Threat Intelligence: Automation Is Fragmenting the Market

In recent years, digital-risk protection has merged with threat intelligence products.

Gartner frames this shift with a contextual note for its first Magic Quadrant dedicated to this market. Beyond this convergence, the research firm underscores that despite ongoing innovation (automation, enrichment, integrations…), the core capabilities—collection and analysis—remain highly valued. This is reflected in how it ranked the vendors.

17 Vendors, 5 Leaders

The assessment spans two dimensions, “Execution” and “Vision.” The first measures the ability to meet needs (product quality, pricing, market track record…). The second centers on strategies (go-to-market, sector focus, geographic reach…).

The standings on the “Execution” axis:

Rank Vendor
1 Recorded Future
2 CrowdStrike
3 Google
4 ZeroFox
5 Cyble
6 Flashpoint
7 Group-IB
8 Intel 471
9 Bitsight
10 SOCRadar
11 CTM360
12 KELA
13 CYFIRMA
14 ReliaQuest
15 Flare
16 Axur
17 NSFOCUS

On the “Vision” axis:

Rank Vendor
1 CrowdStrike
2 Google
3 Recorded Future
4 ReliaQuest
5 ZeroFox
6 Group-IB
7 Bitsight
8 NSFOCUS
9 CYFIRMA
10 SOCRadar
11 CTM360
12 KELA
13 Cyble
14 Flashpoint
15 Intel 471
16 Axur
17 Flare

Five vendors carry the “Leader” label: CrowdStrike, Google, Group-IB, Recorded Future, and ZeroFox.

Vendors Praised for Automation…

Among the Leaders, Google stands out for agent-based capabilities, specifically for malware code analysis, extraction of techniques and tactics, and simulation of adversary behavior.

On the AI/automation front, three “Visionaries” receive credit: NSFOCUS, for its automated sector-based classification and for its browser extension that highlights IOCs while enriching them; ReliaQuest, for its capabilities around consolidation and response; and SOCRadar, for the creation and deployment of detection rules.

Gartner also praises the proprietary multimodal AI of Axur (niche player), in particular a vision model to detect brand abuse, plus agentic automation that eases response escalation and validation of takedown actions.

… and Others Lagging Behind

One of the Leaders receives a critical note on AI/automation: Group-IB. It has not yet fully delivered predictive capabilities; its platform still relies largely on rule-based logic and analyst-guided workflows.

For Flare (niche player), AI plays a supporting rather than a decision-making role. It focuses on summarization, relevance scoring, noise reduction, and analyst-friendly interpretation. Predictive and agent-based facets are not developed, and closed-loop automation (for example, generating rules from IOCs) is limited.

Flashpoint (challenger) has not fully automated IOC lifecycle management. Intel 471 (niche) prioritizes human expertise over advanced automation. While strong on correlation and contextualization, Recorded Future places less emphasis on response automation, which leans heavily on downstream tools.

Pricing, Sometimes Complex or Opaque

Bitsight (Visionary) stands out for transparent pricing. Costs are predictable for user and API access as well as for add-on modules.

This isn’t the case for CrowdStrike. Its multi-tier pricing—based on endpoints or on employees—is complex.

Pricing for KELA (niche) lacks structure: costs can be hard to forecast depending on the functional mix or deployment scope.

Regarding ReliaQuest, Gartner describes pricing as “opaque”: advertised prices are tied to high-level indicators, with no details on packaging or public pricing structures.

Pricing is also complex with ZeroFox, combining asset-based billing, a bucket model for takedowns, and add-ons for certain integrations.

Leaders’ Offerings, Often Complex to Deploy or Operate

Three Leaders come with cautions about implementation and/or operational complexity.

For Google, premium features (private scans, advanced automation, etc.) can quickly accumulate and complicate the operationalization of the stack.

The Group-IB offering is better suited to mature teams; others may need to define additional processes to maximize value.

With Recorded Future, achieving “full value” often requires multiple add-ons, which can raise overall costs.

Mobile Apps and Browser Extensions Still Often Lacking

Functionally, Axur does not offer a browser extension, a mobile app, or automated generation of SIEM/EDR rules.

CTM360 also lacks a browser extension. Gartner notes that its core features are not protected by patents.

On mobile, Google lacks a native app, and some tasks require manual copy-paste.

The offering from Intel 471 likewise does not include a browser extension or a mobile app, nor agent-driven workflows.

For SOCRadar, there is a mobile app, but it is limited; overall user experience is not fully stabilized, particularly for alert delivery.

Many Players with Limited Geographic Footprints

A number of vendors operate with constrained geographic reach.

  • Axur: customer base largely in Latin America
  • CrowdStrike: revenue concentrated in North America
  • CTM360: limited customer base, recurring annual revenue and “modest” growth
  • CYFIRMA (Visionary): customer base concentrated in the Asia-Pacific region
  • Flashpoint: customer base and activity focused in North America
  • Group-IB: limited presence in North America
  • KELA: uneven geographic distribution of teams, mainly located in North America
  • NSFOCUS: primarily present in the Asia-Pacific region
  • Recorded Future: revenue and support concentrated in North America and EMEA
  • ZeroFox: customer base mainly in North America
Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.