Enhancing Threat Intelligence in Modern Enterprises
In today’s complex enterprise landscape, producing threat intelligence that teams can actually use is a significant challenge. Attackers operate at many levels, and the critical data and tools are often scattered across teams and products, which reduces observability.
Security teams face the daunting task of evaluating numerous alerts without always being updated on the latest vulnerabilities, attacker behaviors, or campaigns.
Are You Prepared for AI-Driven Solutions?
With the launch of Google Threat Intelligence, Google Cloud aims to equip even the smallest teams with the latest insights into the threat landscape. This innovative platform, unveiled at the RSA conference, combines the capabilities of Gemini AI with data from VirusTotal and Mandiant.
“You need the right balance of breadth and depth when it comes to threat intelligence,” stated Eric Doerr, VP of Engineering for Cloud Security at Google Cloud. Traditionally, providers have focused on one aspect over the other, leaving many organizations to piece together their own solutions.
Integrating Core Pillars of Threat Intelligence
VirusTotal boasts a global community of over 1 million users who collectively share intelligence on threat indicators, including files and URLs. Mandiant's researchers continuously investigate and analyze threat actor behavior. “These two pillars of threat intelligence come together seamlessly,” Doerr explained, further enhanced by Google’s expansive visibility into threats. With protection for 4 billion devices and 1.5 billion email accounts, Google blocks 100 million phishing attempts daily. This robust infrastructure provides invaluable insights into internet and email-based threats, connecting them to broader malicious campaigns.
Moreover, Google leverages open-source threat intelligence contributed by the security community, allowing customers to benefit from comprehensive IoC analysis, external threat monitoring, attack surface management, and digital risk protection.
“While there is no shortage of threat intelligence, the challenge lies in contextualizing and operationalizing that intelligence for specific organizations,” said Dave Gruber, principal analyst at TechTarget’s Enterprise Strategy Group. By integrating VirusTotal and Mandiant with Google and AI, security teams gain accessible and actionable threat intelligence.
Unlocking the Power of Gemini
At the heart of the new threat intelligence platform is Google’s Gemini 1.5. The model lets users pose questions in natural language and receive answers drawn from a search across Google’s, Mandiant’s, and VirusTotal’s threat intelligence repositories.
Gemini’s capabilities include entity extraction, automated collection of open-source intelligence (OSINT) from the web, and categorization of industry threat reports. The extracted data is organized into knowledge collections that hold threat actor profiles, tactics, techniques, and procedures (TTPs), and indicators of compromise (IoCs).
Doerr highlighted that Gemini 1.5 supports a context window of up to 1 million tokens, which streamlines the traditionally labor-intensive process of malware reverse engineering, a skill in high demand amid a global cybersecurity talent shortage. In a recent test, Gemini analyzed the WannaCry ransomware code in 34 seconds, an analysis that previously took 7 hours.
With a context window that large, the code of more than 99% of malware samples fits in a single prompt, so the model can reason over a whole sample rather than over fragments, a significant advance for threat intelligence work.
Streamlining Threat Intelligence Workflows
New threats surface every month, and active threat actors such as Scattered Spider keep security analysts inundated with alerts, some genuine and others false positives. Google Threat Intelligence lets users quickly condense large datasets, analyze suspicious files, and cut manual work. Incoming threats are automatically integrated into workflows, improving situational awareness for security teams.
Doerr emphasized the platform's unique feature: the automatic enrichment of data for high-priority emerging threats. “Instead of merely reacting to alerts, teams can skip the extensive research phase,” he noted.
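The two steps described above, extracting IoCs and TTP identifiers from a report into a knowledge collection and then enriching incoming alerts against it, in reduced form as an added example. This is not Google Threat Intelligence code and uses no Google, Mandiant, or VirusTotal API; the report excerpt, actor name, indicators, and alerts are constructed for the example, and the regular expressions and the `KnowledgeCollection` layout are this editor's assumptions about how such a collection could be structured.

```python
import re
from dataclasses import dataclass, field

# Constructed threat-report excerpt for this example: the actor, TTP IDs,
# host names and addresses are made up (the hash is SHA-256 of an empty
# input, used only as a placeholder). Indicators are "defanged" the way
# public reports normally print them.
SAMPLE_REPORT = """
Example Actor (constructed) relies on spearphishing attachments (T1566.001)
and PowerShell (T1059.001). Observed C2: hxxp://cdn-update[.]example[.]net/a
and 203[.]0[.]113[.]45. Dropper SHA256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Lure sender: ops[@]example[.]org
"""

# Constructed alerts, shaped the way an upstream tool might emit them:
# one defanged, one with an upper-case hash, one with no known indicator.
SAMPLE_ALERTS = [
    {"id": "A-1", "source": "proxy", "indicators": ["203[.]0[.]113[.]45"]},
    {"id": "A-2", "source": "edr",
     "indicators": ["E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"]},
    {"id": "A-3", "source": "proxy", "indicators": ["198.51.100.7", "not-an-ioc"]},
]


def refang(text: str) -> str:
    """Undo common defanging so indicators from reports and alerts compare equal."""
    return (text.replace("hxxp", "http")
                .replace("[.]", ".")
                .replace("[@]", "@")
                .replace("[:]", ":"))


# Assumed indicator grammar; order matters because classify() takes the first
# type that matches (an email must win over the bare-domain pattern).
IOC_PATTERNS = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
TTP_PATTERN = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")   # ATT&CK technique IDs


@dataclass
class KnowledgeCollection:
    """One actor's profile: TTP IDs plus indicators grouped by type."""
    actor: str
    ttps: set = field(default_factory=set)
    iocs: dict = field(default_factory=dict)   # type -> set of normalised values


def build_collection(actor: str, report: str) -> KnowledgeCollection:
    """Entity extraction: pull TTPs and IoCs out of free-text report prose."""
    text = refang(report)
    kc = KnowledgeCollection(actor)
    kc.ttps = set(TTP_PATTERN.findall(text))
    for kind, pattern in IOC_PATTERNS.items():
        # strip trailing sentence punctuation and lower-case for stable matching
        values = {m.group(0).rstrip(".,;:").lower() for m in pattern.finditer(text)}
        if values:
            kc.iocs[kind] = values
    return kc


def classify(indicator: str):
    """Return the indicator type whose pattern matches the whole value, else None."""
    for kind, pattern in IOC_PATTERNS.items():
        if pattern.fullmatch(indicator):
            return kind
    return None


def enrich(alert: dict, collections: list) -> dict:
    """Attach actor context to an alert whose indicators appear in a collection.

    Returns a new dict and leaves the input alert untouched; alerts with no
    known indicator are marked 'unenriched' rather than silently dropped.
    """
    hits = []
    for raw in alert.get("indicators", []):
        value = refang(raw).strip().lower()
        kind = classify(value)
        if kind is None:
            continue
        for kc in collections:
            if value in kc.iocs.get(kind, ()):
                hits.append({"indicator": value, "type": kind,
                             "actor": kc.actor, "ttps": sorted(kc.ttps)})
    return {**alert, "matches": hits, "priority": "high" if hits else "unenriched"}


def triage(alerts: list, collections: list) -> dict:
    """Map alert id -> sorted actor names it was linked to (empty if none)."""
    return {a["id"]: sorted({h["actor"] for h in enrich(a, collections)["matches"]})
            for a in alerts}


if __name__ == "__main__":
    kc = build_collection("Example Actor (constructed)", SAMPLE_REPORT)
    print(kc)
    print(triage(SAMPLE_ALERTS, [kc]))
```

The refang step is the part analysts most often forget: a proxy alert carrying `203[.]0[.]113[.]45` will never match a collection built from the refanged report unless both sides are normalised the same way, and the same goes for hash case.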
Many Google customers lack dedicated threat intelligence teams; some operate with small teams that juggle data from multiple sources, which can delay definitive assessments of threats. “It might take days or weeks to determine their security status,” Doerr explained. This platform accelerates their research and response times significantly.
For large enterprises with dedicated threat teams, the platform automates routine tasks, allowing teams to focus on addressing threats unique to their sectors.
Doerr pointed out that threats exist in a “pyramid,” ranging from broad attacks like ransomware to those targeting specific industries such as healthcare. Much of the security teams’ time is spent on lower-tier threats, often overlooking the more targeted risks. “There are not enough highly trained personnel available to manage all threats effectively,” he concluded, underscoring the importance of streamlining operations to bolster organizational security.