
Introducing Anomali Underground Threat Intelligence Powered by RedSense

Published on
June 10, 2026

Adversaries don’t operate in the open. They trade stolen credentials on dark web forums, sell ransomware access to the highest bidder, and build command-and-control infrastructure designed to stay hidden until it’s too late. The intelligence that matters most, the kind that gives defenders a fighting chance, lives underground.

Today, Anomali and RedSense are changing that. We’re proud to announce Anomali Underground Threat Intelligence powered by RedSense: five new high-fidelity intelligence feeds integrated into Anomali ThreatStream Next-Gen. Together, these feeds close the gaps that most threat intelligence programs leave open: crimeware and nation-state actor coverage, pre-compromise alerting, outside-in C2 detection, and automated credential monitoring.

The Intelligence Gap Most Teams Don’t Know They Have

Most commodity threat feeds are built for breadth, not depth. They catalog known malicious IPs and domains, but they lack the context that matters: who is behind the attack, what they are doing right now, and whether they are already inside your network.

Anomali Underground Threat Intelligence powered by RedSense is different. By combining Anomali’s platform with RedSense’s deep expertise in underground surveillance, security operations teams now have access to:

• Deep crimeware and nation-state actor coverage (APT35/CharmingKitten, BellaCiao, CYCLOPS) with full threat actor attribution

• Pre-compromise visibility before ransomware access is sold to threat actors

• Outside-in C2 detection that fires before your EDR or SIEM sees the connection

• Automated credential monitoring scoped to your organization’s email domains

• Executive-ready threat briefings published directly as ThreatStream Threat Bulletins

Five Feeds. One Integrated Platform.

All five feeds integrate seamlessly into ThreatStream’s existing workflows, delivering actionable intelligence where your analysts already work.

1. Anomali Dark Web Intelligence

Delivers high-fidelity threat indicators — IPs, domains, and file hashes — verified as active within crimeware and nation-state threat actor operations. Each observable is mapped to actor profiles and campaign context, so suspicious IPs are enriched with attribution the moment they surface in your environment. Available to all ThreatStream customers by default.

2. Anomali Early Warning Alerts

Monitors adversary Initial Access Broker (IAB) collections for your IP ranges and fires an alert when your network access appears in one. This typically provides a 24–72 hour window before ransomware actors purchase and execute the access. Low volume, high fidelity. Available to customers who provide their IP scope (opt-in).

3. Anomali C2 Detection

Detects, from the outside in, when your IPs are observed beaconing to known adversary command-and-control infrastructure, before your internal EDR or SIEM detects the connection. Each C2 IP is linked to specific APT actors and campaigns for immediate attribution. Available to customers who provide their IP scope (opt-in).

4. Anomali Credential Monitoring

Monitors dark web dumps and infostealer logs for employee credentials matching your organization’s email domains. When a match is found, a targeted alert delivers the complete credential record in ThreatStream, giving your identity team everything needed to force a password reset before business email compromise or account takeover occurs. Available to all customers, automatically scoped by email domain.

5. Anomali Threat Briefings

Structured threat intelligence reports, like APT35/KittenBusters targeting the Middle East energy sector, published as ThreatStream Threat Bulletins. Each briefing links tactical and strategic intelligence to IOCs, giving executives and analysts alike a clear picture of what adversaries are doing, why it matters, and what to hunt. Available to all ThreatStream customers by default.
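The scoping rule behind Credential Monitoring, matching leaked records against an organization's email domains, is where most home-grown implementations go wrong: substring matching turns "notexample.com" into a false positive, and case differences turn real hits into misses. The following is an added example of that rule, written for this page; it is not Anomali's or RedSense's code. It assumes a constructed "url|login|password" record format and a constructed set of records, and it carries only the password length forward so that the alert can be routed without copying the secret itself.

```python
"""Scope leaked-credential records to an organization's email domains.

Added example, not Anomali or RedSense code. Record format and sample
data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class CredentialHit:
    url: str
    login: str
    domain: str          # the org domain the login was matched against
    password_len: int    # length only; the secret itself is not copied forward


def _mail_domain(login: str) -> Optional[str]:
    """Return the lowercased domain part of an email-style login, or None."""
    local, sep, domain = login.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.strip().lower().rstrip(".")


def matches_org(domain: str, org_domains: Set[str]) -> Optional[str]:
    """Return the org domain that `domain` equals or is a subdomain of.

    'mail.example.com' matches 'example.com'; 'notexample.com' does not,
    because the comparison is on DNS labels, not on substrings.
    """
    domain = domain.lower()
    for org in org_domains:
        org = org.lower()
        if domain == org or domain.endswith("." + org):
            return org
    return None


def scope_credentials(records: List[str], org_domains: Set[str]) -> List[CredentialHit]:
    """Keep only records whose login belongs to one of the org's domains."""
    hits = []
    for line in records:
        parts = line.split("|")
        if len(parts) != 3:
            continue  # malformed record: skip rather than guess
        url, login, password = (p.strip() for p in parts)
        dom = _mail_domain(login)
        if dom is None:
            continue
        org = matches_org(dom, org_domains)
        if org is None:
            continue
        hits.append(CredentialHit(url=url, login=login.lower(),
                                  domain=org, password_len=len(password)))
    return hits


def summarise(hits: List[CredentialHit]) -> Dict[str, int]:
    """Count unique affected accounts per org domain (repeated records collapse)."""
    seen: Dict[str, Set[str]] = {}
    for h in hits:
        seen.setdefault(h.domain, set()).add(h.login)
    return {d: len(s) for d, s in seen.items()}


# Constructed sample records, not real leaked data.
SAMPLE_LOG = [
    "https://vpn.example.com/login|alice@example.com|Winter2024!",
    "https://mail.example.com/|Bob@Mail.Example.com|hunter2",       # subdomain, mixed case
    "https://shop.tld/|carol@notexample.com|pw",                    # substring trap
    "https://portal.other.org/|dave@other.org|pw",                  # not our domain
    "garbage line with no separators",
    "https://sso.example.com/|alice@example.com|Winter2024!",       # duplicate account
]

if __name__ == "__main__":
    found = scope_credentials(SAMPLE_LOG, {"example.com"})
    for hit in found:
        print(hit)
    print(summarise(found))
```

One operational caveat: forcing a password reset does not end sessions or refresh tokens that were already issued with the leaked password, so the response should also revoke active sessions and tokens for the affected accounts.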

What This Means for Your Security Operations Team

Anomali Underground Threat Intelligence delivers earlier detection, faster attribution, and visibility that starts before the threat reaches your perimeter. This includes:

Pre-ransomware detection: A SOC manager receives an Early Warning Alert that company VPN access has appeared in an IAB collection. The security team investigates and remediates before ransomware is ever deployed.

Nation-state attribution: A threat hunter bulk-loads APT35 IOCs and retrospectively searches 90 days of log history, surfacing prior compromise with immediate actor attribution.

Outside-in C2 detection: Anomali observes a customer IP beaconing to APT35 C2 infrastructure before internal tools detect the connection. The SOC investigates the compromised host early in the kill chain.

Credential compromise response: The security team receives an alert that 15 employee credentials appeared in a dark web dump. The identity team forces password resets before BEC or account takeover occurs.

Compliance audit: The compliance officer uses Anomali Credential Monitoring alert logs as audit-ready evidence of credential monitoring for SOC 2, ISO 27001, and cyber insurance requirements.
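The nation-state attribution and outside-in C2 scenarios above both come down to one mechanic: bulk-load actor-attributed indicators, sweep historical telemetry for them, and report every hit with its actor and campaign attached. The following is an added example of that sweep, written for this page; it is not ThreatStream or RedSense code. It assumes indicators arrive as dicts with type, value, actor and campaign fields (a constructed schema) and that log history is available as lines of the form "<ISO-8601 UTC time> <source> key=value ...", also constructed. It goes slightly beyond the scenarios by matching domains and file hashes as well as IPs, and it enforces the 90-day window rather than matching everything.

```python
"""Retrospective IOC sweep with actor attribution over historical logs.

Added example, not ThreatStream or RedSense code. Indicator schema, log
format and all sample values are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed indicator set with attribution context. None of these values
# are real adversary infrastructure: TEST-NET addresses, a reserved TLD and
# a dummy hash.
INDICATORS = [
    {"type": "ip",     "value": "203.0.113.45",         "actor": "APT-EXAMPLE",   "campaign": "constructed-1"},
    {"type": "domain", "value": "update-check.example", "actor": "APT-EXAMPLE",   "campaign": "constructed-1"},
    {"type": "sha256", "value": "ab" * 32,              "actor": "CRIME-EXAMPLE", "campaign": "constructed-2"},
]

# Constructed log lines: firewall flows, DNS queries and EDR file events.
SAMPLE_LOGS = [
    "2026-05-12T03:14:07Z fw  src=10.1.4.22 dst=203.0.113.45 dport=443 action=allow",
    "2026-05-12T03:14:09Z dns client=10.1.4.22 query=cdn.update-check.example.",
    "2026-05-12T03:15:01Z edr host=WS-0422 sha256=" + "AB" * 32,
    "2026-05-13T11:02:00Z fw  src=10.1.7.9 dst=198.51.100.7 dport=80 action=allow",
    "2026-01-15T09:00:00Z fw  src=10.1.9.3 dst=203.0.113.45 dport=443 action=allow",  # outside 90 days
    "corrupt entry",
]

# Reference time for the window: this post's publication date.
NOW = datetime(2026, 6, 10, tzinfo=timezone.utc)

KV_RE = re.compile(r"(\w+)=(\S+)")


def build_index(indicators):
    """Key each indicator by (type, lowercased value) for constant-time lookup."""
    return {(i["type"], i["value"].lower()): i for i in indicators}


def parse_line(line):
    """Split a log line into (UTC timestamp, source, {key: value}); raises ValueError if malformed."""
    ts_str, source, rest = line.split(maxsplit=2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, source, dict(KV_RE.findall(rest))


def domain_lookup(index, name):
    """Match a queried name against domain indicators, walking up the labels
    so 'cdn.update-check.example' hits the indicator 'update-check.example'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = index.get(("domain", ".".join(labels[i:])))
        if hit:
            return hit
    return None


def sweep(logs, indicators, now=NOW, window_days=90):
    """Return every in-window log event that matches an indicator, each
    enriched with the indicator's actor and campaign."""
    index = build_index(indicators)
    cutoff = now - timedelta(days=window_days)
    hits = []
    for line in logs:
        try:
            ts, source, f = parse_line(line)
        except ValueError:
            continue  # malformed line: skip it rather than guess at a match
        if ts < cutoff:
            continue
        matched = None
        if "dst" in f:                          # outbound flow to a C2 address?
            matched = index.get(("ip", f["dst"]))
        if matched is None and "query" in f:    # DNS resolution of a C2 domain?
            matched = domain_lookup(index, f["query"])
        if matched is None and "sha256" in f:   # known malicious file on a host?
            matched = index.get(("sha256", f["sha256"].lower()))
        if matched is not None:
            hits.append({
                "time": ts.isoformat(),
                "source": source,
                "host": f.get("src") or f.get("client") or f.get("host"),
                "indicator": matched["value"],
                "type": matched["type"],
                "actor": matched["actor"],
                "campaign": matched["campaign"],
            })
    return hits


def hosts_by_actor(hits):
    """Collapse hits into actor -> sorted affected internal hosts, the view
    an analyst needs to scope an incident."""
    out = defaultdict(set)
    for h in hits:
        out[h["actor"]].add(h["host"])
    return {actor: sorted(hosts) for actor, hosts in out.items()}


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS, INDICATORS)
    for h in found:
        print(h)
    print(hosts_by_actor(found))
```

The window check matters in practice: a bulk retro-hunt that ignores the retention boundary reports stale hits that the responder cannot act on, while a too-narrow window misses the early beacons that establish when the intrusion began.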

Underground Intelligence. Overground Protection.

Anomali Underground Threat Intelligence powered by RedSense surfaces intelligence that has historically lived beyond the reach of conventional feeds and integrates it directly into the workflows of ThreatStream Next-Gen. Security teams now have the depth, attribution, and timing they need to stay ahead of even the most sophisticated threats.

Anomali Underground Threat Intelligence powered by RedSense is available now for ThreatStream customers. To learn more, request a demo.

ABOUT REDSENSE: RedSense, a cyber threat intelligence engine for the modern enterprise and mid-market, empowers organizations with actionable threat intelligence that is proactive, targeted, and made easy. Customers use RedSense’s intelligence feeds to help them stay ahead of modern threats and adapt their defenses to an ever-changing threat landscape.

RedSense is purpose-built by industry leaders for threat intelligence teams everywhere who share a common purpose: to strengthen their detection and response capabilities with the best threat intelligence.
