Cyware: Turning Threat Intelligence from Buzzword to Backbone
If you have spent any real time in cybersecurity, you have seen threat intelligence sold as the magic ingredient that will solve everything. Then you watched it show up as another feed no one tunes, a PDF someone forwards once, or a “platform” that mostly functions as an expensive spreadsheet viewer.
Cyware is one of the companies trying to change that dynamic, not by inventing new buzzwords, but by taking threat intelligence seriously as an operational discipline. Their pitch is simple: make threat intel something your organization actually uses to make faster, better decisions, instead of something you trot out in incident postmortems to explain why the indicator was technically “known” but never acted on.
At the 2026 RSAC Conference in San Francisco, I sat down with Jawa Sivasankaran of Cyware. With almost thirty years in the security industry, Jawa has seen the evolution of SOCs, SIEMs, TIPs, and now AI powered everything. Cyware is his current platform to fix some of the most stubborn problems in how organizations understand and act on threats.
What follows is a narrative of Cyware, built around Jawa’s own words and aimed squarely at CISOs and senior security leaders deciding where threat intelligence fits in their roadmap.
Cyware’s Origin Story: A Practitioner’s View Of A Broken Landscape
Jawa’s background is not “generic enterprise software executive who discovered cybersecurity last quarter.” He has lived through the operational side of security and then moved into building and taking products to market. That matters, because it shapes how Cyware frames the problem.
As Jawa puts it:
“I’ve been in the security industry for almost 28 years now, closing in on three decades. Started in the 90s, as a practitioner, did engineering in the early 2000s then product in the mid, late 2000s then moved on to go-to-market roles.”
That arc from practitioner, to product, to GTM means he has seen the pain from every angle. He has been the person trying to make sense of events at 3 a.m., the person designing tools to help, and the person explaining to customers and boards why the tools did or did not work.
He is also very aware of how aggressively the landscape has shifted recently, especially under the influence of AI.
“We’re in a very exciting phase right now. Of course, general AI use has emerged in just in the last 18 months. How much things have changed!”
About a year before this interview, Jawa joined Cyware to help scale it beyond the early growth stages.
“I joined [Cyware] a little over a year ago, to scale the company, to take it to the next level. We’re Series C, going later stage at some point and mid to late stage. So the goal is for us to accelerate our business and take it to the next level.”
The way Cyware plans to get there is not by promising to be your one platform to rule them all. Quite the opposite. They picked a very specific problem and are stubbornly staying focused on it.
Staying In Their Lane: Operationalizing Threat Intelligence
If you ask most security vendors what they do, you almost need a decoding key. They are an XDR plus SOAR plus UEBA plus AI agent layer with some “platform” sprinkled in for good measure.
Ask Cyware what they do and you get something that actually fits in one breath.
“From a product point of view, you know what we do? So we focus on threat intelligence. We operationalize threat intelligence, period. Don’t get distracted.”
In an industry that seems addicted to product creep, that kind of clarity is almost suspicious. Jawa is very clear that many of the peers Cyware launched alongside have since taken different paths.
“Many of our peers that started around the time that we started back in 2019 either they’ve been acquired by bigger players, so they got integrated as ‘quote, unquote’ – features into larger platforms, or they themselves. They’ve moved on to do other things, add on other things.”
Cyware deliberately chose not to become a feature.
“We’ve stayed true to our roots. We operationalize threat intelligence, we enable bi-directional threat intelligence sharing. We help our customers partners with automating the right responses. That’s what we do, and that’s where we’ll continue to focus.”
For a CISO, that means Cyware is not trying to replace your SIEM, your EDR, or all your other investments. Instead, they want to be the connective tissue that takes in threat intelligence, enriches it, shares it with the right internal and external stakeholders, and helps your teams automate the right responses.
“Operationalizing” in this context is not a buzzword. It is an admission that intelligence that does not flow into workflows, automation, and decisions is just trivia.
From Fortune 500 Toy To Enterprise Requirement
Jawa has sat on the SIEM and TIP side of the table before, including a stint at Splunk running go to market for advanced security offerings. That gives him some credibility when he talks about the evolution of the market.
“I’ve been in the SEC ops market for a while. I was at Splunk. I ran go to market for their advanced security business SIEMs, or UBA. We also had a TIP as well. But the market has changed so much in the last six years, if you just think about it from a threat intelligence point of view.”
Historically, threat intelligence was a luxury item.
“What was at that point, let’s say, a Fortune 500-type of focus, large enterprises, large government organizations. They were the ones having a budget line item for threat intelligence.”
That has shifted meaningfully.
“That has changed so much. We’re clearly seeing threat intelligence getting democratized.”
To be clear, Jawa is not claiming that SMBs are suddenly building threat intel teams.
“It’s still not an SMB play. Let me be very clear. You’re not seeing, you know, small, medium businesses waking up at all. I need to have a threat intelligence program in place. It’s still not there.”
But in the revenue band where many readers of this magazine live, threat intelligence has moved from “nice to have if you are a top target” to “something you are expected to have an answer for.”
“We’re clearly seeing the Fortune 100s. Those that are doing 500 million and up in revenue, definitely 1 billion and up in revenue. They see threat intelligence as something that they need to adopt.”
Why The Stack You Already Own Is Not Enough
If you are reading this, you probably already own most of the modern defensive alphabet. Firewalls, IPS, SIEM, EDR, EPP (Endpoint Protection Platform), maybe some flavor of XDR, plus a few specialized tools.
The problem is that this stack on its own still leaves you with surprises. Jawa hears that often.
“They’ve had the tools. They’ve had firewalls, IDS, IPS, SIEM, EDR, EPP, all of that, but still, hey, I’m getting breached. I’m still getting attacked with advanced threats. I need to take a threat-centric approach.”
Cyware’s thesis is that without a threat-centric layer that understands adversaries, TTPs, indicators, and sector level patterns, your stack is essentially playing whack-a-mole with partial context.
The limits of legacy tooling are not that they are useless. They do their jobs. The problem is that the jobs they were built for do not fully match the threats you are dealing with.
“The legacy tools that we’ve had for a long time, they’re just not cutting it right. They don’t serve their purpose. Let’s you know, let’s make no mistake about it, they’re there. They add value. But when it comes to advanced threats, more often than not, they’re not able to either look at threats the right way or enrich them, look for indicators or compromise malware hashes. Or if they do, they don’t have the level that a pure play of focus threat intelligence platform, threat intelligence management platform, can do.”
Cyware is trying to fill that gap without pretending you will throw everything else away.
Threat Sharing That Actually Happens
“Information sharing” has been one of cybersecurity’s favorite feel-good topics. Everyone agrees it is important. Everyone nods along. And then implementation too often devolves into email lists, PDFs, and “we will publish a report later.”
Jawa’s assessment of our track record as an industry is sober.
“We as an industry, I’m just saying all of us, having been in the industry for. Almost three decades, we don’t do a good job when it comes to threat sharing or information sharing in general, right, especially as it relates to within industries, within a private public sector, we can do better.”
Cyware’s second core pillar is focused specifically on this problem.
“One is threat intelligence management, which we do, which is one core pillar. The second core pillar is threat sharing.”
Instead of treating ISACs and other communities as separate worlds, Cyware has integrated them into its platform.
“One of the ways we help our partners are the ISACs that we closely partner with. We work with 90% of the major ISACs from financial services, health, space – and we enable that bi-directional threat sharing within those communities, within those industries.”
Ninety percent of major ISACs is not a casual statistic. It means if you belong to one of these communities, Cyware is likely to be relevant to how information flows in and out of it.
They do not stop at single sector sharing either.
“And we also enable industry to industry threat sharing at different levels, at national cert levels, other levels where make that thread sharing seamless. So that’s a core pillar of what we would be do.”
Cyware wants to make it normal for healthcare to benefit from what financial services is seeing, for space to learn from critical infrastructure, and for national CERTs to participate without everything turning into an email forwarding exercise.
Jawa is clear that they have been leaning into this for years, not just reacting to a trend.
“Again, that has evolved so much in the last six years, and we make sure we’re not reacting to it. Some of our peers, competitors, that’s kind of how they’ve done. We’ve kind of led this path around bi-directional thread sharing, and we are super proud of our partnerships with the ISACs.”
For CISOs, the question is simple. If you are already part of one or more ISACs, are you operationalizing those memberships, or just liking the occasional PDF in Slack?
From TIP To Cyber Intelligence Suite
Cyware began life as a classic threat intelligence platform vendor. Over time, they realized that multiple related areas really belong in the same threat centric view, rather than living as disconnected tools whose data your analysts have to mentally correlate.
“One is what we’ve been building as an intelligence suite. We call it Cyber Intelligence Suite. So essentially, we started as a TIP player, just like the other threat intelligence platform players, five, six years ago. But over time, we’ve evolved.”
The last year-and-a-half have been about packing more into that core, but in a way that still aligns with threat intelligence as the organizing principle.
“Over the last 18 months, we’ve been packing lot more functionalities into the TIP based platform, where we’re seeing a lot of adjacent areas coming together with threat intelligence.”
Those adjacent areas are ones many of you already spend money on, usually with separate tools and separate contracts.
“So things like compromised credential management, malware sandboxing, even some sectorial feeds integrated. And traditionally, these were different budget line items. They were islands of their own, not integrated into cyber threat intelligence. So we brought them all together.”
Cyware is also using partnerships to pull digital risk protection into that same lens.
“One announcement that we’re coming up in the next couple of weeks, is a partnership with SOCRadar, where we’re bringing in full on digital risk protection capabilities that is dark web monitoring, domain monitoring, social media monitoring, executive social health monitoring, all of that tied into integrated into cyber threat intelligence.”
If your current security architecture has DRP in one console, compromised credentials in another, malware sandboxing in a third, and sector intel somewhere else, Cyware’s pitch is that all of those should roll into a single threat intelligence fabric that your teams can reason about coherently.
Agent AI Without The Hype Hangover
No RSAC conversation in 2026 is complete without AI. Everyone has “agents” now. Some of them are real advances. Some are old workflows hastily wrapped in a large language model and a new SKU.
Cyware has taken a more patient route.
“What we didn’t want to do is we didn’t want to rush ourselves into this whole bandwagon and create another LLM wrapper and call it an agent.”
They did the baseline engineering work that everyone did.
“We launched our MCP server last Black Hat, August timeframe. We did all the check boxes, if you will.”
But they waited before going big on fully fledged agents, first launching what they call their AI Fabric, then layering agents on top.
“We did do a major launch in November, four months back, what we call as our AI Fabric that kind of gave the foundation, along with a couple of agents.”
Recently they have expanded that significantly.
“What we’ve launched this past week is really powerful, meaningful, solving real world problems for customers, not just taking something that you could automate 20 years ago or 15 or even five years ago, and then call that an agent. No, this is truly an agent AI capability that or at least the handful of agents that we have, we have 11 agents so far, and I would say five, six of them are trailblazers.”
For security leaders who are understandably skeptical of “AI will run your SOC for you,” Cyware’s stance is more realistic. Agents handle the repetitive, high-volume work and help with analysis, while humans focus their time and attention on the parts of the problem that actually require judgment.
Why Threat Intelligence Is Becoming A Program, Not A Purchase
So what is driving more organizations to wake up and say “we need a threat intelligence program,” not just “we bought another feed”? Jawa sees three main forces at play.
First, threat sophistication and geopolitical reality.
“One, the threats are a lot more advanced, and they keep getting advanced. APT attacks are not new. We’ve known APT One came about 13 years ago. So advanced, persistent threats, they’re not new. We keep seeing them. There’s a lot of conflicts happening around the world, and those trigger a lot of cyber related incidents, for sure.”
As more organizations land in the blast radius of these campaigns, simply owning tools is no longer enough.
“So customers of all sizes are sitting up and saying, Yeah, I do have the defense tools, but I also have to have a better view into my adversaries, the threats that I’m facing, their TTPs, you know what they’re coming in with. I need to have better visibility into what’s happening so that I can take the right decision so that’s happening.”
Second, the structural limits of legacy defenses, as already discussed. Third, and increasingly important, is the fact that adversaries are using AI as well.
“And the last one, I would say, is AI adoption by the adversaries. That’s a scary thing, which we’ve not talked about much in the industry. We’re seeing that pop up more as well.”
In that context, threat intelligence cannot remain a slow, manual, static function. It must be tightly integrated, automated where it can be, and assisted by AI on the defender side just to keep up.
If you are a CISO or senior cybersecurity leader, Cyware’s story should force a few uncomfortable but necessary questions.
Do you actually have a threat intelligence program, or do you just have some feeds flowing into your SIEM and a couple of community memberships that you remember when someone forwards a report? When your ISAC publishes something important, how long does it take before that knowledge turns into detections, playbooks, or automated responses in your environment? How much of your analysts’ time is being spent chasing low context alerts instead of working from curated, shared, and enriched intelligence?
Cyware is betting that threat intelligence is about to become a central discipline for any organization above a certain size that is serious about advanced threats, and that it should be grounded in real sharing, real integration of adjacent capabilities, and practical AI.
If that resonates, here are pragmatic next steps:
- Map your current threat intelligence landscape. Identify all your feeds, ISAC or sector memberships, DRP tools, malware analysis systems, and how they connect to your SOC and incident response playbooks.
- Ask your team to walk you through a recent example where external threat intelligence or community sharing directly changed a detection, response, or control decision. If those examples are rare or slow, that is a signal.
- Evaluate whether a dedicated threat intelligence platform that is built around both management and bi-directional sharing would materially change how quickly you can act on new threats and how much value you get from the communities you already belong to.
- Explore how AI agents, used in the way Cyware describes, could relieve some of the low-level analysis burden on your SOC while raising your overall maturity and security efficacy.
- Engage Cyware for a focused discussion or demonstration of their Cyber Intelligence Suite, ISAC integrations, and Agent AI capabilities, specifically in the context of your sector, your existing tools, and your current threat intel maturity.
Threat intelligence is moving from “interesting extra” to “expected capability” for organizations in the revenue and risk bands that most CISOs in this readership occupy. Cyware is one of the vendors trying to ensure that when you say you have threat intelligence, you mean more than “we bought some feeds a while back.”
Author’s Note
This article is based on a conversation with Jawa Sivasankaran of Cyware during the 2026 RSAC Conference in San Francisco, held March 23rd to 25th, 2026. The discussion took place at the conference as Cyware highlighted its Cyber Intelligence Suite, deep ISAC partnerships, and Agent AI capabilities focused on raising security efficacy and SOC maturity rather than replacing analysts.
For more information, please visit https://www.cyware.com.
About the Author
Pete Green is the CISO / CTO of Anvil Works, a ProCloud SaaS company and co-author of “The vCISO Playbook: How Virtual CISOs Deliver Enterprise-Grade Cybersecurity to Small and Medium Businesses (SMBs)”. With over 25 years of experience in information technology and cybersecurity, Pete is a seasoned and accomplished security practitioner.
Throughout his career, he has held a wide range of technical and leadership roles, including LAN/WLAN Engineer, Threat Analyst, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Director of IT, CTO, CEO, Virtual CISO, and CISO.
Pete has supported clients across numerous industries, including federal, state, and local government, as well as financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality.
He holds a Master of Computer Information Systems in Information Security from Boston University, which is recognized as a National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA/CD) by the NSA and DHS. He also holds a Master of Business Administration in Informatics.
