Overview
Group-IB Threat Intelligence introduction
Group-IB Threat Intelligence
Group-IB Threat Intelligence is a cyber threat intelligence platform that combines automated collection across open, technical, and criminal sources with human analyst intelligence gained through formal cooperation agreements with INTERPOL, Europol, and AFRIPOL. Delivered through the Group-IB Unified Risk Platform, it aggregates intelligence from ISP-level sensors, honeypot networks, dark web forums, instant messaging channels (Telegram, Discord), malware detonation infrastructure, C&C server tracking, and compromised data repositories.
Intelligence Layers
- Strategic Intelligence: Informs executive decision-making and long-term threat landscape understanding through regular analyst-written reports tailored to your industry and region.
- Operational Intelligence: Covers threat actor profiles, attack campaigns, and kill chain reconstruction in MITRE ATT&CK format, enabling security teams to build detection logic and response playbooks aligned with real adversary behaviors.
- Tactical Intelligence: Delivers continuously updated indicators of compromise (IPs, domains, file hashes, URLs) that can be automatically ingested into network and endpoint controls to block threats at the moment of first observation worldwide.
Prevyn AI - Agentic Intelligence
Group-IB's agentic AI solution, Prevyn AI, is an orchestrated multi-agent system consisting of 11 specialized, domain-expert agents that autonomously conduct adversary-focused research, malware attribution, and dark web monitoring. Prevyn AI Command orchestrates these agents to execute complex, multi-step threat research, identify attacker intent, and track infrastructure staging automatically. The system evaluates campaign indicators and maps them to active adversarial TTPs to predict threats before they launch. An integrated AI Assistant allows analysts to instantly query CVEs, track emerging threat actor profiles, and map indicators to the MITRE ATT&CK framework.
Key Capabilities
- Structured threat actor attribution with full TTP and infrastructure profiling
- Dark web monitoring across forums, markets, paste sites, and messenger channels
- Compromised credential and payment card detection with automated alerts before data is weaponized
- Suspicious IP intelligence covering VPN, proxy, SOCKS, Tor, and scanner nodes used by adversaries, for attribution and enrichment of internal alerts
- Suspicious payment details (SPD) feeds for integration with transaction-monitoring systems to detect fraud
- Investigative Graph interface for mapping relationships between actors, tools, and infrastructure
- Incident Management Center for structuring external threats into a trackable workflow: define incidents, automate detection rules, and manage threats end-to-end within the platform
- Malware file detonation and reverse engineering
- Vulnerability tracking cross-referenced against active exploitation activity targeting your industry
Security and Compliance
Group-IB Global Private Limited holds ISO/IEC 27001:2022 certification issued by TUV AUSTRIA GMBH (Certificate Registration No. TA420243018927, valid until 2027-07-01). The certification scope covers the Threat Intelligence solution, Fraud Protection platform, and information security Audit and Consulting services. For certificate details, visit https://www.group-ib.com/resources/certificates/
Industry Use Case: Financial Services
A financial services SOC subscribes to Group-IB Threat Intelligence and configures Threat Hunting Rules for their card BIN ranges and corporate domains. When compromised payment card data linked to their institution appears on a dark web market, the platform generates an automated alert. The SOC analyst uses the Graph interface to trace the breach to a specific JS-sniffer campaign, reviews the threat actor profile mapped to MITRE ATT&CK techniques, and deploys blocking rules to their SIEM. CERT-GIB initiates a takedown of the phishing domains used in the campaign.
Integrations and Deployment
Group-IB Threat Intelligence supports unlimited users and API calls under a single annual subscription. Out-of-the-box integrations support SIEM, SOAR, EDR, and TIP platforms including Splunk, with STIX/TAXII data transfer for custom integrations. Available via AWS Marketplace, the platform is suited for organizations running security operations on AWS infrastructure.
Analyst Recognition
The platform is recognized by Gartner (included in the 2023 Market Guide for Security Threat Intelligence Products and Services), Forrester, IDC, Datos Insights, KuppingerCole, and Frost & Sullivan.
Evaluation
For a proof of concept or personalized demo showing intelligence relevant to your industry and region, contact the Group-IB team through the AWS Marketplace listing or visit https://www.group-ib.com/products/threat-intelligence/ to learn more.
Highlights
- Intelligence from inside the adversary's world: Proprietary, closed-source data gathered by human experts through years of embedded access to criminal communities, undercover sources, malware analysis, and law enforcement collaboration. This is the foundation for attribution and adversary tracking of exceptional depth.
- Know your adversary, mapped to MITRE ATT&CK: Structured profiles of the threat actors targeting your industry, covering their tools, tactics, techniques, and infrastructure, reconstructed across the full kill chain and mapped to MITRE ATT&CK for direct use in detection and response.
- Enterprise scale, no per-seat limits: A single subscription covers unlimited users, out-of-the-box SIEM, SOAR, EDR, and TIP integrations including Splunk, and STIX/TAXII transfer, backed by a dedicated team of Group-IB analysts.
Pricing
| Dimension | Description | Cost/36 months |
|---|---|---|
| Group-IB Threat Intelligence | Modules and terms defined in private offer | $1,830,000.00 |
Vendor refund policy
Parties will negotiate in good faith any necessary amendments to this Agreement to address the change. If the Parties are unable to reach an agreement, and a governmental or regulatory authority has determined that continuing to perform as currently required would violate the law, then either Party may upon written notice terminate this Agreement without penalty.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
Group-IB provides 24/7 global support for Threat Intelligence customers, with direct access to product specialists, threat analysts, and a dedicated account team across all regions.
Support Channels:
- APAC: +65 3159 4398
- Europe and North America: +31 20 890 55 59
- MEA: +971 4 540 6400
- LATAM: +56 2 275 473 79
- Email: info@group-ib.com
- Slack: Dedicated channel with your support team (provisioned at onboarding)
- Website: https://www.group-ib.com/products/threat-intelligence/
Onboarding Process and Time-to-Value:
- Subscribe via AWS Marketplace and receive platform credentials instantly
- Provide your monitored domains, BIN ranges, and SIEM/SOAR endpoint details
- Onboarding team configures Threat Hunting Rules tailored to your organization
- Integration support connects your SIEM, SOAR, TIP, or custom STIX/TAXII feeds
- Ongoing refinement of intelligence filters with your dedicated analyst team
Buyer prerequisites: Prepare a list of monitored domains, card BIN ranges (if applicable), and integration endpoint URLs or API tokens for your SIEM/SOAR/TIP platforms before onboarding begins.
What is Included:
- Onboarding assistance and integration configuration support
- Analyst access for custom intelligence requests and briefings
- Threat Hunting Rule creation and continuous refinement
- Managed Threat Intelligence Specialist Service for custom RFIs, malware reverse engineering, threat enrichment, and ransomware data analysis
- Dark Web Feed Monitoring Service with customized reports
Requesting Assistance: For product issues, integration troubleshooting, custom intelligence requests, or subscription and billing inquiries including refunds, contact the support team via phone, email, or your dedicated Slack channel. Your dedicated account team is available to assist with any platform-related needs.
For a proof of concept or demo, contact the sales team through the AWS Marketplace listing or the website link above.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.