Anomali Unveils ThreatStream Next-Gen with AI Triage Capabilities

By Artūras Malašauskas, May 06, 2026. 4 min read.
Anomali has launched ThreatStream Next-Gen, an intelligence platform claiming 300x faster investigation workflows across 50 enterprise deployments with autonomous triage and agentic AI features.

Somewhere in a security operations center right now, an analyst is staring at a screen at 2 a.m., trying to determine which alert actually matters. Anomali is betting that this scenario will become less common with its new ThreatStream Next-Gen platform, announced May 5, 2026. The company claims the product delivers intelligence-driven decisioning at 300 times the speed of traditional investigation workflows, validated across 50 enterprise deployments.

The release comes as security teams increasingly struggle not with data collection, but with the actual work of deciding what to do next. Anomali's official press release details five new capabilities designed to bridge the gap between raw threat intelligence and actionable response. Priority Intelligence Requirements automate recurring questions. A Command Centre provides live, prioritized threat views. Intelligence Search connects indicators with AI-generated context. Case Management keeps investigations synchronized. Reporting tools translate technical findings for stakeholders without manual reformatting.

There are two deployment models available immediately. Existing ThreatStream customers can adopt the standalone platform with AI-driven prioritization and case management. Customers using the Anomali Data Lake get an embedded version that enriches events at ingest and connects activity across the broader security dataset. The software works with existing infrastructure—whether organizations keep their SIEM, replace it, or use telemetry stored in platforms like Databricks or Snowflake.

The agentic AI component is where things get interesting (and where most vendors tend to overpromise). ThreatStream Next-Gen ships today with autonomous triage, scoring, and investigation steps—what Anomali calls agentic levels 1 and 2. Autonomous response capabilities covering levels 3 through 5 are in active development. The company expects ThreatStream Next-Gen to reach full agentic autonomy by August 2026, with the Data Lake following in 2027. Configurable analyst oversight remains at every stage, which is probably a good thing given how messy real-world security operations actually are.

Ahmed Rubaie, CEO of Anomali, framed the launch around speed and decision-making rather than detection. "Attackers move fast, targeting identity and exploiting behavior—often closing windows in hours. We close them faster." The intelligence layer, according to Rubaie, is not a bolt-on but the core of everything Anomali builds. By owning the decisioning layer between intelligence and action, security teams gain the ability to respond at threat speed.

Customer feedback from the press materials suggests real-world validation. A cybersecurity specialist from a critical public sector organization called it the best platform for tagging intelligence, applying confidence ratings, and collaborating across intel sources. A security leader at a $30 billion U.S. retailer described it as the foundation of their cyber fusion approach. A CISO at a global financial institution noted that embedding ThreatStream into the Data Lake turned years of unusable telemetry into intelligence assets—analysts stopped chasing false positives and started doing actual security work.

The practical effect of this change matters. Instead of switching between five different tools to validate an alert, analysts see the relevant context delivered when they need it. The Command Centre shows prioritized threats in real time. Intelligence Search compresses multi-hour investigations into minutes. Case Management preserves full context from first signal to final resolution. It's less about flashy AI features and more about reducing the friction of clicking through disconnected systems.

SecurityBrief Australia's coverage of the launch corroborates the core claims about deployment models and the agentic AI roadmap. The outlet notes that the product targets cyber threat intelligence and security operations teams that must decide which alerts matter and what action to take next. The 300x speed claim appears consistently across sources, though independent benchmarking would be needed to verify it.

There's a pragmatic tension here worth noting. Anomali is promising autonomous response capabilities by late 2026 and 2027, but the current release only includes triage and investigation automation. The architecture is in place, but the autonomy is being released deliberately. This measured approach suggests the company understands that full automation in security operations carries real risk—especially when false positives could trigger unnecessary incidents or when legitimate threats require human judgment.

The broader industry context matters too. Most security platforms were built to detect. Anomali positions itself as built to decide. Where competitors treat intelligence as a feed to be consumed, Anomali has spent years making it structural—the connective tissue between raw security data, analyst judgment, and response action. Whether this distinction translates to measurable ROI for customers remains the real question.

ThreatStream Next-Gen is available now for both standalone and Data Lake deployments. Pricing details weren't disclosed in the announcement materials. Organizations considering the platform should evaluate whether their current intelligence workflows actually need automation or if they need better data quality first. Sometimes the bottleneck isn't speed—it's signal-to-noise ratio.

Whether security teams actually adopt the agentic AI features at scale, or whether they keep human oversight tight, will determine if this becomes a genuine shift in threat intelligence operations or just another AI-powered dashboard. The technology exists. The deployment strategy is deliberate. The market will decide if it's worth the investment.

Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference, no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt