Tips for TIPs
Researching and procuring TIPs can be tough. Here's some words of wisdom collected from real teams who have gone through the POC and implementation process.
Researching and procuring threat intelligence platforms (TIPs) can be confusing, frustrating, and occasionally misguided. Based on internal research and informational interviews with colleagues, we've gathered a few solution-agnostic words of wisdom to help you alleviate some sources of pain associated with TIPs.
If you've previously considered threat intelligence platforms, you already understand product fundamentals, overall market offerings, and best practices. There is an established need and expectation for resource investment. These additional reminders come from conversations with real teams who shared frustrations about their TIP journey after this initial phase. We hope their advice will help you determine which solution will actually work for your organization:
1. Get Specific.
Prepare a handful of concrete test cases that can be evaluated within a 2-4 week TIP POC period, with clear pass/fail outcomes.
Tests could assess if the UI is well-tailored to support current analyst research needs, confirm working integrations with your existing tools, validate proper ingestion of your ISAC's STIX feeds, or something else entirely. Even if you can't get everything in place before the procurement process, the more upfront work done to get your internal ducks in a row, the better you can predict which solutions will hit the ground running.
Side Note: Lacking the development, engineering, or analyst resources to prepare for a POC is in and of itself an indicator of challenges to come.
If a vendor can easily share resources, links, or best practices addressing your specific requirements, it's a positive sign that they're actively and continuously investing in successful deployments. For open source solutions, keep an eye out for robust community discords, GitHub repositories, and other peer-to-peer channels to prevent needlessly reinventing the wheel. You can also measure outcomes on a scale (e.g., 0-5) for a more nuanced assessment that captures: total fail; possible with some improvements, custom code, or on the roadmap; working as desired out of the box.
2. Assign a Point Person.
This is commonly a dedicated CTI lead but can also be an individual willing to wear the CTI hat.
Avoid diffusion of responsibility or cross-wire efforts by identifying a person with the capability and interest to implement and maintain a TIP over time. Even if the goal is to automate everything, it won't be very effective without a human thoughtfully approaching the preparation, monitoring, and tuning.
Side Note: The chance of a successful TIP deployment significantly increases when you have at least a part-time, in-house engineering resource to tap into. This is important not only at the time of deployment but on an ongoing basis.
TIPs, just like threat intelligence programs, are never "set it and forget it." Selecting a TIP groundskeeper to be the nexus for issues and opportunities helps keep the platform investment from becoming a confusing waste of time, money, and energy. This also creates a clear flow for vendor relationships to get the most out of your customer success and support teams.
3. Establish Pricing Early and Often.
Unsurprisingly, pricing was the top pain point, regardless of budget, use case, maturity, and sector.
The number of times peers have lamented that pricing and sales were a deal-breaker far too late in the process was eye-opening. Keep in mind: this is more than whether or not a solution was too expensive. Struggles also included mismatched expectations or perceived curveballs around pricing structures, necessary infrastructure/support services, and terms.
Side Note: Jokes aside, this is a two-way conversation. Since every organization and its needs vary widely, a ton of complexity may be baked into estimating an accurate initial cost range. Be honest about what you're looking for (need, want, nice to have) and can/cannot do.
At a minimum, request a range early on with similar recent deployments and be diligent about understanding various pricing models. Ask trust groups and colleagues if you're not directly getting a satisfactory starting point. Then, clarify what a POC includes and break out potential extra costs - per seat, per endpoint, by limits, for integrations, services, etc. - to mitigate future surprises. It's reasonable for prices to change over time, but try to lock in a set rate over the short-term or cap year-over-year increases during final negotiations.
That's all, folks!
This advice here is universally applicable to anyone looking for a TIP. Thanks to everyone who chimed in with their experiences and helped us share this back with the CTI community (you know who you are :) )
We took these words of wisdom to help design our procurement process - from the vendor side. If you want to learn more about Pulsedive Enterprise, check out our Enterprise page.