How Superhuman Unlocked a New Era of AI-Driven Threat Intelligence With Recorded Future
Superhuman uses Recorded Future to surface relevant threats through AI-driven workflows, keeping its security function ahead of adversaries and protecting customer interests.
Goal
Build a modern, scalable threat intelligence program that cuts through noise, surfaces real risks fast, and increases efficiency.
Challenge
Analyzing fragmented threat intelligence to protect users, data, and infrastructure across a growing attack surface.
Outcome
- Eliminating manual data correlation lowers investigation time
- Centralized threat intelligence and faster threat detection reduce dwell time
- Increased automation and AI integration enable the team to focus on high-value security functions
- Context-rich reporting sharpens executive decision-making
Challenge
Manual efforts aren’t enough to protect attack surfaces
The hardest part of threat intelligence isn’t locating signals; it’s cutting through a tidal wave of noise. For Superhuman, that tide was rising fast.
Superhuman (formerly Grammarly) delivers proactive, context-aware AI agents that slide into workflows, wherever people work. Having recently changed its company name to unite Grammarly, Coda, and Superhuman Mail under one umbrella, the company now supports millions of people who leverage Superhuman tech to improve how they work and communicate.
Protecting those users means making sure everything behind the product is rock solid. The critical responsibility of protection falls to Superhuman’s Security team, which relies on threat intelligence for everything from detection and response to solution engineering.
“Threat intelligence is very important for us,” says Security Engineer Erich Harbowy. “We want to protect all of our customers’ interests, keep the platform safe, and maintain their trust.”
Previously, the team took a conventional approach: monitoring threat intelligence feeds and attack reports for new scenarios and tactics, techniques, and procedures (TTPs) used by threat actors. They also used public Indicators of Compromise (IoC) feeds to collect and compare with their internal data.
While it worked, the process was highly inefficient for a fast-growing company. Threat intelligence became siloed across multiple systems, requiring analysts to spend time manually searching and connecting the dots between disconnected sources. Analysts focused on collecting data instead of making decisions, which significantly slowed their ability to generate meaningful context from the raw IoCs.
“Our processes were quite manual and required a lot of maintenance from our side,” says Security Engineer Igor Tarpan. Harbowy agrees, adding, “We had to deal with a lot of cumbersome work. We needed a solution that made things more efficient.”
As Superhuman grew with new products and acquisitions, so did the attack surface. Alert volumes were climbing, intelligence was scattered, and manual processes were eating into the team’s time for real investigation.
Everything changed when Superhuman found a new superpower: Recorded Future.
Solution
Automating threat enrichment
Recorded Future has the scale and capabilities to aggregate and analyze diverse data sources, then deduplicate and reduce the noise. It became the foundation for delivering contextual, actionable threat intelligence organization-wide.
“It helps us validate threats, understand which threats are most important to us, and focus only on the things that matter and present a risk for our company,” Tarpan says. “It proved to be one of the best tools for our needs.”
Superhuman’s first milestone with Recorded Future was automation. They integrated Recorded Future into their SOAR environment, allowing alerts to be automatically enriched with threat scores, actor profiles, and IoC details. What used to require manual lookups now happens instantly.
“It’s given a wealth of great information to our intelligence team,” Harbowy says. “We also relied on Recorded Future’s API tools inside our SOAR workflows to enrich data and power our automations.”
“Recorded Future enriches and drives our security operations,” Tarpan adds. “It’s especially valuable during incident triage and response.”
Powering agentic security workflows
These early wins inspired the team to go beyond automation and toward agentic workflows. The team doubled down on integrating Recorded Future into AI-native workflows throughout the threat intelligence lifecycle.
One of the most impactful steps was building an internal MCP server based on the Recorded Future API. It enables Superhuman’s AI agents to request threat intelligence dynamically, thereby evaluating risks, understanding attack vectors, and summarizing threats in natural language.
Their first AI use case focused on detection and response, helping the team seamlessly manage rising alert volumes. From there, they expanded into the full threat intelligence cycle, including data enrichment, research, and engineering support.
Results
Deeper research and democratized intelligence
Automation and AI didn’t replace human analysts. Instead, the tools strengthened their role. Analysts continue to conduct in-depth investigations using features like Advanced Query Builder, visualization tools, and entity filtering, along with Recorded Future AI and the conversational interface, to explore emerging threat actors and attack techniques while validating hypotheses quickly.
“Some of the most-loved functionalities are the Advanced Query Builder and visualizations, which help us understand the high-level picture about threats, their timeline, and what signals we should prioritize. We search for specific entities, filter by sources, exclude noisy ones, and focus on signals that really matter,” Tarpan says.
The biggest change, however, has been cultural. Threat intelligence now flows effortlessly across teams. Engineers access threat intelligence directly, reducing dependency on the security team and accelerating product development. Recorded Future AI and the conversational interface let them query data sets in natural language: Is this domain risky? What techniques does this actor use? Should we worry about this vulnerability?
“It lets engineers understand the risks of what they’re building,” Harbowy explains. “Anyone can ask Recorded Future AI a question in natural language and get an answer they understand. It’s a little addition that gives a lot of time back to the team.”
“I have so many other tools where I have to memorize query languages. Recorded Future AI presents the threat directly for me in natural language, without reading hundreds of reports or articles,” Tarpan says.
It’s also enabled them to better communicate with leadership.
“By translating technical intelligence, we can narrow down what leadership must know about campaigns that affect us,” Harbowy says. “We give the executive team real numbers, examples, and context, making it easier to justify investments and explain what we see.”
Efficient operations, rapid detection, and a decisive edge
With centralized, actionable threat intelligence, Superhuman reduces dwell time, accelerates investigations, and scales AI-driven workflows without adding headcount.
Both Harbowy and Tarpan encourage other security teams to take a pragmatic approach to adopting AI. “The easiest thing is to start small with a specific use case,” Harbowy says. “Don't just use AI to use AI — think about the problem you’re trying to solve.”
For Superhuman, the problem was that their manual efforts couldn’t keep pace with their expanding attack surface. With Recorded Future, they’ve built solutions to address that, and they’re reaping the benefits.
“Recorded Future puts everything in one spot, so our investigation times are lower,” Harbowy says. “Our threat detection and dwell time have become much faster. Protection is better simply by having a source we can trust.”
“You have to know about threats. You have to prepare for them, and without intelligence, it's impossible,” Tarpan declares. “Having all this in one place with flexible ways to access, filter, and build alerts on top of it makes Recorded Future one of the coolest platforms for threat intelligence.”
In Recorded Future, Superhuman has found trusted threat intelligence, AI-native workflows, and a platform aligned with its vision. It’s the kryptonite of their adversaries, and it’s their not-so-secret weapon for keeping users safe.