In the rapidly maturing field of cybersecurity, digital defense has traditionally been approached through automation. For years, the industry standard for threat intelligence has relied on massive, automated crawlers—systems designed to scrape the dark web, index illicit marketplaces, and flag potential breaches before they escalate. However, as threat actors evolve their tactics, techniques, and procedures (TTPs), the limitations of purely automated surveillance have become increasingly apparent.
Kobe Shwartz, CEO of Underdark, believes the industry has reached a point of diminishing returns with traditional monitoring. In a recent discussion with CB Insights, Shwartz outlined a radical departure from the status quo, arguing that the future of threat intelligence does not lie in more powerful algorithms, but in the nuance of human interaction.
The Landscape: A Market Saturated with Automation
To understand Underdark’s position, one must first understand the current competitive environment. The cyber threat intelligence (CTI) market is dominated by well-capitalized incumbents such as Recorded Future, Digital Shadows (now part of ReliaQuest), Flashpoint, and Cyberint.
These organizations have built their reputations on scale. Their business models rely on the rapid ingestion of vast amounts of unstructured data from the dark web, forums, and encrypted messaging services. By utilizing sophisticated AI-driven crawlers, these companies can alert a client that their corporate credentials have appeared on a known leak site or that a specific vulnerability is being discussed by a ransomware syndicate.
While this approach is effective for broad-spectrum monitoring, it creates a "data noise" problem. Security Operations Center (SOC) analysts are often overwhelmed by thousands of alerts, many of which lack the necessary context to determine the intent behind a threat. As Shwartz notes, these incumbents are largely defined by "human-assisted AI"—a process where machines do the heavy lifting of collection, and human analysts attempt to interpret the results after the fact.
Chronology of a Shift: From Passive Monitoring to Active Intelligence
The evolution of CTI can be categorized into three distinct phases:
- The Manual Era (Pre-2010): Intelligence gathering was largely conducted by specialized consultants using rudimentary methods. It was slow, expensive, and difficult to scale.
- The Automated Era (2010–2020): The rise of big data and machine learning allowed for the creation of massive scraping engines. The industry shifted toward volume, attempting to map the entirety of the dark web through continuous, automated collection.
- The Engagement Era (Present Day): As threat actors become more paranoid and sophisticated, they are increasingly moving into private, invite-only, or vetted environments. Automated crawlers are often blocked, misled by "honeypot" data, or simply unable to gain access to the deepest, most dangerous levels of the underground economy.
Underdark represents the vanguard of this third phase. By pivoting away from automated data collection, the company has effectively inverted the industry model. Rather than waiting for information to be "posted" where a bot can find it, Underdark engages in a process of proactive elicitation.
Supporting Data: The Limitations of "Crawler-First" Strategies
Industry research indicates that while automated threat intelligence is essential for perimeter defense, it leaves a significant blind spot regarding the "intent" of threat actors. According to recent cybersecurity benchmarks:
- False Positive Rates: Organizations relying solely on automated threat intelligence feeds report that up to 40% of alerts require manual verification, leading to "alert fatigue" among security teams.
- The "Vetting" Wall: Many top-tier threat actors now require a period of "social grooming" before allowing new users into their forums. Bots and automated scrapers fail these vetting processes immediately, leaving them unable to access the most critical, high-value intelligence.
- Contextual Scarcity: Automated tools can tell a company that a threat exists, but they often struggle to explain why or when an attack is imminent. Human-led intelligence provides the tactical context—the "human narrative"—that machines currently cannot replicate.
Underdark’s methodology addresses these gaps by treating the dark web not as a data repository, but as a social ecosystem that requires interpersonal engagement.
Official Perspective: Kobe Shwartz on the "Human Interaction" Differentiator
When asked how Underdark defines its specific niche within the crowded CTI market, Shwartz is clear: the company does not compete with the scrapers; it operates in a different dimension entirely.
"Our market is cyber threat intelligence and dark web monitoring, which is full of bigger companies," Shwartz explains. "The difference between them and us is that they’re mostly using humans assisted by AI to do the job. What we do is called human intelligence, where we go into the dark web and engage the threat actors personally."

This is the cornerstone of Underdark’s service offering. The company avoids the "automated collection" trap. Instead, its operatives function as sophisticated intelligence assets, navigating the social complexities of dark web forums. By engaging directly with threat actors, Underdark operatives can:
- Confirm the veracity of leaked data before it is made public.
- Determine if a threat actor is bluffing or possesses genuine capabilities.
- Gain insights into the "supply chain" of an attack, identifying who is selling the access and who is providing the malware.
"We don’t do automated collection of data," Shwartz emphasizes. "What we sell is the human interaction. All we do is engage with threat actors and obtain intelligence and information for our customers based on this human interaction."
Implications: The Future of Cyber Defense
The emergence of human-centric intelligence firms like Underdark has profound implications for the cybersecurity industry at large.
1. The Rise of "Human-in-the-Loop" Intelligence
For CISOs (Chief Information Security Officers), the shift implies that they can no longer rely on a single dashboard to maintain security. The future of CTI will likely involve a hybrid approach: automated feeds for high-volume, low-context alerts, and human-led intelligence for high-stakes, strategic decision-making.
2. Escalating Complexity for Threat Actors
As Underdark and similar firms penetrate the social fabric of the dark web, threat actors are being forced to adapt. This leads to a "cat-and-mouse" game that goes beyond simple code-based evasion. Threat actors must now be suspicious of everyone they interact with, potentially slowing down the speed at which they can organize attacks.
3. Ethical and Operational Challenges
The "human interaction" model is not without its challenges. Operating as a human agent in the dark web requires a high degree of operational security (OPSEC). There is a constant risk of exposure, and the ethical considerations of engaging with illicit actors are complex. Companies like Underdark must balance the need for intelligence with strict adherence to legal and ethical frameworks, ensuring that their engagement does not facilitate the very crimes they are trying to prevent.
4. A Shift in Value Proposition
For the CTI market, this move signals a transition from "data as a commodity" to "intelligence as a service." When data is everywhere, the value lies in the interpretation and the provenance of that information. Underdark’s model suggests that the most valuable commodity in the digital age is not the data itself, but the human-verified truth behind the threat.
Conclusion: Redefining the Perimeter
As we move deeper into the 2020s, the digital perimeter has become increasingly porous. The sheer volume of automated threats means that organizations can no longer rely solely on defensive walls or passive monitoring tools.
Underdark’s approach—prioritizing personal engagement over automated scraping—represents a necessary maturation of the threat intelligence sector. By recognizing that cybersecurity is a human-driven industry, both in its creation and its disruption, Underdark is providing a level of clarity that is often missing from the automated feeds of larger incumbents.
For the modern enterprise, the message is clear: automation can provide the map, but human interaction is required to navigate the terrain. As Shwartz and his team continue to refine their engagement strategies, the broader CTI market will likely follow suit, shifting focus from how much data can be collected to how much truth can be derived from the human beings operating in the shadows of the internet. The future of security, it seems, is not in the code, but in the conversation.
