Liberty91
A wooden rubber stamp pressing a clean brand mark onto a crisp report cover, deep navy with warm orange light
Industry7 min read

White-Label Threat Intelligence: What to Look For.

If you run an MSSP, an MDR practice, or any kind of security service, threat intelligence is one of the easiest things to add to your offer and one of the hardest to do well. Buying a white-label platform lets you put your own brand on intelligence without standing up a research team of your own, which is exactly why it is attractive. The catch is that not every product marketed as “white-label” means the same thing, and the gaps usually show up months later, in front of a customer, at the worst possible moment.

So here is the short version before the detail: a white-label threat intelligence platform is worth buying when the branding goes all the way to the report and the email, when the intelligence is genuinely tailored to each of your customers rather than one feed with your logo on it, when you can deliver into your customers' tooling instead of just emailing a PDF, when you can prove what you sent for the QBR, and when the commercial model still works for you at fifty customers, not just five. This post walks through the questions worth asking under each of those headings, so you know what you are actually buying before you put your name on it.

I have sat on both sides of this. I have been the buyer of intelligence and the consultant standing up intelligence capabilities for other organisations, and the thing that consistently separates a service that renews from one that quietly churns is not the quality of any single report. It is whether the whole thing feels like it came from you.

1. How deep does the white-labelling actually go?

Plenty of platforms will let you drop a logo into a corner of a dashboard and call it white-label. That is fine for an internal tool, but your customers do not log into your vendor's dashboard. They read what lands in their inbox, and they judge your brand by it. So the question to ask is not “can I add my logo?” but “where does my brand stop and the vendor's brand start?”

Walk through the full path a piece of intelligence takes to reach your customer and check the branding at each step:

  • The sender. Does the email come from your domain, with your sender name and your reply-to address, so a customer who hits reply reaches you and not a third party they have never heard of?
  • The email itself.Are the templates yours, with your colours and typography, or is it the vendor's house style with a logo bolted on?
  • The report.When a customer opens the PDF, is the cover, body, and footer carrying your logo and your typography from first page to last, or does the vendor's name appear somewhere in the small print?

If the answer to any of those is the vendor's brand, you do not have a white-label product, you have a co-branded one, and your customer will notice. Liberty91 carries the branding through all three layers: sender and reply-to, email templates, and the report PDF cover, body, and footer with your logo and typography. The point is not vanity. It is that your customer should never have a reason to wonder who is really behind the intelligence they are paying you for.

2. Is the intelligence tailored per customer, or one report with different logos?

This is the question that matters most and the one easiest to gloss over in a demo. A single well-produced threat report looks impressive. The harder thing to verify is whether the report your fintech customer receives is meaningfully different from the one your manufacturing customer receives, or whether it is the same content with two different logos on the cover.

The test is simple to state and hard to fake: would two of your customers in different sectors recognise their own world in the report, or would they recognise each other's?

Generic intelligence is not worthless, but it is not what your customers are paying a premium for, and they can usually get it free from a vendor blog. What earns a renewal is intelligence that reflects the customer's sector, region, technology stack, and exposure. So ask how relevance is decided. Is there a defined set of standing questions per customer that drives what gets collected and surfaced for them, or is everyone fed from the same pool?

This is where the underlying model matters more than the output. The Liberty91 approach gives each customer their own set of Intelligence Requirements, the prioritised questions that organisation needs answered on an ongoing basis, with a dedicated AI agent stack working against them. The platform handles the prioritisation, and the requirements maintain themselves as the customer's exposure shifts. Hundreds of sources are monitored in real time, and relevance is assessed per customer, so leaked-credential exposure or a supply-chain risk that matters to one account does not get buried in noise meant for another. That is the difference between a feed and intelligence.

3. Can you deliver into your customers' tooling, not just send a PDF?

A PDF in an inbox is a fine way to reach a CISO. It is a poor way to reach a SOC. If part of your value is helping customers act faster, the intelligence has to land where the action happens, which means inside their existing security stack and not only in a human's email.

Ask what formats the platform produces and where it can send them. The useful outputs are the ones a customer's tooling can consume directly:

  • Written reports for the humans who need context and a judgement, not just data.
  • IOC lists with enrichment so an analyst is not starting cold on every indicator.
  • Sigma rules the customer can load into detection without rewriting them.
  • STIX 2.1 bundles for structured ingestion into a TIP or downstream pipeline.

Then ask where those outputs can go. Delivery into a SIEM, a SOAR platform, a firewall, a TIP, or an automated security agent is what turns intelligence from something a customer reads into something their defences use. Liberty91 produces all of the formats above and delivers into that tooling, so a single piece of intelligence can reach a customer's analyst as a report and their detection stack as a rule at the same time. If a platform can only send a PDF, you are reselling a newsletter, and you will be competing on price the moment a customer realises it.

4. Can you prove delivery for QBRs and renewals?

Every service business lives and dies on the renewal conversation, and intelligence is harder to defend at renewal than most services because good months can feel quiet. When nothing went wrong, a customer can easily conclude they did not need you. Your defence is evidence, and evidence means an audit trail you can put in front of them.

So ask whether the platform keeps a per-customer record of what was sent and when. When you sit down for a quarterly business review, you want to say, with receipts, “here is every alert and morning report we delivered to you this quarter, here is the supply-chain risk we surfaced in March, here is the leaked-credential exposure we flagged in April.” That is a renewal conversation built on a log, not on memory.

This is what the Liberty91 Mailroom is for. It handles multi-tenant dispatch across your whole customer base and keeps an auditable, per-customer Sent log, routing the Morning Report and Alerts to the right accounts and recording each delivery. The log is not a nice-to-have for your operations team; it is the artefact that makes the value visible to the customer paying for it. Intelligence that nobody can prove they received tends to be intelligence nobody remembers paying for.

5. Does the commercial model scale per customer so it stays a margin as you grow?

The last question is the one that decides whether this is a business or a hobby. A white-label arrangement that works beautifully for your first three customers can quietly become unworkable at thirty if every new account adds disproportionate cost or manual effort. You are not just buying a product, you are buying a unit economics curve, and you want it to bend the right way.

Without quoting numbers, the framing to hold onto is this: the platform should let you add a customer without adding a research analyst. Per-customer tailoring should come from the platform doing the work, not from you stitching it together by hand each time. If onboarding a new account means someone on your team manually curating sources, rewriting reports, and managing delivery one by one, your costs grow in lockstep with your customer base and the margin you were counting on evaporates.

The whole reason this model is attractive is that you get real intel at machine speed with no team to build, and that advantage only holds if it survives growth. So when you evaluate, do not just price the first customer. Picture the fiftieth, and ask whether the work to serve them looks the same as the first or ten times heavier. That single thought experiment will tell you more about the long-term economics than any feature list.

The questions, in one place

If you take nothing else into your evaluation, take these five questions:

  • Does the branding reach the sender, the email template, and the report PDF, or stop at a logo on a dashboard?
  • Is the intelligence tailored per customer through a defined set of standing requirements, or is it one feed wearing different logos?
  • Can you deliver reports, IOCs, Sigma rules, and STIX bundles into a customer's SIEM, SOAR, firewall, and TIP, or only send a PDF?
  • Can you produce a per-customer record of what was sent and when, ready for a QBR?
  • Does serving the fiftieth customer cost roughly what the first one did, so it stays a margin as you grow?

Where Liberty91 fits

I am obviously not a neutral party here, so take this as context rather than a verdict. We built Liberty91's white-label threat intelligence around exactly these five questions, because they are the ones that decided whether the services I worked with over the years kept their customers or lost them. Per-customer Intelligence Requirements and a dedicated agent stack handle the tailoring. The report PDF, email templates, sender, and reply-to carry your brand end to end. The Mailroom dispatches across your customer base and logs every delivery. And the outputs land in your customers' tooling, not just their inboxes.

If you are weighing up adding intelligence to an MSSP offering, or shaping a threat-intelligence-as-a-service line, the worst outcome is putting your name on something that turns out to be shallow once a customer leans on it. Ask the five questions of whoever you evaluate, including us. If you want to see how the branding, tailoring, delivery, and audit trail actually work in practice, we are happy to walk you through it.

Related Blog.

A tailor's tape measure, a spool of orange thread and fabric shears resting on dark cloth, deep navy tones with warm orange light, suggesting bespoke tailoring
Industry

Per-Customer Threat Intelligence vs Generic IOC Reports

Why a context-free IOC report underdelivers at a customer's desk, and what per-customer threat intelligence means: relevance, context, and detection content assessed per organisation.

A neat row of identical branded report folders fanning out across a desk, deep navy with warm orange light, suggesting a service that scales per customer
Industry

Threat Intelligence as an MSSP Revenue Stream, Not a Cost Centre

Why threat intelligence usually lands as an MSSP cost, and what makes it a value-added service line that grows margin: per-customer relevance, branded delivery, and a provable audit trail.

Ready to do more with less?

Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.