
By John Williamson, Chief Revenue Officer (CRO)
For fifteen years, the external threat intelligence market has operated on a simple premise: Scan the dark web, find bad things, alert the customer, repeat. The companies that dominated this era, such as Recorded Future and ZeroFox, built impressive platforms. They cataloged billions of threats. They generated thousands of alerts. They wrote detailed reports.
And enterprises kept getting breached anyway.
I refocused my cybersecurity career from managed services to cyber threat intelligence in 2021 to sell dark web monitoring, right as the modern dark web was emerging as the primary theater of operations for threat actors. I quickly perceived a pattern: Corporate security teams would light up when we uncovered data breaches – most often employee credentials on Tor, I2P, Freenet and other “dark nets.” The coverage was impressive. The threat actor insights were valuable. Then three months into deployment, we’d get the call. “We’re drowning in alerts and having difficulty prioritizing them. Can you help us make sense of all this?”
The tuning never fixed it, because the problem wasn’t alert fidelity; it was that the threat intelligence workflow assumed unlimited human capacity to deal with the data. Every alert required a human analyst to investigate, validate, create a ticket, wait for IT to respond, then take remediation action. This approach involved multiple teams and resulted in days or weeks of latency. The problem was that the threat actors were moving faster.
Pushing critical and timely alerts directly to a SIEM, Slack channel, or even priority emails proved ineffective because the remediation lag remained in these human-in-the-loop workflows. Credential and identity exposure was touted as a visibility gap, when all along it exposed something more than that: a remediation velocity gap.
The Structural Break from First-Generation Threat Intelligence
Then something occurred that pushed this problem to another level – an insidious development that even today much of the cybersecurity market has yet to grasp, despite its magnitude.
The infostealer malware economy didn’t just grow, it industrialized. Redline, Vidar, Raccoon, Lumma – these aren’t sophisticated APT tools, they’re among a growing list of purveyors hawking $150/month malware-as-a-service subscriptions to anyone interested. The barrier to enterprise entry has collapsed.
Initial access brokers monetize corporate credentials, session cookies and active MFA tokens within 48 hours of theft. The lag between “your employee got infected” and “threat actor is inside your network” has compressed from days to hours. Flare collects approximately 1.7 million infostealer logs on Telegram channels and dark web marketplaces every week. And these logs revealed a concerning trend in enterprise identity exposures going into 2026: The proportion of infections yielding enterprise identity access climbed from around 6% in January 2024 to nearly 14% of all logs in November 2025, and it has continued to accelerate since.
Cybersecurity leaders simply cannot manually process their way out of an automation problem. Identity exposure has become the new attack surface, but the remediation gap is structural, not tactical.
The first-generation threat intelligence vendors were pioneers, and they achieved valuations to prove it. However, their data collection efforts optimized for only two primary metrics – source coverage and alert fidelity, which are indeed noble causes. But detection volume without remediation velocity just creates alert fatigue. Adding more high-fidelity intelligence without changing the underlying workflow makes the problem noisier, not better.
The proliferation of infostealer malware and the dark economy it has spawned have laid bare this structural weakness.
Identity Exposure Management: From “want to have” to “must have”
Many platforms are building iterative improvements on the same architecture that has failed to make threat intelligence a universal necessity. From improved dark web crawling, social media impersonation detection, new data sources, to AI-driven prioritization – these are indeed incremental advancements. However, the truth is they are only tweaks to systems designed for a threat landscape that no longer exists.
Flare built a Threat Exposure Management (TEM) technology stack with a different assumption: Detection without automated remediation is surveillance theater. Flare is a new paradigm in cyber threat intelligence, not just a set of new features: must-have cybersecurity.
Flare’s approach to Identity Exposure Management (IEM) fundamentally differs. We’re not just telling you that your credentials are compromised; we’re enabling you to do something about it immediately and automatically.
This is achieved through seamless integration with Microsoft Entra ID today (and very soon to include Okta, Ping Identity, and all other identity providers), empowering security teams to automate remediation. When Flare detects a compromised credential in a stealer log, it doesn’t generate a ticket. It validates that the password is current, and then activates a password reset or other actions through the IdP API within seconds. No human-in-the-loop. No waiting for security team triage. No hoping employees respond to the reset email.
The credential is invalidated before the threat actor can monetize it. This changes everything.
Today’s Modern MSSPs are Taking Notice Too
The most sophisticated managed security providers recognize this shift. They’re not looking for more threat intelligence feeds to monitor. They’re looking for remediation infrastructure they can integrate into their service delivery.
Flare’s API-first architecture enables MSSPs to embed automated identity exposure management into their service stack. When they detect a compromised credential, the remediation happens automatically through their identity provider integrations—no escalation to the customer’s IT team, no waiting for employee response, no manual tracking of remediation completion.
This transforms the MSSP service model. Instead of selling “we’ll alert you faster,” they’re selling “we’ll neutralize the threat automatically.” The value proposition shifts from detection to resolution, and operational efficiency improves by an order of magnitude.
The MSSPs that adopt this architecture will win enterprise accounts from competitors still operating on alert-based models. Flare becomes the infrastructure layer that separates next-generation managed security from legacy service delivery.
The Data Moat
Even with breakthrough automation paired to threat intelligence – if you can’t see it, you can’t stop it. Flare delivers visibility earned over nearly a decade of dark web collection infrastructure, forming the backbone for unparalleled telemetry to power its automated remediation. Today the platform monitors 58,000+ Telegram channels, threat actor forums, marketplaces, and stealer log repositories in real-time.
Every week, 50 million credentials get traded in these channels – a dizzying velocity. The access relationships required take years to establish, and the operational security to maintain presence in adversarial environments is complex. Flare’s proven pattern recognition separates signal from noise. A credential appearing today might be meaningless. That same credential appearing from three different threat actors over six months indicates a compromised identity supply chain.
Identity Exposure Remediation is Critical Infrastructure
Flare isn’t designed just to compete in the threat intelligence market. We’re building the Identity Exposure Management category. The distinction matters. Threat intelligence is a cost center. Identity infrastructure is critical-path for business operation. Threat intelligence gets evaluated during annual security tool reviews. Identity infrastructure gets integrated into IAM enterprise architecture and MSSP service delivery.
The companies that dominated the last era optimized for analyst workflows. Flare is optimizing for identity provider integration and managed service automation. Different buyer. Different economics. Different competitive dynamics.
I believe Flare will become the exposure validation layer that sits between identity providers and credential issuance. Before Microsoft Entra resets a password, it checks Flare’s API to see if that identity has current exposure. Before Okta issues a new session token, it validates the credential health score against Flare’s exposure database.
Consider this: Across all customers, Flare found that just over 1% of validated credential events turned out to be true positives, meaning the exposed account and related credentials were still active in the customer’s environment. This 1% true positive rate ends up being 100% true positive risk reduction when it is fully automated with no human in the loop. No alerting system can achieve this.
History is recursive: The infostealer economy created the same structural vulnerability that credit cards had before fraud detection became table stakes. Flare is positioned to be the “fraud prevention infrastructure” of identity. Just as payment processors wouldn’t function without fraud detection layers, identity providers won’t function without exposure monitoring.
This isn’t threat intelligence sold only to security teams. This is infrastructure that identity providers and MSSPs depend on to function safely.
Why I’m Joining Flare Now
The timing is precise. The infostealer economy reached critical mass in 2024-2025. MSSPs are actively seeking remediation automation partners. The regulatory environment is tightening—cyber security insurance policy requirements, SEC disclosure rules, state privacy laws, EU Digital Services Act—all increase liability for credential exposure.
Flare is years into this architecture. The integrations work, the automation works, and the data collection infrastructure is mature. Flare is scaling a working system to make identity exposure management and remediation an industry standard while defining next-generation security operations.
The market will bifurcate rapidly. MSSPs that integrate automated remediation will win enterprise accounts from competitors still generating tickets. Enterprises that deploy remediation infrastructure will reduce breach risk while competitors struggle with alert overload.
The threat landscape will continue accelerating as infostealer malware only gets cheaper and more effective. The credential exposure problem will get worse before it gets better. The companies still operating on alert-based architectures will generate more noise and deliver less value.
I joined Flare because I believe we’re building the infrastructure layer that defines the next decade of identity security. Not better threat intelligence, but rather infrastructure that makes identity providers safe to operate in a world where credentials are compromised at industrial scale.
The first generation ended. Flare is defining what comes next.
Let’s Talk About the Next Generation of Threat Exposure Management
If you’re a security leader who wants to explore the future of threat intelligence and prioritize remediation, we want to talk with you, or you can check out what external threats are exposed for your organization for free. We’re building something special here, not just technology, but a better approach to a problem that’s only getting worse.





