SOC Prime Threat Detection Marketplace Pricing: What Can You Get from the Quote-Based Plan?

What’s included in the SOC Prime Threat Detection Marketplace quote-based plan?
Included in the SOC Prime Threat Detection Marketplace quote-based plan are the following: support for specific rules and parsers, API integrations, cross-platform integration configurations, and access to premium native applications for the Elastic Stack. You also get content repository features that provide access to a wide array of open-source and exclusive content types, plus customer support.

Various pricing schemes for IT security software make it tricky to compare one product with another. Some providers charge a flat monthly fee while others charge per event or based on the volume of analyzed log data. There are IT security software providers who are generous enough to offer a free plan, but this usually comes with user limits and a set number of endpoints.

Moreover, a number of these solutions tend to address only a piece of your infrastructure. For example, you get one identity management solution to control user access and another for securing your firewall. On the other hand, there are solutions that offer comprehensive security services. However, they are meant to add to, if not replace, your existing software. Such offerings make it hard for you to beef up your cybersecurity policies using the infrastructure you already have.

SOC Prime Threat Detection Marketplace (TDM) aims to solve these pain points by giving you access to a threat detection content repository. Instead of one-off or complete solutions, you can get rules, rule packages, and other content types that you can customize for your platform and environment. They offer both free and paid quote-based plans to address various needs. But what exactly are you getting from these plans? In this article, we’ll detail the features that you’re getting in the plans.

soc threat detection marketplace pricing

Not addressing gaps in your cybersecurity policies can make you a potential victim of cybercrimes. This, in turn, can lead to huge revenue losses as set out in Accenture’s 2019 Cost of Cybercrime Study. According to Accenture, the average annual cost of cybercrime in the United States in 2018 is $27.37 million. Out of different technology solutions, those that offer security intelligence and threat sharing enjoyed the highest adoption at 67%. Using these solutions also resulted in the biggest net technology savings for companies at $2.26 million.

Source: Accenture, 2019

However, as data breaches become an increasingly common phenomenon, businesses struggle in tightening their security policies. In its 2019 Data Risk Report, Varonis found that the highest security risks for companies were having over-exposed sensitive data, sensitive stale data, stale accounts, and non-expiring passwords. Furthermore, data risk assessments conducted on 785 organizations showed that 53% of companies had more than 1,000 sensitive files accessible to every employee. 

One way of reducing the financial impact of cybercrimes is to invest in technology that makes threat discovery, investigation, and recovery efforts much more efficient.

Overview of SOC Prime Threat Detection Marketplace

soc threat detection marketplace dashboard

SOC Prime Threat Detection Marketplace is an IT security software featuring a platform-agnostic repository for threat detection content. It claims to be the world’s largest security operations center (SOC) and a SaaS content platform, with over 61,000 custom rules and more than 240 attacker techniques.

Businesses of all sizes can leverage SOC Prime TDM to upgrade their cybersecurity capabilities. TDM customers include companies in the Fortune 100 and Forbes Global 200 lists. They also have international companies, local firms, and governmental organizations as clients. Meanwhile, typical TDM end users include chief information security officers, SOC managers, threat hunters, detection engineers, threat intelligence and incident response specialists, and SOC analysts.

Organizations that use SOC Prime TDM can use the vetted content published in the platform to establish cybersecurity practices. The software gives them access to a MITRE ATT&CK® database that is constantly updated, letting you keep abreast of the latest cybersecurity trends. This way, they gain better visibility of threat actors, tools, techniques, and tactics and can adjust their policies accordingly. SIEM and API integrations allow companies to automate their incident response process. This frees up security staff from time-consuming manual tasks so they can focus on more value-adding activities.

Detailed SOC Prime Threat Detection Marketplace Review

The following are key features of SOC Prime TDM:

  • Comprehensive SaaS Content Marketplace
  • Mapping to MITRE ATT&CK® Framework
  • Access to verified content
  • Ready-to-use rule packs, SIGMA rules, and parsers
  • Hundreds of use cases
  • Multi-platform support
  • Standard Search
  • Lucene Search
  • MITRE ATT&CK® View Modes
  • Content Filters
  • Rule Master
  • Rule Streaming
  • Custom Field Mapping
  • Automation
  • API Integration
  • Wanted Page
  • Threat Bounty Program
  • Premium Support on Detection Content with SLA

SOC Prime TDM Plan Inclusions

Like other free IT security software solutions, you can sign up for a SOC Prime TDM Community Access plan at no cost. All you need to get to the marketplace is a corporate email. You will then get access to more than 45,000 content items.

On the other hand, SOC Prime TDM also has a paid premium tier that includes support for exclusive rules and parsers. Depending on your subscription, you also get access to an API, custom field mapping and rule master tools, as well as round-the-clock support. Before transitioning to a paid tier, you can sign up for a 14-day free trial to try out premium features and get access to both free and exclusive detection content. Below are some features you can expect from both freemium and paid plans. 

Access to Various Content Types

A SOC Prime TDM subscription gives you access to over 60,000 custom rules and more than 240 attacker techniques. These rules specifically designed for threat hunters and SOC analysts were developed by Security Information and Event Management (SIEM) experts including developers from the Threat Bounty Program powered by SOC Prime

A huge chunk of the database is allotted to SIEM rules that help you detect individual threats. However, you can also search for other content types in TDM. These include rule packs, Logstash configuration files, premium apps, YARA rules, red team tests, and Snort rules.

In addition, the platform makes it possible to search using Sigma types. TDM makes it easier to find content that suits the detection method that you will be implementing in your organization. Options include Indicators of Compromise or Tactics, Techniques, and Procedures. Another category under Sigma type is Compliance. This allows you to detect common activities that are not necessarily security incidents but you still need to manage to enforce your compliance policies.   

Content types in the platform support various use cases. These cover L1/L2 SOC, proactive exploit detection, data integration with enhanced cybersecurity services, threat hunting bundles, and cloud security monitoring. For instance, a managed service provider for cloud services uses rules in SOC Prime TDM to map the most recent attack vectors into their service. They combined SOC Prime TDM with another product, the SOC Workflow App. As a result, they were able to reduce the time it takes for them to detect cyber attacks.


A SOC Prime TDM subscription gives you access to a MITRE ATT&CK® page, which means Adversarial Tactics, Techniques, and Common Knowledge. More than 95% of the content in TDM is mapped to the MITRE ATT&CK® framework. This helps you discover malware and other threats in real-time for data stored on-premise and in the cloud and get content keenly focused on your company’s threat profile.

In TDM, you can view techniques in three modes: Kill Chain, Table, or Flat mode. Kill Chain mode gives you a futuristic, rotating visualization of cyberattack techniques. There’s also Table mode, which gives you an overview of adversarial behavior in small tiles. On the other hand, Flat mode provides you with the same perspective but this time with bigger tiles. 

The MITRE ATT&CK® page in Kill Chain mode

Color-coded tiles give you visual information about a particular technique. For example, blue tiles mean that there is detection content available for that technique. A red tile means that atomic red team testing has been done on the technique. Meanwhile, a purple tile means that blue team detection content for the technique exists in addition to atomic red team testing. A tile with no color means that no content has been developed for the technique.

You can view additional information about the technique, from its general description to its mitigation IDs, how-to’s for detecting the technique, and the data sources required for the technique.

The comprehensive knowledge base of tactics available in the MITRE ATT&CK® Page allows you to improve the security of your business in line with a specific technique. It’s a great tool for addressing gaps in your security policies, too. Just search for a technique and read up on related information about it to augment your existing policies.

Search Capabilities

Users can do two types of searches in SOC Prime TDM: a standard search and Lucene search.

With a standard search, you can view search results containing relevant rule names or tags. Pressing Enter after your search will give you more generalized search results for your search term. In contrast, clicking on a tag allows you to have a specific, limited subset of results.

If a standard search allows you to whitelist search results, you can also blacklist or exclude some items from your search. This is possible with Lucene search, which allows you to conduct an advanced search by applying search logic rules. For example, you can add the operator NOT before your search term to exclude certain content from appearing in your search results. SOC Prime TDM has a Lucene query syntax window, which gives you an explanation of the various operators you can add to narrow down your search.

Filtering Capabilities

SOC Prime TDM features a variety of filters to help you find the content that you need. You can apply filters for platform, content types, rule packs, rules, log sources, and authors. Align your policies with the MITRE ATT&CK framework by using the filters to search for actors, tools, and tactics.

Find content faster in TDM by applying various filters.

Filters also allow you to view and use content that is appropriate for your subscription type. For instance, freemium users can apply the Community filter to access content without buying a subscription. In contrast, the Exclusive filter allows users to download content available only for premium plans.

If you want search results that are tailored to your environment, you can use Rule Master to make the process easier. With this feature, you don’t have to apply various search filters. Instead, you can fill out the Rule Master fields once and save it to get your own pre-generated filter. You can fill out the optional Expert Settings field to specify the tools, actors, and techniques you already have in place.

It’s possible to set up more than one profile in Rule Master. This is a great feature for managed security service providers that have different log sources for clients. It is also useful to organizations that have production and development instances or multiple SIEMS in their environment. Although the feature is available for quote-based plans, users with a freemium subscription can request a free trial to see its benefits.

Wanted Page

SOC Prime Threat Detection Marketplace gives users access to a global community with a vast array of cybersecurity resources. One part of this community is a Wanted Page which contains a list of items that users are interested in. Community members can vote on an idea so that contributors and SOC Prime’s in-house developers can create content that their users need. You can also add an item that’s not listed there. Simply use the Add to Wanted feature to add an item to the list whether that’s a threat actor, parser, or technique. SOC Prime promotes collaborative cyber defense through its crowdsourcing component, Threat Bounty Program, and encourages developers who are engaged in this project, to produce their own detections fulfilling these content requests of TDM users. 

Integrations and APIs

SOC Prime TDM offers SIEM integrations with Elastic, Splunk, and Azure Sentinel. These integrations are configurable right from the web interface. Integrations allow you to quickly use content from the marketplace and roll them out in said platforms. For certain quote-based plan tiers, SOC Prime TDM allows you to add an API to your license. In addition, you can also try out API access as part of a 14-day free trial.

With an API, you don’t need to log in to the marketplace every time to download rules. Instead, you can set up an automated query to look for new rules, tactics, or procedures. You can then use rule streaming to automatically download rules from the marketplace and then implement them in Splunk, Elasticsearch, or Microsoft Azure Sentinel. API integration allows you to set up threat detection feeds for more than 240 techniques based on the MITRE ATT&CK® framework.

A TDM guide is available on the platform for those interested in adding an API or getting an insightful overview of the TDM functionality. It includes information about how to access and manage the API, available endpoints, required parameters, and building search strings. Users who want access to the API can contact their SOC Prime TDM account manager for further details.

Custom Field Mapping

Aside from integrations, another way to quickly use rules is the Custom Field Mapping Feature that is available for paid tiers. This feature allows you to translate Sigma queries to other SIEM languages like Elastic, Arcsight, or Splunk. This addresses the problem of differences in field names that is common in security analytics. Mapping for multiple platforms is available, including Elasticsearch ECS, Kibana, X-Pack Watcher, ArcSight, Sumo Logic, Qualys, QRadar, Azure Sentinel, and more.

You can type your own custom field names or choose from pre-defined ones in the Sigma Field Mapping menu.

With custom field mapping, you can pick the fields you want to translate and map them on the fly according to the configuration you have. As such, you don’t have to manually change these fields with text tools every time you need to translate them. As a result, it’s easier and faster to integrate rules or queries with whatever platform you have and helps avoid parsing issues.

Does SOC Prime TDM Fit the Bill?

Today, cybercriminals grow more sophisticated than ever by changing their attack methods. A SaaS threat detection content platform like SOC Prime TDM equips you with a wide range of tools to keep up with their pace. Even with the free plan, you get access to a considerable amount of resources to protect your organizational data and systems. For more content and customer support, there’s always the paid premium tier plan tailored to your budget. SOC Prime also offers a 14-day free trial to test out premium features before switching to the paid subscription.

To see if this is the right solution for you, you can sign up for free community access from the TDM website. You can also schedule a call with a SOC Prime TDM representative to inquire about their premium tier.

Nestor Gilbert

By Nestor Gilbert

Nestor Gilbert is a senior B2B and SaaS analyst and a core contributor at FinancesOnline for over 5 years. With his experience in software development and extensive knowledge of SaaS management, he writes mostly about emerging B2B technologies and their impact on the current business landscape. However, he also provides in-depth reviews on a wide range of software solutions to help businesses find suitable options for them. Through his work, he aims to help companies develop a more tech-forward approach to their operations and overcome their SaaS-related challenges.

Leave a comment!

Add your comment below.

Be nice. Keep it clean. Stay on topic. No spam.


Why is FinancesOnline free? Why is FinancesOnline free?

FinancesOnline is available for free for all business professionals interested in an efficient way to find top-notch SaaS solutions. We are able to keep our service free of charge thanks to cooperation with some of the vendors, who are willing to pay us for traffic and sales opportunities provided by our website. Please note, that FinancesOnline lists all vendors, we’re not limited only to the ones that pay us, and all software providers have an equal opportunity to get featured in our rankings and comparisons, win awards, gather user reviews, all in our effort to give you reliable advice that will enable you to make well-informed purchase decisions.