SPARK Matrix™ Q2 2026 Report: Four Cyber Intelligence Leaders (DTIM) in the Softprom Portfolio
News | 05.06.2026
DTIM market transformation in 2026: key findings of QKS Group
The analytical agency QKS Group has published a global study SPARK Matrix™: Digital Threat Intelligence Management (DTIM) Q2 2026. This report captures a tectonic shift in the industry: classical Threat Intelligence Platforms (TIP) focused on IOC aggregation have completely given way to comprehensive ecosystems that manage the full lifecycle of cyber intelligence.
According to analysts' findings, the modern DTIM stack has evolved from simple feed collection to adaptive scoring engines that consider internal asset criticality, the context of real-world cyber campaigns, and vulnerability exploitability. Domains such as Digital Risk Protection (DRP), External Attack Surface Management (EASM), and Dark Web monitoring are actively converging into a single DTIM framework.
QKS Group experts emphasize that defense effectiveness is no longer measured by the volume of collected data, but rather by contextual prioritization and response automation. The focus has shifted toward reducing false positives through the implementation of Agentic AI, machine learning, and human-in-the-loop validation.
Evaluation methodology: key criteria for identifying leaders
QKS Group ranks vendors based on two fundamental categories, each having its own specific weight:
Technological Excellence
- Threat Analysis (20%): the depth of advanced analytical techniques applied to identify patterns, trends, and relationships across disparate threat datasets.
- Data Collection & Aggregation (20%): the ability to efficiently collect and normalize diverse information from OSINT, commercial, and closed sources.
- Threat Intelligence Feeds (15%): access to a wide range of high-quality premium feeds to enhance the depth and breadth of detection.
- Competitive Differentiation Strategy (15%): unique technological advantages of the platform (USPs) and long-term development strategy.
- Operational parameters (30%): real-time monitoring and alerting, integration capabilities (SIEM, SOAR, XDR), architectural scalability, and reporting/compliance alignment.
Customer Impact
- Product strategy & performance (20%): evaluation of product availability and price-to-performance ratio.
- Market presence (20%): evaluation of the revenue, client base, and growth along with presence across key geographical regions.
- User experience (60%): proven record of implementations, ease of deployment, customer service excellence, and unique value proposition.
Based on the results of this comprehensive audit, the statuses of Leader and Strong Contender, which confirm the highest gold standard of the industry, were awarded to four vendors from the Softprom distribution portfolio.

Technical profile of leaders: architecture and capabilities
CrowdStrike Falcon Threat Intelligence
The solution is deployed as a core component of a unified, AI-native cybersecurity platform and represents a deeply integrated threat management system that shifts away from manual analysis toward autonomous threat operations.
- Architectural features: the platform leverages a massive volume of proprietary global telemetry collected by Falcon agents worldwide. A key differentiator is the introduction of Threat AI — agentic AI capabilities designed for autonomous reasoning, proactive hunting, and incident investigation within governed response frameworks.
- Technological functionality: the platform implements an adversary-centric defense model, mapping technical indicators to specific named threat actors, campaigns, and their TTPs (tactics, techniques, and procedures). Dark Web monitoring and automated malware analysis are natively integrated. The solution delivers threat context directly into EDR, XDR, and Identity Security modules without data-movement delays or added tool sprawl.
Trellix Threat Intelligence
The solution provides portfolio-based threat intelligence, combining large-scale global telemetry with instant integration at the Extended Detection and Response (XDR) layer.
- Architectural features: the core of the platform is the ATLAS analytics layer, which processes data from a massive global sensor network across endpoint, email, and network environments. The key technological hub is the Threat Intelligence Exchange (TIE), a proprietary reputation fabric that instantly distributes file, URL, and certificate reputation across all integrated security gateways.
- Technological functionality: Trellix Insights automatically correlates global cyber threats with the specific technologies, vulnerabilities, and configurations of a particular customer, highlighting posture gaps. The TIE module reduces the window between first sighting and global infrastructure containment to milliseconds: once a single node identifies a previously unknown object as malicious, the entire Trellix ecosystem instantly blocks it on the next encounter without waiting for traditional signature updates.
Google Cloud Security Operations (Mandiant Threat Intelligence)
The platform consolidates decades of frontline incident response and breach investigation experience with the world's most sophisticated targeted attacks (APTs), providing clients with high-fidelity, context-rich intelligence verified in active threat environments.
- Architectural features: it operates on top of Google's scalable cloud infrastructure, processing internet-scale telemetry. The platform is fully integrated with generative AI summaries via Gemini for Google Security Operations, enabling instant generation of threat summaries and translating complex technical logs into business risk metrics.
- Technological functionality: the core value lies in investigation-driven, frontline threat intelligence. Intelligence originates directly from real-world intrusions investigated by Mandiant analysts, which ensures exceptional contextual accuracy of indicators (IoCs) and low noise. The service tracks the evolution of campaigns by advanced state-sponsored groups, enriches alerts with vulnerability context, and delivers strategic threat assessments directly to leadership (CISO/Board).
Rapid7 Threat Intelligence
The solution is engineered as an operationalized threat intelligence platform designed not just to deliver feeds, but to immediately translate cyber intelligence into automated defensive actions inside the SOC.
- Architectural features: delivered via Threat Command and embedded modules across the Insight platform. It is natively connected to cloud SIEM (InsightIDR) and SOAR components. Data collection combines curated commercial feeds, the vendor's global telemetry, and open data initiatives (Project Sonar).
- Technological functionality: the platform ingests, normalizes, and enriches indicators with risk context, filtering out irrelevant background noise. The major architectural advantage of Rapid7 is its direct link to detection logic. Threat intelligence immediately updates detection rules and triggers automated response playbooks (alert enrichment, blocklists at network controls, and isolation). The platform offers a transparent licensing model that is not tied to log data volume, which is critical for scaling enterprise infrastructures without unpredictable cost spikes.
Implementing a DTIM strategy with Softprom
The deployment of modern enterprise Digital Threat Intelligence Management systems requires high technological maturity from the information security department. Softprom, as an official distributor of the technological leaders highlighted in the SPARK Matrix™ 2026 report, addresses the challenges of platform adaptation to specific customer requirements:
- Architectural consulting: we help align the capabilities of CrowdStrike, Trellix, Google (Mandiant), and Rapid7 platforms with the current maturity level of your SOC and design a robust threat prioritization strategy.
- Pilot projects (PoC): organization and technical support for testing platforms within a real environment to verify feed scoring quality on your infrastructure.
- Engineering support: assistance from certified engineers in building complex bi-directional integrations between DTIM platforms and your existing security stack (Firewalls, EDR, SIEM, SOAR) to orchestrate end-to-end automated playbooks.
Choosing vendors from the Leaders category of the QKS Group 2026 report is a strategic decision that shifts enterprise cybersecurity from reactive post-event response to pre-emptive digital risk management.
Request an expert consultation and a pilot project scope calculation for CrowdStrike, Trellix, Google Cloud Security, or Rapid7 solutions from Softprom technical specialists by filling out the official form on our website.