Introducing ThreatStream Next-Gen: New AI-Powered Capabilities to Sharpen Your Intelligence Operations

Published on March 26, 2026

Threat intelligence teams face a relentless challenge: too much data, too little time, and processes that depend on manual effort that doesn't scale. Analysts pull the same feeds every morning, re-read the same reports, and track open questions in spreadsheets that no one fully trusts. The result is noise, missed signals, and teams stretched thin doing work that should run automatically. Today, Anomali introduces ThreatStream Next-Gen, the next iteration of the ThreatStream platform, designed to change that.

Priority Intelligence Requirements (PIRs), Command Center, Intelligence Search, Case Management, and Reporting bring agentic automation, unified visibility, and AI-assisted workflows directly into ThreatStream Next-Gen so analysts can focus on the intelligence and context that matter instead of the mechanics of finding it.

These capabilities are now available in early access to ThreatStream Next-Gen AI Professional and AI Enterprise customers. 

Priority Intelligence Requirements (PIRs): Eliminate Duplicate Findings

Every CTI team has a version of the same problem. Analysts define the questions that matter to the business ("Which threat actors are targeting our industry?", "Which vulnerabilities affect our infrastructure?") and then answer those questions manually, day after day, with no memory of what they found yesterday.

The result is predictable: duplicate findings, missed context, and analysts burning hours on repetitive research instead of acting on new intelligence.

Automation With Memory

PIRs solve this universal frustration by turning standing intelligence questions into continuously running, AI-driven workflows. An analyst defines a PIR once by giving it a title, a description, and the threat data inputs to monitor; ThreatStream takes it from there.

On every scheduled run, Anomali Agentic AI analyzes the ingested data, extracts relevant signals, and generates structured outputs including new threat models, tagged indicators of compromise (IOCs), Jira or ServiceNow tickets, Slack notifications, and platform alerts. Analysts can also trigger a run on demand at any time.

The difference between PIRs and a simple alert rule is memory. PIRs track what they’ve already reported and surface only net-new intelligence on every execution so that analysts can stop reading the same findings twice.

That deduplication engine is the capability that sets PIRs apart. Competing platforms offer alert rules and custom feeds, but none maintain persistent memory across executions or embed AI analysis as a native step in the workflow. The result is a structured, auditable intelligence process that runs on a schedule, not in a spreadsheet.
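As an added illustration of the memory-with-deduplication idea described above (this is not Anomali's code, and the page does not describe how ThreatStream stores PIR state), the following Python sketch keeps a per-PIR memory of what earlier runs already reported, normalises indicator spellings so that a defanged, mixed-case or trailing-dot re-sighting of the same observable is not counted as new, and returns only the net-new findings for a run. The function names, the JSON memory layout, the run identifiers and the sample indicators are all assumptions made for the example.

```python
"""Net-new filter for a standing intelligence requirement (PIR).

Added example, not ThreatStream's implementation. Assumptions (hypothetical):
findings arrive as IOC strings, and the PIR's memory is a JSON file mapping
normalised IOC -> identifier of the run that first reported it.
"""
import json
import re
from pathlib import Path


def normalize_ioc(raw: str) -> str:
    """Canonical form so that variants of one observable compare equal.

    Handles the common report spellings: defanged dots ([.] (.) {.} [dot]),
    hxxp:// schemes, defanged ':' and '@', case, and a trailing FQDN dot.
    """
    s = raw.strip().lower()
    for fang in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(fang, ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    s = s.replace("[:]", ":").replace("[@]", "@")
    return s.rstrip(".")


def load_memory(path: Path) -> dict:
    """A missing file means the PIR has never run: empty memory."""
    if path.exists():
        return json.loads(path.read_text())
    return {}


def save_memory(path: Path, memory: dict) -> None:
    path.write_text(json.dumps(memory, indent=2, sort_keys=True))


def net_new(memory: dict, findings, run_id: str) -> list:
    """Return findings no earlier run reported, and record them in memory.

    Duplicates inside the same batch collapse too, because the first copy
    is written to memory before the second is examined.
    """
    fresh = []
    for raw in findings:
        key = normalize_ioc(raw)
        if not key or key in memory:
            continue
        memory[key] = run_id
        fresh.append(key)
    return fresh


def run_pir(memory_path: Path, findings, run_id: str) -> list:
    """One scheduled (or on-demand) execution: load, filter, persist."""
    memory = load_memory(memory_path)
    fresh = net_new(memory, findings, run_id)
    save_memory(memory_path, memory)
    return fresh


if __name__ == "__main__":
    import tempfile

    # Constructed sample input: two consecutive runs of the same PIR.
    mem = Path(tempfile.mkdtemp()) / "pir-memory.json"
    day1 = ["evil[.]example", "hxxp://evil[.]example/payload", "198.51.100.7"]
    day2 = ["EVIL.example.", "198.51.100.7", "update.example[.]net"]
    print(run_pir(mem, day1, "2026-03-26"))  # all three are new
    print(run_pir(mem, day2, "2026-03-27"))  # only update.example.net
```

Two design points worth carrying into a real implementation: memory must survive the process (a file here, a database in practice), otherwise every run is the first run; and the normalisation step is what decides whether "EVIL.example." and "evil[.]example" are one finding or two, so it should be reviewed as carefully as the feed parsing itself.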

For security leaders, PIRs provide an auditable, repeatable record of how the team monitors its defined intelligence requirements, a capability that matters both at the board level and in regulated environments.

Command Center: One View of the Threat Landscape

Before analysts can act on intelligence, they need to understand what’s happening. That’s harder than it sounds when relevant signals are scattered across multiple screens, tools, and data sources with no single starting point.

Command Center replaces that fragmented experience with a single, personalized dashboard tailored to each analyst’s organization and industry vertical. It surfaces what matters now — active attacker operations, trending malware, trending vulnerabilities, targeted entities, and curated global news — without requiring analysts to go looking for it.

From Fragmentation to Focus

Instead of navigating across disconnected screens to build a picture of the threat landscape, analysts open ThreatStream and see the relevant intelligence already assembled. Command Center consolidates curated insights upfront, so teams can orient quickly, prioritize their day, and move to action faster.

Integrated directly into Command Center is Intelligence Search: a unified search experience across all historical IOCs, Threat Bulletins, Threat Models, and feed data. Analysts receive AI-generated natural language explanations of how observables relate to threat motivations and threat models — turning raw search results into actionable context.

Case Management: Keep Intelligence and Action in the Same Place

When a CTI analyst identifies a significant threat, the next step is usually a context switch: out of ThreatStream, into Jira or ServiceNow, copy-pasting intelligence findings into a ticket that has no native connection to the observables or threat models that triggered it. That context loss is operational friction, and it adds up to real frustration for security teams.

ThreatStream Next-Gen's Case Management capabilities solve that problem by bringing a native, AI-powered case and ticketing experience directly into the platform. Analysts create, manage, and resolve intelligence-driven cases without leaving the platform, and every case links directly to the relevant observables and threat models, preserving the full intelligence picture alongside the work.

AI-Powered From the Start

Every case in ThreatStream Next-Gen includes on-demand AI summaries generated by Anomali Agentic AI, along with AI-suggested next steps tailored to the case type and content. For cases involving a host or asset, Agentic AI automatically fetches related asset and host data before the analyst even opens the case, which reduces manual lookup time and gets analysts to context faster.

Org admins can embed standard operating procedures directly into case types via Anomali Agentic AI prompts, giving junior analysts a guided playbook every time a case is opened, with no additional training overhead.

Cases are private to the creating organization by default, keeping sensitive CTI work within the platform boundary. Granular permissions ensure that all org users can view and comment on cases, while editing is restricted to the case creator, assignee, and org admin.

Case Management is also accessible via the Anomali MCP API, enabling agentic workflows in which PIR outputs automatically create cases and AI systems read and update cases programmatically, closing the loop from intelligence signal to tracked analyst action without human intervention.

Reporting: Share Intelligence With the People Who Need It

Intelligence that stays inside the CTI team doesn't protect the business. Reporting in ThreatStream Next-Gen lets analysts publish exec-ready reports from existing templates and quickly share findings with stakeholders across the organization. When a major geopolitical event unfolded on a Friday afternoon, a threat analyst at a large credit union pulled together research for senior leadership in under 20 minutes, a task that once took hours, because Anomali Agentic AI is woven across the platform rather than bolted on top.

Reports are saved and organized by date, name, author, shared visibility, TLP classification, and draft status, making it easy to manage a library of intelligence outputs and maintain a consistent communication cadence with business teams.

Intelligence Operations That Run on a Schedule, Not on Heroics

Each of these capabilities is useful on its own. Together, they form a connected intelligence operations workflow: Command Center orients the analyst to the current threat landscape, PIRs automatically monitor the intelligence requirements that matter to the business, Case Management tracks every intelligence-driven action from signal to resolution, and Reporting communicates findings to the stakeholders who need them.

The through line is reducing the manual effort that CTI teams currently carry. Recurring research tasks that run automatically. Case context that arrives pre-enriched. Reports generated from templates instead of built from scratch. These are not incremental improvements — they’re a shift in how intelligence operations work.

The goal is a CTI team that spends its time on analysis and decisions, not on the mechanics of gathering, tracking, and reporting intelligence.

Availability

PIRs, Command Center, Intelligence Search, Case Management, and Reporting are now available in early access to existing ThreatStream Next-Gen AI Professional and AI Enterprise customers. General availability is planned for April 2026.

To learn more or get access, contact your account manager directly. For more information about the Anomali Agentic SOC Platform, visit www.anomali.com.
