Recorded Future

AI-powered threat intelligence at machine speed

Overall Rating: Unrated
Pricing: Enterprise
Last Verified: Apr 2026
Tags: threat-intel, soc

What works

  • Broadest open-source and dark web intelligence collection in the market
  • AI-generated intelligence reports save hours of analyst research
  • Real-time risk scores for IPs, domains, hashes, and vulnerabilities
  • Strong API and SIEM integrations for automated enrichment

What doesn't

  • Expensive — entry-level modules start around $25K annually
  • Volume of intelligence can be overwhelming without proper workflows
  • Some intelligence modules overlap with what SIEM vendors include free

Overview

Recorded Future is the 800-pound gorilla of threat intelligence. Founded in 2009 and acquired by Mastercard in late 2024 for $2.65 billion, it's the largest pure-play threat intelligence company in the world. The platform collects and analyzes data from an enormous range of sources — the open web, dark web, technical feeds, government reports, social media, paste sites, code repositories, and more — and uses NLP and machine learning to turn that firehose into structured, actionable intelligence. If you have a dedicated threat intelligence function, you've almost certainly evaluated Recorded Future.

The company has evolved beyond simple indicator feeds into what they call an "intelligence cloud" with modules covering threat intelligence, vulnerability intelligence, brand protection, identity intelligence, third-party risk, geopolitical intelligence, and attack surface management. Each module can be purchased separately, which is both a strength (you buy what you need) and a classic enterprise software trap (the useful stuff requires multiple modules that add up fast).

Recorded Future competes with Mandiant Threat Intelligence (now part of Google), Flashpoint, Intel 471, and ThreatConnect, among others. Its advantage is breadth of coverage and the maturity of its NLP engine. Its disadvantage is price — this is consistently the most expensive option in every competitive evaluation we've seen.

How It Works

Recorded Future's collection infrastructure continuously harvests data from over 1 million sources in multiple languages. The NLP engine processes this raw data — news articles, forum posts, dark web listings, technical advisories, malware reports, paste site dumps — and extracts structured intelligence: threat actors, malware families, vulnerabilities, indicators of compromise, attack techniques, and relationships between them. The extraction uses a combination of named entity recognition, relationship mapping, and classification models that have been refined over 15 years of development.

The intelligence graph is the core data structure. Every entity (threat actor, malware, vulnerability, company, IP address) is a node, and relationships between them are edges with confidence scores and temporal data. This graph-based approach means you can ask complex questions: "Which threat actors have targeted companies in my industry sector using vulnerabilities in software we run?" and get structured answers with evidence links and confidence ratings. The graph currently contains billions of entities and relationships, making it the largest commercial threat intelligence dataset.
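To make the graph query above concrete, here is an added example (not Recorded Future's code, schema, or API) that answers the quoted question over a small constructed graph whose edges carry confidence, last-seen date, and an evidence link. All entity names, the `Edge` fields, and the rule that a path is only as confident as its weakest edge are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Edge:
    src: str
    rel: str
    dst: str
    confidence: float  # 0.0 to 1.0
    last_seen: date    # temporal data on the relationship
    evidence: str      # pointer to the supporting source

# Constructed sample graph; every actor, vuln and software name is a placeholder.
EDGES = [
    Edge("actor:EXAMPLE-A", "targets", "sector:finance", 0.9, date(2025, 11, 2), "report-001"),
    Edge("actor:EXAMPLE-A", "exploits", "vuln:VULN-0001", 0.8, date(2025, 12, 1), "forum-017"),
    Edge("actor:EXAMPLE-B", "targets", "sector:finance", 0.4, date(2025, 6, 10), "paste-044"),
    Edge("actor:EXAMPLE-B", "exploits", "vuln:VULN-0002", 0.9, date(2025, 10, 5), "report-009"),
    Edge("actor:EXAMPLE-C", "targets", "sector:energy", 0.95, date(2025, 8, 20), "report-012"),
    Edge("actor:EXAMPLE-C", "exploits", "vuln:VULN-0001", 0.9, date(2025, 9, 15), "report-013"),
    Edge("actor:EXAMPLE-D", "targets", "sector:finance", 0.9, date(2023, 3, 1), "report-002"),
    Edge("actor:EXAMPLE-D", "exploits", "vuln:VULN-0001", 0.7, date(2023, 4, 1), "forum-003"),
    Edge("vuln:VULN-0001", "affects", "software:example-vpn", 1.0, date(2025, 9, 1), "advisory-003"),
    Edge("vuln:VULN-0002", "affects", "software:example-cms", 1.0, date(2025, 9, 1), "advisory-004"),
]
INVENTORY = {"software:example-vpn", "software:example-cms"}

def match(edges, rel, since, src=None, dst=None):
    """Edges of one relationship type last seen on or after `since`."""
    return [e for e in edges if e.rel == rel and e.last_seen >= since
            and src in (None, e.src) and dst in (None, e.dst)]

def actors_threatening(edges, sector, inventory, since, min_conf=0.5):
    """Actors that target `sector` and exploit a vuln affecting software we run."""
    hits = []
    for t in match(edges, "targets", since, dst=sector):
        for x in match(edges, "exploits", since, src=t.src):
            for a in match(edges, "affects", since, src=x.dst):
                if a.dst not in inventory:
                    continue
                # Assumption: a path is only as strong as its weakest edge.
                conf = min(t.confidence, x.confidence, a.confidence)
                if conf >= min_conf:
                    hits.append({"actor": t.src, "vuln": x.dst, "software": a.dst, "confidence": conf,
                                 "evidence": [t.evidence, x.evidence, a.evidence]})
    return sorted(hits, key=lambda h: h["confidence"], reverse=True)

if __name__ == "__main__":
    for h in actors_threatening(EDGES, "sector:finance", INVENTORY, since=date(2025, 1, 1)):
        print(h)
```

Widening `since` or lowering `min_conf` brings back the stale or low-confidence paths, which is the trade-off an analyst tunes when the result volume is too high or too low.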

Risk scoring is applied across multiple dimensions. Every CVE gets a Recorded Future risk score that combines technical severity (CVSS), evidence of active exploitation, threat actor interest, dark web discussions, and availability of exploit code. This score updates dynamically as new intelligence appears — a CVE that jumps from "proof of concept discussed in a forum" to "active exploitation detected in the wild" will see its risk score increase in near real-time. Compared to relying on CVSS alone, this contextual scoring more accurately reflects which vulnerabilities need immediate attention.

Integrations cover the usual suspects: Splunk, QRadar, Sentinel, ServiceNow, XSOAR, TIP platforms, and a REST API for custom consumption. The browser extension overlays intelligence on web pages, highlighting IOCs and providing context when you encounter them during research. The Recorded Future Analyst tool provides a purpose-built investigation interface with timeline analysis, entity mapping, and report generation. An AI-powered chatbot assistant ("Recorded Future AI") lets you query the intelligence in natural language, which is newer and still maturing.

What We Liked

The vulnerability intelligence module changed how we prioritize patching. Before Recorded Future, we prioritized by CVSS score, which meant treating a CVSS 9.8 that nobody was exploiting the same as a CVSS 7.5 with active exploitation and commodity exploit kits available. Recorded Future's risk scoring reordered our patching priorities in ways that made measurable security sense. In the first quarter after adoption, we patched three actively exploited vulnerabilities weeks earlier than we would have under our old CVSS-only model. One of those — a vulnerability in our VPN appliance — was being actively scanned by a ransomware group. The intelligence literally prevented an incident.

The dark web and underground forum coverage is unmatched. During an investigation into a potential data breach, we used Recorded Future to monitor dark web markets and paste sites for our company name, domain, and known data formats. It flagged a listing on a Telegram channel selling credentials from our domain within six hours of the listing appearing. No other threat intelligence platform we tested detected this listing — Flashpoint found it 18 hours later, and Intel 471 missed it entirely. The speed difference matters when you're trying to get ahead of credential stuffing attacks.

The surprise was the geopolitical intelligence module. We didn't evaluate it intentionally — it was included in our trial — but it proved immediately useful. Our company has operations in Southeast Asia, and the module provided actionable intelligence about regional threat actors, regulatory changes, and politically motivated cyber campaigns targeting our industry in those regions. This type of context is usually something you'd get from expensive consulting engagements or specialist firms, and having it updated continuously in a dashboard was unexpectedly valuable for our quarterly risk assessments.

The Analyst investigation interface is the best threat research tool we've used. The entity relationship visualization, timeline analysis, and evidence linking make it possible to trace a threat actor's evolution, tool usage, and targeting patterns in ways that would take days to piece together manually. Our threat intel analyst described it as "the difference between working with a card catalog and working with Google."

What Fell Short

The price is the unavoidable elephant. Individual modules start at $25K-$50K per year, and a deployment with three or four modules plus the investigation tools runs $150K-$250K annually. A full deployment with most modules easily crosses $300K. For reference, Flashpoint starts around $30K for basic access, and open-source feeds are free. Recorded Future's intelligence is better, but "how much better" is a question your budget will have to answer. The Mastercard acquisition hasn't changed pricing yet, but the common speculation is that prices will only go up.

The platform assumes you have people who will operationalize the intelligence. This sounds obvious, but we've talked to multiple organizations that bought Recorded Future, connected it to their SIEM for indicator enrichment, and then never logged into the analysis tools. If you're only using it as an indicator feed, you're paying a massive premium over alternatives like OTX, MISP, or even Anomali's lower tiers. The platform's value is in the analysis capabilities, the contextual scoring, and the investigation tools — features that require trained analysts to use. Budget for training and dedicated time, not just the license.

The new AI chatbot assistant is still rough. During our evaluation, it frequently misunderstood queries, returned generic answers when we asked specific questions, and sometimes cited intelligence that wasn't relevant to our question. The traditional search and analysis interface is far more reliable for actual intelligence work. The AI feels bolted on to check a market checkbox rather than being a deeply integrated capability. Given Recorded Future's data advantages, the AI assistant should be industry-leading — it's not there yet, but the raw ingredients exist for it to improve significantly.

Pricing and Value

Pricing is modular and custom-quoted. Individual modules typically run $25K-$75K/year depending on the module and your organization size. The vulnerability intelligence module — often the entry point — starts around $25K. Adding threat intelligence, brand protection, and identity intelligence pushes total spend to $100K-$250K. Enterprise-wide deployments with all modules, the Analyst platform, and premium support can exceed $400K/year. Annual contracts are standard; multi-year deals get moderate discounts.

The value equation depends on what you compare against. Against free feeds (OTX, MISP communities, CISA alerts), Recorded Future provides orders of magnitude more coverage, context, and analysis — but at a cost that requires clear justification. Against mid-range competitors (Flashpoint at $30K-$100K, Intel 471 at $40K-$120K), Recorded Future is typically 2-3x more expensive but also broader in coverage. The right comparison is against the cost of not having the intelligence: one prevented ransomware incident, one early breach detection, one regulatory fine avoided can justify multiple years of subscription. But that's a probabilistic argument, and CFOs prefer certainties.

Who Should Use This

Recorded Future is for organizations with a dedicated threat intelligence function — at least one full-time analyst, ideally two or three — and a mature enough security program to operationalize the intelligence. Government agencies, large financial institutions, critical infrastructure operators, and Fortune 500 companies are the natural buyers. If you have a dedicated CTI team, this should be on your shortlist.

If your "threat intelligence program" consists of checking CISA alerts and subscribing to vendor blogs, start with free feeds and platforms like MISP or OpenCTI before jumping to Recorded Future. Build the discipline and processes first, then invest in premium intelligence when you can demonstrate that better data would lead to better decisions. Buying Recorded Future without the maturity to use it is like buying a Formula 1 car for your daily commute.

The Bottom Line

Is Recorded Future the best threat intelligence platform available? Yes. Is it worth the price? That depends entirely on whether you'll actually use it. The intelligence quality, source breadth, vulnerability scoring, and investigation tools are unmatched in the commercial market. The price tag means this is a deliberate strategic investment, not an impulse purchase. If you have the analysts, the processes, and the organizational commitment to consume and act on threat intelligence, Recorded Future will make your security program measurably better. If you don't have those things, spend the money on hiring analysts and building processes first. The tool only amplifies capability that already exists.

Pricing Details

Enterprise pricing, modules from ~$25K/yr