

Anomali and Devo are competing cybersecurity solutions in the threat intelligence and log management sectors, respectively. Devo holds an advantage with its advanced analytics capabilities, appealing to organizations that prioritize extensive data analysis.
Features: Anomali leverages threat analysis and intelligence capabilities, comprehensive threat detection and response, and strong automation through its API, enabling robust threat intelligence operations. Devo offers powerful data analytics with real-time capabilities, robust Activeboards for visual analytics, and extensive scalability with its cloud-native multi-tenant architecture.
Room for Improvement: Anomali could benefit from enhancing its data set size to compete with broader intelligence databases, improving user interface intuitiveness for novice users, and increasing integration options with external tools. Devo should work on streamlining query complexity for easier use without training, improving the flexibility of alert configurations, and enhancing support for diverse data sources to expand its utility.
Ease of Deployment and Customer Service: Anomali offers straightforward integration with existing security infrastructure, providing seamless threat intelligence implementation. Devo emphasizes flexible deployment options, supported by comprehensive technical support services, tailoring its approach to align with varying organizational deployment needs.
Pricing and ROI: Anomali generally incurs higher upfront costs, but its advanced threat detection capabilities promise a strong ROI. Devo presents competitive pricing structured to deliver significant ROI, particularly for organizations deriving value from its expansive analytics capabilities. Its cost-effectiveness coupled with robust analytics makes it a viable choice for value-driven security solutions.
Analyst productivity has improved significantly, with hours saved because of automation and AI-driven work that Anomali performs.
Anomali provides us with a very cost-effective value compared to the market, and I would rate it ten out of ten for return on investment metrics.
There is a return on investment concerning time and effort saved by 40% after implementing Anomali.
They have strong onboarding and deployment assistance, provide a dedicated technical account manager for large customers, and engage in regular product updates and customer interaction.
The technical support at Anomali is excellent.
It doesn't seem very professional how they're handling support anymore.
I rate the customer support a nine out of ten because of their timely technical guidance and responsiveness during the deployment and troubleshooting periods.
The scalability is massive, allowing us to store millions of indicators.
I believe Anomali's scalability is good; whether it is an organization for ten people or one hundred thousand people, the job a threat intel platform has to do will be the same.
Anomali's scalability is impressive as a mature platform capable of processing large amounts of threat intelligence and indicators of compromise data.
Devo is a unified SIEM solution designed to handle growing log volumes and enterprise-scale monitoring requirements.
From a reliability perspective, Anomali consistently injects threat feeds, works on automation, performs reliable API integrations, and supports enterprise scale globally.
For example, while Microsoft allows ample time for users to adapt to deprecated features, Anomali only gave us three weeks before switching, so they need to be more cognizant of customer use cases from their engineering side.
The good thing is that they have a health check page, and if any issues arise, they notify us.
It is stable and reliable for our security operations.
Combining all aliases into a coherent solution would be beneficial, as we had to review each individual source ourselves.
Anomali should increase their capability to fetch details from various dark web solutions where threat actors post compromised credentials.
Anomali's ability to correlate and integrate different Threat Intel platforms, such as Mandiant and PolySwarm, is another valuable feature, removing duplicacy and enabling the application of specific IOCs across various security controls.
This is particularly evident when dealing with failed login attempts and determining true versus false positives.
UI improvements, a simplified dashboard, or an easier reporting workflow could further improve analyst productivity.
The cost is a little higher compared to other tools such as DataDog or Elasticsearch, so they could work on reducing costs.
Pricing and licensing are good, but the costs for purchasing threat feeds are somewhat complicated and a bit on the higher side.
My experience with Anomali's pricing is that it is higher compared to other open-source alternatives.
My experience with pricing, setup cost, and licensing is that there are not many follow-ups, but once we interacted with the product team or the leadership of Anomali, they managed a lot with us, and it all paid off to reach a conclusion that we would continue with this product.
Regarding integration, Anomali has capabilities to integrate with different downstream applications such as Palo Alto, allowing us to create playbooks to block domains, URLs, or IPs directly within the firewall.
Correlating IOCs with the telemetry data we are ingesting from our data sources allows us to pull monthly reports identifying how many assets and users interacted with malicious content, giving insight into whether communications failed or users accessed restricted content, providing complete visibility of the IOCs traveling throughout our environment.
It aggregates intelligence from hundreds of sources, automatically de-duplicates, applies risk scoring, applies context, and reduces much manual effort.
When they see a spike in a line chart for a failed login, which could be a true or false attempt, they can click that spike, and a table widget on the same active board instantly populates with raw logs of data for those specific failed logins.
When the analyst uses queries to search, it pulls the data quickly, in a second, which aids us greatly with the investigation.
It utilizes 400 days of hot data, allowing queries to run very fast and yield results quicker than other tools in terms of security and SIEM capability.
| Product | Mindshare (%) |
|---|---|
| Anomali | 1.4% |
| Devo | 1.2% |
| Other | 97.4% |

| Company Size | Count |
|---|---|
| Small Business | 4 |
| Midsize Enterprise | 1 |
| Large Enterprise | 14 |
| Company Size | Count |
|---|---|
| Small Business | 9 |
| Midsize Enterprise | 5 |
| Large Enterprise | 12 |
Anomali delivers user-friendly cyber threat intelligence, offering concise insights with robust capabilities for evolving scenarios.
Anomali offers a powerful platform for cyber threat intelligence, allowing organizations to efficiently stream and analyze threat feeds. It excels in threat modeling, prioritizing intelligence, and supporting large-scale automation through its API, fostering a proactive security approach.
What are Anomali's Key Features?Anomali serves as a crucial tool for threat intelligence in industries ranging from finance to healthcare. Organizations stream threat feeds into Anomali to correlate and aggregate data, enhancing security measures and facilitating thorough threat investigations. Its adaptability makes it suitable across different sectors.
Devo offers powerful visual analytics, real-time data querying, and log integration capabilities within a cloud-native, multi-tenant architecture, supporting extended data retention ideal for long-term analysis and compliance.
Devo is recognized for its Activeboards, which facilitate visual analytics. High-speed search capabilities and real-time analytics enable efficient data manipulation and querying. Its multi-tenant architecture supports effective data segregation and customization tailored to distinct business needs, enhancing its value for handling complex log integrations. With extended data retention of 400 days and a cloud-native architecture, Devo is a robust platform for long-term analysis and compliance requirements. Though opportunities exist to improve browser stability on large searches, SOAR integrations, and its parser capabilities, Devo remains essential for incident response and security monitoring, offering centralized data storage and analysis.
What are Devo's most important features?Devo is extensively used in industries focused on incident response and digital forensics, centralizing data for security monitoring across hybrid environments. Organizations benefit from its ability to store and analyze aggregated logs, creating alerts and dashboards to enhance visibility for network and endpoint activities in multi-domain settings.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.