my team significantly; for a particular incident, we were unsure whether it was impactful or not, but considering other organizations rated it high, we thought it was an important alert that should be investigated. Otherwise, it would have been overlooked as a benign event.

Anomali has positively impacted my organization because earlier we were not using any TIP format and were just dependent on open source, which gave us tons of irrelevant alerts. Segregating those alerts was a big task, but with Anomali, we now get very specific and targeted alerts, allowing us to navigate through a handful of alerts that are applicable to us. It has saved a ton of working hours.

I believe Anomali could be improved by making the user interface more user-friendly. Currently, it is important to have knowledge about threat intel, but it is also crucial that even SOC team members or executive people can look at the dashboard or the tool, and it should be simple to navigate. It is not only for those who specifically work in threat intel.

I believe easy integration with open-source tools including VirusTotal and easy quick links to these tools would make the experience better.

I have been using Anomali for about two years.

In my experience, Anomali is stable; I have not seen any downtime or issues. I do not see any performance lag or issues with Anomali during peak hours or high alert volumes; it performs well.

I believe Anomali's scalability is good; whether it is an organization for ten people or one hundred thousand people, the job a threat intel platform has to do will be the same, so I do not see scalability as an issue.

The customer support has been good; people are responsive when I reach out for help.

I previously used a different solution; it was an internal tool created by our CISO.

Before choosing Anomali, we evaluated other options, including CloudSek and Recorded Future features.

My advice to others looking into using Anomali is that it is a good platform to start with if you do not have any TIP solution in your organization. I would rate this review eight out of ten.

Private Cloud

Microsoft Azure

We use Anomali as our threat intelligence platform for a variety of threat intelligence feeds that we subscribe to, needing a more central place to store everything so we can correlate which feeds have seen this indicator before and which haven't. This was the biggest use case for us to solve, which is why we went after it. It is definitely more than just a threat intel platform where we store all these indicators; it's almost very much a threat hunting tool that allows analysts to do investigations on those indicators and make connections, looking for other related things that we didn't necessarily see. It allows us to take a more proactive kind of approach.

The API is our most important feature. We are very much into automation, so being able to handle things programmatically at scale has been immensely powerful for us. We've evolved beyond just the two use cases I mentioned. One of the things we decided to do is utilize the Anomali API to push everything into that platform after sorting and normalizing everything. We now have a very robust collection of threat intelligence based on the capabilities that Anomali provides. It's very adaptable; you can do a lot with it, making it a very powerful tool.

There is always room for improvement, as there are always new ideas. They have been dabbling with some AI functionality built into the platform, which is still very new, so there's a lot of improvement that could happen there, especially as the technology enhances.

I have been using Anomali for about 7 or 8 years.

The initial setup depends on which kind of deployment you choose; they offer both an on-prem solution and a Cloud deployment. If you choose the Cloud deployment, there's nothing you have to do; you just log in and start using it. It's pretty seamless. If you're using an on-prem setup, they provide an appliance for enterprise customers, and after subscribing, they ship you a device that you can set up by following their setup guide, which provides all the details and instructions.

Stability has been pretty seamless so far, but we've run into some issues more recently due to changes in how some platform functions operate. It doesn't seem they're considering enough how customers use those functions as they change them, and they don't give us enough time to adapt to those changes. For example, while Microsoft allows ample time for users to adapt to deprecated features, Anomali only gave us three weeks before switching, so they need to be more cognizant of customer use cases from their engineering side.

The scalability is massive, allowing us to store millions of indicators. Unless you have a threat intelligence platform, you can't scale to the level Anomali offers, especially compared to trying to do it in a SIEM tool such as Splunk or Sentinel. It seems almost unlimited; I'm sure there's a limit, but they do a good job of never allowing us to hit that limit.

Support in the past has been top-notch, but recent trends indicate that it has taken a back seat, as we often don't get answers for days. We'll receive excuses such as "I was out of the office" or "I forgot to follow up on this, I apologize." While they apologize, it doesn't seem very professional how they're handling support anymore.

Positive

You have to have at least a threat intelligence background or a SOC analyst background to use it, as that's the information you'll dig around with in there. If you don't have that kind of knowledge, it probably can be a little hard to use, but they do provide training. They offer training not only for how to use the platform but also some basic threat intelligence training to explain what these things are and what these terms mean.

My company is a customer of Anomali.

I would recommend it to other people.

I would advise making sure you don't pick it without testing other products and have your use cases well thought out and documented before testing, so you know it will solve the problems you're trying to address. Keep an open mind with it and realize that whatever you can dream of, you can probably do with the platform.

Overall, I would rate Anomali an eight out of ten.

Public Cloud

Other

My main use case for Anomali was a proactive approach to integrate Anomali Threat Intel, the TIP platform, with different security controls. The customer had two use cases: one related to the proactive approach of ingesting the IOCs into different security controls such as their IPS, IDS, email security gateways, proxy, and endpoint systems so that any malicious activity or traffic coming into their environment would be proactively blocked on all their security controls.

We also had another use case where we wanted to get specific vulnerabilities whenever published for the specific products used within the customer's environment. Apart from that, we created some custom policies to detect any malicious activity based on the telemetry data Anomali Analytics was providing, triggering alerts and notifying us.

I utilized Anomali security analytics to understand our attack surface so we could know how many anomalies or malicious traffic was running into our environment. That helped in running threat hunting activities and identifying users and machines interacting with malicious IPs, hashes, or any IOCs exposed over the internet. It helped us to identify machines containing some vulnerabilities; if there is a vulnerability exposed that bad actors utilize, we focus on and prioritize those assets for patching.

We identified based on threat actors' activities if any threat actor is tightly associated with our organization type. Supporting a financial sector organization, we targeted and identified threat actors targeting financial and insurance sector organizations, helping us to proactively mitigate and secure the environment based on IOCs or attack patterns available for the specific threat actors.

Anomali positively impacts our organization, notably improving our vulnerability management program under reducing attack surface management. It supports our threat hunting activities, helping us identify gaps, create logical rules, and understand the context of threat policies on our SIEM platforms. We successfully present quantitative data to our leadership, offering an executive summary on the attack surface and identifying various security gaps and mitigation strategies.

In one time period, we had around 1,000 alerts related to malicious IPs or TOR activities in our platform. After implementing IOCs into our Palo Alto platform, we proactively blocked these malicious IPs from reaching our proxy, resulting in a significant drop in alerts. Previously, we faced around 100 alerts monthly for TOR activities, but following the integration with Anomali, that number reduced to just five or six cases in a month.

The best features Anomali offers include the TIP platform and Anomali Analytics, previously called Anomali Match, which provides a perspective to identify our attack surface. Correlating IOCs with the telemetry data we are ingesting from our data sources allows us to pull monthly reports identifying how many assets and users interacted with malicious content, giving insight into whether communications failed or users accessed restricted content, providing complete visibility of the IOCs traveling throughout our environment.

Anomali Analytics, or Anomali Match, helped us identify scenarios where we were getting a lot of alerts on our SIEM solution for TOR activities. Some alerts were missed, but we identified through Anomali Analytics how many interactions were happening with malicious IOCs and TOR IPs associated with vulnerabilities. We were able to identify vulnerable systems that were not patched and were interacting with those threat IPs linked to the threat actor Skinny Hunter, targeting financial sector organizations.

We identified the IOCs within our environment, observed attack patterns for that threat actor, mapped those patterns to identify vulnerable assets, and recommended to the vulnerability management team to patch on priority.

Anomali's dashboarding stands out; they introduced Anomali Query Language, allowing us to create dashboards identifying specific data sources and logs we push to security controls. We had Palo Alto and Check Point firewalls where we tracked data to identify how many IOCs we pushed and how many passed through or were blocked, providing deeper insights from each integrated security control due to the correlation of the TIP platform and Anomali Security Analytics.

Integration is quite easy; based on APIs, we can integrate different security controls without limitations, although Anomali could improve by offering more out-of-the-box connectors. There were good connectors for Zscaler and CrowdStrike, but for firewalls such as Check Point or Palo Alto, it relies on APIs. The integration was solid, and Anomali's ability to correlate and integrate different Threat Intel platforms, such as Mandiant and PolySwarm, is another valuable feature, removing duplicacy and enabling the application of specific IOCs across various security controls.

Anomali could improve by providing more out-of-the-box solutions for integration. Some API queries fail because certain values within the queries cannot pass through the integrator. Additionally, the email notification system could be enhanced to present data better to leadership so that those in management roles can understand the logs more easily, improving visibility.

I have been using Anomali for around the last three years for one of my clients, managing that platform as Threat Intel to integrate with their multiple security tools such as their firewalls, IPS, and IDS.

Anomali is stable and has performed reliably.

Anomali handles our growth and expansion well, integrating with our other security platforms.

I do not have specific ROI numbers, but we have saved a lot of time. Previously, we needed to sift through extensive data via SIEM solutions to achieve visibility and prepare dashboards manually, but now we can identify metrics quicker.

Pricing and licensing are good, but the costs for purchasing threat feeds are somewhat complicated and a bit on the higher side. I was not part of the setup cost but know that we had to consider the costs before integrating feeds into our environment.

We evaluated Mandiant and Cybel before choosing Anomali.

Public Cloud

Amazon Web Services (AWS)

I use Anomali for threat hunting, threat collection, operationalization of intelligence, such as indicators of compromise (IOCs), and dissemination of reports for report writing and documentation.

The most valuable aspect of Anomali is the threat modeling capability. It collects threat intel documents and IOCs and allows us to tailor it to our needs and prioritize intelligence requirements (PIRs). This enables us to receive prioritized threat intelligence.

An area for improvement is the intelligence sharing within the Anomali community. The tagging system can be inconsistent, as any company can use any tags for their reporting. Combining all aliases into a coherent solution would be beneficial, as we had to review each individual source ourselves. This would improve intelligence collection across Anomali.

I have been using Anomali for the last six years.

The initial deployment of Anomali was straightforward and went well.

I have not experienced any downtime with Anomali's cloud platform. It has been scaled very well.

The scalability of Anomali is impressive, as indicated by the smooth operation of its cloud platform.

The technical support at Anomali is excellent. They respond to inquiries within 24 to 48 hours.

Positive

I have used Recorded Future and Mandiant Advantage, which they bought from FireEye, in the past.

The initial setup of Anomali was easy and took about three months to deploy. The full operationalization took around three quarters to one year.

A dedicated engineer is needed for deployment, but for integrations and other tasks, multiple teams might be involved.

I have evaluated Recorded Future and Mandiant Advantage as alternatives to Anomali.

For new users, I recommend taking the training provided by Anomali as it is very well articulated. I advise reading the user manual and taking the instructor-led training sessions from the customer support success manager. This will effectively kickstart the journey. I rate the Anomali solution a solid nine out of ten.

Hybrid Cloud

Other

My main use case for Anomali is for threat intelligence. We have a threat stream and threat practice on that. We are checking overall and verifying malicious websites, malicious hashes, and malicious URLs that are coming to the internal organization.

I can give a quick specific example of how I use Anomali in my workflow. I have used Anomali to check which malicious URLs and websites are attacking our internal organization. We check the threat intelligence portal like VirusTotal and other sources, and if the reputation of that URL is malicious, we block it in Anomali.

The best features Anomali offers are that it shows all the information on the particular dashboard, whether something is malicious or not and what the reputation status is.

Anomali has impacted my organization positively because our SOC team, which is actively monitoring all the tools—either SIM, SOAR, or threat intelligence platform—operates in multiple shifts. It has impacted our organization in a positive way by showing whether malicious activities or APTs are present. Whatever attackers are there, it shows on the dashboard and we can perform our analysis and execute remediation effectively.

Anomali has improved our MTTR and MTDD.

We can enhance the dashboard and create metrics and improve the themes for incident response in particular. We could implement it through SOAR and gather more data on SOAR.

I have been using Anomali for about three months.

Anomali is stable.

I previously used a different solution.

I do not know much about the pricing, setup cost, and licensing. These aspects are taken care of by seniors and associate directors.

I did not evaluate other options before choosing Anomali.

I have used Anomali for the past four months in my previous organization.

There is nothing else I would like to add about the features.

On a scale of one to ten, I would rate Anomali an eight to nine. I would give Anomali that score because we see Anomali as a threat intelligence platform and we can work with it and improve the MTTR. I rate this product eight out of ten overall.