ZeroFox Reviews & Product Details

One of the new and most impactful aspects I appreciate about ZeroFox is how it delivers actionable external threat intelligence rather than just raw indicators. The platform effectively combines AI-driven monitoring with human analyst validation to identify real threats across social media, surface web, deep web, and dark web sources. This approach significantly reduces noise and false positives, which is extremely valuable for SOC teams working under time constraints. ZeroFox’s ability to detect phishing campaigns, brand impersonation activities, leaked credentials, and early threat‑actor discussions allows analysts to move from reactive response to proactive defense.

From a SOC operations standpoint, I particularly like how ZeroFox provides strong contextual enrichment clearly linking suspicious activity to adversary intent, targeted assets, and potential business impact. This context makes investigations faster and more effective, especially during high‑severity incidents involving phishing, account compromise, or data leakage. Additionally, its seamless integration with SIEM and SOAR platforms supports automated workflows such as alert ingestion, correlation, and response actions, which helps improve overall detection efficiency and incident response timelines. Overall, ZeroFox strengthens digital risk protection by extending security visibility beyond the traditional perimeter and empowering SOC analysts with intelligence that is practical, prioritized, and ready for action. Review collected by and hosted on G2.com.

While ZeroFox is a very strong platform for external threat intelligence and digital risk protection, there are a few areas where it could be further improved from a SOC analyst’s perspective. One key area is alert prioritization and customization. Although ZeroFox already reduces noise through analyst validation, giving SOC teams more granular control over alert thresholds, severity scoring, and use‑case‑based filtering would help align alerts more closely with specific organizational risk priorities and reduce additional triage effort during peak hours.

Another improvement area is deeper integration visibility with SIEM and SOAR tools. While ZeroFox integrates well with platforms like Microsoft Sentinel and other security stacks, enhanced out‑of‑the‑box correlation dashboards and clearer mapping between external intelligence and internal telemetry would make investigations even faster and more intuitive for analysts handling incidents end‑to‑end.

Additionally, expanding guided investigation workflows and SOC‑focused playbooks within the platform could further support junior analysts and new team members. More scenario‑based recommendations tied to phishing campaigns, credential leaks, or dark web chatter would help speed up response and ensure consistent investigation quality across shifts. Overall, these enhancements would further strengthen ZeroFox’s usability and operational efficiency for SOC teams without changing its already strong intelligence foundation. Review collected by and hosted on G2.com.

After three years of continuous use, we view ZeroFox not just as a tool, but as a trusted cybersecurity partner. Its unified approach to external threat intelligence, brand protection, and rapid disruption has delivered tangible value by reducing risk, protecting reputation, and improving operational efficiency. For organizations seeking robust protection against modern digital threats—especially those targeting brands, executives, and customers—ZeroFox stands out as a mature, effective, and future‑ready solution.

As threat actors increasingly target brands, executives, and customers across social media, domains, and the open, deep, and dark web, ZeroFox has proven itself to be a reliable, forward‑thinking, and highly capable platform for external cybersecurity Review collected by and hosted on G2.com.

While ZeroFox delivers strong external threat visibility, the volume of alerts can occasionally be overwhelming and requires ongoing tuning to reduce noise and focus on the most critical risks. Some advanced workflows and customization options have a learning curve, which can slow efficiency for smaller or lean security teams. Additionally, as an enterprise‑grade platform, the cost and feature depth may feel heavier than necessary for organizations with more limited or narrowly scoped use cases. Review collected by and hosted on G2.com.

Its ability to detect and remediate brand impersonations and account takeovers in real time is impressive. The dashboard is user-friendly, and the alerts are actionable and easy to prioritize. ZeroFox significantly enhances our digital risk protection by offering proactive threat intelligence across social media, surface web, and dark web sources. The automation features reduce manual workloads and improve response time, making it a solid tool for staying ahead of external threats. Review collected by and hosted on G2.com.

Occasional alert noise can lead to extra triage time, and deeper customization of policies could be more intuitive. Additionally, integrating with other security platforms sometimes requires manual configurations that could be smoother Review collected by and hosted on G2.com.

I like that ZeroFox makes it easy to track potential threats and scams that could damage our company's name. The status feature of the platform is really clear, showing if an issue is new, reopened, or if a takedown was requested, accepted, or denied, which helps me manage the issues efficiently. My former account manager, Larissa, was very attentive, and typically, both account managers and the platform escalate relevant issues, which reduces my work. Also, the initial setup was straightforward since we received regular updates via an Excel file from our account manager. Review collected by and hosted on G2.com.

It's often repetitive because the same issues from the past are reopened. And also disappointing when registrars don't accept the takedown but there's nothing much we can do about it. When there's a reopened issue, we'd appreciate more clarity on why an issue was closed initially and why it was reopened, more intelligence in the platform regarding false positives and to continue disregarding false positives for future scans. Another complexity has been to delimit and update the list of whitelisted domains. Review collected by and hosted on G2.com.

What I like best about ZeroFox is how comprehensive yet straightforward it is to use for brand protection. It covers the full workflow end-to-end — from phishing website detection and submitting takedown requests, to dark web monitoring for potential data leaks — without being overly complex to operate day to day.

I also appreciate the level of service from their team. The launch/onboarding configuration was well handled, and the recurring check-in meetings are genuinely useful. They actively listen to customer feedback and it’s clear they take it seriously. Review collected by and hosted on G2.com.

What I dislike is mostly around some usability and customization details. Access control could be more granular, especially RBAC and visibility controls, so different teams can be limited to only the assets or alert types relevant to them (for example, allowing marketing to view impersonation-related alerts without access to data leak or dark web monitoring). Today, achieving that kind of separation can require duplicating configurations, which adds unnecessary overhead.

Alert search and day-to-day alert handling could also be improved to make investigation and triage faster. Reporting could also be stronger, particularly around more customizable customer reports (e.g., filtering and trending by geolocation and industry, and risk scoring based on alerts and monitored assets).

Finally, the physical security module feels very US-oriented and would benefit from stronger coverage and relevance for European organizations. Overall these are smaller details, but addressing them would make the platform even better. Review collected by and hosted on G2.com.

I like using ZeroFox for intelligence research because it helps maintain awareness, especially for a CTI analyst. It provides visibility on things that we're not getting from other vendors and delivers reports in a timely manner. I also appreciate the ability to check for chatters in the underground world, the functionality to takedown domains trying to impersonate our company, and staying informed on the latest campaigns or intel. The ZeroFox Intelligence Research really stands out for me. Review collected by and hosted on G2.com.

I don't like that the takedowns feature is not automated and grab the evidence by itself instead of asking for proof from the client. Implementing an automation for takedowns where it does the research on its own would be better. CrowdStrike is already doing that. Review collected by and hosted on G2.com.

The platform's ease of use is a major highlight; the dashboard is incredibly intuitive, allowing us to quickly assess our external risk posture without a steep learning curve. This simplicity encourages high adoption, and it has become a tool we rely on with high frequency of use - it's integrated into our security team's daily operational checks.

The ease of implementation was also impressive. We were up and running in less than a day, with our core assets configured and alerts flowing in. It also offers great ease of integration; we've connected it to our SIEM via its API, which allows us to correlate external threat data with our internal logs for a more unified security view.

The sheer number of features is comprehensive. We get immense value from the automated takedown services for phishing sites and the proactive intelligence on fraudulent domains and executive impersonations.

Finally, the customer support has been excellent. On the few occasions we've needed assistance - once to help fine-tune a complex alerting rule - our account manager was responsive, knowledgeable, and provided a clear resolution quickly. It's a complete package that delivers tangible results. Review collected by and hosted on G2.com.

While the platform is powerful, the initial volume of alerts can feel a bit overwhelming until everything is properly tuned. In our first couple of weeks, we saw a noticeable number of false positives, which meant extra manual review along with ongoing rule tweaks and adjustments.

Also, although the main dashboard is easy to use, I think the reporting module could offer more flexibility. I’d like to be able to create more granular, bespoke reports directly in the UI, rather than exporting raw data and manipulating it elsewhere. Strengthening the advanced alert-filtering logic as well (for example, supporting multi-conditional rules) would be a welcome improvement and would help us narrow in on the most critical threats even faster. Review collected by and hosted on G2.com.

I love the account takedown feature in ZeroFox. I also like the domain takedown tool, which is pretty handy. Additionally, I appreciate that it helps take down apps masking my own from the Play Store and Cloud Store. Another feature I love is the intro it gives into the dark web, especially if any customer data or organizational data is being sold there. It's a very beautiful capability. The initial setup of ZeroFox was quite easy and straightforward. Review collected by and hosted on G2.com.

I would say for users with infected hosts and users with compromised credentials, sometimes we get some behind alerts in the sense that we don't get to see the URL. You're saying you're having a compromised credential, but you don't even know the domain at which this compromised credential is for. Then two, sometimes we don't get enough visibility into the dark web alerts. We just see the Telegram alert and think it can be done better in that aspect. Review collected by and hosted on G2.com.

I find ZeroFox to be doing good, especially the tool and the search feature, which help in shutting down malicious websites. The response from the portal is also good, and the integration makes it nice and easy to submit a request. The integration with our SSO environment makes submitting a ticket very easy; you just copy the website or URL and submit the follow-up. Furthermore, the platform is accessible from an iPad, phone, or portal, which makes it easy to reach and submit the environment. Scanning or searching for the public website is also helpful. Review collected by and hosted on G2.com.

The Discovery sometimes is not good. I don't know because maybe it's very big. And maybe it's consuming a lot of the Internet because nowadays, the new AI tools, it's always nowadays instead of ZeroFox discover the website or the patent, we are getting information from our client or somebody from legal to department that we have discover a site. So that should be something in ZeroFox to be able to do more discovery and depend on what we give the name, the patent, and all these things. Review collected by and hosted on G2.com.

I use ZeroFox at my job mainly for brand insight, threat intel, and brand image protection. I appreciate that it helps me look out for possible threat leads and close any gaps visible to threat actors publicly. I like that I can look through frequently updated databases and breaches, meaning I never miss out on any recent activity related to both publicly and privately held breaches. I also really appreciate having a team that handles all the nitty gritty stuff, like legal work and going back and forth with companies and platforms. The initial setup was rather simple—just identifying our assets, providing asset details, and handling escalations and submissions. Review collected by and hosted on G2.com.

I really think the intelligence search needs to be revamped to include more filters and more parameters. For example, you should be able to select a specific time range or a date range. You should be able to expand each indexed item and view all the parameters in detail. Review collected by and hosted on G2.com.