Threat research as a service is the outsourced model where a cybersecurity vendor commissions a researcher-led team to run an investigation, package the findings, and ship the result as a vendor-branded report with media-ready artefacts. The vendor gets the press cycle, the analyst attention, and the sales enablement that comes with original research, without hiring and retaining a full in-house research team.
The category sits between two adjacent markets that are easier to understand. On one side, threat intelligence feeds deliver raw indicators and structured data without the editorial layer. On the other side, content marketing agencies produce written material without the underlying investigation. Threat research as a service does both: original investigation paired with the publishable narrative on top.
"Practitioners trust research that has a person attached. The named author signals accountability. Anonymous reports get scanned. Attributed reports get cited."
At a glance
| Deliverable | Typical length | Where it lives |
|---|---|---|
| Threat research report | 2,500 to 6,000 words | Vendor research hub or PDF |
| IOC pack with ATT&CK mapping | 20 to 200 indicators | STIX, JSON, or vendor portal |
| PR cheatsheet | 1 to 2 pages | Internal comms doc |
| Sales enablement framing | 1 to 2 pages | Internal sales doc, leave-behind PDF |
How a typical engagement runs
The order is consistent across most providers, even when the timeline changes from cycle to cycle.
- Topic intake. Marketing and product define the research angle, the buyer relevance, and the publication target. The strongest topics map directly to a vertical the vendor is selling into.
- Investigation. Researchers run the actual work, including dark web access, sample analysis, source attribution, and validation. Most cycles run two to four weeks here.
- Findings review. The vendor sees the raw findings before the writing begins. Anything sensitive to product positioning gets surfaced now, not after the draft.
- Report draft. The writer produces the full narrative around the research. Pieces typically run 2,500 to 6,000 words.
- IOC pack and ATT&CK mapping. Indicators are structured and tagged for downstream operational use.
- PR cheatsheet. Quotes, angles, and outreach targets land in a comms doc the vendor's PR team or agency can pick up directly.
- Vendor review and publication. The vendor approves, applies its brand, and ships under its name. Media outreach runs in parallel with publication.
01 The research report
The report is the centrepiece. It carries the narrative, the technical detail, and the named author. Length tends to fall between 2,500 and 6,000 words depending on the depth of the investigation. Reports under 2,000 words struggle to support sustained press interest. Reports over 7,000 words start losing the practitioner readership that makes the work shareable.
The named author is doing meaningful work. Practitioners trust research more when it has a person attached, and that trust is what converts a scanned report into a cited one. The byline signals accountability for the claims. Anonymous reports tend to bounce; attributed reports tend to stick in coverage cycles.
02 The IOC pack
The IOC pack is the operational layer. Indicators are structured, mapped to MITRE ATT&CK, and shipped in a format the vendor's customers can actually ingest. STIX bundles, JSON exports, or direct vendor-portal uploads all work. The pack is what gives the report a useful afterlife inside the vendor's customer base, beyond the press cycle.
The most useful IOC packs include not only the indicators but also the rationale. Each indicator gets a short note explaining why it was extracted and what behaviour it correlates with. That context separates a useful pack from a CSV dump that gets ignored by detection engineering teams.
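A pre-publication check for the pack described above, as an added example that is not part of the original article: it flags indicators in a STIX 2.1 bundle that lack a rationale note or an ATT&CK technique mapping. The sample bundle, its IDs, the helper names and the 20-character rationale threshold are constructed assumptions.

```python
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
MIN_RATIONALE_CHARS = 20  # assumed threshold for a "short note", not a STIX rule

def lint_ioc_pack(bundle):
    """Map indicator id -> problems (missing rationale / no ATT&CK technique)."""
    objects = bundle.get("objects", [])
    # attack-pattern id -> technique IDs from its mitre-attack external references
    techniques = {
        o["id"]: [r["external_id"] for r in o.get("external_references", [])
                  if r.get("source_name") == "mitre-attack"
                  and TECHNIQUE_ID.match(r.get("external_id", ""))]
        for o in objects if o.get("type") == "attack-pattern"}
    # indicator id -> techniques reached through "indicates" relationships
    mapped = {}
    for o in objects:
        if o.get("type") == "relationship" and o.get("relationship_type") == "indicates":
            mapped.setdefault(o.get("source_ref"), []).extend(
                techniques.get(o.get("target_ref"), []))
    findings = {}
    for o in (x for x in objects if x.get("type") == "indicator"):
        problems = []
        if len(o.get("description", "").strip()) < MIN_RATIONALE_CHARS:
            problems.append("missing rationale")
        if not mapped.get(o["id"]):
            problems.append("no ATT&CK technique")
        if problems:
            findings[o["id"]] = problems
    return findings

def _sid(kind, n):  # constructed placeholder STIX id
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

# Constructed sample pack, trimmed to the fields the check reads (reserved example values).
SAMPLE_BUNDLE = {"type": "bundle", "id": _sid("bundle", 1), "objects": [
    {"type": "attack-pattern", "id": _sid("attack-pattern", 1), "name": "Web Protocols",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1071.001"}]},
    {"type": "indicator", "id": _sid("indicator", 1), "pattern": "[domain-name:value = 'c2.example.com']",
     "description": "Beacon destination from sample config; correlates with HTTPS C2 check-ins."},
    {"type": "indicator", "id": _sid("indicator", 2), "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "relationship", "id": _sid("relationship", 1), "relationship_type": "indicates",
     "source_ref": _sid("indicator", 1), "target_ref": _sid("attack-pattern", 1)},
]}

if __name__ == "__main__":
    for indicator_id, problems in lint_ioc_pack(SAMPLE_BUNDLE).items():
        print(indicator_id, "->", ", ".join(problems))
```

An empty result means every indicator in the pack carries both a note and at least one technique ID.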
03 The PR cheatsheet
The PR cheatsheet is what makes the difference between a report that gets one media pickup and a report that earns coverage in ten outlets. Cheatsheets list the named author, the talking points, two or three quotable lines that journalists can use directly, the analyst angles for each top-tier outlet, and the outreach targets with first-name relationships pre-noted.
The vendor's comms team or PR agency picks up the cheatsheet and runs the placement work. The research team handles spokesperson availability and follow-up questions. The cheatsheet exists so this handoff happens cleanly instead of through long internal email threads.
04 Sales enablement framing
The fourth deliverable is the one that gets cut from cheaper engagements and missed in retrospect. Sales enablement framing turns the research into something an account executive can use on a discovery call. It consists of a leave-behind PDF, a one-pager that maps the research finding to the vendor's product, and a short internal narrative explaining how to bring the research up in conversation. Without it, the report stays a marketing artefact and never becomes a sales tool.
When the model fits
Threat research as a service makes sense for cybersecurity vendors that need credible research output but cannot justify a full in-house research team. Most Series A to C vendors are in this category. The cost of a senior threat researcher fully loaded sits at $200K+ per year before benefits, and that hire takes six to twelve months to source. The output ceiling on a single hire is also lower than most vendors realise. One researcher can credibly run two to four major investigations per year.
It is less suited to vendors that already have a five-plus-person internal research team producing regular output. Those teams typically need editorial and PR support rather than the research itself. It is also not the right model for vendors that want exclusive control over every step of the methodology, since the research team makes its own technical calls.