Somewhere right now, a security analyst is triaging alerts at two in the morning. Not because threats have multiplied, but because no system can tell them which ones actually matter.
Anomali launched ThreatStream Next-Gen on Tuesday to fix that bottleneck.
The Redwood City firm claims its intelligence platform cuts investigation time to a fraction of traditional workflows, a 300-fold speed-up that the company says was validated across 50 enterprise deployments. Available both as a standalone tool and embedded within Anomali’s Unified Security Data Lake, ThreatStream Next-Gen positions threat intelligence not as background context but as the active decision engine inside security operations. The pitch: stop detecting, start deciding.
Most security platforms answer the question “what happened?” Anomali’s CEO Ahmed Rubaie argues that’s no longer fast enough. “Attackers move fast, targeting identity and exploiting behaviour – often closing windows in hours. We close them faster,” Rubaie explained. “ThreatStream Next-Gen is the intelligence layer that competitors can’t replicate, because it’s not a bolt-on – it’s the core of everything we build, including our current innovation in agentic AI. By owning the decisioning layer between intelligence and action, we give security teams something they’ve never had before: the ability to respond at the speed of threats.”
The release arrives as security operations centres face mounting pressure. Alert volumes continue climbing whilst analyst headcount struggles to keep pace. The result: decision paralysis dressed up as thoroughness, with investigators spending hours stitching context across disconnected tools.
ThreatStream Next-Gen addresses that friction through two deployment paths. Existing ThreatStream customers get the standalone version—an AI-enhanced intelligence platform that connects to their current security stack, delivering prioritisation and case management where analysts already work. For customers running Anomali’s Data Lake, intelligence becomes native to the infrastructure itself, enriching every security event at ingest and surfacing recommended actions without context switching.
Both deployments work with whatever infrastructure teams have in place. That means augmenting a legacy SIEM, replacing it entirely, or unlocking telemetry trapped inside data platforms like Databricks and Snowflake. The mission stays consistent: find what matters, act with confidence.
What sets the release apart is its AI architecture. ThreatStream Next-Gen ships with autonomous triage, scoring, and investigation capabilities—what Anomali calls agentic levels one and two. These functions operate across both standalone and Data Lake deployments, acting on a foundation of operational threat context rather than raw event data alone.
The phased rollout is deliberate. Autonomous response capabilities—levels three through five—remain in active development. Anomali plans to reach full agentic autonomy for ThreatStream Next-Gen by August 2026, with the Data Lake following in 2027. Crucially, the company has built configurable analyst oversight at every stage, a response to enterprise concerns about fully automated security decisions.
Rubaie’s framing is blunt: operational intelligence is what makes agentic AI work. Without structured threat context, automation risks amplifying noise rather than cutting through it.
The platform introduces five capabilities designed to close the gap between intelligence production and action. Priority Intelligence Requirements automate recurring threat monitoring, ensuring consistent coverage of organisation-specific risks without manual analyst intervention each cycle. Command Center provides a live, prioritised threat view—less time triaging noise, more time acting on signal.
Intelligence Search connects indicators, threat models, and campaigns with AI-generated context, compressing investigations that once took hours into minutes. Case Management synchronises investigation and response workflows, preserving context from initial detection through final resolution. Reporting translates technical findings into stakeholder-ready outputs without manual reformatting or lost detail.
Early customer response suggests the decisioning layer resonates. A cybersecurity specialist at a critical public sector organisation described it as “the best platform we’ve seen that allows us to tag our own intelligence, apply confidence ratings, and collaborate with other intel sources to get a clearer picture of attacker infrastructure at play in cyberattacks.”
A security leader at a $30 billion U.S. retailer noted that “Anomali has changed how we utilize threat intel data. It’s the foundation of our cyber fusion approach – connecting real-time threat intelligence, operational security, and vulnerability management in one place.”
For one global financial institution, the value came from unlocking dormant data. “We had years of telemetry we couldn’t make useful. The moment we embedded ThreatStream into the Anomali Data Lake, that data became an intelligence asset – our analysts stopped chasing false positives and started doing the work they became security professionals to do,” the CISO explained.
Anomali has spent the past five years building operational intelligence into a full security operations platform. The company serves Fortune 500 enterprises and government organisations worldwide, operating from its California headquarters with offices across Europe, the Middle East, and Asia Pacific.
The competitive landscape is crowded. Threat intelligence platforms compete with SIEM vendors, extended detection and response systems, and a growing class of security data lakes. What Anomali is betting on is that intelligence—structured, contextualised, and decision-ready—becomes the layer that matters most when seconds count.
That 2am analyst is still triaging alerts. The question is whether systems can finally help them decide which ones demand action, and which can wait until morning.
