Buyer's Guide
Threat Intelligence Platforms
September 2022
Get our free report covering Recorded Future, Intel 471, Digital Shadows, and other competitors of Cybersixgill Investigative Portal. Updated: September 2022.
634,590 professionals have used our research since 2012.

Read reviews of Cybersixgill Investigative Portal alternatives and competitors

Manager of Cyber Intelligence Center at a consultancy with 10,001+ employees
Real User
Top 5 Leaderboard
Enables us to collect information from various sources very rapidly, while significantly reducing our workload
Pros and Cons
  • "They also provide some of the greatest notification capabilities. I put in a customer's company name and domain names, or sometimes I put in their IP addresses as a keyword. Once Sixgill collects information that includes those keywords, they then provide us email notifications. That means we can catch information related to our customers as soon as possible."
  • "Sixgill has strong capabilities based on search queries, but there is some difficulty in using Sixgill. Their querying is very powerful but it can be difficult. It's not hugely complex but you need some skill to use Sixgill querying."

What is our primary use case?

We have two use cases. We are providing intelligence and services regarding cyber threats against our clients. Our service covers information from open sources and also the dark web. It's in that context that we are using Sixgill.

For example, we have a credit card issuing company as a client. We use Sixgill to collect information regarding illegal credit card information which is sold on the black market. Sixgill covers many dark web markets, including the dark credit card market as an information source. That means we can easily find our customer's credit card information from Sixgill. We also use their API capability to collect credit card information.

How has it helped my organization?

Sixgill is very useful for influencing our clients' operations. By using Sixgill we can collect information from various sources very rapidly. It's really important for us and our customers as a way to improve our CTI operations and their operations.

In addition, by using Sixgill we have significantly reduced our operations workload. If we didn't use Sixgill, we would have to log in to each dark web forum and many other platforms. Using Sixgill we can search the entire area of platforms by entering one query. It significantly reduces our workload.

In terms of the amount of investigation time it's saving us, before using Sixgill it was very hard for us to find indications at all. So it's very difficult to compare. But if I were to approximate the difference, if I conducted research manually it would take one week, but by using Sixgill it takes two hours or three hours. It's a very large reduction. Finding indications, and the reduction in time it takes to do so, has resulted in a very huge cut in our workload.

Our open source research is mainly based on security news. It's not a problem for us. We sometimes use Sixgill in combination with open sources because sometimes serious vulnerabilities are reported in security news sources. But sometimes our clients ask us, "Is this a serious threat or not?" or "What is the dark web cyber criminals' reaction regarding this vulnerability?" We use Sixgill to ask such questions.

What is most valuable?

One of their strong points is flexibility. That means that once I log in to the Sixgill portal, I can search anything with a specific enquiry. Sixgill provides dark web information based on the search query. By using a combination of the queries, we can exclude various information. It's a very powerful feature of Sixgill.

Regarding the solution's scope, they already provide many things, and they are gradually extending their coverage. They also cover Twitter, Reddit, and some social media. The only thing they don't cover is security news from open sources.

They also provide some of the greatest notification capabilities. I put in a customer's company name and domain names, or sometimes I put in their IP addresses as a keyword. Once Sixgill collects information that includes those keywords, they then provide us email notifications. That means we can catch information related to our customers as soon as possible. Sometimes threat actors share vulnerable website leaks, and if one contains a client's assets, we can catch it quickly and notify the client.

Sixgill also provides threat actor analysis capabilities. When we catch some information regarding a client, such as when some dark web forum member mentions a client's asset, before we report it to the client we conduct a threat actor analysis. Not all members of dark web forums are serial cyber criminals. There are also some kids. Sixgill's threat actor analysis capability provides us with that threat actor's reputation on the forum and helps us know whether a post is very serious or not. We can understand who the threat actor is and whether he is a serious hacker or not. It's very useful information.

What needs improvement?

There are no major issues with Sixgill, but the most important ability of a service such as Sixgill is their coverage of information sources. They are continuously adding dark web sites. I don't have a specific request regarding their dark web sites, but I want them to continuously add information sources.

For how long have I used the solution?

I have been using Sixgill Investigative Portal for more than four years.

What do I think about the stability of the solution?

The portal is very stable.

What do I think about the scalability of the solution?

Scalability is excellent. There's no limit to how many clients' information we can register.

How are customer service and technical support?

We use their portal site to get technical support, and Sixgill's customer engagement team frequently provides us with new updates or with important information about our clients. We can also contact them through email.

Which solution did I use previously and why did I switch?

Currently we don't use any solutions that are similar to Sixgill.

How was the initial setup?

It's a SaaS service, so implementation of Sixgill is not difficult. The deployment didn't take too long. They set it up for us within one week. On our side it was my manager and I who were involved in the setup. And the SaaS means we don't need staff to maintain it. On that side, staff is involved only if we need to contact Sixgill, so one person is enough.

Sixgill has strong capabilities based on search queries, but there is some difficulty in using Sixgill. Their querying is very powerful but it can be difficult. It's not hugely complex but you need some skill to use Sixgill querying. 

I have been using Sixgill for more than four years so I know what to expect as the result of the queries, but a beginner might find some difficulty in excluding things from the results and getting what they want. Because Sixgill querying is very flexible, sometimes it returns unexpected results.

We have three staff members using it, all security researchers.

What was our ROI?

If we had to conduct the research that we do with Sixgill ourselves, we would have to hire three or four people to maintain our code and the quality of our CTI service. Sixgill is a significant factor in cutting our costs.

What's my experience with pricing, setup cost, and licensing?

The pricing is cheap compared with Recorded Future. Sixgill's cost-effectiveness is very good.

Which other solutions did I evaluate?

I have some prior experience with competitors of Sixgill, such as Recorded Future, IntSights, and FlashPoint. I have also tested some similar solutions.

Compared with other solutions, Sixgill's main strength is flexibility. Other solutions, such as Recorded Future and FlashPoint, sometimes have difficulty receiving load information. Load information means what is actually posted on a forum. By using Sixgill I can get exact information from posts on underground forums. Some of the other solutions lack information. That is why I use Sixgill, after comparing it with those platforms.

What other advice do I have?

We first had to establish what it was we really needed to know. That was very important. Sixgill, Recorded Future, and other CTI platforms provide a lot of information. If we didn't have some specific requirements for this information, we wouldn't be able to find the information that is important to us, in the flood of information.

I would rate Sixgill at eight out of ten. It's a very good solution.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

Lead Cyber Threat-Intelligence Analyst at an educational organization with 10,001+ employees
Real User
Top 20 Leaderboard
Provides early detection of imminent attacks, and speeds up addressing of vulnerabilities internally because it makes them real
Pros and Cons
  • "The solution’s approach of using limited open source intelligence and focusing, instead, on the Deep Web and Dark Web is what seals the deal. That is why I like them. I have other tools that I can aggregate all the open source intelligence from. I value Cybersixgill because it provides access to things that no one else does."
  • "Regarding their scraping abilities, things could be solidified. There are definitely improvements that could be made on the specificity for setting certain queries."

What is our primary use case?

Cybersixgill is a tool that allows you to monitor your organization's exposure to cyber criminals and threats by what I would call scraping Dark Web and underground hacker forum sites.

It's not on-premises. It's a service that's offered by Cybersixgill.

How has it helped my organization?

I'm a cyber threat intelligence analyst. This is what I do. The scope of Cybersixgill is about 20 percent of my job. For me, personally, and the organization, there has been immense benefit because it has given me early detection of imminent attacks, but not just against my organization. We have also been able to help other organizations, based on the attacks that are being launched against our vertical, meaning companies and organizations that fit our profile.

It also enables us to do advanced analysis, such as threat-actor profiling. Being able to do advanced threat-actor network analysis allows us to take a higher view of an imminent attack and possible exploitation of vulnerabilities. That's helpful because it informs us about what's about to be exploited—what these criminals are looking for, what the threat-actor might be exploiting against the vertical itself.

In addition, it has reduced our security workload. I was a one-man shop for the first two years. It's hard to put a number on it, as I would have to gain access to the sources and translate the forum. I would have to create a scraper, myself. I would estimate it saves me up to 20 hours a week. They have a good thing going.

What is most valuable?

One of the most valuable features is the ability to be alerted to any possible imminent attack, or mention of your organization by a possible attacker.

It is also of the highest importance that it runs on a collection of Deep Web, Dark Web, and closed sources. This tool is a must for any organization that has a large footprint. The solution’s approach of using limited open source intelligence and focusing, instead, on the Deep Web and Dark Web is what seals the deal. That is why I like them. I have other tools that I can aggregate all the open source intelligence from. I value Cybersixgill because it provides access to things that no one else does. And the tool is configured to do this in a way that provides advanced analysis. That is one of the main values that it provides. They are not just aggregating open source news and feeds, they're actually gaining access to real intelligence.

The size and scope of the solution's collection are pretty impressive. I am impressed with the ease through which the tool allows you to track threat actors who are likely to target you, on a variety of underground forums which are closed. These are sources that would require a solid effort to infiltrate. The automatic translation of any exchange within the platform makes it the most expedient solution for automated threat intelligence and chatter monitoring.

Cybersixgill has also enabled us to access sources which we have not seen anywhere else. They have access to closed forums that I don't want to mention, but that access is important because it's not available anywhere else.

What needs improvement?

They're a newer company, so they're working on their UI a lot. Sometimes the UI is a little glitchy. They're working on different things and making efforts, so that's totally forgivable.

But regarding their scraping abilities, things could be solidified. There are definitely improvements that could be made on the specificity for setting certain queries. 

Step-by-step videos would be useful, instead of a book of instructions, because they're a new tool. They're now getting to the point where video training would be useful, or even live training. More digestible video instructions or opportunities for training, so that you actually learn hands-on, would help.

For how long have I used the solution?

I have been using Cybersixgill Investigative Portal for a year and a half.

What do I think about the stability of the solution?

It's very stable.

What do I think about the scalability of the solution?

Scalability is not really applicable. The only integration that I've found has been with my Anomali Threat Intelligence Platform. I'm not even sure that you would want it to scale.

They could improve, perhaps, some SIEM ingestion and the ability to integrate with other tools carefully. But this is a different tool and that's why I like it. It's not solely a technical intelligence tool. You're essentially spying on exchanges. Perhaps some level of implementation with other security solutions, or some level of automation with other security solutions would be helpful.

We're leveraging it to provide value to the incident response team, to the governance and compliance team, to the access management team, and to the vulnerability assessment team. We're leveraging it for a lot. As for expanding our usage of it, we're planning on trying to find ways to automate some of the inter-group alerting and use of the tool.

How are customer service and technical support?

Their technical support was responsive, but they have not achieved a solution yet for the problem that I was having. The issue that I was having goes beyond just tech support.

Which solution did I use previously and why did I switch?

Before Cybersixgill, I would use open source tools and my own access to Dark Web forums. I would use GitHub tools and my own investigation on Dark Web forums, and it would take an enormous amount of time. Once I found this solution, I saw that I can do it all within one platform, easily.

How was the initial setup?

The initial setup was straightforward. You just upload the IPs, the domains, and the keywords that you want them to look out for, the ones that are indicative of mentions of your organization, and you're ready to go.

Setting up recurring queries and tracking of threat actors can only happen once you see who's going after you, but the initial setup of the tool can be done within hours.

In our company there are two of us who use the solution, both of us in threat intelligence.

What was our ROI?

I've seen an incredible return on the investment, in the form of time-savings and extremely valuable alerting on infrastructure attacks against us, alerts that I would not have seen if it wasn't for them.

There is also value in our ability to help other organizations that are not as fortunate as we are, organizations that are in our vertical. That has actually put our organization in an extremely good light.

In addition to the reputational, time-savings, and security advantages, there is a cultural advantage, in a way. This is important and is possibly something that we would not think about. It is difficult for large organizations to have patching and addressing of vulnerabilities in an expedited way, when they're dealing with multiple IT departments. But when the threat intelligence team is able to provide the exact time and way in which something is going to be exploited, based on screenshots of forums that detail the targeting, and based on real-life examples of how they do it—the kind of intelligence that we're able to generate because of Sixgill access—it makes patching and addressing of vulnerabilities a lot faster, because it makes them real.

What's my experience with pricing, setup cost, and licensing?

The pricing given to us is excellent.

Which other solutions did I evaluate?

I looked at Recorded Future. The main difference is that Cybersixgill is doing one thing, and one thing extremely well, and that is access to Dark Web forums. 

Recorded Future was too bloated. It had a lot of additional information that was open source. I don't need that. I get that from other places. I needed something that did one thing and that did it extremely well, and that is access to Dark Web, hard-to-find places, and alerting on infrastructure attacks when mentioned in those places. Recorded Future tries to do the job of two tools. I like the fact that Cybersixgill keeps it separate.

And Cybersixgill was incredibly more affordable than them. 

Overall, it was better on several levels: 

  • focus
  • access to specific forums and Dark Web spaces
  • simplicity of use; the UI was easier to use and better to look at 
  • pricing.

What other advice do I have?

My advice is make sure you schedule a walk-through, and then get it.

I have been very vocal about how much this tool has helped. I'm a big proponent of it. When I talk to people and collaborate with people in other organizations and they say, "Oh my God, how did you know that?" I'll tell them I knew because of this tool. Others don't do it as well as these people do. This tool does it better than anybody else, because they have focused on one very specific thing and they do it well. Their level of infiltration of these closed forums, and the backend engineering that they've provided, are better than any other solution.

In terms of conducting deep and complex investigations it would depend on how you define those terms. We don't just do threat-actor tracking. Sometimes we're tracking infrastructure and this is not the tool to do that. This is more of an alerting tool. But within the realms and the scope of what Sixgill was created for, you can actually create some pretty advanced tracking queries and alerting. The alerting is invaluable.

For example, by setting queries to track exfiltration of ransomware gangs that employed the double ransom technique, it can exfiltrate the names of any companies that are being ransomed, before they hit the news. That allows me to cross-reference with our third parties and to tell my CSO that a third party is being compromised. I can tell him that before it even hits the news, and that we need to go into protection mode and assume that there might be potential impact to our organization, based on their compromise and the exfiltration of that data.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.