Threat Hunting Framework Overview

Threat Hunting Framework is the #6 ranked solution in top Threat Intelligence Platforms. PeerSpot users give Threat Hunting Framework an average rating of 9.0 out of 10. Threat Hunting Framework is most commonly compared to CrowdStrike Falcon: Threat Hunting Framework vs CrowdStrike Falcon. Threat Hunting Framework is popular among the large enterprise segment, accounting for 74% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from computer software companies, accounting for 26% of all views.
Buyer's Guide

Download the Threat Intelligence Platforms Buyer's Guide including reviews and more. Updated: October 2022

What is Threat Hunting Framework?

Group-IB is a Singapore-based provider of solutions aimed at the detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services. Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC, while its Threat Hunting Framework has been recognized as one of the leaders in Network Detection and Response.
Group-IB’s technological leadership is built on the company’s 18 years of hands-on experience in cybercrime investigations around the world and 65 000 hours of cybersecurity incident response accumulated in one of the biggest forensic laboratories and a round-the-clock center providing rapid response to cyber incidents — CERT-GIB.
Group-IB is a partner of INTERPOL, Europol, and has been recommended by the OSCE as a cybersecurity solutions provider.

Threat Hunting Framework Reviews

John Rendy - PeerSpot reviewer
CTO at Systema Global Solusindo
High-fidelity cyber incident detection in near real time, enabling proactive and timely mitigation efforts
Pros and Cons
  • "Great automatic correlation of all internal activities."
  • "Monitoring the endpoint could be improved, it requires a huge effort."

What is our primary use case?

The primary use case for this solution is to reduce Mean Time to Detect and Mean Time to Recovery, and to proactively hunt for threats in the internal network with correlated, high-fidelity threat intelligence feeds, automatically.

The solution allows clients to conduct Automated Threat Hunting, which closes the gap between the cybersecurity skillset available in the market and the high level of knowledge required to do such analysis.

How has it helped my organization?

The product has significantly reduced the mean time to detect (MTTD). Usually banks detect a cyber attack months after an incident has happened. This solution allows us to see cyber attacks on a near real-time basis. The advantage is that the response time is much quicker because banks can carry out a prioritized and directed mitigation effort. It closes the gap and saves the bank a lot of money because cyber incidents can be proactively prevented and response mitigation can be carried out much earlier.

What is most valuable?

The most valuable feature is the automatic correlation of all internal cyber activities with the cyber threat intelligence. Threat Hunting Framework provides real-time correlation of all the cyber events and checks them against the Group-IB Threat Intelligence database. Customers can easily conduct automated threat hunting to assess whether their system is susceptible to targeted attacks by cybercrime syndicates.

What needs improvement?

The nature of the system means it has to be implemented throughout the organization. You need to implement it on the network layer, the email layer, the web proxy layer, and also the endpoints. Nevertheless, endpoint monitoring is very challenging due to the lack of an automated method to install the endpoint agents. In one of our customer cases, we have about 40,000 endpoints and we need to have a simplified method of deployment if we're going to implement the endpoint monitoring effectively. Product features also need some improvement in creating custom signatures for detection because that is not open to customers.

For how long have I used the solution?


What do I think about the stability of the solution?

Because the system requires an appliance, reliability and stability can become an issue because we are looking at a network point of failure and at an OS point of failure as well. So in terms of reliability, these kinds of systems need to be placed in a high availability deployment. This solution is the most sensitive in terms of reliability or availability issues. If things are not going well, you need to reboot the systems because of certain issues on the OS, for example. So I might say reliability is around 90 to 95%.

The solution requires preventive and corrective maintenance. You have to pay attention to the storage usage of the sensors before it becomes an issue, because if we don't do preventive maintenance, the system is unable to process once it reaches a certain level of storage. Maintenance and support are pretty intense with this type of solution, because sometimes the update is run on a fairly small bandwidth in the environment and we get a system error and have to reboot or do some troubleshooting.

What do I think about the scalability of the solution?

Scalability is good because the single instance can support multiple sensors. So we can have big sensors that cover around 10 gigabytes per second of traffic ingestion, and that can be scaled up to hundreds of gigabytes. The solution is also implemented at the ISP level to provide visibility on the ISP network, which is typically hundreds of gigabits per second of traffic ingestion. In terms of scalability, there is no doubt that the system could be scaled up. The number of users is not a limiting factor. We can create as many users as we want; at implementation we only had about 10 users that could access the system concurrently.

How are customer service and support?

We have direct communication with technical support so it's real time support and we don't have to open a ticket number and wait several hours to get a response. They are very prompt and responsive.

How was the initial setup?

Whenever we deploy, we have to deploy at least four appliances, and these appliances cannot be simplified because each is for a different purpose. One serves as a sensor, another works as the satellite information platform, one as a sandbox, and another as the main platform to correlate all the information. Then we need to deploy these multiple sensors, and that is quite resource intensive.

We need three to four staff to manage the deployment effectively. It also requires a project manager to align with the network division, cybersecurity division, probably endpoint division, and also email. In these big organizations, there are usually different personnel that handle each of these functions. Deployment is a big project and can take around three to four weeks, minimum. 

What's my experience with pricing, setup cost, and licensing?

The solution is provided on a subscription basis. In terms of pricing, there are several options offered depending on company size, whether it's a high-tier or low-tier bank, so a smaller organization can also afford this kind of solution if combined with a hybrid deployment. There is also an MSSP model for the solution, meaning we only deploy a single sensor and have the instance running on a private cloud.

Which other solutions did I evaluate?

The company checked many different technologies before choosing this solution including all sorts of sandboxing technologies. Once they saw Threat Hunting Framework, the whole direction shifted to that approach because it contains the whole monitoring aspect rather than requiring separate pilot products that work on their own.

What other advice do I have?

Framework is essentially one of the highest orders of cybersecurity to my mind. The idea of Threat Hunting Framework is to understand the cyber path that is affecting the organization. It's not as simple as running a firewall, because you need people who understand the types of attacks and how they move into the organization through their network, their email, or their proxy.

Apart from the technical functionality limitations and those challenges, this solution could easily be one of the best in the market, but there are certain challenges in maintenance and its resource intensity. I rate this solution a nine out of 10.

Which deployment model are you using for this solution?

Disclosure: I am a real user, and this review is based on my own experience and opinions.