GreyMatter Recognized by Forrester Among Notable External Threat Intelligence Providers
Threats are accelerating, and AI is making it easier for adversaries to launch more sophisticated attacks at scale. At the same time, security teams are challenged to cover more ground—fraud intelligence, brand impersonation, exposed credentials, and supply-chain risk—with the same headcount and tooling. Raw IOC feeds and standalone intelligence platforms were never intended to power defense for that reality.
At ReliaQuest, we’ve long believed that threat intelligence only delivers value when it’s embedded into how your SOC operates—powering detections, driving hunts, and triggering threat response. We built GreyMatter around that conviction.
In The External Threat Intelligence Service Providers Landscape, Q1 2026, Forrester describes an external threat intelligence market evolving toward an operationalized, AI-enabled approach—and recognized ReliaQuest among notable providers in this space.
External Threat Intelligence Can't Stay Idle
Most security teams aren’t short on threat intelligence, but they often lack ways to operationalize it. The problem is where the intelligence lives and how it’s used. When it’s consumed in a standalone platform separate from the tools and workflows where detection, hunting, and response happen, it’s harder to act on.
According to Forrester, "gaps in operationalizing intelligence and aligning it to business context are the primary challenge" in the external threat intelligence market. That challenge plays out in SOCs every day. Analysts end up manually translating intelligence into detection rules, cross-referencing IOCs across alerts and tools, and contextualizing findings for their specific environment. Every handoff adds delay. That manual translation layer kills speed.
In 2025, the fastest data exfiltration ReliaQuest tracked took just six minutes. Average SIEM detection time remained at 51 minutes. At that pace, intelligence that isn't operationalized is already too late.
Consider this scenario—a dark web forum is discussing new ransomware TTPs targeting the manufacturing industry. In a siloed model, that intel might sit in a report until it’s pulled for a quarterly analysis. Meanwhile, threat actors move forward with plans shared in the forum, and a manufacturing company on the receiving end of the attack doesn’t find out about it until the incident unfolds in real time. As attackers increasingly use AI to find and exploit vulnerabilities across the open, deep, and dark web, security leaders need to drastically reduce the time between collecting intelligence and acting on it.
Threat intelligence has to be embedded into the operational core of the SOC so it can continuously inform detections, hunts, and response.
How GreyMatter Operationalizes Integrated Threat Intelligence
Within GreyMatter, threat intelligence is continuously collected from deep, dark, and open web sources through proprietary collection systems and human-led research. That intelligence is correlated against assets, identities, vulnerabilities, and IOCs in a unified model—the foundation GreyMatter's Agentic Teammates use to take action.
Forrester notes that "usable intel data is rich in context and delivered in machine-consumable formats that map directly to detections, response playbooks, and threat-hunting workflows." That's how GreyMatter delivers intelligence to the SOC.
Because threat intelligence is embedded at the platform level, the Agentic Teammates can autonomously:
Build and tune detections as new IOCs and TTPs emerge, updating rules across your SIEM and EDR tools without waiting for manual engineering cycles.
Kick off targeted threat hunts based on emerging threat actor activity, campaign patterns, or newly exposed infrastructure relevant to your environment.
Execute automated response playbooks that scope impacted identities, contain compromised assets, and initiate remediation within minutes of a signal surfacing.
GreyMatter also natively converges threat intelligence with digital risk protection and attack surface discovery. When executive credentials appear in a stealer log or a fraudulent domain impersonating the brand is identified, those signals feed directly into the same operational model—triggering detection, investigation, and response through integrated workflows. That kind of convergence is where the threat intelligence market is headed—GreyMatter was built to operate this way from the start.
What Forrester’s Market Perspective Highlights
Forrester's report highlights three dynamics shaping the external threat intelligence market.
1. Main trend: Agentic AI being embedded into threat intelligence workflows to improve effectiveness and efficiency.
How we believe GreyMatter fits in: GreyMatter's Agentic Teammates leverage over 200 agent skills and 400+ AI tools to operate across threat intelligence workflows autonomously. The Threat Intel Teammate conducts research across the open, deep, and dark web and 57+ threat intelligence feeds to generate real-time threat reports tailored to a customer's specific environment. Together, the Agentic Teammates autonomously investigate and respond to 100% of alerts across 250+ technologies with 99.4% accuracy—more than 74 million times a year.
2. Primary challenge: Gaps in operationalizing intelligence and aligning it to business context.
How we believe GreyMatter fits in: GreyMatter closes the operationalization gap by correlating external intelligence against a customer's assets, identities, vulnerabilities, and IOCs in a unified model—then acting on it. The Detection Engineering Teammate reduces time spent on manual detection engineering by 70%, building, tuning, and deploying rules from natural language prompts.
3. Top disruptor: AI systems and applications that meaningfully enhance threat intelligence capabilities.
How we believe GreyMatter fits in: AI enhances every stage of the intelligence lifecycle within GreyMatter, from collection through response. GreyMatter customers contain threats in less than 5 minutes, and in a commissioned Total Economic Impact™ study of ReliaQuest GreyMatter, Forrester Consulting found that GreyMatter reduces Mean Time to Resolve by 75% for a composite organization based on interviewed ReliaQuest customers.
In one case, when Scattered Spider TTPs emerged, GreyMatter deployed seven detection rules across all customers in a matter of days—turning isolated threat research into network-wide protection.
To us, Forrester's market perspective confirms what we've seen operating across enterprise SOCs: the future of threat intelligence is operationalized, AI-driven, and embedded into the security operations lifecycle from collection through response.
GreyMatter makes that operational reality possible—giving security teams the foundation to detect, investigate, and respond before adversaries can execute.
Read the full Forrester report to see how the external threat intelligence market is evolving.
Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. This report is part of a broader collection of Forrester resources, including interactive models, frameworks, tools, data, and access to analyst guidance. For more information, read about Forrester’s objectivity here .
