Compare ZeroFox with Industry
Digital Threat Intelligence Solutions

      • Monitor leading global social network platforms
        Supports all leading social networks: Facebook, Twitter, Instagram, LinkedIn, YouTube
        Supports popular social media platforms
        Limited support for monitoring social media data sources. Coverage for popular social media platform account profiles (Facebook, Twitter, YouTube), and specific Twitter coverage focusing on company-referenced tweets, threat actor tweets, security commentator tweets and vendor tweets
      • Monitor regional (international) social network platforms
        Regional networks VK, Sina Weibo, Tencent QQ
        Few if any international social sites
      • Monitor mobile app stores for rogue apps on Apple and Android platforms
        Detects rogue apps, impersonations in 200+ mobile app stores in Google Play and Apple app store
        Limited direct monitoring of app stores. Threat Intelligence Card data can be used for monitoring and alerting on mobile malware
        Supports monitoring and detection of malware and impersonations across mobile app stores
      • Monitor and search paste sites, covert communication channels, and dark web marketplaces, sites and forums
        Monitors paste sites, hacker forums, covert communication channels, TOR, 1000s of deep and dark web sources
        Extensive dark web forum coverage. Provides details on emerging exploits and malcode tools relevant to an organization's technology stack
        Continuous monitoring and searchable database of deep and dark web threats with indexing of hundreds of millions of dark web pages, closed paste sites and code repositories, criminal forums, Telegram, IRC, and I2P pages. Analysts track and provide intelligence on latest criminal trends and activity on deep and dark web
      • Monitor leading forums, blogs, news and reviews sites
        Monitor popular news and reviews sites such as Reddit, Pinterest, TripAdvisor, etc.
        Coverage includes paste sites, code repository (GitHub Gist), social media, dark web, mainstream news, and forums
        Surface web coverage includes some paste sites, code hosting repositories, technical and public forums, file sharing sites, blogs, and some news sites
      • Monitor common TLDs and ccTLDs for new domains or status changes that may pose risk to brand
        Monitors gTLD and ccTLD registries for new domain registrations, change of ownership and status (active, parked, etc). Continuous, daily monitoring to ensure protection from malicious changes
        Limited to new registration monitoring with no continual domain monitoring. Farsight Security partnership for change history. Fast flux block lists
        Continuously monitors for new and recently registered domains from most major registrars and 3rd-party domain feeds
      • Monitor cloud email solutions (Gmail, O365) for phishing attempts, impersonation and BEC. Monitor collaboration platforms for inadvertent IP disclosure, malicious links and file attachments, and offensive language
        Inline offensive and malicious content remediation for Slack. Check for insecure meetings in Zoom, MS Teams and more. BEC protection with inline suspicious email warnings
        Slack is notification channel for RFIs only
      • Monitor code share and paste sites for accidental IP disclosures, leaked credentials, or improper brand usage
        Monitors for exposed credentials, leaked IP, and brand abuse in Pastebin, Bitbucket, GitHub, Stack Overflow, and AWS S3 buckets
        Detects sensitive company data and user credentials being sent to paste sites, cloud services, GitHub, and other data stores. Ability to search for any exposed AWS keys
        Detects sensitive data leakage, compromised credentials and brand risks across document stores, open/closed paste sites, code hosting forums like GitHub and GitLab
      • Monitor leading emarketplaces for fraud, piracy, and brand abuse
        Comprehensive coverage including Alibaba, Amazon, eBay, Etsy, Lazada, MercadoLibre, Snapdeal, OLX
        Focuses on dark net criminal markets
        Focuses on dark net criminal markets
      • Ability to find digital assets such as accounts, profiles, etc. via automated scanning across attack surface for digital footprinting
        Proactively describe entities and instantly find legitimate and illegitimate copies. Easily whitelist owned assets
        No concept of entities, so no proactive discovery. Intelligence Goals Library allows some description of assets
        Limited, no social discovery. Automatically identifies domains associated with owned domains and populates a “proposed assets” tab. Capabilities around adding critical values to assets to rank importance. Credential discovery and timeline
      • Primary use cases the vendor supports
        • Brand Protection
        • Executive Protection
        • Domain Protection
        • Account and Page Protection
        • Threat Intelligence
        • Advanced Email and Workforce Protection
        • Brand Intelligence
        • SecOps Intelligence
        • Threat Intelligence
        • Vulnerability Intelligence
        • Geopolitical Intelligence
        • Third-Party Intelligence
        • Brand Protection
        • Dark Web Monitoring
        • Data Leakage and Compromised Credentials Detection
        • Threat Intelligence
        • Technical Leakage Detection
        • Attack Surface Monitoring
      • Monitor owned social media accounts for unauthorized activity (postings, contact change, etc.) and unowned accounts for impersonations and improper brand usage
        Protects brand and executive accounts against account hacking attempts and offensive content published to owned pages and profiles. Freeze accounts at early warning signs of hijacking
        Monitoring limited to names (not images, logos) for impersonation. No automated remediation actions upon discovery
        Monitoring limited to account names and profiles (not images, logos) for impersonation. No automated remediation actions upon discovery
      • Monitor domains (DNS and MX records) for impersonating domains abusing brand
        TLD/ccTLD and sub-domain monitoring for impersonating sites. Homoglyph / typosquat detection. Rescan on status change (ex. after move from inactive to active registration status). Detect expired certificates
        Domain abuse protection, phishing detection. Open web and technical source monitoring, including passive DNS records, social media, messaging platforms, paste sites, and mobile app stores. Dark web focused
        Continuously monitors and alerts for risk based on changes to MX and WHOIS + DNS records. Detects typo and combo-squats across broad range of TLDs and subdomains. Detects expiring, revoked, insecure or vulnerable SSL certificates
      • Protect digital presence, owned assets and accounts, logos and trademarks against account hacking, impersonations, malicious content and reputation damage on websites, product listings, emarketplaces
        Detect impersonations and brand abuse across all channels in real time through automation and web beaconing. Identify brand by logo, product image, keywords, hashtags
        Limited image detection. Real-time alerting on brand-related mentions, brand impersonation detection, brand/product/logo monitoring
        Limited, no product image/logo detection. Monitoring and detection for brand-related mentions, impersonating branded domains, impersonating branded mobile apps, and branded terms used on social media
      • Protect VIPs and executives against spearphishing attacks, impersonations, account hacking, physical threats and more. Compromised credential detection
        Identify and takedown impersonating profiles and accounts. Ability to identify deepfakes. Eliminates false positives with analysis of name, bio, picture matching to protect VIPs and executives and their followers. Detect leaked credentials in paste sites, code share repositories, and in dark web chatter
        VIP impersonation detection, but limited credential compromise protection. Requires Geopolitical Intelligence licensing. Dynamically links, categorizes, and updates in every language from social media, the dark web, and more
        Detection of compromised credentials and capabilities around detecting social media profiles impersonating VIPs and executives
      • Protect locations, including headquarters, stadiums, facilities, and residences, and events against threats of violence and targeted attacks. Gain situational awareness and early warning of attack planning or nearby threats to locations and events
        Protection and alerts on threats by correlating geo-location (down to 0.01 mile radius) with threatening language. Mobile app for real-time situational awareness. Human geopolitical analysis and risk assessment
        Has real-time geopolitical event monitoring and location-based risk scoring. Human analysis
        Ad-hoc / non-geo location solution via analyst analysis
      • Detect brand abuse, phishing and targeted campaigns to complement legacy email malware/spam/antivirus protection solutions by leveraging existing information such as DMARC failure reports and forwarded [email protected] inboxes
        Phishing abuse protection identifies impersonation email domains, campaigns and takes down offending infrastructure. Alerts user with BEC suspicious email warnings. Real-time analysis and malicious link moderation of owned account content posts, Slack and email communications, etc. Analyze malicious links from [email protected] or DMARC failure submissions
        Detect, alert and takedown squat domains used in phishing attacks and exposed email addresses. Extract compromise indicators and analyze the email subject, address, and attachments to assign an incident severity value, but no BEC or suspicious email warnings. Sandboxing is a feature of the SecOps Intelligence module
        Monitor and alert for spoof domains, emails and malicious websites used in phishing attacks and detect exposed email addresses in data leaks. No BEC or suspicious email warnings
      • Detect customer scams, fakes and pirated merchandise for sale
        Detect embedded objects within images such as fraudulent money flipping offers, coupon scams, credit cards, logos and fake or stolen branded goods illegally for sale
        Dark net marketplaces are covered but not clear sites (eBay, Amazon marketplace, etc.)
        Dark net forums, marketplaces and mobile app stores are covered but many surface websites are not (eBay, Amazon marketplace, etc.)
      • Customer has the ability to develop or customize existing rules in a familiar language (ex. JavaScript) to tailor to fit unique use cases and improve detection accuracy
        Open - hundreds of out-of-the-box JavaScript (Foxscript) rules tailorable directly in platform
        API-only based platform. Must develop own rules using Python, cURL, PowerShell. For advanced users only
        API-only based platform. Must develop own rules using Python, cURL, PowerShell. For advanced users only
      • Analyze sentiment to derive meaning and intent in native languages
        Supports 55+ native languages for 99% accurate sentiment analysis
        Text sources are analyzed using natural language processing (NLP) to extract entities, events, and temporal information. Rosette text analytics powers much of this and supports 64 languages
        Natural Language Processing (NLP) pulls data associated with an entity in 27 languages from millions of online sites in real-time
      • Examine content for malware, phishing, spam and other suspicious links
        Real-time analysis and malicious link moderation of owned account content posts, Slack and email communications, etc.
        IT teams can aggregate alerts to suspected phishing emails from SIEM and logging services, as well as individual end users. Sandboxing ability
        Detect and alert on malicious or phishing domain links and apply risk score analysis aligned to Factor Analysis of Information Risk (FAIR) framework for alert prioritization
      • Detect characters embedded in disguised images (ex. Instagram money flipping scams)
        Bounding boxes to highlight text within alert images
        Only raw text-based technology
        Only raw text-based technology
      • Detect objects within images such as credit cards, weapons, logos
        Detects and highlights credit cards, weapons (guns/knives), and logos in images
        Only raw text-based technology
        Only raw text-based technology
      • Ability to sample-train and progressively tune analysis engine to accurately recognize new object types
        Intel AI Builders acceleration partner. ZeroFox pioneered facial, deepfake, weapons and logo recognition image analysis through ML-trained models
        Uses machine learning techniques to structure data into categories, to analyze text across multiple languages, to provide risk scores, and to generate predictive models
        Partnered with Webroot BrightCloud® Threat Intelligence Services which uses machine learning to classify and categorize billions of IP addresses and URLs across millions of domains according to the possible threat they represent
      • Image comparison and facial recognition within static images and videos
        Facial image comparison for impersonation detection. Video analysis, deepfake detection and Deepstar open source training tool
        Only raw text-based technology
        Only raw text-based technology
      • Ability to evaluate billions of content pieces annually and dynamically handle processing fluctuations through use of automation and sophisticated analysis engines
        Highly-scalable, low-latency SaaS and managed service deployment model, automatically analyzes billions of content pieces per year and process tens of millions of AI enrichments per day. Priority alerts are validated and enriched via 24x7, global operations team. Scale continues with automated remediations
        Collection and analysis is aided by automation; however, overall throughput is limited by a human analyst-based approach to curated, finished intelligence and requirements, and by inquiry-driven request processes. This dependency ultimately yields fewer detections and costlier, slower remediation for many common impersonations and attacks
        Collection and analysis of threats and risk scoring is handled mostly by automation accessible via cloud-based portal or integrated security platform. Requires an expensive analyst to operate the platform. The SearchLight platform is difficult to scale while minimizing cost
      • Ability to collect and correlate threat intelligence from open, searchable and indexable public sources
        Platform transparently displays 1000s of data sources and digital platforms. All data flows through multiple AI-based CV/OCR/NLP AI/ML classifiers as opposed to a single NLP engine, plus >5k rules to automate analysis, with continual collection (reindexing upon new indicators). Patented (28 issued) automated collection and expansive network/hosts relationships
        Collects and models real-time TI data on Security Intelligence Graph from a large quantity and variety of sources across open web channels. Also uses OSINT to expand visibility and monitor and detect location-based threats
        Users can search across SearchLight's large collected database of open source intelligence from publicly available web channels; including a range of intelligence and reputation feeds
      • Ability to collect and correlate threat intelligence by means of interpersonal human analysis across public and covert channels
        Has 81 HUMINT collectors with personas in over 300 different high value darkweb forums and > 500 closed communication channels. HUMINT represents ~25% of dark escalated alerts, despite dark web accounting for 12% of the data. Uses encrypted comms and TOR for non-attributable infrastructure
        Leverages Insikt Group along with team of ~30+ on-staff human analysts to add critical insights to TI data model
        Utilizes ~20+ on-staff analysts that work together to provide customers with intelligence from covert sources that involves collecting, tracking, analyzing and reporting on threat actors, campaigns, operations, and their affiliated TTPs
      • Finished intelligence about relevant global active and emerging threats, with analysis and recommendations by expert research staff
        Delivers highly-relevant intelligence curated by ZeroFox Threat Intelligence researchers
        Has over one billion Intelligence Cards on threat actors, malware, vulnerabilities, IP addresses, updated in real time
        Curated analysis on the latest threat actors, and tactics, techniques and procedures (TTPs). Custom reports, weekly summaries and on-demand TI services available. Limited TI staff
      • Select threat intelligence relevant to customer use case(s) and threat environment, prioritized by criticality
        Delivers contextualized scored vulnerability (CVEs) and advisories that reflect customer entities (assets) and protections, and are tuned to customer needs
        Advanced querying, alerting, and data visualization
        Alert threat risk-scoring prioritization and entity-relevant intelligence incidents alerts contextualized with associated trends/threat actors
      • Provide alerts packaged to allow for semi- or fully-automated response
        Delivers actionable alerts with recommended actions and 'in-alert' response options. Complete managed takedown services for critical threats and ToS violations
        Block-grade indicators plus URL and file sandboxing. Threat hunting packages and global threat views, but actions must be customer initiated
        Ad-hoc threat hunting database via Shadow Search. This provides a powerful way to search/filter their indexed data to track threat actors, campaigns, IOCs, and identify instances of fraud
      • Communication mediums by which intelligence is made available to analysts or SOC operators
        Intelligence available by platform portal, mobile app, and daily email digest and weekly threat bulletins
        Intel available from searchable web portal access, RESTful API & integrations, Insikt Group reports, Browser extension, and mobile app for iOS and Android devices.
        Weekly Intelligence Summary reports (IntSum). Cloud-based searchable web portal and API integrations to TIP, SOAR, SIEM environments
      • Researchers available for custom investigations and reports including attacker attribution, campaign research, and persistent attacks
        Access to intelligence analysts, for both ad-hoc/on-demand and ongoing, recurring in-depth custom threat investigations and special reports. This is part of subscription offering
        Most analyst time is for finished intelligence production per SIRs. Custom analysis is available through Analyst On-Demand services at incremental charge
        Limited, very few TI analyst staff. On-demand intelligence services available
      • API delivering real-time IoCs in consumable format for correlation and use by security stack components
        REST API provides feed with traditional IOCs (file hashes and IP addresses and domains) as well as social indicators like phone numbers, malicious pages and malware indicators, and unique social indicators
        In addition to Intelligence Cards, additional threat feeds can be consumed from integration partners, as well as STIX, TAXII and MISP feeds
        Customers can ingest latest TI data from threat feeds and integrate with leading threat intelligence platforms, such as Anomali, ThreatConnect, ThreatQuotient, and TruStar – as well as with a host of SIEM, Ticketing, SOAR, and Enforcement platforms. Additionally, customers can enrich observed data findings via access to Cylance Infinity, AlienVault, PhishTank, and Webroot – as well pastes, criminal forum posts, Twitter posts, and other data sources
      • Ability to easily export indicators and intelligence into common analysis/workflow platforms such as TIPs, SOARs, SIEMs
        API integrations with leading TIP and SIEM platforms from ThreatQuotient, Threat Connect, Anomali, Splunk, and many more. See full list at
        Security stack integration partners include ServiceNow, Splunk, Palo Alto, Anomali, Bitdefender, Carbon Black, Cortex SOAR, Dark Trace, Facebook Threat Exchange, IBM X-Force, Slack, ThreatQ, ThreatConnect and more
        Security stack integration partners include: TruStar, Mimecast, Splunk, Demisto, ThreatQuotient, Phantom, Anomali, ThreatConnect, QRadar, ArcSight and more
      • Ensure easy and fast remediation actions that are built into risk platform and can be invoked within individual alerts
        All available remediation actions are built into each alert - take immediate action. Options include request takedown, email user, assign to user, whitelist/block perpetrator, set to reviewed/closed, escalate, hide/delete content, lock account, mark not helpful
        Remediation with takedowns are offered, but are manual in nature, requiring a request be submitted and acted upon within a defined SLA
        Managed Takedown Service is available, but expensive and limited to domain-specific use cases and is outsourced to a 3rd party (FraudWatch). Additionally, includes playbooks for remediating risk and managed/templated takedown options
      • Provide a managed takedown option to remove offending and fake accounts, domains, and content that violates network terms of service. This should minimally include validating violations, gathering evidence, submitting requests, and reporting results
        ZeroFox Takedown-as-a-Service™️ provides a complete 24x7 takedown managed service operating on behalf of the customer. ZeroFox has the expertise, technology, and established network relationships to achieve rapid takedown at scale, conducting over 150,000 takedowns annually
        Only available via costly third-party option (via FraudWatch). Some ISP relationships (NameSilo, Cloudflare, Hurricane Electric, Contabo) for takedown request processing
        Managed Takedown services offer remediation for phishing/malicious domains, malicious or impersonating mobile apps, brand abuse violations (such as social media impersonations), malware distributing URLs, and impersonating emails. Domain takedowns are only available via costly third-party option (via FraudWatch)
      • Track and provide remediation performance metrics to measure remediation and takedown effectiveness
        Social media, mobile app, and paste site issues validated and resolved in under 6 hours. Domains validated and takedown requested with mean time to submission under 1 hour. 97% takedown success* (*varies per period)
        Not available. Support request response during business hours typically 1 hour or less. No takedown metrics
        Claims timely takedowns through combination of automation and manual human involvement. Response in some cases less than 2 hours (but typically one business day or more and not available 24x7)
      • Avoid malware propagation and data leakage with real-time content moderation for owned accounts
        Provides offensive or unauthorized content and malicious link removal from content posted within owned properties including social posts, owned review forums, Slack channels, and email attachments
      • Provide transparency to remediation and takedown status, tracking status change and history
        Complete transparency into Takedown requests including status, request date, number of submission attempts, duration, offense source
        Only through FraudWatch
        Track the status of takedown requests and interact with team of experts
    With over 150k takedowns per quarter, don’t just identify attacks, disrupt attacker infrastructure
      • Allow SOC Managers and Execs to see summary health, status, and trends from main dashboard, and easily drill into data for details
        ZeroFox dashboard summarizes top alerts, data sources, top attacked entities and overall health, along with research highlights, with hyperlinked data to drill down to details
        Out-of-the-box SOC-style dashboard views include enrichment, correlation and alert dashboards. There are also several watch list and global threat views available. Global views include Vulnerability Risk, Ransomware, Cyber Espionage, Banking and Payments, Merchants and POS, ICS/SCADA, etc.
        Cloud-based web portal dashboard provides views in four key areas: asset configuration, data source monitoring and collection, analysis and risk Identification, and remediation. Threat intelligence portal provides a timeline view of various threats and vulnerabilities
      • Provide adequate detail within UI pages to minimize the number of required 'screens' and allow related workflow operations to occur directly within relevant page(s). Provide for filtering of menus/displays, and auto-form completion and/or suggested pull downs
        ZeroFox web UI includes tabbed portal key screens for entity configuration, policy and rule creation, alert viewing, reporting, remediation and research. Each sub-screen has action buttons that guide applicable next steps
        UI is reportedly clunky and only for advanced SOC analyst users. Has SSO (G Suite only), 2FA. Intelligence Cards correlate information
        Platform UI is not very user friendly and may require an expensive analyst to operate. There is a noticeable lack of visibility on what is being monitored and service can be buggy and slow at times
      • Allow for real-time, anywhere access and interaction with the system for situational awareness and action
        ZeroFox Mobile App for iPhone/Android allows instant viewing of critical alerts and ability to issue takedown requests on the spot. Also allows access to threat research
        Receive real-time alerts, review the security intelligence news, and look up indicators directly from mobile phone (iOS or Android) with the Recorded Future mobile app
      • Provide out-of-the-box reports for various users / stakeholders of the platform
        ZeroFox provides role-based reports for executive summary, CorpSec location and executives, marketing brand, SOC analyst, technical and other key system elements such as alerts and takedowns
        Has RBAC for both reports and dashboards (which are customizable and filterable)
        Includes support for role-based access control (RBAC)
      • Price products and services in a straightforward, easy-to-understand manner that is applied consistently, openly, and fairly
        ZeroFox pricing is based on protected entities and remediation actions which matches price to value delivered without any mystery
      • Allow flexible configurability within pricing packages - to buy only what is needed and grow over time
        ZeroFox pricing allows customer to start small and grow - and buy only what is required. The 'a-la-carte' style menu offers ultimate flexibility
        Licensing is based on threat feeds, and per analyst-user (basic, advanced). Includes finished Threat Intelligence, with additional charges for analyst-on-demand services (custom research)