evaluating-threat-intelligence-platforms

# Evaluating Threat Intelligence Platforms ## When to Use Use this skill when: - Conducting a formal RFP or vendor evaluation for a TIP solution - Assessing whether the current TIP (e.g., MISP) needs to be replaced or augmented as the CTI program scales - Establishing evaluation criteria aligned to organizational maturity and budget **Do not use** this skill for evaluating feed quality independently of the TIP — feed evaluation is a separate workflow focused on data quality rather than platform capabilities. ## Prerequisites - Documented CTI program requirements: team size, feed sources, integration targets, use cases - Budget range and procurement timeline - Technical staff who will administer the platform (Python/API experience for open-source TIPs) - List of current and planned integrations (SIEM, SOAR, EDR, firewalls) ## Workflow ### Step 1: Define Evaluation Criteria Structure requirements into mandatory (M) and desired (D) categories: **Core TIP Functions**: - M: STIX 2.1 import/export with TAXII 2.1 server - M: REST API for automated IOC ingestion and export - M: Indicator deduplication and TTL management - M: TLP classification enforcement - D: Built-in MITRE ATT&CK integration and technique tagging - D: Graph visualization of indicator relationships - D: Workflow automation for analyst triage **Integrations**: - M: SIEM integration (Splunk, Sentinel, QRadar) via syslog, API, or native connector - M: EDR integration for IOC push (CrowdStrike, Defender, Senti...