Somewhere right now, a security analyst is triaging alerts at two in the morning, not because there are more threats, but because no system is helping them decide which ones matter. Anomali, whose intelligence solution has been trusted by global enterprises and government organisations for over a decade, announced Anomali ThreatStream Next-Gen to change that. Available both as a standalone intelligence solution and embedded within the Anomali Unified Security Data Lake, ThreatStream Next-Gen makes threat intelligence the active decisioning layer inside every security workflow. Anomali reports that across 50 enterprise deployments, investigations ran 300 times faster than with traditional investigation workflows.
Most security platforms were built to detect. Anomali was built to decide. Where others treat intelligence as a feed to be consumed, Anomali has spent years making it structural — the connective tissue between raw security data, analyst judgment, and response action. ThreatStream Next-Gen is the culmination of that work: an intelligence layer that doesn’t just inform decisions, but drives them, with context on attackers and campaigns, AI-generated prioritisation, and recommended next actions delivered when they’re needed. Anomali built the answer before anyone knew how urgent the question would become.
“Attackers move fast, targeting identity and exploiting behaviour — often closing windows in hours. We close them faster. ThreatStream Next-Gen is the intelligence layer that competitors can’t replicate, because it’s not a bolt-on — it’s the core of everything we build, including our current innovation in agentic AI. By owning the decisioning layer between intelligence and action, we give security teams something they’ve never had before: the ability to respond at the speed of threats.” — Ahmed Rubaie, CEO, Anomali
ONE INTELLIGENCE LAYER. TWO DEPLOYMENT MODES.
FOR THREATSTREAM CUSTOMERS: ThreatStream Next-Gen standalone
The world’s most trusted CTI platform, now with AI-driven prioritisation, case management, and intelligent search built in. Connects to your existing security stack and operationalises intelligence where analysts already work.

FOR ANOMALI DATA LAKE CUSTOMERS: ThreatStream Next-Gen embedded
Intelligence is natively embedded in the data lake, enriching every event at ingest, connecting the dots across your full security dataset, and surfacing recommended actions without analysts switching context.

MEETS YOU WHERE YOU ARE
ThreatStream Next-Gen works with the infrastructure security teams already have: augmenting an existing SIEM, replacing it, or unlocking telemetry that lives in platforms like Databricks or Snowflake. Under every scenario the mission is the same: find the needle in the haystack across your security controls, and act on it with confidence.

AGENTIC AI: EMBEDDED IN BOTH DEPLOYMENTS
Operational intelligence is what makes Anomali’s agentic AI work. In both deployments, AI acts on a foundation of real threat context, not raw data alone. ThreatStream Next-Gen ships today with autonomous triage, scoring, and investigation steps (agentic levels 1 and 2), available across ThreatStream Next-Gen and the Anomali Data Lake. Autonomous response capabilities, levels 3 through 5, are in active development; Anomali’s stated timeline has ThreatStream Next-Gen reaching full agentic autonomy by August 2026 and the Data Lake following in 2027. The architecture is already in place; the autonomy is being released deliberately, with configurable analyst oversight at every stage. In short: an intelligence foundation designed to make agentic AI work.
In most security operations, the bottleneck is not data — it is deciding what matters and what to do next. CTI analysts spend hours curating and contextualising intelligence; SOC analysts spend hours stitching that context across tools to validate alerts and determine response. ThreatStream Next-Gen closes that gap: five new capabilities that carry intelligence all the way from production to action, without losing fidelity at the handoff.
- Priority Intelligence Requirements (PIRs) automate recurring intelligence questions, ensuring consistent monitoring of the threats that matter most to your organisation — without analyst intervention on every cycle.
- Command centre provides a live, prioritised view of relevant threats, so analysts spend less time triaging noise and more time acting on signal.
- Intelligence search connects indicators, threat models, and campaigns with AI-generated context — compressing multi-hour investigations to minutes.
- Case management keeps investigations and response workflows synchronised, preserving full context from first signal to final resolution.
- Reporting translates technical findings into clear stakeholder outputs — no manual reformatting, no context lost in translation.
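The pattern the announcement describes, indicators enriching events as they are ingested, a score that ranks the hits, and a standing question (a PIR) evaluated over the enriched stream, is shown below as an added illustration. It is not Anomali’s code and says nothing about how ThreatStream Next-Gen is implemented; the indicator feed, the key=value log lines, the field-to-indicator-type mapping and the scoring weights are all constructed for the example.

```python
"""Threat-intelligence enrichment at ingest, followed by prioritisation and a
standing PIR query. Added example, not Anomali's code; every input here is
constructed (RFC 5737 documentation IPs, .example domains, the SHA-256 of an
empty file) and no real threat indicator appears."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str        # the observable: IP address, domain or file hash
    itype: str        # "ip", "domain" or "sha256"
    confidence: int   # feed-supplied confidence, 0-100
    severity: str     # "low", "medium", "high" or "critical"
    campaign: str     # campaign or actor the indicator is attributed to


SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed feed (hypothetical campaign names, documentation-range values).
FEED = [
    Indicator("203.0.113.45", "ip", 90, "high", "campaign-A"),
    Indicator("updates.bad.example", "domain", 70, "medium", "campaign-B"),
    Indicator("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              "sha256", 95, "critical", "campaign-A"),
]

# Constructed sensor output in a simple key=value format.
RAW_EVENTS = [
    "ts=2024-05-01T02:13:07Z host=ws-17 user=alice dst=203.0.113.45 action=connect",
    "ts=2024-05-01T02:13:09Z host=ws-17 user=alice dst=198.51.100.9 action=connect",
    "ts=2024-05-01T02:14:00Z host=db-01 user=svc-backup domain=updates.bad.example action=dns",
    "ts=2024-05-01T02:15:30Z host=db-01 user=svc-backup "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 action=exec",
]

# Which event fields may carry which indicator type (assumed data model).
FIELD_TYPES = {"src": "ip", "dst": "ip", "domain": "domain", "sha256": "sha256"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def build_index(feed) -> dict:
    """Exact-match lookup keyed on (type, normalised value)."""
    return {(i.itype, i.value.lower()): i for i in feed}


def enrich(event: dict, index: dict) -> dict:
    """Attach every matching indicator to the event at ingest time, so the
    context (campaign, confidence, severity) travels with the event."""
    hits = []
    for field_name, itype in FIELD_TYPES.items():
        value = event.get(field_name)
        if value is None:
            continue
        indicator = index.get((itype, value.lower()))
        if indicator is not None:
            hits.append(indicator)
    return {**event, "intel": hits}


def score(enriched: dict) -> int:
    """Priority score: the strongest single match, confidence x severity weight.
    Events with no intel hits score 0 and are not surfaced."""
    return max((i.confidence * SEVERITY_WEIGHT[i.severity] for i in enriched["intel"]),
               default=0)


def prioritise(lines, feed) -> list:
    """Enrich every line, keep only events with intel hits, highest score first."""
    index = build_index(feed)
    enriched = (enrich(parse_event(line), index) for line in lines)
    hits = [e for e in enriched if e["intel"]]
    return sorted(hits, key=score, reverse=True)


def pir_campaign_on_hosts(prioritised, campaign: str, host_prefix: str) -> list:
    """A Priority Intelligence Requirement expressed as a standing query:
    which prioritised events tie the named campaign to hosts whose name
    starts with host_prefix (e.g. 'db-' for database servers)."""
    return [e for e in prioritised
            if e.get("host", "").startswith(host_prefix)
            and any(i.campaign == campaign for i in e["intel"])]


if __name__ == "__main__":
    ranked = prioritise(RAW_EVENTS, FEED)
    for e in ranked:
        print(score(e), e["host"], e["action"], [i.campaign for i in e["intel"]])
    print("PIR campaign-A on db-*:",
          [e["action"] for e in pir_campaign_on_hosts(ranked, "campaign-A", "db-")])
```

The design point is that scoring and the PIR both read only fields the enrichment step attached to the event, so nothing has to be re-looked-up at triage time; the caveat is that exact-match lookup on a static list is the simplest possible matcher, and a production pipeline would also need indicator expiry, CIDR and subdomain matching, and a way to score an asset's criticality alongside the indicator's.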