Cyber Threat Intelligence and Brand Protection Solution

A global SaaS solution is sought for cyber threat intelligence and brand protection, providing automated data analysis, monitoring, and secure integration capabilities.

Compliance with Environmental Management System (EMS) Questionnaire (Annex 10)
Compliance with Cybersecurity Questionnaire (Annex 9)
Minimum 10 years of experience in Cyber Threat Intelligence and/or Brand Protection
Robust and dedicated team of intelligence professionals
Evidence of independent third-party assessment of services and capabilities
Ability to collect, process, and analyze raw data in an automated way and multiple languages
24/7 intelligence collection and/or brand protection observation delivery
24/7 support for platform unavailability, bug issues, and service disruptions
24/7 analyst-led research activities
Timely handling of all technical issues to maintain uninterrupted access
Service-Level Agreement (SLA) terms and conditions for operational issues must be shared
Strict confidentiality of client and subscriber data, protected under non-disclosure obligations
Solution delivered as a Software-as-a-Service (SaaS) platform, available 24/7, requiring no software installation
Minimum 20 user accounts for platform access
Secure access to a single CTI and/or Brand Protection platform
Browser-based analysis environment with query interface, interactive visualizations, collaboration, and reporting capabilities
Client analysts' profiles in the platform with filtering, customization, and selection options
Searchable reports and findings through the portal, with ability for users to save and share queried criteria
Service provided in both “push” and “pull” modes
Native integration of intelligence and brand protection outputs with client’s existing security technologies (e.g., TIPs, SIEMs)
Provision of all necessary technical support, tools, and services for successful integration with client’s systems
Well-documented, secure APIs (e.g., RESTful APIs) for programmatic data ingestion, extraction, and integration
Implementation and maintenance of adequate data protection measures, including encryption, access controls, and audit logs
Compliance with all applicable data protection and privacy regulations
Client must have full visibility on all subscriber-related data, detections, and reports
Ability to access detailed intelligence and/or brand protection reports prepared by the supplier
Written reports suitable for intelligence analysts, SOC analysts, Incident Response specialists, and Security Managers/CISOs
Reports and findings appropriately labeled and tagged for efficient filtering, classification, and navigation
Provision of multiple levels and formats of reporting (Alerts, Operational reports, Strategic reports)
Threat intelligence and/or Brand Protection observations delivered through multiple channels (Email, Web portal, API)
Technical indicators and observations provided and exported in multiple formats
Reports provided and exported in multiple formats (e.g., PDF, HTML)
Initial in-person training session of at least eight hours covering solution use and capabilities within the first six months
Quarterly hands-on training to effectively use the platform and new features
Support for ad hoc technical demonstrations, report presentations, and cybersecurity awareness sessions on demand
Solution must enable the prioritization of relevant intelligence in accordance with client’s needs
Delivery of threat intelligence data including threat actor campaigns, TTPs, vulnerability intelligence, and actor profiling
Detection and reporting of relevant cyber events
Monitoring of the presence, spread, and evolution of cyber threats within the global threat ecosystem, with focus on subscribers
Detection and informing the client about targeted attacks impacting subscribers’ digital assets
Ability to monitor a minimum of 500 concurrent assets (domain names, acronyms, full names, IP addresses/ranges)
Client analysts must be able to independently manage and modify the list of monitored assets within the platform
Identification and collection of IOCs associated with identified and tracked cyber threats
Enrichment of observed IOCs to facilitate pivoting during investigations and Incident Response activities
Platform allows analysts to explore relationships between IOCs, enrich them, and dynamically pivot across related entities
Unlimited lookup requests for IOCs, specific keywords, and similar queries, available through platform and API
Leverage configurable search criteria (e.g., IP address ranges, domain names, keywords) to generate relevant intelligence outputs
Monitoring of subscribers’ assets through open-source intelligence (OSINT) from public media, blogs, and social media platforms
Collection and analysis of data from paste sites (e.g., Pastebin, Ghostbin, GitHub Gists) to identify leaked data
Provision of cyber threat trend analysis tailored to subscribers’ sectors, geographic footprints, technology stacks, and risk profiles
Tailored trend analysis must include forward-looking insights, future scenarios, potential impacts, and recommended mitigation priorities
Prompt identification, analysis, and assessment of mentions of subscribers’ assets and keywords on the Deep and Dark Web (DDW)
Leverage keywords related to subscribers’ domains, digital assets, and identifiers to detect references within multiple sources
Collection and analysis of data from online marketplaces to identify threats, illicit offerings, or activities relevant to the client
Collection and analysis of data from ransomware leak sites to identify matches with subscribers’ monitored keywords or assets
Proactive and continuous monitoring of subscribers’ digital assets to detect suspicious or malicious activities (e.g., website defacements, DDoS attacks)
Identification of leaked and/or stolen credentials associated with the client on the DDW within underground forums/markets
Collection and analysis of credentials from infostealer-related sources (e.g., drop zones, C2 infrastructure, Telegram groups, combo lists)
Collection, analysis, and reporting of intelligence related to data breaches (enterprise credentials, PII) from public leak collections
Support for monitoring cyberspace activity related to high-profile events involving subscribers, enabled with dedicated keywords monitoring
Provision of Vulnerability Intelligence capabilities covering publicly disclosed and zero-day vulnerabilities, including exploits and PoCs
Delivery of detailed contextual information for each identified vulnerability (details, underground mentions, exploit availability, patch availability, technical analysis)
Assistance in the establishment and ongoing maintenance of tailored Vulnerability Intelligence aligned with client’s technology stack(s)
Demonstrated capability in human-driven intelligence collection through digital environments (vHUMINT), including threat actor engagements and source development
Maintenance of undercover access to underground forums, dark web marketplaces, closed communities, and restricted communication channels
Ensuring vHUMINT activities comply with applicable legal, ethical, and regulatory requirements, with validated and contextualized intelligence
Provision of AI-assisted capabilities to automatically summarize, correlate, and interrogate intelligence data within the platform’s dataset
Solution must allow users to ask natural language questions against available intelligence data and receive contextualized, analyst-ready responses
Scheduled outputs delivered via configurable delivery channels (e.g., emails, APIs) aligned with client’s defined intelligence priorities
Provision of access to a professional malware sandbox solution to enhance threat assessment and hunting capabilities
Execution of suspicious files and URLs in a fully automated and controlled environment to monitor behavior
Support for submission and analysis of a minimum of 50 malware samples per month
Compilation of all activities registered during malware analysis into comprehensive analysis reports
Provision of Brand and High-Profile Target Users (HPTU) protection capabilities to identify, monitor, and mitigate risks
Secure access to a Brand Protection platform with full monitoring capabilities
Continuous monitoring and detection of threats associated with potential abuse of subscribers’ legitimate brands and logos, with assisted takedown services
Ability to customize detection parameters, including monitored brand assets, keywords, and logos
Support for proactive hunting of malicious infrastructure and configuration of custom rules for continuous detection
Ability to submit requests for specific investigations and targeted analyses related to client’s assets or cyber security incidents
Retention of information about detections, takedown records, and historical reporting for a minimum period of one year
Definition, measurement, and reporting of key performance indicators (KPIs) and metrics related to brand and HPTU protection activities
Capability of monitoring, detecting, reporting, and tracking Brand and Domain Abuse, Phishing emails, and Websites misusing brand/reputation
Capability of monitoring, detecting, reporting, and tracking Unauthorized websites mimicking official domains/logos or abusing reputation
Capability of monitoring, detecting, reporting, and tracking Typo squatting Domain names and Scams Across Digital Channels
Monitoring and detection capabilities for impersonation attempts targeting designated HPTUs across social media and messaging platforms
Client must be able to request monitoring of up to 500 concurrent HPTUs
Compliance with all applicable regulatory, legal, and platform-specific requirements when initiating and executing takedown actions
Responsibility for detecting malicious observations, promptly notifying the client, and executing takedown actions upon formal authorization
Client entitled to submit a minimum of 500 takedown requests per month related to the subscribers
Takedown process, including validation, authorization, execution steps, and closure, must be documented, shared, and formally agreed with the client
Client can request the supplier to initiate the takedown process for observations directly detected by the client or subscribers
Platform provides full API-based capabilities covering the entire takedown lifecycle
Platform provides live detailed reporting and statistics on takedown activities, accessible via UI and APIs
All APIs supporting the takedown process must be secure, well-documented, and suitable for integration into client’s internal systems
Support for the definition, management, and use of Priority Intelligence Requirements (PIRs) to guide intelligence collection and analysis
PIRs must focus intelligence activities on relevant threat actors, attack techniques, campaigns, vulnerability trends, and emerging threats
Client must have the ability to submit Requests for Information (RFIs) for specific investigations and targeted analyses
Service must include an agreed RFI capacity, equivalent to five RFIs per month cumulative or fifty analyst hours per month cumulative
Ticket-based request management approach where tickets remain open until client formally confirms completion
Technical support and RFI submissions must be available 24/7 via email and/or the web portal
Initial RFI response within one hour, first updated response within four hours, subsequent daily updates until completion
Capability to respond to on-demand requests about intelligence collection relevant to the client but not part of its subscribers

$1,000,000 – $3,000,000

Questions on technical, contractual or commercial matters related to the RFP are to be submitted by no longer than COB September 1st, 2025.

A virtual Bidders' Teleconference will be held on March 11th, 2026 at 2 pm CET.

Bidders can send additional queries until March 13th, 2026 at 5 pm CET.

Proposals must be submitted EXCLUSIVELY via InTend not later than March 25th, 2026 at 5 pm CET.

Proof of Concept activities are estimated to take place in April 2026.

United Nations International Computing Centre

Organization overview and procurement intelligence available on paid plans.

This RFP seeks a vendor to provide a comprehensive cyber threat intelligence and brand protection solution, delivered as a Software-as-a-Service (SaaS) platform. The platform must operate 24/7 and require no software installation, offering global intelligence coverage through closed-source (CLOSINT) and signals intelligence (SIGINT), including honeypots and network sensors. The solution should include automated collection, processing, and multilingual analysis of raw data, complemented by a dedicated team of cybersecurity intelligence professionals. Continuous, analyst-led research and reporting on relevant cyber events is required, with full visibility granted to the client on all subscriber-related data, detections, and reports.

For brand protection, the platform must use open-source intelligence (OSINT) from news sources, social media, technical platforms, and public instant messaging groups. The vendor must deliver both push and pull modes of service and provide a browser-based analysis environment with interactive visualizations, supporting informed decision-making and collaboration. Reports need efficient tagging and filtering, and monitoring must cover threats across various digital channels. Secure APIs should be provided to support takedown processes, enabling integration with internal client systems and workflow automation. The vendor must also offer 24/7 support for operational issues and platform accessibility.

Cyber Threat Intelligence and Brand Protection Solution

Overview

Fit Score

SUMMARY

KEY REQUIREMENTS

BUDGET

CONTRACT DURATION

TIMELINE

QUESTION DEADLINE

Issuing Agency

DESCRIPTION

Similar RFPs